@solongate/proxy 0.26.1 → 0.26.3

package/hooks/guard.mjs

@@ -1,1175 +1,1175 @@
-#!/usr/bin/env node
-/**
- * SolonGate Policy Guard Hook (PreToolUse)
- * Reads policy.json and blocks tool calls that violate constraints.
- * Also runs prompt injection detection (Stage 1 rules) on tool arguments.
- * Exit code 2 = BLOCK, exit code 0 = ALLOW.
- * Logs ALL decisions (ALLOW + DENY) to SolonGate Cloud.
- * Auto-installed by: npx @solongate/proxy init
- */
-import { readFileSync, existsSync } from 'node:fs';
-import { resolve } from 'node:path';
-
-// ── Load API key from .env file (Claude Code doesn't load .env into process.env) ──
-function loadEnvKey(dir) {
-  try {
-    const envPath = resolve(dir, '.env');
-    if (!existsSync(envPath)) return {};
-    const lines = readFileSync(envPath, 'utf-8').split('\n');
-    const env = {};
-    for (const line of lines) {
-      const m = line.match(/^([A-Z_]+)=(.*)$/);
-      if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, '').trim();
-    }
-    return env;
-  } catch { return {}; }
-}
-
-const hookCwdEarly = process.cwd();
-const dotenv = loadEnvKey(hookCwdEarly);
-const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || '';
-const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || 'https://api.solongate.com';
-
-// ── Prompt Injection Detection (Stage 1: Rule-Based) ──
-const PI_CATEGORIES = [
-  {
-    name: 'delimiter_injection', weight: 0.95,
-    patterns: [
-      /<\/system>/i, /<\|im_end\|>/i, /<\|im_start\|>/i, /<\|endoftext\|>/i,
-      /\[INST\]/i, /\[\/INST\]/i, /<<SYS>>/i, /<<\/SYS>>/i,
-      /###\s*(Human|Assistant|System)\s*:/i, /<\|user\|>/i, /<\|assistant\|>/i,
-      /---\s*END\s*SYSTEM\s*PROMPT\s*---/i,
-    ],
-  },
-  {
-    name: 'instruction_override', weight: 0.9,
-    patterns: [
-      /\bignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|directives?)\b/i,
-      /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?|guidelines?)\b/i,
-      /\bforget\s+(all\s+|everything\s+)?(your|the|previous|prior|above|earlier)\b/i,
-      /\boverride\s+(the\s+)?(system|previous|current)\s+(prompt|instructions?|rules?|settings?)\b/i,
-      /\bdo\s+not\s+follow\s+(your|the|any)\s+(instructions?|rules?|guidelines?)\b/i,
-      /\bcancel\s+(all\s+)?(prior|previous)\s+(directives?|instructions?)\b/i,
-      /\bnew\s+instructions?\s+supersede\b/i,
-      /\byour\s+(previous\s+)?instructions?\s+are\s+(now\s+)?void\b/i,
-    ],
-  },
-  {
-    name: 'role_hijacking', weight: 0.85,
-    patterns: [
-      /\b(pretend|act|behave)\s+(you\s+are|as\s+if\s+you|like\s+you|to\s+be)\b/i,
-      /\byou\s+are\s+now\s+(a|an|the|my|DAN)\b/i,
-      /\bsimulate\s+being\b/i, /\bassume\s+the\s+role\s+of\b/i,
-      /\benter\s+(developer|admin|debug|god|sudo|unrestricted)\s+mode\b/i,
-      /\bswitch\s+to\s+(unrestricted|unfiltered)\s+mode\b/i,
-      /\byou\s+are\s+no\s+longer\s+bound\b/i,
-      /\bno\s+(safety\s+)?restrictions?\s+(apply|anymore|now)\b/i,
-    ],
-  },
-  {
-    name: 'jailbreak_keywords', weight: 0.8,
-    patterns: [
-      /\bjailbreak\b/i, /\bDAN\s+mode\b/i,
-      /\b(system\s+override|admin\s+mode|debug\s+mode|developer\s+mode|maintenance\s+mode)\b/i,
-      /\bmaster\s+key\b/i, /\bbackdoor\s+access\b/i,
-      /\bsudo\s+mode\b/i, /\bgod\s+mode\b/i,
-      /\bsafety\s+filters?\s+(off|disabled?|removed?)\b/i,
-    ],
-  },
-  {
-    name: 'encoding_evasion', weight: 0.75,
-    patterns: [
-      /\b(decode|translate)\s+(this|the\s+following)\s+(base64|rot13|hex)\b/i,
-      /\b(base64|rot13)\s*:\s*[A-Za-z0-9+/=]{10,}/i,
-      /\bexecute\s+the\s+(reverse|decoded)\b/i,
-      /\breverse\s+of\s*:\s*\w{10,}/i,
-    ],
-  },
-  {
-    name: 'separator_injection', weight: 0.7,
-    patterns: [
-      /[-=]{3,}\s*\n\s*(new\s+instructions?|system|instructions?)\s*:/i,
-      /```\s*\n\s*<\/?system>/i,
-      /\bEND\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b.*\bNEW\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b/is,
-    ],
-  },
-  {
-    name: 'multi_language', weight: 0.7,
-    patterns: [
-      /ignor(iere|a|e[zs]?)\s+(alle|todas?|toutes?|tüm|все)/iu,
-      /игнорируйте/iu, /yoksay/iu,
-      /vorherigen?\s+Anweisungen/iu, /instrucciones\s+anteriores/iu,
-      /instructions?\s+pr[eé]c[eé]dentes?/iu, /önceki\s+talimatlar/iu,
-    ],
-  },
-];
-
-function detectPromptInjection(text, customCategories = [], threshold = 0.5) {
-  const matched = [];
-  let maxWeight = 0;
-  const allCategories = [...PI_CATEGORIES, ...customCategories];
-  for (const cat of allCategories) {
-    for (const pat of cat.patterns) {
-      if (pat.test(text)) {
-        matched.push(cat.name);
-        if (cat.weight > maxWeight) maxWeight = cat.weight;
-        break;
-      }
-    }
-  }
-  if (matched.length === 0) return null;
-  const score = Math.min(1.0, maxWeight + 0.05 * (matched.length - 1));
-  const trustScore = 1.0 - score;
-  const blocked = Math.round(trustScore * 1000) < Math.round(threshold * 1000);
-  return { score, trustScore, categories: matched, blocked };
-}
-
-// ── Glob Matching ──
-function matchGlob(str, pattern) {
-  if (pattern === '*') return true;
-  const s = str.toLowerCase();
-  const p = pattern.toLowerCase();
-  if (s === p) return true;
-  const startsW = p.startsWith('*');
-  const endsW = p.endsWith('*');
-  if (startsW && endsW) { const infix = p.slice(1, -1); return infix.length > 0 && s.includes(infix); }
-  if (startsW) return s.endsWith(p.slice(1));
-  if (endsW) return s.startsWith(p.slice(0, -1));
-  const idx = p.indexOf('*');
-  if (idx !== -1) {
-    const pre = p.slice(0, idx);
-    const suf = p.slice(idx + 1);
-    return s.startsWith(pre) && s.endsWith(suf) && s.length >= pre.length + suf.length;
-  }
-  return false;
-}
-
-// ── Path Glob (supports **) ──
-function matchPathGlob(path, pattern) {
-  const p = path.replace(/\\/g, '/').toLowerCase();
-  const g = pattern.replace(/\\/g, '/').toLowerCase();
-  if (p === g) return true;
-  if (g.includes('**')) {
-    const parts = g.split('**').filter(s => s.length > 0);
-    if (parts.length === 0) return true;
-    return parts.every(segment => p.includes(segment));
-  }
-  return matchGlob(p, g);
-}
-
-// ── Extract Functions (deep scan all string values) ──
-function scanStrings(obj) {
-  const strings = [];
-  function walk(v) {
-    if (typeof v === 'string' && v.trim()) strings.push(v.trim());
-    else if (Array.isArray(v)) v.forEach(walk);
-    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
-  }
-  walk(obj);
-  return strings;
-}
-
-function looksLikeFilename(s) {
-  if (s.startsWith('.')) return true;
-  if (/\.\w+$/.test(s)) return true;
-  const known = ['id_rsa','id_dsa','id_ecdsa','id_ed25519','authorized_keys','known_hosts','makefile','dockerfile'];
-  return known.includes(s.toLowerCase());
-}
-
-function extractFilenames(args) {
-  const names = new Set();
-  for (const s of scanStrings(args)) {
-    if (/^https?:\/\//i.test(s)) continue;
-    if (s.includes('/') || s.includes('\\')) {
-      const base = s.replace(/\\/g, '/').split('/').pop();
-      if (base) names.add(base);
-      continue;
-    }
-    if (s.includes(' ')) {
-      for (const tok of s.split(/\s+/)) {
-        if (tok.includes('/') || tok.includes('\\')) {
-          const b = tok.replace(/\\/g, '/').split('/').pop();
-          if (b && looksLikeFilename(b)) names.add(b);
-        } else if (looksLikeFilename(tok)) names.add(tok);
-      }
-      continue;
-    }
-    if (looksLikeFilename(s)) names.add(s);
-  }
-  return [...names];
-}
-
-function extractUrls(args) {
-  const urls = new Set();
-  for (const s of scanStrings(args)) {
-    if (/^https?:\/\//i.test(s)) { urls.add(s); continue; }
-    if (s.includes(' ')) {
-      for (const tok of s.split(/\s+/)) {
-        if (/^https?:\/\//i.test(tok)) urls.add(tok);
-      }
-    }
-  }
-  return [...urls];
-}
-
-function extractCommands(args) {
-  const cmds = [];
-  const fields = ['command', 'cmd', 'function', 'script', 'shell'];
-  if (typeof args === 'object' && args) {
-    for (const [k, v] of Object.entries(args)) {
-      if (fields.includes(k.toLowerCase()) && typeof v === 'string') {
-        for (const part of v.split(/\s*(?:&&|\|\||;|\|)\s*/)) {
-          const trimmed = part.trim();
-          if (trimmed) cmds.push(trimmed);
-        }
-      }
-    }
-  }
-  return cmds;
-}
-
-function extractPaths(args) {
-  const paths = [];
-  for (const s of scanStrings(args)) {
-    if (/^https?:\/\//i.test(s)) continue;
-    if (s.includes('/') || s.includes('\\') || s.startsWith('.')) paths.push(s);
-  }
-  return paths;
-}
-
-// ── Policy Evaluation ──
-function evaluate(policy, args) {
-  if (!policy || !policy.rules) return null;
-  const denyRules = policy.rules
-    .filter(r => r.effect === 'DENY' && r.enabled !== false)
-    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
-
-  for (const rule of denyRules) {
-    if (rule.filenameConstraints && rule.filenameConstraints.denied) {
-      const filenames = extractFilenames(args);
-      for (const fn of filenames) {
-        for (const pat of rule.filenameConstraints.denied) {
-          if (matchGlob(fn, pat)) return 'Blocked by policy: filename "' + fn + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.urlConstraints && rule.urlConstraints.denied) {
-      const urls = extractUrls(args);
-      for (const url of urls) {
-        for (const pat of rule.urlConstraints.denied) {
-          if (matchGlob(url, pat)) return 'Blocked by policy: URL "' + url + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.commandConstraints && rule.commandConstraints.denied) {
-      const cmds = extractCommands(args);
-      for (const cmd of cmds) {
-        for (const pat of rule.commandConstraints.denied) {
-          if (matchGlob(cmd, pat)) return 'Blocked by policy: command "' + cmd.slice(0,60) + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.pathConstraints && rule.pathConstraints.denied) {
-      const paths = extractPaths(args);
-      for (const p of paths) {
-        for (const pat of rule.pathConstraints.denied) {
-          if (matchPathGlob(p, pat)) return 'Blocked by policy: path "' + p + '" matches "' + pat + '"';
-        }
-      }
-    }
-  }
-  return null;
-}
-
-// ── Main ──
-let input = '';
-process.stdin.on('data', c => input += c);
-process.stdin.on('end', async () => {
-  try {
-    const data = JSON.parse(input);
-    const args = data.tool_input || {};
-
-    // ── Self-protection: block access to hook files and settings ──
-    // Hardcoded, no bypass possible — runs before policy/PI config
-    // Fully protected: block ALL access (read, write, delete, move)
-    const protectedPaths = [
-      '.solongate', '.claude', '.cursor', '.gemini', '.antigravity', '.openclaw', '.perplexity',
-      'policy.json', '.mcp.json',
-    ];
-    // Write-protected: block write/delete/modify, allow read (cat, grep, head, etc.)
-    const writeProtectedPaths = ['.env', '.gitignore'];
-
-    // Block helper — logs to cloud + exits with code 2
-    async function blockSelfProtection(reason) {
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: data.tool_name || '', arguments: args,
-              decision: 'DENY', reason,
-              source: 'claude-code-guard',
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
-      }
-      process.stderr.write(reason);
-      process.exit(2);
-    }
-
-    // ── Normalization layers ──
-
-    // 1. Decode ANSI-C quoting: $'\x72' → r, $'\162' → r, $'\n' → newline
-    function decodeAnsiC(s) {
-      return s.replace(/\$'([^']*)'/g, (_, content) => {
-        return content
-          .replace(/\\x([0-9a-fA-F]{2})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
-          .replace(/\\([0-7]{1,3})/g, (__, oct) => String.fromCharCode(parseInt(oct, 8)))
-          .replace(/\\u([0-9a-fA-F]{4})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
-          .replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\r/g, '\r')
-          .replace(/\\(.)/g, '$1');
-      });
-    }
-
-    // 2. Strip all shell quoting: empty quotes, single, double, backslash escapes
-    function stripShellQuotes(s) {
-      let r = s;
-      r = r.replace(/""/g, '');    // empty double quotes
-      r = r.replace(/''/g, '');    // empty single quotes
-      r = r.replace(/\\(.)/g, '$1'); // backslash escapes
-      r = r.replace(/'/g, '');     // remaining single quotes
-      r = r.replace(/"/g, '');     // remaining double quotes
-      return r;
-    }
-
-    // 3. Full normalization pipeline
-    function normalizeShell(s) {
-      return stripShellQuotes(decodeAnsiC(s));
-    }
-
-    // 4. Extract inner commands from eval, bash -c, sh -c, pipe to bash/sh, heredoc, process substitution
-    function extractInnerCommands(s) {
-      const inner = [];
-      // eval "cmd" or eval 'cmd' or eval cmd
-      for (const m of s.matchAll(/\beval\s+["']([^"']+)["']/gi)) inner.push(m[1]);
-      for (const m of s.matchAll(/\beval\s+([^;"'|&]+)/gi)) inner.push(m[1]);
-      // bash -c "cmd" or sh -c "cmd"
-      for (const m of s.matchAll(/\b(?:bash|sh)\s+-c\s+["']([^"']+)["']/gi)) inner.push(m[1]);
-      // echo "cmd" | bash/sh or printf "cmd" | bash/sh
-      for (const m of s.matchAll(/(?:echo|printf)\s+["']([^"']+)["']\s*\|\s*(?:bash|sh)\b/gi)) inner.push(m[1]);
-      // find ... -name "pattern" ... -exec ...
-      for (const m of s.matchAll(/-name\s+["']?([^\s"']+)["']?/gi)) inner.push(m[1]);
-      // Heredoc: bash << 'EOF'\n...\nEOF or bash <<- EOF\n...\nEOF
-      for (const m of s.matchAll(/<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1/gi)) inner.push(m[2]);
-      // Herestring: bash <<< "cmd"
-      for (const m of s.matchAll(/<<<\s*["']([^"']+)["']/gi)) inner.push(m[1]);
-      for (const m of s.matchAll(/<<<\s*([^\s;&|]+)/gi)) inner.push(m[1]);
-      // Process substitution: <(cmd) or >(cmd)
-      for (const m of s.matchAll(/[<>]\(\s*([^)]+)\s*\)/gi)) inner.push(m[1]);
-      return inner;
-    }
-
-    // 5. Check variable assignments for protected path fragments
-    // e.g. X=".solon" && rm -rf ${X}gate → detects ".solon" as prefix of ".solongate"
-    function checkVarAssignments(s) {
-      const assignments = [...s.matchAll(/(\w+)=["']?([^"'\s&|;]+)["']?/g)];
-      for (const [, , value] of assignments) {
-        const v = value.toLowerCase();
-        if (v.length < 3) continue; // avoid false positives
-        for (const p of protectedPaths) {
-          if (p.startsWith(v) || p.includes(v)) return p;
-        }
-      }
-      return null;
-    }
-
-    // 6. Check if a glob/wildcard could match any protected path
-    function globMatchesProtected(s) {
-      const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
-      if (!hasWild) return null;
-      const segments = s.split('/').filter(Boolean);
-      const candidates = [s, ...segments];
-      for (const candidate of candidates) {
-        const candHasWild = candidate.includes('*') || candidate.includes('?') || /\[.+\]/.test(candidate);
-        if (!candHasWild) continue;
-        // Prefix match: ".antig*" → prefix ".antig"
-        const firstWild = Math.min(
-          candidate.includes('*') ? candidate.indexOf('*') : Infinity,
-          candidate.includes('?') ? candidate.indexOf('?') : Infinity,
-          /\[/.test(candidate) ? candidate.indexOf('[') : Infinity,
-        );
-        const prefix = candidate.slice(0, firstWild).toLowerCase();
-        if (prefix.length > 0) {
-          for (const p of protectedPaths) {
-            if (p.startsWith(prefix)) return p;
-          }
-        }
-        // Regex match — convert shell glob to regex
-        // Handles *, ?, and [...] character classes
-        try {
-          let regex = '';
-          let i = 0;
-          const c = candidate.toLowerCase();
-          while (i < c.length) {
-            if (c[i] === '*') { regex += '.*'; i++; }
-            else if (c[i] === '?') { regex += '.'; i++; }
-            else if (c[i] === '[') {
-              // Pass through [...] as regex character class
-              const close = c.indexOf(']', i + 1);
-              if (close !== -1) {
-                regex += c.slice(i, close + 1);
-                i = close + 1;
-              } else {
-                regex += '\\['; i++;
-              }
-            }
-            else {
-              regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&');
-              i++;
-            }
-          }
-          const re = new RegExp('^' + regex + '$', 'i');
-          for (const p of protectedPaths) {
-            if (re.test(p)) return p;
-          }
-        } catch {}
-      }
-      return null;
-    }
-
-    // ── Build all candidate strings from tool input ──
-    const rawStrings = scanStrings(args).map(s => s.replace(/\\/g, '/').toLowerCase());
-    const allStrings = new Set();
-
-    for (const s of rawStrings) {
-      // Raw string
-      allStrings.add(s);
-      // Normalized (ANSI-C decoded, quotes stripped)
-      const norm = normalizeShell(s);
-      allStrings.add(norm);
-      // Extract inner commands (eval, bash -c, pipe to bash, find -name)
-      for (const inner of extractInnerCommands(s)) {
-        allStrings.add(inner.toLowerCase());
-        allStrings.add(normalizeShell(inner.toLowerCase()));
-      }
-      // Split by spaces + shell operators for token-level checks
-      for (const tok of s.split(/[\s;&|]+/)) {
-        if (tok) {
-          allStrings.add(tok);
-          allStrings.add(normalizeShell(tok));
-        }
-      }
-      // Also split normalized version
-      for (const tok of norm.split(/[\s;&|]+/)) {
-        if (tok) allStrings.add(tok);
-      }
-    }
-
-    // ── Check all candidates ──
-    for (const s of allStrings) {
-      // Direct match
-      for (const p of protectedPaths) {
-        if (s.includes(p)) {
-          await blockSelfProtection('SOLONGATE: Access to protected path "' + p + '" is blocked');
-        }
-      }
-      // Wildcard/glob match
-      const globHit = globMatchesProtected(s);
-      if (globHit) {
-        await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches protected "' + globHit + '" — blocked');
-      }
-      // Variable assignment targeting protected paths
-      const varHit = checkVarAssignments(s);
-      if (varHit) {
-        await blockSelfProtection('SOLONGATE: Variable assignment targets protected "' + varHit + '" — blocked');
-      }
-    }
-
-    // ── Write-protection for .env, .gitignore ──
-    // These files can be READ but not written/deleted/moved
-    const toolNameLower = (data.tool_name || '').toLowerCase();
-    const isWriteTool = toolNameLower === 'write' || toolNameLower === 'edit' || toolNameLower === 'notebookedit';
-    const isBashTool = toolNameLower === 'bash';
-    const bashDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|cp|chmod|chown|truncate|shred)\b/i;
-    const fullCmd = rawStrings.join(' ');
-
-    for (const wp of writeProtectedPaths) {
-      if (isWriteTool) {
-        // Check file_path and all strings for write-protected paths
-        for (const s of allStrings) {
-          if (s.includes(wp)) {
-            await blockSelfProtection('SOLONGATE: Write to protected file "' + wp + '" is blocked');
-          }
-        }
-      }
-      if (isBashTool && bashDestructive.test(fullCmd)) {
-        for (const s of allStrings) {
-          if (s.includes(wp)) {
-            await blockSelfProtection('SOLONGATE: Destructive operation on "' + wp + '" is blocked');
-          }
-        }
-      }
-    }
-
-    // Also apply glob/wildcard checks for write-protected paths in destructive contexts
-    if (isBashTool && bashDestructive.test(fullCmd)) {
-      for (const s of allStrings) {
-        const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
-        if (!hasWild) continue;
-        // Convert glob to regex and test against write-protected paths
-        try {
-          let regex = '';
-          let i = 0;
-          const c = s.toLowerCase();
-          while (i < c.length) {
-            if (c[i] === '*') { regex += '.*'; i++; }
-            else if (c[i] === '?') { regex += '.'; i++; }
-            else if (c[i] === '[') {
-              const close = c.indexOf(']', i + 1);
-              if (close !== -1) { regex += c.slice(i, close + 1); i = close + 1; }
-              else { regex += '\\['; i++; }
-            }
-            else { regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&'); i++; }
-          }
-          const re = new RegExp('^' + regex + '$', 'i');
-          for (const wp of writeProtectedPaths) {
-            if (re.test(wp)) {
-              await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches write-protected "' + wp + '" — blocked');
-            }
-          }
-        } catch {}
-      }
-    }
-
-    // ── Layer 7: Block ALL inline code execution & dangerous patterns ──
-    // Runtime string construction (atob, Buffer.from, fromCharCode, array.join)
-    // makes static analysis impossible. Blanket-block these patterns.
-
-    // 7-pre. Blanket rule: destructive command + dot-prefixed glob = BLOCK
-    // Catches: rm -rf .[a-z]*, mv .[!.]* /tmp, etc.
-    // Any glob starting with "." combined with a destructive op is dangerous
-    const destructiveOps = /\b(?:rm|rmdir|del|unlink|mv|move|rename)\b/i;
-    const dotGlob = /\.\[|\.[\*\?]|\.{[^}]+}/; // .[a-z]*, .*, .?, .{foo,bar}
-    if (destructiveOps.test(fullCmd) && dotGlob.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Destructive command + dot-glob pattern — blocked');
-    }
-
-    // 7-pre2. Heredoc to interpreter — BLOCK
-    // bash << 'EOF' / bash <<< "cmd" / sh << TAG
-    if (/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+<</i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Heredoc to interpreter — blocked');
-    }
-
-    // 7-pre3. Command substitution + destructive = BLOCK
-    // Catches: rm -rf $(node scan.mjs), rm `node scan.mjs`, rm $(bash scan.sh)
-    // Pattern: destructive command + $() or `` containing interpreter call
-    const hasDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|shred)\b/i.test(fullCmd);
-    const hasCmdSubInterpreter = /\$\(\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd)
-      || /`\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd);
-    if (hasDestructive && hasCmdSubInterpreter) {
-      await blockSelfProtection('SOLONGATE: Command substitution + destructive op — blocked');
-    }
-
-    // 7-pre4. Pipe from interpreter to destructive loop = BLOCK
-    // Catches: node scan.mjs | while read d; do rm -rf "$d"; done
-    //          node scan.mjs | xargs rm -rf
-    //          bash scan.sh | while read ...
-    const pipeFromInterpreter = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\s*\|/i;
-    if (pipeFromInterpreter.test(fullCmd) && hasDestructive) {
-      await blockSelfProtection('SOLONGATE: Pipe from script to destructive command — blocked');
-    }
-
-    // 7-pre5. Script chaining: interpreter + destructive in same command chain
-    // Catches: node scan.mjs && rm -rf $(cat /tmp/targets.txt)
-    //          bash scan.sh; while read d < targets.txt; do rm -rf "$d"; done
-    const hasScriptExec = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\.\S+/i.test(fullCmd);
-    if (hasScriptExec && hasDestructive) {
-      await blockSelfProtection('SOLONGATE: Script execution + destructive command in chain — blocked');
-    }
-
-    // 7-pre6. Nested script substitution: node clean.mjs $(node scan.mjs)
-    // Two "harmless" scripts chained via command substitution — no rm in the command itself
-    const nestedScriptSub = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*\$\(\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
-    const backtickNestedScript = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*`\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
-    if (nestedScriptSub.test(fullCmd) || backtickNestedScript.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Nested script substitution — blocked (script output as args to another script)');
-    }
-
-    // 7-pre7. NODE_OPTIONS injection — block commands with NODE_OPTIONS env var
-    // NODE_OPTIONS="--require malicious.cjs" can inject code into any node process
-    if (/\bNODE_OPTIONS\s*=/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: NODE_OPTIONS injection — blocked');
-    }
-
-    // 7-pre8. npm lifecycle scripts — scan package.json before npm install/run
-    // npm install can trigger postinstall/preinstall/prepare scripts
-    if (/\bnpm\s+(?:install|i|ci|run|start|test|publish|pack)\b/i.test(fullCmd) || /\bnpx\s+/i.test(fullCmd)) {
-      try {
-        const hookCwdForNpm = data.cwd || process.cwd();
-        const pkgPath = resolve(hookCwdForNpm, 'package.json');
-        if (existsSync(pkgPath)) {
-          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
-          const scripts = pkg.scripts || {};
-          const lifecycleKeys = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack'];
-          const allScripts = Object.entries(scripts);
-          for (const [key, val] of allScripts) {
-            if (typeof val !== 'string') continue;
-            const scriptLower = val.toLowerCase();
-            // Check lifecycle scripts for dangerous patterns
-            const isLifecycle = lifecycleKeys.includes(key);
-            const isExplicitRun = fullCmd.includes(key); // npm run <key>
-            if (isLifecycle || isExplicitRun) {
-              // Check for protected path names
-              for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-                if (scriptLower.includes(p)) {
-                  await blockSelfProtection('SOLONGATE: npm script "' + key + '" references protected "' + p + '" — blocked');
-                }
-              }
-              // Check for string construction patterns
-              if (/fromcharcode|atob\s*\(|buffer\.from|\\x[0-9a-f]{2}/i.test(scriptLower)) {
-                await blockSelfProtection('SOLONGATE: npm script "' + key + '" contains string construction — blocked');
-              }
-              // Check for discovery+destruction combo
-              const hasDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob\b|\bls\s+-[adl]/i.test(scriptLower);
-              const hasDest = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b/i.test(scriptLower);
-              if (hasDisc && hasDest) {
-                await blockSelfProtection('SOLONGATE: npm script "' + key + '" has discovery+destruction — blocked');
-              }
-              // Follow node/bash <file> references in npm scripts — deep scan the target file
-              const scriptFileMatch = scriptLower.match(/\b(?:node|bash|sh|python[23]?)\s+([^\s;&|$]+)/i);
-              if (scriptFileMatch) {
-                try {
-                  const targetPath = resolve(hookCwdForNpm, scriptFileMatch[1]);
-                  if (existsSync(targetPath)) {
-                    const targetContent = readFileSync(targetPath, 'utf-8').toLowerCase();
-                    // Check target file for protected paths
-                    for (const pp of [...protectedPaths, ...writeProtectedPaths]) {
-                      if (targetContent.includes(pp)) {
-                        await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file referencing "' + pp + '" — blocked');
-                      }
-                    }
-                    // Check target for discovery+destruction
-                    const tDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(targetContent);
-                    const tDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(targetContent);
-                    if (tDisc && tDest) {
-                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with discovery+destruction — blocked');
-                    }
-                    // Check target for string construction + destruction
-                    const tStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(targetContent);
-                    if (tStrCon && tDest) {
-                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with string construction+destruction — blocked');
-                    }
-                    // Follow imports in the target file
-                    const tDir = targetPath.replace(/[/\\][^/\\]+$/, '');
-                    const tImports = [...targetContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
-                    for (const [, imp] of tImports) {
-                      try {
-                        const impAbs = resolve(tDir, imp);
-                        const candidates = [impAbs, impAbs + '.mjs', impAbs + '.js', impAbs + '.cjs'];
-                        for (const c of candidates) {
-                          if (existsSync(c)) {
-                            const impContent = readFileSync(c, 'utf-8').toLowerCase();
-                            const iDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(impContent);
-                            const iDest = /\brmsync\b|\bunlinksync\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(impContent);
-                            if ((iDisc && tDest) || (tDisc && iDest)) {
-                              await blockSelfProtection('SOLONGATE: npm script "' + key + '" — cross-module discovery+destruction — blocked');
-                            }
-                            break;
-                          }
-                        }
-                      } catch {}
-                    }
-                  }
-                } catch {}
-              }
-            }
-          }
-        }
-      } catch {} // Package.json read error — skip
-    }
-
-    // 7a. Inline interpreter execution — TOTAL BLOCK (no content scan needed)
-    // These can construct ANY string at runtime, bypassing all static analysis
-    const blockedInterpreters = [
-      [/\bnode\s+(?:-e|--eval)\b/i, 'node -e/--eval'],
-      [/\bnode\s+-p\b/i, 'node -p'],
-      [/\bpython[23]?\s+-c\b/i, 'python -c'],
-      [/\bperl\s+-e\b/i, 'perl -e'],
-      [/\bruby\s+-e\b/i, 'ruby -e'],
-      [/\bpowershell(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'powershell -EncodedCommand'],
-      [/\bpwsh(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'pwsh -EncodedCommand'],
-      [/\bpowershell(?:\.exe)?\s+-c(?:ommand)?\b/i, 'powershell -Command'],
-      [/\bpwsh(?:\.exe)?\s+-c(?:ommand)?\b/i, 'pwsh -Command'],
-    ];
-    for (const [pat, name] of blockedInterpreters) {
-      if (pat.test(fullCmd)) {
-        await blockSelfProtection('SOLONGATE: Inline code execution blocked (' + name + ')');
-      }
-    }
-
-    // 7b. Pipe-to-interpreter — TOTAL BLOCK
-    // Any content piped to an interpreter can construct arbitrary commands at runtime
-    // Also catches: | xargs node, | xargs bash, etc.
-    const pipeToInterpreter = /\|\s*(?:xargs\s+)?(?:node|bash|sh|python[23]?|perl|ruby|php)\b/i;
-    if (pipeToInterpreter.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Pipe to interpreter blocked — runtime bypass risk');
-    }
-
-    // 7c. Base64 decode in ANY context — block when piped to anything
-    if (/\bbase64\s+(?:-d|--decode)\b/i.test(fullCmd) && /\|/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: base64 decode in pipe chain — blocked');
-    }
-
-    // 7d. Temp/arbitrary script file execution
-    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/|\/dev\/)/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Script execution from temp path — blocked');
-    }
-
-    // 7e. xargs with destructive operations
-    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink|del)\b/i.test(fullCmd)) {
-      for (const p of protectedPaths) {
-        if (fullCmd.includes(p.slice(0, 4))) {
-          await blockSelfProtection('SOLONGATE: xargs with destructive op near "' + p + '" — blocked');
-        }
-      }
-    }
-
-    // 7f. cmd.exe /c with encoded/constructed commands
-    if (/\bcmd(?:\.exe)?\s+\/c\b/i.test(fullCmd)) {
-      for (const p of protectedPaths) {
-        if (fullCmd.includes(p) || fullCmd.includes(p.slice(0, 4))) {
-          await blockSelfProtection('SOLONGATE: cmd.exe /c near protected path — blocked');
-        }
-      }
-    }
-
-    // 7g. Script file execution — scan file content for discovery+destruction combo
-    // Catches: bash script.sh / node script.mjs where the script uses readdirSync + rmSync
-    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|$`]+)/i);
-    if (scriptExecMatch) {
-      const scriptPath = scriptExecMatch[1];
-      try {
-        const hookCwdForScript = data.cwd || process.cwd();
-        const absPath = scriptPath.startsWith('/') || scriptPath.includes(':')
-          ? scriptPath
-          : resolve(hookCwdForScript, scriptPath);
-        if (existsSync(absPath)) {
-          const scriptContent = readFileSync(absPath, 'utf-8').toLowerCase();
-          // Check for discovery+destruction combo
-          const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
-          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
-          if (hasDiscovery && hasDestruction) {
-            await blockSelfProtection('SOLONGATE: Script contains directory discovery + destructive ops — blocked');
-          }
-          // String construction + destructive = BLOCK
-          // Runtime string construction (fromCharCode, atob, Buffer.from) bypasses literal name checks
-          const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(scriptContent);
-          if (hasStringConstruction && hasDestruction) {
-            await blockSelfProtection('SOLONGATE: Script uses string construction + destructive ops — blocked');
-          }
-          // Import/require chain: if script imports other local files, scan them too
-          const scriptDir = absPath.replace(/[/\\][^/\\]+$/, '');
-          const imports = [...scriptContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
-          for (const [, importPath] of imports) {
-            try {
-              const importAbs = resolve(scriptDir, importPath);
-              const candidates = [importAbs, importAbs + '.mjs', importAbs + '.js', importAbs + '.cjs'];
-              for (const candidate of candidates) {
-                if (existsSync(candidate)) {
-                  const importContent = readFileSync(candidate, 'utf-8').toLowerCase();
-                  // Cross-module: check if imported module has discovery/destruction/string construction
-                  const importDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b/i.test(importContent);
-                  const importDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(importContent);
-                  const importStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(importContent);
-                  // Cross-module discovery in import + destruction in main (or vice versa)
-                  if ((importDisc && hasDestruction) || (hasDiscovery && importDest)) {
-                    await blockSelfProtection('SOLONGATE: Cross-module discovery+destruction detected — blocked');
-                  }
-                  if ((importStrCon && hasDestruction) || (hasStringConstruction && importDest)) {
-                    await blockSelfProtection('SOLONGATE: Cross-module string construction+destruction — blocked');
-                  }
-                  // Check imported module for protected paths
-                  for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-                    if (importContent.includes(p)) {
-                      await blockSelfProtection('SOLONGATE: Imported module references protected "' + p + '" — blocked');
-                    }
-                  }
-                  break;
-                }
-              }
-            } catch {}
-          }
-          // Check for protected path names in script content
-          for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-            if (scriptContent.includes(p)) {
-              await blockSelfProtection('SOLONGATE: Script references protected path "' + p + '" — blocked');
-            }
-          }
-        }
-      } catch {} // File read error — skip
-    }
-
-    // 7h. Write tool content scanning — detect discovery+destruction in file content being written
-    // Catches: Write tool creating a script that uses readdirSync('.') + rmSync
-    const toolName_ = data.tool_name || '';
-    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
-      const fileContent = (args.content || args.new_string || '').toLowerCase();
-      if (fileContent.length > 0) {
-        const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(fileContent);
-        const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b.*\brm\b|\bfs\.\s*(?:rm|unlink|rmdir)/.test(fileContent);
-        if (hasDiscovery && hasDestruction) {
-          await blockSelfProtection('SOLONGATE: File content contains discovery + destructive ops — write blocked');
-        }
-        // String construction + destructive = BLOCK
-        const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(fileContent);
-        if (hasStringConstruction && hasDestruction) {
-          await blockSelfProtection('SOLONGATE: File uses string construction + destructive ops — write blocked');
-        }
-      }
-    }
-
-    // 7i. Write tool — detect package.json scripts with dangerous patterns
-    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
-      const filePath = (args.file_path || '').toLowerCase();
-      if (filePath.endsWith('package.json')) {
-        const content = args.content || args.new_string || '';
-        try {
-          // Try parsing as JSON to check scripts
-          const pkg = JSON.parse(content);
-          const scripts = pkg.scripts || {};
-          for (const [key, val] of Object.entries(scripts)) {
-            if (typeof val !== 'string') continue;
-            const v = val.toLowerCase();
-            for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-              if (v.includes(p)) {
-                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" references protected "' + p + '" — blocked');
-              }
-            }
-            if (/fromcharcode|atob\s*\(|buffer\.from/i.test(v)) {
-              const hasDest = /\brmsync\b|\brm\b|\bunlink\b|\brimraf\b/i.test(v);
-              if (hasDest) {
-                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" has string construction + destruction — blocked');
-              }
-            }
-          }
-        } catch {} // Not valid JSON or parse error — skip
-      }
-    }
-
-    // ── Fetch PI config from Cloud ──
-    let piCfg = { piEnabled: true, piThreshold: 0.5, piMode: 'block', piWhitelist: [], piToolConfig: {}, piCustomPatterns: [], piWebhookUrl: null };
-    if (API_KEY && API_KEY.startsWith('sg_live_')) {
-      try {
-        const cfgRes = await fetch(API_URL + '/api/v1/project-config', {
-          headers: { 'Authorization': 'Bearer ' + API_KEY },
-          signal: AbortSignal.timeout(3000),
-        });
-        if (cfgRes.ok) {
-          const cfg = await cfgRes.json();
-          piCfg = { ...piCfg, ...cfg };
-        }
-      } catch {} // Fallback: defaults (safe)
-    }
-
-    // ── Per-tool config: check if PI scanning is disabled for this tool ──
-    const toolName = data.tool_name || '';
-    if (piCfg.piToolConfig && typeof piCfg.piToolConfig === 'object') {
-      if (piCfg.piToolConfig[toolName] === false) {
-        // PI scanning explicitly disabled for this tool — skip detection
-        piCfg.piEnabled = false;
-      }
-    }
-
-    // ── Prompt Injection Detection (Stage 1: Rules + Custom Patterns) ──
-    const allText = scanStrings(args).join(' ');
-
-    // Check whitelist — if input matches any whitelist pattern, skip PI detection
-    let whitelisted = false;
-    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piWhitelist) && piCfg.piWhitelist.length > 0) {
-      for (const wlPattern of piCfg.piWhitelist) {
-        try {
-          if (new RegExp(wlPattern, 'i').test(allText)) {
-            whitelisted = true;
-            break;
-          }
-        } catch {} // Invalid regex — skip
-      }
-    }
-
-    // Build custom patterns from config
-    const customCategories = [];
-    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piCustomPatterns)) {
-      for (const cp of piCfg.piCustomPatterns) {
-        if (cp && cp.pattern) {
-          try {
-            customCategories.push({
-              name: cp.name || 'custom_pattern',
-              weight: Math.max(0, Math.min(1, Number(cp.weight) || 0.8)),
-              patterns: [new RegExp(cp.pattern, 'iu')],
-            });
-          } catch {} // Invalid regex — skip
-        }
-      }
-    }
-
-    const piResult = (piCfg.piEnabled !== false && !whitelisted)
-      ? detectPromptInjection(allText, customCategories, piCfg.piThreshold)
-      : null;
-
-    if (piResult && piResult.blocked) {
-      const isLogOnly = piCfg.piMode === 'log-only';
-      const msg = isLogOnly
-        ? 'SOLONGATE: Prompt injection detected [LOG-ONLY] (trust score: ' +
-          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
-          piResult.categories.join(', ') + ')'
-        : 'SOLONGATE: Prompt injection detected (trust score: ' +
-          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
-          piResult.categories.join(', ') + ')';
-
-      // Log to Cloud
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: toolName,
-              arguments: args,
-              decision: isLogOnly ? 'ALLOW' : 'DENY',
-              reason: msg,
-              source: 'claude-code-guard',
-              pi_detected: true,
-              pi_trust_score: piResult.trustScore,
-              pi_blocked: !isLogOnly,
-              pi_categories: JSON.stringify(piResult.categories),
-              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
-
-        // Webhook notification
-        if (piCfg.piWebhookUrl) {
-          try {
-            await fetch(piCfg.piWebhookUrl, {
-              method: 'POST',
-              headers: { 'Content-Type': 'application/json' },
-              body: JSON.stringify({
-                event: 'prompt_injection_detected',
-                tool: toolName,
-                trustScore: piResult.trustScore,
-                categories: piResult.categories,
-                blocked: !isLogOnly,
-                mode: piCfg.piMode,
-                timestamp: new Date().toISOString(),
-              }),
-              signal: AbortSignal.timeout(3000),
-            });
-          } catch {} // Webhook failure is non-blocking
-        }
-      }
-
-      // In log-only mode, warn but don't block
-      if (isLogOnly) {
-        process.stderr.write(msg);
-        // Fall through to policy evaluation (don't exit)
-      } else {
-        process.stderr.write(msg);
-        process.exit(2);
-      }
-    }
-
-    // Load policy (use cwd from hook data if available)
-    const hookCwd = data.cwd || process.cwd();
-    let policy;
-    try {
-      const policyPath = resolve(hookCwd, 'policy.json');
-      policy = JSON.parse(readFileSync(policyPath, 'utf-8'));
-    } catch {
-      // No policy file — still log if PI was detected but not blocked
-      if (piResult && API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: toolName,
-              arguments: args,
-              decision: 'ALLOW',
-              reason: 'Prompt injection detected but below threshold (trust: ' + (piResult.trustScore * 100).toFixed(0) + '%)',
-              source: 'claude-code-guard',
-              pi_detected: true,
-              pi_trust_score: piResult.trustScore,
-              pi_blocked: false,
-              pi_categories: JSON.stringify(piResult.categories),
-              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
-      }
-      process.exit(0); // No policy = allow all
-    }
-
-    let reason = evaluate(policy, args);
-
-    // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
-    if (!reason) {
-      const GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
-      let aiJudgeEnabled = false;
-      let aiJudgeModel = 'llama-3.1-8b-instant';
-      let aiJudgeEndpoint = 'https://api.groq.com/openai';
-      let aiJudgeTimeout = 5000;
-
-      // Check cloud config for AI Judge settings
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          const cfgRes = await fetch(API_URL + '/api/v1/project-config/ai-judge', {
-            headers: { 'Authorization': 'Bearer ' + API_KEY },
-            signal: AbortSignal.timeout(3000),
-          });
-          if (cfgRes.ok) {
-            const cfg = await cfgRes.json();
-            aiJudgeEnabled = Boolean(cfg.enabled);
-            if (cfg.model) aiJudgeModel = cfg.model;
-            if (cfg.endpoint) aiJudgeEndpoint = cfg.endpoint;
-            if (cfg.timeoutMs) aiJudgeTimeout = cfg.timeoutMs;
-          }
-        } catch {}
-      }
-
-      if (aiJudgeEnabled && GROQ_KEY) {
-        try {
-          // Extract protected files/paths from policy
-          const protectedFiles = [];
-          const protectedPathsList = [];
-          if (policy && policy.rules) {
-            for (const rule of policy.rules) {
-              if (rule.effect === 'DENY' && rule.enabled !== false) {
-                if (rule.filenameConstraints && rule.filenameConstraints.denied) {
-                  for (const f of rule.filenameConstraints.denied) protectedFiles.push(f);
-                }
-                if (rule.pathConstraints && rule.pathConstraints.denied) {
-                  for (const p of rule.pathConstraints.denied) protectedPathsList.push(p);
-                }
-              }
-            }
-          }
-
-          const judgePayload = JSON.stringify({
-            tool: toolName,
-            arguments: args,
-            protected_files: protectedFiles,
-            protected_paths: protectedPathsList,
-            denied_actions: ['file deletion', 'data exfiltration', 'remote code execution', 'environment variable leak', 'security control bypass'],
-          });
-
-          const systemPrompt = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
-
-You will receive a JSON object with:
-- "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
-- "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
-- "denied_actions": list of actions that are never allowed
-
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
-
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) — check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
-
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
-
-ALLOW if:
-- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
-
-          const llmRes = await fetch(aiJudgeEndpoint + '/v1/chat/completions', {
-            method: 'POST',
-            headers: {
-              'Content-Type': 'application/json',
-              'Authorization': 'Bearer ' + GROQ_KEY,
-            },
-            body: JSON.stringify({
-              model: aiJudgeModel,
-              messages: [
-                { role: 'system', content: systemPrompt },
-                { role: 'user', content: judgePayload },
-              ],
-              temperature: 0,
-              max_tokens: 200,
-            }),
-            signal: AbortSignal.timeout(aiJudgeTimeout),
-          });
-
-          if (llmRes.ok) {
-            const llmData = await llmRes.json();
-            const content = llmData.choices?.[0]?.message?.content || '';
-            const jsonMatch = content.match(/\{[\s\S]*\}/);
-            if (jsonMatch) {
-              const verdict = JSON.parse(jsonMatch[0]);
-              if (verdict.decision === 'DENY') {
-                reason = '[AI Judge] ' + (verdict.reason || 'Blocked by semantic analysis');
-              }
-            }
-          } else {
-            // Fail-closed: LLM error → DENY
-            reason = '[AI Judge] LLM endpoint error (fail-closed)';
-          }
-        } catch (err) {
-          // Fail-closed: timeout or parse error → DENY
-          reason = '[AI Judge] ' + (err.message || 'error') + ' (fail-closed)';
-        }
-      }
-    }
-
-    const decision = reason ? 'DENY' : 'ALLOW';
-
-    // ── Log ALL decisions to SolonGate Cloud ──
-    if (API_KEY && API_KEY.startsWith('sg_live_')) {
-      try {
-        const logEntry = {
-          tool: toolName, arguments: args,
-          decision, reason: reason || 'allowed by policy',
-          source: 'claude-code-guard',
-        };
-        // Attach PI metadata if detected
-        if (piResult) {
-          logEntry.pi_detected = true;
-          logEntry.pi_trust_score = piResult.trustScore;
-          logEntry.pi_blocked = false;
-          logEntry.pi_categories = JSON.stringify(piResult.categories);
-          logEntry.pi_stage_scores = JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 });
-        }
-        await fetch(API_URL + '/api/v1/audit-logs', {
-          method: 'POST',
-          headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-          body: JSON.stringify(logEntry),
-          signal: AbortSignal.timeout(3000),
-        });
-      } catch {}
-    }
-
-    if (reason) {
-      process.stderr.write(reason);
-      process.exit(2);
-    }
-  } catch {}
-  process.exit(0);
-});
+#!/usr/bin/env node
+/**
+ * SolonGate Policy Guard Hook (PreToolUse)
+ * Reads policy.json and blocks tool calls that violate constraints.
+ * Also runs prompt injection detection (Stage 1 rules) on tool arguments.
+ * Exit code 2 = BLOCK, exit code 0 = ALLOW.
+ * Logs ALL decisions (ALLOW + DENY) to SolonGate Cloud.
+ * Auto-installed by: npx @solongate/proxy init
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+// ── Load API key from .env file (Claude Code doesn't load .env into process.env) ──
+function loadEnvKey(dir) {
+  try {
+    const envPath = resolve(dir, '.env');
+    if (!existsSync(envPath)) return {};
+    const lines = readFileSync(envPath, 'utf-8').split('\n');
+    const env = {};
+    for (const line of lines) {
+      const m = line.match(/^([A-Z_]+)=(.*)$/);
+      if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, '').trim();
+    }
+    return env;
+  } catch { return {}; }
+}
+
+const hookCwdEarly = process.cwd();
+const dotenv = loadEnvKey(hookCwdEarly);
+const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || '';
+const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || 'https://api.solongate.com';
+
+// ── Prompt Injection Detection (Stage 1: Rule-Based) ──
+const PI_CATEGORIES = [
+  {
+    name: 'delimiter_injection', weight: 0.95,
+    patterns: [
+      /<\/system>/i, /<\|im_end\|>/i, /<\|im_start\|>/i, /<\|endoftext\|>/i,
+      /\[INST\]/i, /\[\/INST\]/i, /<<SYS>>/i, /<<\/SYS>>/i,
+      /###\s*(Human|Assistant|System)\s*:/i, /<\|user\|>/i, /<\|assistant\|>/i,
+      /---\s*END\s*SYSTEM\s*PROMPT\s*---/i,
+    ],
+  },
+  {
+    name: 'instruction_override', weight: 0.9,
+    patterns: [
+      /\bignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|directives?)\b/i,
+      /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?|guidelines?)\b/i,
+      /\bforget\s+(all\s+|everything\s+)?(your|the|previous|prior|above|earlier)\b/i,
+      /\boverride\s+(the\s+)?(system|previous|current)\s+(prompt|instructions?|rules?|settings?)\b/i,
+      /\bdo\s+not\s+follow\s+(your|the|any)\s+(instructions?|rules?|guidelines?)\b/i,
+      /\bcancel\s+(all\s+)?(prior|previous)\s+(directives?|instructions?)\b/i,
+      /\bnew\s+instructions?\s+supersede\b/i,
+      /\byour\s+(previous\s+)?instructions?\s+are\s+(now\s+)?void\b/i,
+    ],
+  },
+  {
+    name: 'role_hijacking', weight: 0.85,
+    patterns: [
+      /\b(pretend|act|behave)\s+(you\s+are|as\s+if\s+you|like\s+you|to\s+be)\b/i,
+      /\byou\s+are\s+now\s+(a|an|the|my|DAN)\b/i,
+      /\bsimulate\s+being\b/i, /\bassume\s+the\s+role\s+of\b/i,
+      /\benter\s+(developer|admin|debug|god|sudo|unrestricted)\s+mode\b/i,
+      /\bswitch\s+to\s+(unrestricted|unfiltered)\s+mode\b/i,
+      /\byou\s+are\s+no\s+longer\s+bound\b/i,
+      /\bno\s+(safety\s+)?restrictions?\s+(apply|anymore|now)\b/i,
+    ],
+  },
+  {
+    name: 'jailbreak_keywords', weight: 0.8,
+    patterns: [
+      /\bjailbreak\b/i, /\bDAN\s+mode\b/i,
+      /\b(system\s+override|admin\s+mode|debug\s+mode|developer\s+mode|maintenance\s+mode)\b/i,
+      /\bmaster\s+key\b/i, /\bbackdoor\s+access\b/i,
+      /\bsudo\s+mode\b/i, /\bgod\s+mode\b/i,
+      /\bsafety\s+filters?\s+(off|disabled?|removed?)\b/i,
+    ],
+  },
+  {
+    name: 'encoding_evasion', weight: 0.75,
+    patterns: [
+      /\b(decode|translate)\s+(this|the\s+following)\s+(base64|rot13|hex)\b/i,
+      /\b(base64|rot13)\s*:\s*[A-Za-z0-9+/=]{10,}/i,
+      /\bexecute\s+the\s+(reverse|decoded)\b/i,
+      /\breverse\s+of\s*:\s*\w{10,}/i,
+    ],
+  },
+  {
+    name: 'separator_injection', weight: 0.7,
+    patterns: [
+      /[-=]{3,}\s*\n\s*(new\s+instructions?|system|instructions?)\s*:/i,
+      /```\s*\n\s*<\/?system>/i,
+      /\bEND\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b.*\bNEW\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b/is,
+    ],
+  },
+  {
+    name: 'multi_language', weight: 0.7,
+    patterns: [
+      /ignor(iere|a|e[zs]?)\s+(alle|todas?|toutes?|tüm|все)/iu,
+      /игнорируйте/iu, /yoksay/iu,
+      /vorherigen?\s+Anweisungen/iu, /instrucciones\s+anteriores/iu,
+      /instructions?\s+pr[eé]c[eé]dentes?/iu, /önceki\s+talimatlar/iu,
+    ],
+  },
+];
+
+function detectPromptInjection(text, customCategories = [], threshold = 0.5) {
+  const matched = [];
+  let maxWeight = 0;
+  const allCategories = [...PI_CATEGORIES, ...customCategories];
+  for (const cat of allCategories) {
+    for (const pat of cat.patterns) {
+      if (pat.test(text)) {
+        matched.push(cat.name);
+        if (cat.weight > maxWeight) maxWeight = cat.weight;
+        break;
+      }
+    }
+  }
+  if (matched.length === 0) return null;
+  const score = Math.min(1.0, maxWeight + 0.05 * (matched.length - 1));
+  const trustScore = 1.0 - score;
+  const blocked = Math.round(trustScore * 1000) < Math.round(threshold * 1000);
+  return { score, trustScore, categories: matched, blocked };
+}
+
+// ── Glob Matching ──
+function matchGlob(str, pattern) {
+  if (pattern === '*') return true;
+  const s = str.toLowerCase();
+  const p = pattern.toLowerCase();
+  if (s === p) return true;
+  const startsW = p.startsWith('*');
+  const endsW = p.endsWith('*');
+  if (startsW && endsW) { const infix = p.slice(1, -1); return infix.length > 0 && s.includes(infix); }
+  if (startsW) return s.endsWith(p.slice(1));
+  if (endsW) return s.startsWith(p.slice(0, -1));
+  const idx = p.indexOf('*');
+  if (idx !== -1) {
+    const pre = p.slice(0, idx);
+    const suf = p.slice(idx + 1);
+    return s.startsWith(pre) && s.endsWith(suf) && s.length >= pre.length + suf.length;
+  }
+  return false;
+}
+
+// ── Path Glob (supports **) ──
+function matchPathGlob(path, pattern) {
+  const p = path.replace(/\\/g, '/').toLowerCase();
+  const g = pattern.replace(/\\/g, '/').toLowerCase();
+  if (p === g) return true;
+  if (g.includes('**')) {
+    const parts = g.split('**').filter(s => s.length > 0);
+    if (parts.length === 0) return true;
+    return parts.every(segment => p.includes(segment));
+  }
+  return matchGlob(p, g);
+}
+
+// ── Extract Functions (deep scan all string values) ──
+function scanStrings(obj) {
+  const strings = [];
+  function walk(v) {
+    if (typeof v === 'string' && v.trim()) strings.push(v.trim());
+    else if (Array.isArray(v)) v.forEach(walk);
+    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
+  }
+  walk(obj);
+  return strings;
+}
+
+function looksLikeFilename(s) {
+  if (s.startsWith('.')) return true;
+  if (/\.\w+$/.test(s)) return true;
+  const known = ['id_rsa','id_dsa','id_ecdsa','id_ed25519','authorized_keys','known_hosts','makefile','dockerfile'];
+  return known.includes(s.toLowerCase());
+}
+
+function extractFilenames(args) {
+  const names = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\/\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\')) {
+      const base = s.replace(/\\/g, '/').split('/').pop();
+      if (base) names.add(base);
+      continue;
+    }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\s+/)) {
+        if (tok.includes('/') || tok.includes('\\')) {
+          const b = tok.replace(/\\/g, '/').split('/').pop();
+          if (b && looksLikeFilename(b)) names.add(b);
+        } else if (looksLikeFilename(tok)) names.add(tok);
+      }
+      continue;
+    }
+    if (looksLikeFilename(s)) names.add(s);
+  }
+  return [...names];
+}
+
+function extractUrls(args) {
+  const urls = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\/\//i.test(s)) { urls.add(s); continue; }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\s+/)) {
+        if (/^https?:\/\//i.test(tok)) urls.add(tok);
+      }
+    }
+  }
+  return [...urls];
+}
+
+function extractCommands(args) {
+  const cmds = [];
+  const fields = ['command', 'cmd', 'function', 'script', 'shell'];
+  if (typeof args === 'object' && args) {
+    for (const [k, v] of Object.entries(args)) {
+      if (fields.includes(k.toLowerCase()) && typeof v === 'string') {
+        for (const part of v.split(/\s*(?:&&|\|\||;|\|)\s*/)) {
+          const trimmed = part.trim();
+          if (trimmed) cmds.push(trimmed);
+        }
+      }
+    }
+  }
+  return cmds;
+}
+
+function extractPaths(args) {
+  const paths = [];
+  for (const s of scanStrings(args)) {
+    if (/^https?:\/\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\') || s.startsWith('.')) paths.push(s);
+  }
+  return paths;
+}
+
+// ── Policy Evaluation ──
+function evaluate(policy, args) {
+  if (!policy || !policy.rules) return null;
+  const denyRules = policy.rules
+    .filter(r => r.effect === 'DENY' && r.enabled !== false)
+    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
+
+  for (const rule of denyRules) {
+    if (rule.filenameConstraints && rule.filenameConstraints.denied) {
+      const filenames = extractFilenames(args);
+      for (const fn of filenames) {
+        for (const pat of rule.filenameConstraints.denied) {
+          if (matchGlob(fn, pat)) return 'Blocked by policy: filename "' + fn + '" matches "' + pat + '"';
+        }
+      }
+    }
+    if (rule.urlConstraints && rule.urlConstraints.denied) {
+      const urls = extractUrls(args);
+      for (const url of urls) {
+        for (const pat of rule.urlConstraints.denied) {
+          if (matchGlob(url, pat)) return 'Blocked by policy: URL "' + url + '" matches "' + pat + '"';
+        }
+      }
+    }
+    if (rule.commandConstraints && rule.commandConstraints.denied) {
+      const cmds = extractCommands(args);
+      for (const cmd of cmds) {
+        for (const pat of rule.commandConstraints.denied) {
+          if (matchGlob(cmd, pat)) return 'Blocked by policy: command "' + cmd.slice(0,60) + '" matches "' + pat + '"';
+        }
+      }
+    }
+    if (rule.pathConstraints && rule.pathConstraints.denied) {
+      const paths = extractPaths(args);
+      for (const p of paths) {
+        for (const pat of rule.pathConstraints.denied) {
+          if (matchPathGlob(p, pat)) return 'Blocked by policy: path "' + p + '" matches "' + pat + '"';
+        }
+      }
+    }
+  }
+  return null;
+}
+
+// ── Main ──
+let input = '';
+process.stdin.on('data', c => input += c);
+process.stdin.on('end', async () => {
+  try {
+    const data = JSON.parse(input);
+    const args = data.tool_input || {};
+
+    // ── Self-protection: block access to hook files and settings ──
+    // Hardcoded, no bypass possible — runs before policy/PI config
+    // Fully protected: block ALL access (read, write, delete, move)
+    const protectedPaths = [
+      '.solongate', '.claude', '.cursor', '.gemini', '.antigravity', '.openclaw', '.perplexity',
+      'policy.json', '.mcp.json',
+    ];
+    // Write-protected: block write/delete/modify, allow read (cat, grep, head, etc.)
+    const writeProtectedPaths = ['.env', '.gitignore'];
+
+    // Block helper — logs to cloud + exits with code 2
+    async function blockSelfProtection(reason) {
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: data.tool_name || '', arguments: args,
+              decision: 'DENY', reason,
+              source: 'claude-code-guard',
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
+      process.stderr.write(reason);
+      process.exit(2);
+    }
+
+    // ── Normalization layers ──
+
+    // 1. Decode ANSI-C quoting: $'\x72' → r, $'\162' → r, $'\n' → newline
+    function decodeAnsiC(s) {
+      return s.replace(/\$'([^']*)'/g, (_, content) => {
+        return content
+          .replace(/\\x([0-9a-fA-F]{2})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\([0-7]{1,3})/g, (__, oct) => String.fromCharCode(parseInt(oct, 8)))
+          .replace(/\\u([0-9a-fA-F]{4})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\r/g, '\r')
+          .replace(/\\(.)/g, '$1');
+      });
+    }
+
+    // 2. Strip all shell quoting: empty quotes, single, double, backslash escapes
+    function stripShellQuotes(s) {
+      let r = s;
+      r = r.replace(/""/g, '');    // empty double quotes
+      r = r.replace(/''/g, '');    // empty single quotes
+      r = r.replace(/\\(.)/g, '$1'); // backslash escapes
+      r = r.replace(/'/g, '');     // remaining single quotes
+      r = r.replace(/"/g, '');     // remaining double quotes
+      return r;
+    }
+
+    // 3. Full normalization pipeline
+    function normalizeShell(s) {
+      return stripShellQuotes(decodeAnsiC(s));
+    }
+
+    // 4. Extract inner commands from eval, bash -c, sh -c, pipe to bash/sh, heredoc, process substitution
+    function extractInnerCommands(s) {
+      const inner = [];
+      // eval "cmd" or eval 'cmd' or eval cmd
+      for (const m of s.matchAll(/\beval\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      for (const m of s.matchAll(/\beval\s+([^;"'|&]+)/gi)) inner.push(m[1]);
+      // bash -c "cmd" or sh -c "cmd"
+      for (const m of s.matchAll(/\b(?:bash|sh)\s+-c\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      // echo "cmd" | bash/sh or printf "cmd" | bash/sh
+      for (const m of s.matchAll(/(?:echo|printf)\s+["']([^"']+)["']\s*\|\s*(?:bash|sh)\b/gi)) inner.push(m[1]);
+      // find ... -name "pattern" ... -exec ...
+      for (const m of s.matchAll(/-name\s+["']?([^\s"']+)["']?/gi)) inner.push(m[1]);
+      // Heredoc: bash << 'EOF'\n...\nEOF or bash <<- EOF\n...\nEOF
+      for (const m of s.matchAll(/<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1/gi)) inner.push(m[2]);
+      // Herestring: bash <<< "cmd"
+      for (const m of s.matchAll(/<<<\s*["']([^"']+)["']/gi)) inner.push(m[1]);
+      for (const m of s.matchAll(/<<<\s*([^\s;&|]+)/gi)) inner.push(m[1]);
+      // Process substitution: <(cmd) or >(cmd)
+      for (const m of s.matchAll(/[<>]\(\s*([^)]+)\s*\)/gi)) inner.push(m[1]);
+      return inner;
+    }
+
+    // 5. Check variable assignments for protected path fragments
+    // e.g. X=".solon" && rm -rf ${X}gate → detects ".solon" as prefix of ".solongate"
+    function checkVarAssignments(s) {
+      const assignments = [...s.matchAll(/(\w+)=["']?([^"'\s&|;]+)["']?/g)];
+      for (const [, , value] of assignments) {
+        const v = value.toLowerCase();
+        if (v.length < 3) continue; // avoid false positives
+        for (const p of protectedPaths) {
+          if (p.startsWith(v) || p.includes(v)) return p;
+        }
+      }
+      return null;
+    }
+
+    // 6. Check if a glob/wildcard could match any protected path
+    function globMatchesProtected(s) {
+      const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
+      if (!hasWild) return null;
+      const segments = s.split('/').filter(Boolean);
+      const candidates = [s, ...segments];
+      for (const candidate of candidates) {
+        const candHasWild = candidate.includes('*') || candidate.includes('?') || /\[.+\]/.test(candidate);
+        if (!candHasWild) continue;
+        // Prefix match: ".antig*" → prefix ".antig"
+        const firstWild = Math.min(
+          candidate.includes('*') ? candidate.indexOf('*') : Infinity,
+          candidate.includes('?') ? candidate.indexOf('?') : Infinity,
+          /\[/.test(candidate) ? candidate.indexOf('[') : Infinity,
+        );
+        const prefix = candidate.slice(0, firstWild).toLowerCase();
+        if (prefix.length > 0) {
+          for (const p of protectedPaths) {
+            if (p.startsWith(prefix)) return p;
+          }
+        }
+        // Regex match — convert shell glob to regex
+        // Handles *, ?, and [...] character classes
+        try {
+          let regex = '';
+          let i = 0;
+          const c = candidate.toLowerCase();
+          while (i < c.length) {
+            if (c[i] === '*') { regex += '.*'; i++; }
+            else if (c[i] === '?') { regex += '.'; i++; }
+            else if (c[i] === '[') {
+              // Pass through [...] as regex character class
+              const close = c.indexOf(']', i + 1);
+              if (close !== -1) {
+                regex += c.slice(i, close + 1);
+                i = close + 1;
+              } else {
+                regex += '\\['; i++;
+              }
+            }
+            else {
+              regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&');
+              i++;
+            }
+          }
+          const re = new RegExp('^' + regex + '$', 'i');
+          for (const p of protectedPaths) {
+            if (re.test(p)) return p;
+          }
+        } catch {}
+      }
+      return null;
+    }
+
+    // ── Build all candidate strings from tool input ──
+    const rawStrings = scanStrings(args).map(s => s.replace(/\\/g, '/').toLowerCase());
+    const allStrings = new Set();
+
+    for (const s of rawStrings) {
+      // Raw string
+      allStrings.add(s);
+      // Normalized (ANSI-C decoded, quotes stripped)
+      const norm = normalizeShell(s);
+      allStrings.add(norm);
+      // Extract inner commands (eval, bash -c, pipe to bash, find -name)
+      for (const inner of extractInnerCommands(s)) {
+        allStrings.add(inner.toLowerCase());
+        allStrings.add(normalizeShell(inner.toLowerCase()));
+      }
+      // Split by spaces + shell operators for token-level checks
+      for (const tok of s.split(/[\s;&|]+/)) {
+        if (tok) {
+          allStrings.add(tok);
+          allStrings.add(normalizeShell(tok));
+        }
+      }
+      // Also split normalized version
+      for (const tok of norm.split(/[\s;&|]+/)) {
+        if (tok) allStrings.add(tok);
+      }
+    }
+
+    // ── Check all candidates ──
+    for (const s of allStrings) {
+      // Direct match
+      for (const p of protectedPaths) {
+        if (s.includes(p)) {
+          await blockSelfProtection('SOLONGATE: Access to protected path "' + p + '" is blocked');
+        }
+      }
+      // Wildcard/glob match
+      const globHit = globMatchesProtected(s);
+      if (globHit) {
+        await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches protected "' + globHit + '" — blocked');
+      }
+      // Variable assignment targeting protected paths
+      const varHit = checkVarAssignments(s);
+      if (varHit) {
+        await blockSelfProtection('SOLONGATE: Variable assignment targets protected "' + varHit + '" — blocked');
+      }
+    }
+
+    // ── Write-protection for .env, .gitignore ──
+    // These files can be READ but not written/deleted/moved
+    const toolNameLower = (data.tool_name || '').toLowerCase();
+    const isWriteTool = toolNameLower === 'write' || toolNameLower === 'edit' || toolNameLower === 'notebookedit';
+    const isBashTool = toolNameLower === 'bash';
+    const bashDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|cp|chmod|chown|truncate|shred)\b/i;
+    const fullCmd = rawStrings.join(' ');
+
+    for (const wp of writeProtectedPaths) {
+      if (isWriteTool) {
+        // Check file_path and all strings for write-protected paths
+        for (const s of allStrings) {
+          if (s.includes(wp)) {
+            await blockSelfProtection('SOLONGATE: Write to protected file "' + wp + '" is blocked');
+          }
+        }
+      }
+      if (isBashTool && bashDestructive.test(fullCmd)) {
+        for (const s of allStrings) {
+          if (s.includes(wp)) {
+            await blockSelfProtection('SOLONGATE: Destructive operation on "' + wp + '" is blocked');
+          }
+        }
+      }
+    }
+
+    // Also apply glob/wildcard checks for write-protected paths in destructive contexts
+    if (isBashTool && bashDestructive.test(fullCmd)) {
+      for (const s of allStrings) {
+        const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
+        if (!hasWild) continue;
+        // Convert glob to regex and test against write-protected paths
+        try {
+          let regex = '';
+          let i = 0;
+          const c = s.toLowerCase();
+          while (i < c.length) {
+            if (c[i] === '*') { regex += '.*'; i++; }
+            else if (c[i] === '?') { regex += '.'; i++; }
+            else if (c[i] === '[') {
+              const close = c.indexOf(']', i + 1);
+              if (close !== -1) { regex += c.slice(i, close + 1); i = close + 1; }
+              else { regex += '\\['; i++; }
+            }
+            else { regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&'); i++; }
+          }
+          const re = new RegExp('^' + regex + '$', 'i');
+          for (const wp of writeProtectedPaths) {
+            if (re.test(wp)) {
+              await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches write-protected "' + wp + '" — blocked');
+            }
+          }
+        } catch {}
+      }
+    }
+
+    // ── Layer 7: Block ALL inline code execution & dangerous patterns ──
+    // Runtime string construction (atob, Buffer.from, fromCharCode, array.join)
+    // makes static analysis impossible. Blanket-block these patterns.
+
+    // 7-pre. Blanket rule: destructive command + dot-prefixed glob = BLOCK
+    // Catches: rm -rf .[a-z]*, mv .[!.]* /tmp, etc.
+    // Any glob starting with "." combined with a destructive op is dangerous
+    const destructiveOps = /\b(?:rm|rmdir|del|unlink|mv|move|rename)\b/i;
+    const dotGlob = /\.\[|\.[\*\?]|\.{[^}]+}/; // .[a-z]*, .*, .?, .{foo,bar}
+    if (destructiveOps.test(fullCmd) && dotGlob.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Destructive command + dot-glob pattern — blocked');
+    }
+
+    // 7-pre2. Heredoc to interpreter — BLOCK
+    // bash << 'EOF' / bash <<< "cmd" / sh << TAG
+    if (/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+<</i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Heredoc to interpreter — blocked');
+    }
+
+    // 7-pre3. Command substitution + destructive = BLOCK
+    // Catches: rm -rf $(node scan.mjs), rm `node scan.mjs`, rm $(bash scan.sh)
+    // Pattern: destructive command + $() or `` containing interpreter call
+    const hasDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|shred)\b/i.test(fullCmd);
+    const hasCmdSubInterpreter = /\$\(\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd)
+      || /`\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd);
+    if (hasDestructive && hasCmdSubInterpreter) {
+      await blockSelfProtection('SOLONGATE: Command substitution + destructive op — blocked');
+    }
+
+    // 7-pre4. Pipe from interpreter to destructive loop = BLOCK
+    // Catches: node scan.mjs | while read d; do rm -rf "$d"; done
+    //          node scan.mjs | xargs rm -rf
+    //          bash scan.sh | while read ...
+    const pipeFromInterpreter = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\s*\|/i;
+    if (pipeFromInterpreter.test(fullCmd) && hasDestructive) {
+      await blockSelfProtection('SOLONGATE: Pipe from script to destructive command — blocked');
+    }
+
+    // 7-pre5. Script chaining: interpreter + destructive in same command chain
+    // Catches: node scan.mjs && rm -rf $(cat /tmp/targets.txt)
+    //          bash scan.sh; while read d < targets.txt; do rm -rf "$d"; done
+    const hasScriptExec = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\.\S+/i.test(fullCmd);
+    if (hasScriptExec && hasDestructive) {
+      await blockSelfProtection('SOLONGATE: Script execution + destructive command in chain — blocked');
+    }
+
+    // 7-pre6. Nested script substitution: node clean.mjs $(node scan.mjs)
+    // Two "harmless" scripts chained via command substitution — no rm in the command itself
+    const nestedScriptSub = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*\$\(\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
+    const backtickNestedScript = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*`\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
+    if (nestedScriptSub.test(fullCmd) || backtickNestedScript.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Nested script substitution — blocked (script output as args to another script)');
+    }
+
+    // 7-pre7. NODE_OPTIONS injection — block commands with NODE_OPTIONS env var
+    // NODE_OPTIONS="--require malicious.cjs" can inject code into any node process
+    if (/\bNODE_OPTIONS\s*=/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: NODE_OPTIONS injection — blocked');
+    }
+
+    // 7-pre8. npm lifecycle scripts — scan package.json before npm install/run
+    // npm install can trigger postinstall/preinstall/prepare scripts
+    if (/\bnpm\s+(?:install|i|ci|run|start|test|publish|pack)\b/i.test(fullCmd) || /\bnpx\s+/i.test(fullCmd)) {
+      try {
+        const hookCwdForNpm = data.cwd || process.cwd();
+        const pkgPath = resolve(hookCwdForNpm, 'package.json');
+        if (existsSync(pkgPath)) {
+          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+          const scripts = pkg.scripts || {};
+          const lifecycleKeys = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack'];
+          const allScripts = Object.entries(scripts);
+          for (const [key, val] of allScripts) {
+            if (typeof val !== 'string') continue;
+            const scriptLower = val.toLowerCase();
+            // Check lifecycle scripts for dangerous patterns
+            const isLifecycle = lifecycleKeys.includes(key);
+            const isExplicitRun = fullCmd.includes(key); // npm run <key>
+            if (isLifecycle || isExplicitRun) {
+              // Check for protected path names
+              for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+                if (scriptLower.includes(p)) {
+                  await blockSelfProtection('SOLONGATE: npm script "' + key + '" references protected "' + p + '" — blocked');
+                }
+              }
+              // Check for string construction patterns
+              if (/fromcharcode|atob\s*\(|buffer\.from|\\x[0-9a-f]{2}/i.test(scriptLower)) {
+                await blockSelfProtection('SOLONGATE: npm script "' + key + '" contains string construction — blocked');
+              }
+              // Check for discovery+destruction combo
+              const hasDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob\b|\bls\s+-[adl]/i.test(scriptLower);
+              const hasDest = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b/i.test(scriptLower);
+              if (hasDisc && hasDest) {
+                await blockSelfProtection('SOLONGATE: npm script "' + key + '" has discovery+destruction — blocked');
+              }
+              // Follow node/bash <file> references in npm scripts — deep scan the target file
+              const scriptFileMatch = scriptLower.match(/\b(?:node|bash|sh|python[23]?)\s+([^\s;&|$]+)/i);
+              if (scriptFileMatch) {
+                try {
+                  const targetPath = resolve(hookCwdForNpm, scriptFileMatch[1]);
+                  if (existsSync(targetPath)) {
+                    const targetContent = readFileSync(targetPath, 'utf-8').toLowerCase();
+                    // Check target file for protected paths
+                    for (const pp of [...protectedPaths, ...writeProtectedPaths]) {
+                      if (targetContent.includes(pp)) {
+                        await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file referencing "' + pp + '" — blocked');
+                      }
+                    }
+                    // Check target for discovery+destruction
+                    const tDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(targetContent);
+                    const tDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(targetContent);
+                    if (tDisc && tDest) {
+                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with discovery+destruction — blocked');
+                    }
+                    // Check target for string construction + destruction
+                    const tStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(targetContent);
+                    if (tStrCon && tDest) {
+                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with string construction+destruction — blocked');
+                    }
+                    // Follow imports in the target file
+                    const tDir = targetPath.replace(/[/\\][^/\\]+$/, '');
+                    const tImports = [...targetContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
+                    for (const [, imp] of tImports) {
+                      try {
+                        const impAbs = resolve(tDir, imp);
+                        const candidates = [impAbs, impAbs + '.mjs', impAbs + '.js', impAbs + '.cjs'];
+                        for (const c of candidates) {
+                          if (existsSync(c)) {
+                            const impContent = readFileSync(c, 'utf-8').toLowerCase();
+                            const iDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(impContent);
+                            const iDest = /\brmsync\b|\bunlinksync\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(impContent);
+                            if ((iDisc && tDest) || (tDisc && iDest)) {
+                              await blockSelfProtection('SOLONGATE: npm script "' + key + '" — cross-module discovery+destruction — blocked');
+                            }
+                            break;
+                          }
+                        }
+                      } catch {}
+                    }
+                  }
+                } catch {}
+              }
+            }
+          }
+        }
+      } catch {} // Package.json read error — skip
+    }
+
+    // 7a. Inline interpreter execution — TOTAL BLOCK (no content scan needed)
+    // These can construct ANY string at runtime, bypassing all static analysis
+    const blockedInterpreters = [
+      [/\bnode\s+(?:-e|--eval)\b/i, 'node -e/--eval'],
+      [/\bnode\s+-p\b/i, 'node -p'],
+      [/\bpython[23]?\s+-c\b/i, 'python -c'],
+      [/\bperl\s+-e\b/i, 'perl -e'],
+      [/\bruby\s+-e\b/i, 'ruby -e'],
+      [/\bpowershell(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'powershell -EncodedCommand'],
+      [/\bpwsh(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'pwsh -EncodedCommand'],
+      [/\bpowershell(?:\.exe)?\s+-c(?:ommand)?\b/i, 'powershell -Command'],
+      [/\bpwsh(?:\.exe)?\s+-c(?:ommand)?\b/i, 'pwsh -Command'],
+    ];
+    for (const [pat, name] of blockedInterpreters) {
+      if (pat.test(fullCmd)) {
+        await blockSelfProtection('SOLONGATE: Inline code execution blocked (' + name + ')');
+      }
+    }
+
+    // 7b. Pipe-to-interpreter — TOTAL BLOCK
+    // Any content piped to an interpreter can construct arbitrary commands at runtime
+    // Also catches: | xargs node, | xargs bash, etc.
+    const pipeToInterpreter = /\|\s*(?:xargs\s+)?(?:node|bash|sh|python[23]?|perl|ruby|php)\b/i;
+    if (pipeToInterpreter.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Pipe to interpreter blocked — runtime bypass risk');
+    }
+
+    // 7c. Base64 decode in ANY context — block when piped to anything
+    if (/\bbase64\s+(?:-d|--decode)\b/i.test(fullCmd) && /\|/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: base64 decode in pipe chain — blocked');
+    }
+
+    // 7d. Temp/arbitrary script file execution
+    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/|\/dev\/)/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Script execution from temp path — blocked');
+    }
+
+    // 7e. xargs with destructive operations
+    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink|del)\b/i.test(fullCmd)) {
+      for (const p of protectedPaths) {
+        if (fullCmd.includes(p.slice(0, 4))) {
+          await blockSelfProtection('SOLONGATE: xargs with destructive op near "' + p + '" — blocked');
+        }
+      }
+    }
+
+    // 7f. cmd.exe /c with encoded/constructed commands
+    if (/\bcmd(?:\.exe)?\s+\/c\b/i.test(fullCmd)) {
+      for (const p of protectedPaths) {
+        if (fullCmd.includes(p) || fullCmd.includes(p.slice(0, 4))) {
+          await blockSelfProtection('SOLONGATE: cmd.exe /c near protected path — blocked');
+        }
+      }
+    }
+
+    // 7g. Script file execution — scan file content for discovery+destruction combo
+    // Catches: bash script.sh / node script.mjs where the script uses readdirSync + rmSync
+    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|$`]+)/i);
+    if (scriptExecMatch) {
+      const scriptPath = scriptExecMatch[1];
+      try {
+        const hookCwdForScript = data.cwd || process.cwd();
+        const absPath = scriptPath.startsWith('/') || scriptPath.includes(':')
+          ? scriptPath
+          : resolve(hookCwdForScript, scriptPath);
+        if (existsSync(absPath)) {
+          const scriptContent = readFileSync(absPath, 'utf-8').toLowerCase();
+          // Check for discovery+destruction combo
+          const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
+          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
+          if (hasDiscovery && hasDestruction) {
+            await blockSelfProtection('SOLONGATE: Script contains directory discovery + destructive ops — blocked');
+          }
+          // String construction + destructive = BLOCK
+          // Runtime string construction (fromCharCode, atob, Buffer.from) bypasses literal name checks
+          const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(scriptContent);
+          if (hasStringConstruction && hasDestruction) {
+            await blockSelfProtection('SOLONGATE: Script uses string construction + destructive ops — blocked');
+          }
+          // Import/require chain: if script imports other local files, scan them too
+          const scriptDir = absPath.replace(/[/\\][^/\\]+$/, '');
+          const imports = [...scriptContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
+          for (const [, importPath] of imports) {
+            try {
+              const importAbs = resolve(scriptDir, importPath);
+              const candidates = [importAbs, importAbs + '.mjs', importAbs + '.js', importAbs + '.cjs'];
+              for (const candidate of candidates) {
+                if (existsSync(candidate)) {
+                  const importContent = readFileSync(candidate, 'utf-8').toLowerCase();
+                  // Cross-module: check if imported module has discovery/destruction/string construction
+                  const importDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b/i.test(importContent);
+                  const importDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(importContent);
+                  const importStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(importContent);
+                  // Cross-module discovery in import + destruction in main (or vice versa)
+                  if ((importDisc && hasDestruction) || (hasDiscovery && importDest)) {
+                    await blockSelfProtection('SOLONGATE: Cross-module discovery+destruction detected — blocked');
+                  }
+                  if ((importStrCon && hasDestruction) || (hasStringConstruction && importDest)) {
+                    await blockSelfProtection('SOLONGATE: Cross-module string construction+destruction — blocked');
+                  }
+                  // Check imported module for protected paths
+                  for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+                    if (importContent.includes(p)) {
+                      await blockSelfProtection('SOLONGATE: Imported module references protected "' + p + '" — blocked');
+                    }
+                  }
+                  break;
+                }
+              }
+            } catch {}
+          }
+          // Check for protected path names in script content
+          for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+            if (scriptContent.includes(p)) {
+              await blockSelfProtection('SOLONGATE: Script references protected path "' + p + '" — blocked');
+            }
+          }
+        }
+      } catch {} // File read error — skip
+    }
+
+    // 7h. Write tool content scanning — detect discovery+destruction in file content being written
+    // Catches: Write tool creating a script that uses readdirSync('.') + rmSync
+    const toolName_ = data.tool_name || '';
+    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
+      const fileContent = (args.content || args.new_string || '').toLowerCase();
+      if (fileContent.length > 0) {
+        const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(fileContent);
+        const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b.*\brm\b|\bfs\.\s*(?:rm|unlink|rmdir)/.test(fileContent);
+        if (hasDiscovery && hasDestruction) {
+          await blockSelfProtection('SOLONGATE: File content contains discovery + destructive ops — write blocked');
+        }
+        // String construction + destructive = BLOCK
+        const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(fileContent);
+        if (hasStringConstruction && hasDestruction) {
+          await blockSelfProtection('SOLONGATE: File uses string construction + destructive ops — write blocked');
+        }
+      }
+    }
+
+    // 7i. Write tool — detect package.json scripts with dangerous patterns
+    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
+      const filePath = (args.file_path || '').toLowerCase();
+      if (filePath.endsWith('package.json')) {
+        const content = args.content || args.new_string || '';
+        try {
+          // Try parsing as JSON to check scripts
+          const pkg = JSON.parse(content);
+          const scripts = pkg.scripts || {};
+          for (const [key, val] of Object.entries(scripts)) {
+            if (typeof val !== 'string') continue;
+            const v = val.toLowerCase();
+            for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+              if (v.includes(p)) {
+                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" references protected "' + p + '" — blocked');
+              }
+            }
+            if (/fromcharcode|atob\s*\(|buffer\.from/i.test(v)) {
+              const hasDest = /\brmsync\b|\brm\b|\bunlink\b|\brimraf\b/i.test(v);
+              if (hasDest) {
+                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" has string construction + destruction — blocked');
+              }
+            }
+          }
+        } catch {} // Not valid JSON or parse error — skip
+      }
+    }
+
+    // ── Fetch PI config from Cloud ──
+    let piCfg = { piEnabled: true, piThreshold: 0.5, piMode: 'block', piWhitelist: [], piToolConfig: {}, piCustomPatterns: [], piWebhookUrl: null };
+    if (API_KEY && API_KEY.startsWith('sg_live_')) {
+      try {
+        const cfgRes = await fetch(API_URL + '/api/v1/project-config', {
+          headers: { 'Authorization': 'Bearer ' + API_KEY },
+          signal: AbortSignal.timeout(3000),
+        });
+        if (cfgRes.ok) {
+          const cfg = await cfgRes.json();
+          piCfg = { ...piCfg, ...cfg };
+        }
+      } catch {} // Fallback: defaults (safe)
+    }
+
+    // ── Per-tool config: check if PI scanning is disabled for this tool ──
+    const toolName = data.tool_name || '';
+    if (piCfg.piToolConfig && typeof piCfg.piToolConfig === 'object') {
+      if (piCfg.piToolConfig[toolName] === false) {
+        // PI scanning explicitly disabled for this tool — skip detection
+        piCfg.piEnabled = false;
+      }
+    }
+
+    // ── Prompt Injection Detection (Stage 1: Rules + Custom Patterns) ──
+    const allText = scanStrings(args).join(' ');
+
+    // Check whitelist — if input matches any whitelist pattern, skip PI detection
+    let whitelisted = false;
+    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piWhitelist) && piCfg.piWhitelist.length > 0) {
+      for (const wlPattern of piCfg.piWhitelist) {
+        try {
+          if (new RegExp(wlPattern, 'i').test(allText)) {
+            whitelisted = true;
+            break;
+          }
+        } catch {} // Invalid regex — skip
+      }
+    }
+
+    // Build custom patterns from config
+    const customCategories = [];
+    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piCustomPatterns)) {
+      for (const cp of piCfg.piCustomPatterns) {
+        if (cp && cp.pattern) {
+          try {
+            customCategories.push({
+              name: cp.name || 'custom_pattern',
+              weight: Math.max(0, Math.min(1, Number(cp.weight) || 0.8)),
+              patterns: [new RegExp(cp.pattern, 'iu')],
+            });
+          } catch {} // Invalid regex — skip
+        }
+      }
+    }
+
+    const piResult = (piCfg.piEnabled !== false && !whitelisted)
+      ? detectPromptInjection(allText, customCategories, piCfg.piThreshold)
+      : null;
+
+    if (piResult && piResult.blocked) {
+      const isLogOnly = piCfg.piMode === 'log-only';
+      const msg = isLogOnly
+        ? 'SOLONGATE: Prompt injection detected [LOG-ONLY] (trust score: ' +
+          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
+          piResult.categories.join(', ') + ')'
+        : 'SOLONGATE: Prompt injection detected (trust score: ' +
+          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
+          piResult.categories.join(', ') + ')';
+
+      // Log to Cloud
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: toolName,
+              arguments: args,
+              decision: isLogOnly ? 'ALLOW' : 'DENY',
+              reason: msg,
+              source: 'claude-code-guard',
+              pi_detected: true,
+              pi_trust_score: piResult.trustScore,
+              pi_blocked: !isLogOnly,
+              pi_categories: JSON.stringify(piResult.categories),
+              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+
+        // Webhook notification
+        if (piCfg.piWebhookUrl) {
+          try {
+            await fetch(piCfg.piWebhookUrl, {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({
+                event: 'prompt_injection_detected',
+                tool: toolName,
+                trustScore: piResult.trustScore,
+                categories: piResult.categories,
+                blocked: !isLogOnly,
+                mode: piCfg.piMode,
+                timestamp: new Date().toISOString(),
+              }),
+              signal: AbortSignal.timeout(3000),
+            });
+          } catch {} // Webhook failure is non-blocking
+        }
+      }
+
+      // In log-only mode, warn but don't block
+      if (isLogOnly) {
+        process.stderr.write(msg);
+        // Fall through to policy evaluation (don't exit)
+      } else {
+        process.stderr.write(msg);
+        process.exit(2);
+      }
+    }
+
+    // Load policy (use cwd from hook data if available)
+    const hookCwd = data.cwd || process.cwd();
+    let policy;
+    try {
+      const policyPath = resolve(hookCwd, 'policy.json');
+      policy = JSON.parse(readFileSync(policyPath, 'utf-8'));
+    } catch {
+      // No policy file — still log if PI was detected but not blocked
+      if (piResult && API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: toolName,
+              arguments: args,
+              decision: 'ALLOW',
+              reason: 'Prompt injection detected but below threshold (trust: ' + (piResult.trustScore * 100).toFixed(0) + '%)',
+              source: 'claude-code-guard',
+              pi_detected: true,
+              pi_trust_score: piResult.trustScore,
+              pi_blocked: false,
+              pi_categories: JSON.stringify(piResult.categories),
+              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
+      process.exit(0); // No policy = allow all
+    }
+
+    let reason = evaluate(policy, args);
+
+    // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
+    if (!reason) {
+      const GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      let aiJudgeEnabled = false;
+      let aiJudgeModel = 'llama-3.1-8b-instant';
+      let aiJudgeEndpoint = 'https://api.groq.com/openai';
+      let aiJudgeTimeout = 5000;
+
+      // Check cloud config for AI Judge settings
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          const cfgRes = await fetch(API_URL + '/api/v1/project-config/ai-judge', {
+            headers: { 'Authorization': 'Bearer ' + API_KEY },
+            signal: AbortSignal.timeout(3000),
+          });
+          if (cfgRes.ok) {
+            const cfg = await cfgRes.json();
+            aiJudgeEnabled = Boolean(cfg.enabled);
+            if (cfg.model) aiJudgeModel = cfg.model;
+            if (cfg.endpoint) aiJudgeEndpoint = cfg.endpoint;
+            if (cfg.timeoutMs) aiJudgeTimeout = cfg.timeoutMs;
+          }
+        } catch {}
+      }
+
+      if (aiJudgeEnabled && GROQ_KEY) {
+        try {
+          // Extract protected files/paths from policy
+          const protectedFiles = [];
+          const protectedPathsList = [];
+          if (policy && policy.rules) {
+            for (const rule of policy.rules) {
+              if (rule.effect === 'DENY' && rule.enabled !== false) {
+                if (rule.filenameConstraints && rule.filenameConstraints.denied) {
+                  for (const f of rule.filenameConstraints.denied) protectedFiles.push(f);
+                }
+                if (rule.pathConstraints && rule.pathConstraints.denied) {
+                  for (const p of rule.pathConstraints.denied) protectedPathsList.push(p);
+                }
+              }
+            }
+          }
+
+          const judgePayload = JSON.stringify({
+            tool: toolName,
+            arguments: args,
+            protected_files: protectedFiles,
+            protected_paths: protectedPathsList,
+            denied_actions: ['file deletion', 'data exfiltration', 'remote code execution', 'environment variable leak', 'security control bypass'],
+          });
+
+          const systemPrompt = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+
+You will receive a JSON object with:
+- "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
+- "arguments": the tool's arguments
+- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
+- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
+- "denied_actions": list of actions that are never allowed
+
+IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+
+DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
+- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
+- Command substitution ($(...), backticks)
+- Process substitution (<(cat file)) — check inside <(...) for protected files
+- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
+- Input redirection (< file)
+- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
+- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+
+Also DENY if:
+- The command sends data to external URLs (curl -d, wget --post)
+- The command leaks environment variables (printenv, env, process.env)
+- The command executes remotely downloaded code (curl|bash)
+
+ALLOW if:
+- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
+- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
+- The action does not touch any protected file or path
+
+CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
+
+Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
+
+          const llmRes = await fetch(aiJudgeEndpoint + '/v1/chat/completions', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'Authorization': 'Bearer ' + GROQ_KEY,
+            },
+            body: JSON.stringify({
+              model: aiJudgeModel,
+              messages: [
+                { role: 'system', content: systemPrompt },
+                { role: 'user', content: judgePayload },
+              ],
+              temperature: 0,
+              max_tokens: 200,
+            }),
+            signal: AbortSignal.timeout(aiJudgeTimeout),
+          });
+
+          if (llmRes.ok) {
+            const llmData = await llmRes.json();
+            const content = llmData.choices?.[0]?.message?.content || '';
+            const jsonMatch = content.match(/\{[\s\S]*\}/);
+            if (jsonMatch) {
+              const verdict = JSON.parse(jsonMatch[0]);
+              if (verdict.decision === 'DENY') {
+                reason = '[SolonGate AI Judge] Blocked: ' + (verdict.reason || 'Semantic analysis detected a policy violation');
+              }
+            }
+          } else {
+            // Fail-closed: LLM error → DENY
+            reason = '[SolonGate AI Judge] Blocked: Groq API error (fail-closed)';
+          }
+        } catch (err) {
+          // Fail-closed: timeout or parse error → DENY
+          reason = '[SolonGate AI Judge] Blocked: ' + (err.message || 'error') + ' (fail-closed)';
+        }
+      }
+    }
+
+    const decision = reason ? 'DENY' : 'ALLOW';
+
+    // ── Log ALL decisions to SolonGate Cloud ──
+    if (API_KEY && API_KEY.startsWith('sg_live_')) {
+      try {
+        const logEntry = {
+          tool: toolName, arguments: args,
+          decision, reason: reason || 'allowed by policy',
+          source: 'claude-code-guard',
+        };
+        // Attach PI metadata if detected
+        if (piResult) {
+          logEntry.pi_detected = true;
+          logEntry.pi_trust_score = piResult.trustScore;
+          logEntry.pi_blocked = false;
+          logEntry.pi_categories = JSON.stringify(piResult.categories);
+          logEntry.pi_stage_scores = JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 });
+        }
+        await fetch(API_URL + '/api/v1/audit-logs', {
+          method: 'POST',
+          headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+          body: JSON.stringify(logEntry),
+          signal: AbortSignal.timeout(3000),
+        });
+      } catch {}
+    }
+
+    if (reason) {
+      process.stderr.write(reason);
+      process.exit(2);
+    }
+  } catch {}
+  process.exit(0);
+});