@solongate/proxy 0.36.0 → 0.37.0

package/dist/index.js

@@ -5640,39 +5640,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -5684,24 +5679,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -5725,8 +5712,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/dist/lib.js

@@ -3939,39 +3939,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -3983,24 +3978,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -4024,8 +4011,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.36.0",
+  "version": "0.37.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {