@solongate/proxy 0.37.0 → 0.39.0

package/dist/index.js

@@ -5707,6 +5707,27 @@ var AiJudge = class _AiJudge {
       }
       this.consecutiveFailures = 0;
     }
+    const argStr = JSON.stringify(args).toLowerCase();
+    const hasShellTricks = /\$[\({]|`|<\(|>\(|\beval\b|\bexec\b|\bsource\b|\bxargs\b/.test(argStr);
+    const hasWildcard = /[*?]/.test(argStr);
+    let couldMatchProtected = hasShellTricks || hasWildcard;
+    if (!couldMatchProtected) {
+      const allProtected = [...this.protectedFiles, ...this.protectedPaths];
+      for (const p of allProtected) {
+        const core = p.replace(/[*?[\]{}]/g, "").replace(/^\.+/, "").toLowerCase();
+        if (core && core.length >= 2 && argStr.includes(core)) {
+          couldMatchProtected = true;
+          break;
+        }
+      }
+    }
+    if (!couldMatchProtected) {
+      return {
+        decision: "ALLOW",
+        reason: "No protected file/path referenced in arguments",
+        confidence: 1
+      };
+    }
     const sanitizedArgs = this.sanitizeArgs(args);
     const userMessage = JSON.stringify({
       tool: toolName,

package/dist/lib.js

@@ -4006,6 +4006,27 @@ var AiJudge = class _AiJudge {
       }
       this.consecutiveFailures = 0;
     }
+    const argStr = JSON.stringify(args).toLowerCase();
+    const hasShellTricks = /\$[\({]|`|<\(|>\(|\beval\b|\bexec\b|\bsource\b|\bxargs\b/.test(argStr);
+    const hasWildcard = /[*?]/.test(argStr);
+    let couldMatchProtected = hasShellTricks || hasWildcard;
+    if (!couldMatchProtected) {
+      const allProtected = [...this.protectedFiles, ...this.protectedPaths];
+      for (const p of allProtected) {
+        const core = p.replace(/[*?[\]{}]/g, "").replace(/^\.+/, "").toLowerCase();
+        if (core && core.length >= 2 && argStr.includes(core)) {
+          couldMatchProtected = true;
+          break;
+        }
+      }
+    }
+    if (!couldMatchProtected) {
+      return {
+        decision: "ALLOW",
+        reason: "No protected file/path referenced in arguments",
+        confidence: 1
+      };
+    }
     const sanitizedArgs = this.sanitizeArgs(args);
     const userMessage = JSON.stringify({
       tool: toolName,

package/hooks/guard.mjs

@@ -1134,7 +1134,9 @@ process.stdin.on('end', async () => {
 
     // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
     if (!reason) {
-      const GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      let GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      // Skip placeholder values
+      if (GROQ_KEY && (GROQ_KEY.includes('your_') || GROQ_KEY.includes('_here') || GROQ_KEY.length < 10)) GROQ_KEY = '';
       let aiJudgeEnabled = false;
       let aiJudgeModel = 'llama-3.1-8b-instant';
       let aiJudgeEndpoint = 'https://api.groq.com/openai';
@@ -1192,45 +1194,63 @@ process.stdin.on('end', async () => {
             }
           }
 
+          // Pre-filter: skip AI Judge if tool args clearly don't touch any protected file/path.
+          // Only call LLM when there's a potential match or obfuscation attempt.
+          const argStr = JSON.stringify(args).toLowerCase();
+          const hasShellTricks = /\$[\({]|`|<\(|>\(|\beval\b|\bexec\b|\bsource\b|\bxargs\b/.test(argStr);
+          const hasWildcard = /[*?]/.test(argStr);
+          let couldMatchProtected = hasShellTricks || hasWildcard;
+          if (!couldMatchProtected) {
+            // Check if any protected file/path name (without glob chars) appears in args
+            const allProtected = [...protectedFiles, ...protectedPathsList];
+            for (const p of allProtected) {
+              // Strip glob chars to get the core name: "*.env*" → "env", ".solongate" → "solongate"
+              const core = p.replace(/[*?[\]{}]/g, '').replace(/^\.+/, '').toLowerCase();
+              if (core && core.length >= 2 && argStr.includes(core)) {
+                couldMatchProtected = true;
+                break;
+              }
+            }
+          }
+
+          // If args clearly don't reference any protected pattern, skip LLM — instant ALLOW
+          if (!couldMatchProtected) {
+            // No need to call AI Judge — nothing to protect here
+          } else {
+
           const judgePayload = JSON.stringify({
             tool: toolName,
             arguments: args,
             protected_files: protectedFiles,
             protected_paths: protectedPathsList,
-            denied_actions: ['file deletion', 'data exfiltration', 'remote code execution', 'environment variable leak', 'security control bypass'],
           });
 
-          const systemPrompt = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+          const systemPrompt = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
 
 You will receive a JSON object with:
-- "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
+- "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
-- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
-- "denied_actions": list of actions that are never allowed
-
-IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
-
-DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
-- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
-- Command substitution ($(...), backticks)
-- Process substitution (<(cat file)) — check inside <(...) for protected files
-- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
-- Input redirection (< file)
-- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
-- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
-
-Also DENY if:
-- The command sends data to external URLs (curl -d, wget --post)
-- The command leaks environment variables (printenv, env, process.env)
-- The command executes remotely downloaded code (curl|bash)
-
-ALLOW if:
-- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
-- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
-- The action does not touch any protected file or path
-
-CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
+- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
+- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
+
+RULES:
+1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
+2. ALLOW everything else. You must NOT invent your own security rules.
+3. If a file is NOT in protected_files, it is NOT protected — even if the filename looks sensitive.
+4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
+5. "curl https://example.com" is ALLOWED unless it sends protected file content.
+6. "printenv" is ALLOWED unless the policy explicitly protects it.
+
+BYPASS DETECTION — DENY if the command accesses a protected file through:
+- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
+- Command substitution: "cat $(echo .env)" builds ".env"
+- Variable interpolation: f=".en"; cat \${f}v builds ".env"
+- Process substitution: <(cat .env)
+- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
+- Input redirection: < .env
+- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
+
+CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
 
 Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
 
@@ -1258,17 +1278,18 @@ Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief e
             const jsonMatch = content.match(/\{[\s\S]*\}/);
             if (jsonMatch) {
               const verdict = JSON.parse(jsonMatch[0]);
-              if (verdict.decision === 'DENY') {
+              if (verdict.decision === 'DENY' && verdict.confidence >= 0.7) {
                 reason = '[SolonGate AI Judge] Blocked: ' + (verdict.reason || 'Semantic analysis detected a policy violation');
               }
+              // Low-confidence DENY or ALLOW → skip (don't block)
             }
-          } else {
-            // Fail-closed: LLM error → DENY
-            reason = '[SolonGate AI Judge] Blocked: Groq API error (fail-closed)';
           }
-        } catch (err) {
-          // Fail-closed: timeout or parse error → DENY
-          reason = '[SolonGate AI Judge] Blocked: ' + (err.message || 'error') + ' (fail-closed)';
+          // Auth/config errors (401, 403) → skip AI Judge, don't DENY
+          // Other LLM errors → skip too (policy engine already evaluated)
+
+          } // end else (couldMatchProtected)
+        } catch {
+          // Timeout or parse error → skip AI Judge (policy engine already passed)
         }
       }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.37.0",
+  "version": "0.39.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {