@solongate/proxy 0.26.4 → 0.27.0

package/dist/index.js

@@ -47,7 +47,11 @@ async function fetchCloudPolicy(apiKey, apiUrl, policyId) {
 }
 async function sendAuditLog(apiKey, apiUrl, entry) {
   const url = `${apiUrl}/api/v1/audit-logs`;
-  const body = JSON.stringify(entry);
+  const body = JSON.stringify({
+    ...entry,
+    agent_id: entry.agent_id,
+    agent_name: entry.agent_name
+  });
   for (let attempt = 0; attempt < AUDIT_MAX_RETRIES; attempt++) {
     try {
       const res = await fetch(url, {
@@ -165,6 +169,7 @@ function parseArgs(argv) {
   let aiJudgeEndpoint = "https://api.groq.com/openai";
   let aiJudgeApiKey;
   let aiJudgeTimeout = 5e3;
+  let agentName;
   let separatorIndex = args.indexOf("--");
   const flags = separatorIndex >= 0 ? args.slice(0, separatorIndex) : args;
   const upstreamArgs = separatorIndex >= 0 ? args.slice(separatorIndex + 1) : [];
@@ -228,6 +233,9 @@ function parseArgs(argv) {
       case "--ai-judge-timeout":
         aiJudgeTimeout = parseInt(flags[++i], 10);
         break;
+      case "--agent-name":
+        agentName = flags[++i];
+        break;
     }
   }
   if (!aiJudgeApiKey) {
@@ -296,7 +304,8 @@ function parseArgs(argv) {
       policyPath: resolvePolicyPath(cfgPolicySource) ?? void 0,
       policyId: policyId ?? fileConfig.policyId,
       advancedDetection: advancedDetection ? { enabled: true } : void 0,
-      aiJudge
+      aiJudge,
+      agentName
     };
   }
   if (upstreamUrl) {
@@ -319,7 +328,8 @@ function parseArgs(argv) {
       policyPath: resolvedPolicyPath ?? void 0,
       policyId,
       advancedDetection: advancedDetection ? { enabled: true } : void 0,
-      aiJudge
+      aiJudge,
+      agentName
     };
   }
   if (upstreamArgs.length === 0) {
@@ -346,7 +356,8 @@ function parseArgs(argv) {
     policyPath: resolvedPolicyPath ?? void 0,
     policyId,
     advancedDetection: advancedDetection ? { enabled: true } : void 0,
-    aiJudge
+    aiJudge,
+    agentName
   };
 }
 function resolvePolicyPath(source) {
@@ -481,10 +492,11 @@ function isAlreadyProtected(server) {
   }
   return false;
 }
-function wrapServer(server, policy) {
+function wrapServer(serverName, server, policy) {
   const env = { ...server.env ?? {} };
   env.SOLONGATE_API_KEY = "${SOLONGATE_API_KEY}";
   const proxyArgs = ["-y", "@solongate/proxy@latest"];
+  proxyArgs.push("--agent-name", serverName);
   if (policy) {
     proxyArgs.push("--policy", policy);
   }
@@ -885,7 +897,7 @@ async function main() {
   const newConfig = { mcpServers: {} };
   for (const name of serverNames) {
     if (toProtect.includes(name)) {
-      newConfig.mcpServers[name] = wrapServer(config.mcpServers[name], policyValue);
+      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue);
     } else {
       newConfig.mcpServers[name] = config.mcpServers[name];
     }
@@ -2889,25 +2901,25 @@ function checkEntropyLimits(value) {
 }
 function calculateShannonEntropy(str) {
   const freq = new Uint32Array(128);
-  let nonAsciiCount = 0;
+  const nonAsciiFreq = /* @__PURE__ */ new Map();
   for (let i = 0; i < str.length; i++) {
     const code = str.charCodeAt(i);
     if (code < 128) {
-      freq[code] = (freq[code] ?? 0) + 1;
+      freq[code] = freq[code] + 1;
     } else {
-      nonAsciiCount++;
+      nonAsciiFreq.set(code, (nonAsciiFreq.get(code) || 0) + 1);
     }
   }
   let entropy = 0;
   const len = str.length;
   for (let i = 0; i < 128; i++) {
-    if ((freq[i] ?? 0) > 0) {
-      const p = (freq[i] ?? 0) / len;
+    if (freq[i] > 0) {
+      const p = freq[i] / len;
       entropy -= p * Math.log2(p);
     }
   }
-  if (nonAsciiCount > 0) {
-    const p = nonAsciiCount / len;
+  for (const count of nonAsciiFreq.values()) {
+    const p = count / len;
     entropy -= p * Math.log2(p);
   }
   return entropy;
@@ -3978,7 +3990,7 @@ function urlConstraintsMatch(constraints, args) {
 }
 function evaluatePolicy(policySet, request) {
   const startTime = performance.now();
-  const sortedRules = policySet.rules;
+  const sortedRules = [...policySet.rules].sort((a, b) => a.priority - b.priority);
   for (const rule of sortedRules) {
     if (ruleMatchesRequest(rule, request)) {
       const endTime2 = performance.now();
@@ -5457,9 +5469,6 @@ var PolicySyncManager = class {
    */
   policiesEqual(a, b) {
     if (a.name !== b.name || a.rules.length !== b.rules.length) return false;
-    if (a.version !== void 0 && b.version !== void 0 && a.version === b.version && a.id === b.id) {
-      return true;
-    }
     return JSON.stringify(a.rules) === JSON.stringify(b.rules);
   }
 };
@@ -5499,12 +5508,17 @@ CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat
 
 Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
-var AiJudge = class {
+var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
   deniedActions;
   isOllamaEndpoint;
+  // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
+  consecutiveFailures = 0;
+  lastFailureTime = 0;
+  static CIRCUIT_BREAKER_THRESHOLD = 3;
+  static CIRCUIT_BREAKER_RESET_MS = 6e4;
   constructor(config, protectedFiles, protectedPaths, deniedActions = [
     "file deletion",
     "data exfiltration",
@@ -5523,6 +5537,17 @@ var AiJudge = class {
    * Fail-closed: any error (timeout, parse failure, connection refused) → DENY.
    */
   async evaluate(toolName, args) {
+    if (this.consecutiveFailures >= _AiJudge.CIRCUIT_BREAKER_THRESHOLD) {
+      const elapsed = Date.now() - this.lastFailureTime;
+      if (elapsed < _AiJudge.CIRCUIT_BREAKER_RESET_MS) {
+        return {
+          decision: "ALLOW",
+          reason: `AI Judge circuit breaker open (${this.consecutiveFailures} consecutive failures) \u2014 falling back to policy-only`,
+          confidence: 0.5
+        };
+      }
+      this.consecutiveFailures = 0;
+    }
     const sanitizedArgs = this.sanitizeArgs(args);
     const userMessage = JSON.stringify({
       tool: toolName,
@@ -5533,12 +5558,15 @@ var AiJudge = class {
     });
     try {
       const response = await this.callLLM(userMessage);
+      this.consecutiveFailures = 0;
       return this.parseVerdict(response);
     } catch (err) {
+      this.consecutiveFailures++;
+      this.lastFailureTime = Date.now();
       const message = err instanceof Error ? err.message : String(err);
       return {
         decision: "DENY",
-        reason: `AI Judge error (fail-closed): ${message}`,
+        reason: `AI Judge error (fail-closed): ${message.slice(0, 100)}`,
         confidence: 1
       };
     }
@@ -5551,8 +5579,15 @@ var AiJudge = class {
     const sanitize = (val, depth = 0) => {
       if (depth > 10) return "[nested]";
       if (typeof val === "string") {
-        const truncated = val.length > maxStringLen ? val.slice(0, maxStringLen) + "...[truncated]" : val;
-        return truncated;
+        let s = val.length > maxStringLen ? val.slice(0, maxStringLen) + "...[truncated]" : val;
+        s = s.replace(/\{[^{}]*"decision"\s*:/gi, "{[redacted]:");
+        s = s.replace(/\{[^{}]*"ALLOW"[^{}]*\}/gi, "[redacted-json]");
+        s = s.replace(/\{[^{}]*"DENY"[^{}]*\}/gi, "[redacted-json]");
+        s = s.replace(/respond\s+with\s*:/gi, "[redacted]");
+        s = s.replace(/ignore\s+(previous|above|all)\s+(instructions?|prompts?)/gi, "[redacted]");
+        s = s.replace(/you\s+are\s+now\s+/gi, "[redacted] ");
+        s = s.replace(/system\s*:\s*/gi, "[redacted]: ");
+        return s;
       }
       if (Array.isArray(val)) return val.slice(0, 50).map((v) => sanitize(v, depth + 1));
       if (val && typeof val === "object") {
@@ -5595,7 +5630,8 @@ var AiJudge = class {
             { role: "user", content: userMessage }
           ],
           temperature: 0,
-          max_tokens: 200
+          max_tokens: 200,
+          response_format: { type: "json_object" }
         });
         if (this.config.apiKey) {
           headers["Authorization"] = `Bearer ${this.config.apiKey}`;
@@ -5721,9 +5757,20 @@ var SolonGateProxy = class {
   aiJudge = null;
   upstreamTools = [];
   guardConfig;
+  /** Agent identity for trust map — resolved from CLI flag, HTTP headers, or MCP clientInfo */
+  agentId = null;
+  agentName = null;
+  /** Per-session agent info for HTTP mode (keyed by session ID) */
+  httpAgentInfo = /* @__PURE__ */ new Map();
+  /** Per-request sub-agent info from HTTP headers (transient, overwritten per request) */
+  httpSubAgent = null;
   constructor(config) {
     this.config = config;
     this.guardConfig = config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG, advancedDetection: config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG;
+    if (config.agentName) {
+      this.agentName = config.agentName;
+      this.agentId = config.agentName.toLowerCase().replace(/\s+/g, "-");
+    }
     this.gate = new SolonGate({
       name: config.name ?? "solongate-proxy",
       apiKey: "sg_test_proxy_internal_00000000",
@@ -5740,6 +5787,19 @@ var SolonGateProxy = class {
       log2("WARNING:", w);
     }
   }
+  /** Extract sub-agent identity from MCP _meta field */
+  extractSubAgent(request) {
+    const meta = request?.params?._meta;
+    if (meta && typeof meta === "object") {
+      const solonMeta = meta["io.solongate/agent"];
+      if (solonMeta && typeof solonMeta === "object") {
+        const agent = solonMeta;
+        const id = agent.id ? String(agent.id) : null;
+        if (id) return { subAgentId: id, subAgentName: agent.name ? String(agent.name) : id };
+      }
+    }
+    return null;
+  }
   /**
    * Start the proxy: connect to upstream, then serve downstream.
    */
@@ -5920,6 +5980,16 @@ var SolonGateProxy = class {
         }
       }
     );
+    this.server.oninitialized = () => {
+      if (!this.agentId && this.server) {
+        const clientVersion = this.server.getClientVersion();
+        if (clientVersion?.name) {
+          this.agentId = clientVersion.version ? `${clientVersion.name}/${clientVersion.version}` : clientVersion.name;
+          this.agentName = clientVersion.name;
+          log2(`Agent identified from MCP clientInfo: ${this.agentName} (${this.agentId})`);
+        }
+      }
+    };
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
       return { tools: this.upstreamTools };
     });
@@ -5927,6 +5997,7 @@ var SolonGateProxy = class {
     const MUTEX_TIMEOUT_MS = 3e4;
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       const { name, arguments: args } = request.params;
+      const subAgent = this.extractSubAgent(request) || this.httpSubAgent;
       const argsSize = TEXT_ENCODER.encode(JSON.stringify(args ?? {})).length;
       if (argsSize > MAX_ARGUMENT_SIZE) {
         log2(`DENY: ${name} \u2014 payload size ${argsSize} exceeds limit ${MAX_ARGUMENT_SIZE}`);
@@ -5964,7 +6035,11 @@ var SolonGateProxy = class {
               decision: "DENY",
               reason: `Prompt injection detected: ${threats}`,
               evaluationTimeMs: 0,
-              promptInjection: piResult
+              promptInjection: piResult,
+              agent_id: this.agentId ?? void 0,
+              agent_name: this.agentName ?? void 0,
+              sub_agent_id: subAgent?.subAgentId,
+              sub_agent_name: subAgent?.subAgentName
             });
           }
           return {
@@ -6056,7 +6131,11 @@ var SolonGateProxy = class {
             reason,
             matchedRule,
             evaluationTimeMs,
-            promptInjection: piResult
+            promptInjection: piResult,
+            agent_id: this.agentId ?? void 0,
+            agent_name: this.agentName ?? void 0,
+            sub_agent_id: subAgent?.subAgentId,
+            sub_agent_name: subAgent?.subAgentName
           });
         } else {
           log2(`Skipping audit log (apiKey: ${this.config.apiKey ? "test key" : "not set"})`);
@@ -6341,6 +6420,18 @@ ${msg.content.text}`;
       await this.server.connect(httpTransport);
       const httpServer = createHttpServer(async (req, res) => {
         if (req.url === "/mcp" || req.url?.startsWith("/mcp?")) {
+          if (!this.agentId) {
+            const headerAgentId = req.headers["x-agent-id"];
+            const headerAgentName = req.headers["x-agent-name"];
+            if (headerAgentId) {
+              this.agentId = headerAgentId;
+              this.agentName = headerAgentName || headerAgentId;
+              log2(`Agent identified from HTTP headers: ${this.agentName} (${this.agentId})`);
+            }
+          }
+          const subAgentId = req.headers["x-sub-agent-id"];
+          const subAgentName = req.headers["x-sub-agent-name"];
+          this.httpSubAgent = subAgentId ? { subAgentId, subAgentName: subAgentName || subAgentId } : null;
           await httpTransport.handleRequest(req, res);
         } else if (req.url === "/health") {
           res.writeHead(200, { "Content-Type": "application/json" });

package/dist/init.js

@@ -98,10 +98,11 @@ function isAlreadyProtected(server) {
   }
   return false;
 }
-function wrapServer(server, policy) {
+function wrapServer(serverName, server, policy) {
   const env = { ...server.env ?? {} };
   env.SOLONGATE_API_KEY = "${SOLONGATE_API_KEY}";
   const proxyArgs = ["-y", "@solongate/proxy@latest"];
+  proxyArgs.push("--agent-name", serverName);
   if (policy) {
     proxyArgs.push("--policy", policy);
   }
@@ -504,7 +505,7 @@ async function main() {
   const newConfig = { mcpServers: {} };
   for (const name of serverNames) {
     if (toProtect.includes(name)) {
-      newConfig.mcpServers[name] = wrapServer(config.mcpServers[name], policyValue);
+      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue);
     } else {
       newConfig.mcpServers[name] = config.mcpServers[name];
     }

package/dist/lib.js

@@ -1064,25 +1064,25 @@ function checkEntropyLimits(value) {
 }
 function calculateShannonEntropy(str) {
   const freq = new Uint32Array(128);
-  let nonAsciiCount = 0;
+  const nonAsciiFreq = /* @__PURE__ */ new Map();
   for (let i = 0; i < str.length; i++) {
     const code = str.charCodeAt(i);
     if (code < 128) {
-      freq[code] = (freq[code] ?? 0) + 1;
+      freq[code] = freq[code] + 1;
     } else {
-      nonAsciiCount++;
+      nonAsciiFreq.set(code, (nonAsciiFreq.get(code) || 0) + 1);
     }
   }
   let entropy = 0;
   const len = str.length;
   for (let i = 0; i < 128; i++) {
-    if ((freq[i] ?? 0) > 0) {
-      const p = (freq[i] ?? 0) / len;
+    if (freq[i] > 0) {
+      const p = freq[i] / len;
       entropy -= p * Math.log2(p);
     }
   }
-  if (nonAsciiCount > 0) {
-    const p = nonAsciiCount / len;
+  for (const count of nonAsciiFreq.values()) {
+    const p = count / len;
     entropy -= p * Math.log2(p);
   }
   return entropy;
@@ -2178,7 +2178,7 @@ function urlConstraintsMatch(constraints, args) {
 }
 function evaluatePolicy(policySet, request) {
   const startTime = performance.now();
-  const sortedRules = policySet.rules;
+  const sortedRules = [...policySet.rules].sort((a, b) => a.priority - b.priority);
   for (const rule of sortedRules) {
     if (ruleMatchesRequest(rule, request)) {
       const endTime2 = performance.now();
@@ -3661,7 +3661,11 @@ var AUDIT_MAX_RETRIES = 3;
 var AUDIT_LOG_BACKUP_PATH = resolve(".solongate-audit-backup.jsonl");
 async function sendAuditLog(apiKey, apiUrl, entry) {
   const url = `${apiUrl}/api/v1/audit-logs`;
-  const body = JSON.stringify(entry);
+  const body = JSON.stringify({
+    ...entry,
+    agent_id: entry.agent_id,
+    agent_name: entry.agent_name
+  });
   for (let attempt = 0; attempt < AUDIT_MAX_RETRIES; attempt++) {
     try {
       const res = await fetch(url, {
@@ -3930,9 +3934,6 @@ var PolicySyncManager = class {
    */
   policiesEqual(a, b) {
     if (a.name !== b.name || a.rules.length !== b.rules.length) return false;
-    if (a.version !== void 0 && b.version !== void 0 && a.version === b.version && a.id === b.id) {
-      return true;
-    }
     return JSON.stringify(a.rules) === JSON.stringify(b.rules);
   }
 };
@@ -3972,12 +3973,17 @@ CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat
 
 Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
-var AiJudge = class {
+var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
   deniedActions;
   isOllamaEndpoint;
+  // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
+  consecutiveFailures = 0;
+  lastFailureTime = 0;
+  static CIRCUIT_BREAKER_THRESHOLD = 3;
+  static CIRCUIT_BREAKER_RESET_MS = 6e4;
   constructor(config, protectedFiles, protectedPaths, deniedActions = [
     "file deletion",
     "data exfiltration",
@@ -3996,6 +4002,17 @@ var AiJudge = class {
    * Fail-closed: any error (timeout, parse failure, connection refused) → DENY.
    */
   async evaluate(toolName, args) {
+    if (this.consecutiveFailures >= _AiJudge.CIRCUIT_BREAKER_THRESHOLD) {
+      const elapsed = Date.now() - this.lastFailureTime;
+      if (elapsed < _AiJudge.CIRCUIT_BREAKER_RESET_MS) {
+        return {
+          decision: "ALLOW",
+          reason: `AI Judge circuit breaker open (${this.consecutiveFailures} consecutive failures) \u2014 falling back to policy-only`,
+          confidence: 0.5
+        };
+      }
+      this.consecutiveFailures = 0;
+    }
     const sanitizedArgs = this.sanitizeArgs(args);
     const userMessage = JSON.stringify({
       tool: toolName,
@@ -4006,12 +4023,15 @@ var AiJudge = class {
     });
     try {
       const response = await this.callLLM(userMessage);
+      this.consecutiveFailures = 0;
       return this.parseVerdict(response);
     } catch (err) {
+      this.consecutiveFailures++;
+      this.lastFailureTime = Date.now();
       const message = err instanceof Error ? err.message : String(err);
       return {
         decision: "DENY",
-        reason: `AI Judge error (fail-closed): ${message}`,
+        reason: `AI Judge error (fail-closed): ${message.slice(0, 100)}`,
         confidence: 1
       };
     }
@@ -4024,8 +4044,15 @@ var AiJudge = class {
     const sanitize = (val, depth = 0) => {
       if (depth > 10) return "[nested]";
       if (typeof val === "string") {
-        const truncated = val.length > maxStringLen ? val.slice(0, maxStringLen) + "...[truncated]" : val;
-        return truncated;
+        let s = val.length > maxStringLen ? val.slice(0, maxStringLen) + "...[truncated]" : val;
+        s = s.replace(/\{[^{}]*"decision"\s*:/gi, "{[redacted]:");
+        s = s.replace(/\{[^{}]*"ALLOW"[^{}]*\}/gi, "[redacted-json]");
+        s = s.replace(/\{[^{}]*"DENY"[^{}]*\}/gi, "[redacted-json]");
+        s = s.replace(/respond\s+with\s*:/gi, "[redacted]");
+        s = s.replace(/ignore\s+(previous|above|all)\s+(instructions?|prompts?)/gi, "[redacted]");
+        s = s.replace(/you\s+are\s+now\s+/gi, "[redacted] ");
+        s = s.replace(/system\s*:\s*/gi, "[redacted]: ");
+        return s;
       }
       if (Array.isArray(val)) return val.slice(0, 50).map((v) => sanitize(v, depth + 1));
       if (val && typeof val === "object") {
@@ -4068,7 +4095,8 @@ var AiJudge = class {
             { role: "user", content: userMessage }
           ],
           temperature: 0,
-          max_tokens: 200
+          max_tokens: 200,
+          response_format: { type: "json_object" }
         });
         if (this.config.apiKey) {
           headers["Authorization"] = `Bearer ${this.config.apiKey}`;
@@ -4194,9 +4222,20 @@ var SolonGateProxy = class {
   aiJudge = null;
   upstreamTools = [];
   guardConfig;
+  /** Agent identity for trust map — resolved from CLI flag, HTTP headers, or MCP clientInfo */
+  agentId = null;
+  agentName = null;
+  /** Per-session agent info for HTTP mode (keyed by session ID) */
+  httpAgentInfo = /* @__PURE__ */ new Map();
+  /** Per-request sub-agent info from HTTP headers (transient, overwritten per request) */
+  httpSubAgent = null;
   constructor(config) {
     this.config = config;
     this.guardConfig = config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG, advancedDetection: config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG;
+    if (config.agentName) {
+      this.agentName = config.agentName;
+      this.agentId = config.agentName.toLowerCase().replace(/\s+/g, "-");
+    }
     this.gate = new SolonGate({
       name: config.name ?? "solongate-proxy",
       apiKey: "sg_test_proxy_internal_00000000",
@@ -4213,6 +4252,19 @@ var SolonGateProxy = class {
       log2("WARNING:", w);
     }
   }
+  /** Extract sub-agent identity from MCP _meta field */
+  extractSubAgent(request) {
+    const meta = request?.params?._meta;
+    if (meta && typeof meta === "object") {
+      const solonMeta = meta["io.solongate/agent"];
+      if (solonMeta && typeof solonMeta === "object") {
+        const agent = solonMeta;
+        const id = agent.id ? String(agent.id) : null;
+        if (id) return { subAgentId: id, subAgentName: agent.name ? String(agent.name) : id };
+      }
+    }
+    return null;
+  }
   /**
    * Start the proxy: connect to upstream, then serve downstream.
    */
@@ -4393,6 +4445,16 @@ var SolonGateProxy = class {
         }
       }
     );
+    this.server.oninitialized = () => {
+      if (!this.agentId && this.server) {
+        const clientVersion = this.server.getClientVersion();
+        if (clientVersion?.name) {
+          this.agentId = clientVersion.version ? `${clientVersion.name}/${clientVersion.version}` : clientVersion.name;
+          this.agentName = clientVersion.name;
+          log2(`Agent identified from MCP clientInfo: ${this.agentName} (${this.agentId})`);
+        }
+      }
+    };
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
       return { tools: this.upstreamTools };
     });
@@ -4400,6 +4462,7 @@ var SolonGateProxy = class {
     const MUTEX_TIMEOUT_MS = 3e4;
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       const { name, arguments: args } = request.params;
+      const subAgent = this.extractSubAgent(request) || this.httpSubAgent;
       const argsSize = TEXT_ENCODER.encode(JSON.stringify(args ?? {})).length;
       if (argsSize > MAX_ARGUMENT_SIZE) {
         log2(`DENY: ${name} \u2014 payload size ${argsSize} exceeds limit ${MAX_ARGUMENT_SIZE}`);
@@ -4437,7 +4500,11 @@ var SolonGateProxy = class {
               decision: "DENY",
               reason: `Prompt injection detected: ${threats}`,
               evaluationTimeMs: 0,
-              promptInjection: piResult
+              promptInjection: piResult,
+              agent_id: this.agentId ?? void 0,
+              agent_name: this.agentName ?? void 0,
+              sub_agent_id: subAgent?.subAgentId,
+              sub_agent_name: subAgent?.subAgentName
             });
           }
           return {
@@ -4529,7 +4596,11 @@ var SolonGateProxy = class {
             reason,
             matchedRule,
             evaluationTimeMs,
-            promptInjection: piResult
+            promptInjection: piResult,
+            agent_id: this.agentId ?? void 0,
+            agent_name: this.agentName ?? void 0,
+            sub_agent_id: subAgent?.subAgentId,
+            sub_agent_name: subAgent?.subAgentName
           });
         } else {
           log2(`Skipping audit log (apiKey: ${this.config.apiKey ? "test key" : "not set"})`);
@@ -4814,6 +4885,18 @@ ${msg.content.text}`;
       await this.server.connect(httpTransport);
       const httpServer = createHttpServer(async (req, res) => {
         if (req.url === "/mcp" || req.url?.startsWith("/mcp?")) {
+          if (!this.agentId) {
+            const headerAgentId = req.headers["x-agent-id"];
+            const headerAgentName = req.headers["x-agent-name"];
+            if (headerAgentId) {
+              this.agentId = headerAgentId;
+              this.agentName = headerAgentName || headerAgentId;
+              log2(`Agent identified from HTTP headers: ${this.agentName} (${this.agentId})`);
+            }
+          }
+          const subAgentId = req.headers["x-sub-agent-id"];
+          const subAgentName = req.headers["x-sub-agent-name"];
+          this.httpSubAgent = subAgentId ? { subAgentId, subAgentName: subAgentName || subAgentId } : null;
           await httpTransport.handleRequest(req, res);
         } else if (req.url === "/health") {
           res.writeHead(200, { "Content-Type": "application/json" });

package/hooks/guard.mjs

@@ -7,9 +7,19 @@
  * Logs ALL decisions (ALLOW + DENY) to SolonGate Cloud.
  * Auto-installed by: npx @solongate/proxy init
  */
-import { readFileSync, existsSync } from 'node:fs';
+import { readFileSync, existsSync, statSync } from 'node:fs';
 import { resolve } from 'node:path';
 
+// Safe file read with size limit (1MB max) to prevent DoS via large files
+const MAX_FILE_READ = 1024 * 1024; // 1MB
+function safeReadFileSync(filePath, encoding = 'utf-8') {
+  try {
+    const stat = statSync(filePath);
+    if (stat.size > MAX_FILE_READ) return '';
+    return readFileSync(filePath, encoding);
+  } catch { return ''; }
+}
+
 // ── Load API key from .env file (Claude Code doesn't load .env into process.env) ──
 function loadEnvKey(dir) {
   try {
@@ -157,6 +167,32 @@ function matchPathGlob(path, pattern) {
   return matchGlob(p, g);
 }
 
+// ── Safe Webhook URL Validation (prevent SSRF) ──
+function isSafeWebhookUrl(urlStr) {
+  try {
+    const u = new URL(urlStr);
+    if (u.protocol !== 'https:') return false;
+    const host = u.hostname.toLowerCase();
+    // Block private/reserved IPs and metadata endpoints
+    if (host === 'localhost' || host === '127.0.0.1' || host === '0.0.0.0' || host === '::1') return false;
+    if (host.startsWith('10.') || host.startsWith('192.168.') || host.startsWith('172.')) return false;
+    if (host === '169.254.169.254' || host === 'metadata.google.internal') return false;
+    if (host.endsWith('.internal') || host.endsWith('.local')) return false;
+    return true;
+  } catch { return false; }
+}
+
+// ── Safe Regex Validation (prevent ReDoS from cloud-supplied patterns) ──
+function isSafeRegex(pattern) {
+  if (typeof pattern !== 'string' || pattern.length > 512) return false;
+  // Block nested quantifiers: (a+)+, (a*)+, (a{1,})+, etc.
+  if (/(\+|\*|\{[^}]+\})\s*(\+|\*|\{[^}]+\})/.test(pattern)) return false;
+  if (/\([^)]*(\+|\*|\{[^}]+\})[^)]*\)\s*(\+|\*|\{[^}]+\})/.test(pattern)) return false;
+  // Block excessive alternation groups (>10 alternatives)
+  if ((pattern.match(/\|/g) || []).length > 10) return false;
+  try { new RegExp(pattern); return true; } catch { return false; }
+}
+
 // ── Extract Functions (deep scan all string values) ──
 function scanStrings(obj) {
   const strings = [];
@@ -643,7 +679,7 @@ process.stdin.on('end', async () => {
                 try {
                   const targetPath = resolve(hookCwdForNpm, scriptFileMatch[1]);
                   if (existsSync(targetPath)) {
-                    const targetContent = readFileSync(targetPath, 'utf-8').toLowerCase();
+                    const targetContent = safeReadFileSync(targetPath).toLowerCase();
                     // Check target file for protected paths
                     for (const pp of [...protectedPaths, ...writeProtectedPaths]) {
                       if (targetContent.includes(pp)) {
@@ -670,7 +706,7 @@ process.stdin.on('end', async () => {
                         const candidates = [impAbs, impAbs + '.mjs', impAbs + '.js', impAbs + '.cjs'];
                         for (const c of candidates) {
                           if (existsSync(c)) {
-                            const impContent = readFileSync(c, 'utf-8').toLowerCase();
+                            const impContent = safeReadFileSync(c).toLowerCase();
                             const iDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(impContent);
                             const iDest = /\brmsync\b|\bunlinksync\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(impContent);
                             if ((iDisc && tDest) || (tDisc && iDest)) {
@@ -756,7 +792,7 @@ process.stdin.on('end', async () => {
           ? scriptPath
           : resolve(hookCwdForScript, scriptPath);
         if (existsSync(absPath)) {
-          const scriptContent = readFileSync(absPath, 'utf-8').toLowerCase();
+          const scriptContent = safeReadFileSync(absPath).toLowerCase();
           // Check for discovery+destruction combo
           const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
           const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
@@ -778,7 +814,7 @@ process.stdin.on('end', async () => {
               const candidates = [importAbs, importAbs + '.mjs', importAbs + '.js', importAbs + '.cjs'];
               for (const candidate of candidates) {
                 if (existsSync(candidate)) {
-                  const importContent = readFileSync(candidate, 'utf-8').toLowerCase();
+                  const importContent = safeReadFileSync(candidate).toLowerCase();
                   // Cross-module: check if imported module has discovery/destruction/string construction
                   const importDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b/i.test(importContent);
                   const importDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(importContent);
@@ -890,6 +926,7 @@ process.stdin.on('end', async () => {
     if (piCfg.piEnabled !== false && Array.isArray(piCfg.piWhitelist) && piCfg.piWhitelist.length > 0) {
       for (const wlPattern of piCfg.piWhitelist) {
         try {
+          if (!isSafeRegex(wlPattern)) continue;
           if (new RegExp(wlPattern, 'i').test(allText)) {
             whitelisted = true;
             break;
@@ -902,7 +939,7 @@ process.stdin.on('end', async () => {
     const customCategories = [];
     if (piCfg.piEnabled !== false && Array.isArray(piCfg.piCustomPatterns)) {
       for (const cp of piCfg.piCustomPatterns) {
-        if (cp && cp.pattern) {
+        if (cp && cp.pattern && isSafeRegex(cp.pattern)) {
           try {
             customCategories.push({
               name: cp.name || 'custom_pattern',
@@ -950,8 +987,8 @@ process.stdin.on('end', async () => {
           });
         } catch {}
 
-        // Webhook notification
-        if (piCfg.piWebhookUrl) {
+        // Webhook notification (SSRF-safe: HTTPS only, no private IPs)
+        if (piCfg.piWebhookUrl && isSafeWebhookUrl(piCfg.piWebhookUrl)) {
           try {
             await fetch(piCfg.piWebhookUrl, {
               method: 'POST',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.26.4",
+  "version": "0.27.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {