@solongate/proxy 0.36.0 → 0.38.0

package/dist/index.js

@@ -5640,39 +5640,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -5684,24 +5679,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -5725,8 +5712,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/dist/lib.js

@@ -3939,39 +3939,34 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
 - "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
-- "denied_actions": list of actions that are never allowed
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
 
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected \u2014 even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
 
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+BYPASS DETECTION \u2014 DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
 
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
-ALLOW if:
-- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
-
-Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+Respond with ONLY valid JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
 var AuthError = class extends Error {
   constructor(message) {
@@ -3983,24 +3978,16 @@ var AiJudge = class _AiJudge {
   config;
   protectedFiles;
   protectedPaths;
-  deniedActions;
   isOllamaEndpoint;
   // Circuit breaker: after 3 consecutive failures in 60s, skip AI Judge
   consecutiveFailures = 0;
   lastFailureTime = 0;
   static CIRCUIT_BREAKER_THRESHOLD = 3;
   static CIRCUIT_BREAKER_RESET_MS = 6e4;
-  constructor(config, protectedFiles, protectedPaths, deniedActions = [
-    "file deletion",
-    "data exfiltration",
-    "remote code execution",
-    "environment variable leak",
-    "security control bypass"
-  ]) {
+  constructor(config, protectedFiles, protectedPaths) {
     this.config = config;
     this.protectedFiles = protectedFiles;
     this.protectedPaths = protectedPaths;
-    this.deniedActions = deniedActions;
     this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
   }
   /**
@@ -4024,8 +4011,7 @@ var AiJudge = class _AiJudge {
       tool: toolName,
       arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
-      protected_paths: this.protectedPaths,
-      denied_actions: this.deniedActions
+      protected_paths: this.protectedPaths
     });
     try {
       const response = await this.callLLM(userMessage);

package/hooks/guard.mjs

@@ -1134,7 +1134,9 @@ process.stdin.on('end', async () => {
 
     // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
     if (!reason) {
-      const GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      let GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      // Skip placeholder values
+      if (GROQ_KEY && (GROQ_KEY.includes('your_') || GROQ_KEY.includes('_here') || GROQ_KEY.length < 10)) GROQ_KEY = '';
       let aiJudgeEnabled = false;
       let aiJudgeModel = 'llama-3.1-8b-instant';
       let aiJudgeEndpoint = 'https://api.groq.com/openai';
@@ -1197,40 +1199,34 @@ process.stdin.on('end', async () => {
             arguments: args,
             protected_files: protectedFiles,
             protected_paths: protectedPathsList,
-            denied_actions: ['file deletion', 'data exfiltration', 'remote code execution', 'environment variable leak', 'security control bypass'],
           });
 
-          const systemPrompt = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+          const systemPrompt = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
-- "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
+- "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
-- "denied_actions": list of actions that are never allowed
-
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
-
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) — check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
-
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
-
-ALLOW if:
-- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
+
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected — even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
+
+BYPASS DETECTION — DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
+
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
 Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
 
@@ -1258,17 +1254,16 @@ Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief e
             const jsonMatch = content.match(/\{[\s\S]*\}/);
             if (jsonMatch) {
               const verdict = JSON.parse(jsonMatch[0]);
-              if (verdict.decision === 'DENY') {
+              if (verdict.decision === 'DENY' && verdict.confidence >= 0.7) {
                 reason = '[SolonGate AI Judge] Blocked: ' + (verdict.reason || 'Semantic analysis detected a policy violation');
               }
+              // Low-confidence DENY or ALLOW → skip (don't block)
             }
-          } else {
-            // Fail-closed: LLM error → DENY
-            reason = '[SolonGate AI Judge] Blocked: Groq API error (fail-closed)';
           }
-        } catch (err) {
-          // Fail-closed: timeout or parse error → DENY
-          reason = '[SolonGate AI Judge] Blocked: ' + (err.message || 'error') + ' (fail-closed)';
+          // Auth/config errors (401, 403) → skip AI Judge, don't DENY
+          // Other LLM errors → skip too (policy engine already evaluated)
+        } catch {
+          // Timeout or parse error → skip AI Judge (policy engine already passed)
         }
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.36.0",
+  "version": "0.38.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {