@solongate/proxy 0.35.0 → 0.37.0

package/dist/index.js

@@ -536,7 +536,7 @@ function isAlreadyProtected(server) {
   }
   return false;
 }
-function wrapServer(serverName, server, policy, agentName, aiJudge) {
+function wrapServer(serverName, server, policy, agentName) {
   const env = { ...server.env ?? {} };
   env.SOLONGATE_API_KEY = "${SOLONGATE_API_KEY}";
   const proxyArgs = ["-y", "@solongate/proxy@latest"];
@@ -546,9 +546,6 @@ function wrapServer(serverName, server, policy, agentName, aiJudge) {
   if (agentName) {
     proxyArgs.push("--agent-name", agentName);
   }
-  if (aiJudge) {
-    proxyArgs.push("--ai-judge");
-  }
   proxyArgs.push("--verbose", "--", server.command, ...server.args ?? []);
   return {
     command: "npx",
@@ -569,8 +566,7 @@ function parseInitArgs(argv) {
   const args = argv.slice(2);
   const options = {
     all: false,
-    tools: [],
-    aiJudge: false
+    tools: []
   };
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
@@ -595,9 +591,6 @@ function parseInitArgs(argv) {
       case "--openclaw":
         options.tools.push("openclaw");
         break;
-      case "--ai-judge":
-        options.aiJudge = true;
-        break;
       case "--help":
       case "-h":
         printHelp();
@@ -625,13 +618,8 @@ AI TOOL HOOKS (default: all)
   --gemini            Install hooks for Gemini CLI
   --openclaw          Install hooks for OpenClaw
 
-SECURITY LAYERS
-  --ai-judge          Enable AI Judge (semantic intent analysis via LLM)
-                      Requires GROQ_API_KEY in .env (free at https://console.groq.com/keys)
-
 EXAMPLES
   npx @solongate/proxy init --all                          # Protect everything, all tools
-  npx @solongate/proxy init --all --ai-judge               # With AI Judge enabled
   npx @solongate/proxy init --all --claude-code --gemini   # Only Claude Code + Gemini hooks
   npx @solongate/proxy init --all --policy policy.json     # With custom policy
 `;
@@ -1061,7 +1049,7 @@ async function main() {
   const newConfig = { mcpServers: {} };
   for (const name of serverNames) {
     if (toProtect.includes(name)) {
-      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue, void 0, options.aiJudge);
+      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue);
     } else {
       newConfig.mcpServers[name] = config.mcpServers[name];
     }
@@ -5652,39 +5640,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
-
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
-
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -5696,24 +5679,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -5737,8 +5712,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/dist/init.js

@@ -117,7 +117,7 @@ function isAlreadyProtected(server) {
   }
   return false;
 }
-function wrapServer(serverName, server, policy, agentName, aiJudge) {
+function wrapServer(serverName, server, policy, agentName) {
   const env = { ...server.env ?? {} };
   env.SOLONGATE_API_KEY = "${SOLONGATE_API_KEY}";
   const proxyArgs = ["-y", "@solongate/proxy@latest"];
@@ -127,9 +127,6 @@ function wrapServer(serverName, server, policy, agentName, aiJudge) {
   if (agentName) {
     proxyArgs.push("--agent-name", agentName);
   }
-  if (aiJudge) {
-    proxyArgs.push("--ai-judge");
-  }
   proxyArgs.push("--verbose", "--", server.command, ...server.args ?? []);
   return {
     command: "npx",
@@ -150,8 +147,7 @@ function parseInitArgs(argv) {
   const args = argv.slice(2);
   const options = {
     all: false,
-    tools: [],
-    aiJudge: false
+    tools: []
   };
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
@@ -176,9 +172,6 @@ function parseInitArgs(argv) {
       case "--openclaw":
         options.tools.push("openclaw");
         break;
-      case "--ai-judge":
-        options.aiJudge = true;
-        break;
       case "--help":
       case "-h":
         printHelp();
@@ -206,13 +199,8 @@ AI TOOL HOOKS (default: all)
   --gemini            Install hooks for Gemini CLI
   --openclaw          Install hooks for OpenClaw
 
-SECURITY LAYERS
-  --ai-judge          Enable AI Judge (semantic intent analysis via LLM)
-                      Requires GROQ_API_KEY in .env (free at https://console.groq.com/keys)
-
 EXAMPLES
   npx @solongate/proxy init --all                          # Protect everything, all tools
-  npx @solongate/proxy init --all --ai-judge               # With AI Judge enabled
   npx @solongate/proxy init --all --claude-code --gemini   # Only Claude Code + Gemini hooks
   npx @solongate/proxy init --all --policy policy.json     # With custom policy
 `;
@@ -644,7 +632,7 @@ async function main() {
   const newConfig = { mcpServers: {} };
   for (const name of serverNames) {
     if (toProtect.includes(name)) {
-      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue, void 0, options.aiJudge);
+      newConfig.mcpServers[name] = wrapServer(name, config.mcpServers[name], policyValue);
     } else {
       newConfig.mcpServers[name] = config.mcpServers[name];
     }

package/dist/lib.js

@@ -3939,39 +3939,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -3983,24 +3978,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -4024,8 +4011,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.35.0",
+  "version": "0.37.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {