@solongate/proxy 0.42.2 → 0.43.0

package/dist/index.js

@@ -2745,12 +2745,56 @@ var PolicyRuleSchema = z.object({
   createdAt: z.string().datetime(),
   updatedAt: z.string().datetime()
 });
+var GroupPolicyRuleSchema = z.object({
+  toolPattern: z.string().min(1),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
+  effect: z.enum(["ALLOW", "DENY"]),
+  pathConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional(),
+    rootDirectory: z.string().optional(),
+    allowSymlinks: z.boolean().optional()
+  }).optional(),
+  commandConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional(),
+  urlConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional()
+});
+var AgentRelationshipConfigSchema = z.object({
+  source: z.string().min(1),
+  target: z.string().min(1),
+  type: z.enum(["peer", "delegation", "supervisor"]),
+  trustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]).optional(),
+  allowedTools: z.array(z.string()).optional(),
+  deniedTools: z.array(z.string()).optional(),
+  allowedPermissions: z.array(z.string()).optional(),
+  maxDelegationDepth: z.number().int().min(0).max(10).optional()
+});
+var DelegationConfigSchema = z.object({
+  chain: z.array(z.string()).min(2),
+  effectiveTools: z.array(z.string()).optional(),
+  effectivePermissions: z.array(z.string()).optional()
+});
+var AgentTrustMapSchema = z.object({
+  groups: z.record(z.object({
+    description: z.string().optional(),
+    members: z.array(z.string()),
+    rules: z.array(GroupPolicyRuleSchema)
+  })).optional(),
+  relationships: z.array(AgentRelationshipConfigSchema).optional(),
+  delegations: z.array(DelegationConfigSchema).optional()
+});
 var PolicySetSchema = z.object({
   id: z.string().min(1).max(256),
   name: z.string().min(1).max(256),
   description: z.string().max(2048),
   version: z.number().int().min(0),
   rules: z.array(PolicyRuleSchema),
+  agentTrustMap: AgentTrustMapSchema.optional(),
   createdAt: z.string().datetime(),
   updatedAt: z.string().datetime()
 });
@@ -5409,6 +5453,132 @@ var SolonGate = class {
   }
 };
 
+// src/agent-trust.ts
+function matchGlob(value, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*")) return value === pattern;
+  const regex = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
+  return regex.test(value);
+}
+var AgentTrustEvaluator = class {
+  localConfig = null;
+  cloudRulesCache = /* @__PURE__ */ new Map();
+  lastFetchTime = /* @__PURE__ */ new Map();
+  fetchIntervalMs = 6e4;
+  apiKey;
+  apiUrl;
+  constructor(apiKey, apiUrl) {
+    this.apiKey = apiKey;
+    this.apiUrl = apiUrl;
+  }
+  /** Load local trust map from policy.json's agentTrustMap section */
+  loadLocal(config) {
+    this.localConfig = config ?? null;
+  }
+  /** Fetch cloud rules for a specific agent */
+  async fetchCloudRules(agentId) {
+    if (!this.apiKey || !this.apiUrl) return;
+    const lastFetch = this.lastFetchTime.get(agentId) ?? 0;
+    if (Date.now() - lastFetch < this.fetchIntervalMs) return;
+    try {
+      const res = await fetch(`${this.apiUrl}/api/v1/trust-map/rules?agentId=${encodeURIComponent(agentId)}`, {
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json"
+        },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (res.ok) {
+        const data = await res.json();
+        this.cloudRulesCache.set(agentId, data);
+        this.lastFetchTime.set(agentId, Date.now());
+      }
+    } catch {
+    }
+  }
+  /**
+   * Evaluate whether agentId is allowed to call toolName with the given permission.
+   * DENY wins: if either local or cloud rules deny, the tool call is blocked.
+   */
+  evaluate(agentId, toolName, permission, subAgentId) {
+    const effectiveId = subAgentId || agentId;
+    const localDecision = this.evaluateLocal(effectiveId, toolName, permission);
+    if (!localDecision.allowed) return localDecision;
+    const cloudDecision = this.evaluateCloud(effectiveId, toolName, permission);
+    if (!cloudDecision.allowed) return cloudDecision;
+    return { allowed: true, reason: "Passed agent trust checks" };
+  }
+  evaluateLocal(agentId, toolName, permission) {
+    if (!this.localConfig) return { allowed: true, reason: "No local agent trust map" };
+    for (const [groupName, group] of Object.entries(this.localConfig.groups ?? {})) {
+      if (group.members.includes(agentId)) {
+        for (const rule of group.rules) {
+          if (matchGlob(toolName, rule.toolPattern)) {
+            if (rule.permission && rule.permission !== permission) continue;
+            if (rule.effect === "DENY") {
+              return { allowed: false, reason: `Blocked by group "${groupName}": ${rule.toolPattern}` };
+            }
+          }
+        }
+      }
+    }
+    for (const rel of this.localConfig.relationships ?? []) {
+      if (rel.target === agentId) {
+        if (rel.deniedTools?.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Blocked by relationship: ${rel.source} \u2192 ${rel.target}` };
+        }
+        if (rel.allowedTools && rel.allowedTools.length > 0) {
+          if (!rel.allowedTools.some((p) => matchGlob(toolName, p))) {
+            return { allowed: false, reason: `Tool not in allowed list: ${rel.source} \u2192 ${rel.target}` };
+          }
+        }
+      }
+    }
+    for (const del of this.localConfig.delegations ?? []) {
+      if (del.chain.includes(agentId)) {
+        if (del.effectiveTools && del.effectiveTools.length > 0) {
+          if (!del.effectiveTools.some((p) => matchGlob(toolName, p))) {
+            return { allowed: false, reason: `Tool not in delegation chain effective tools` };
+          }
+        }
+      }
+    }
+    return { allowed: true, reason: "Passed local checks" };
+  }
+  evaluateCloud(agentId, toolName, permission) {
+    const rules = this.cloudRulesCache.get(agentId);
+    if (!rules) return { allowed: true, reason: "No cloud rules cached" };
+    for (const group of rules.groups) {
+      for (const rule of group.policyRules) {
+        if (matchGlob(toolName, rule.toolPattern)) {
+          if (rule.permission && rule.permission !== permission) continue;
+          if (rule.effect === "DENY") {
+            return { allowed: false, reason: `Blocked by cloud group "${group.name}": ${rule.toolPattern}` };
+          }
+        }
+      }
+    }
+    for (const rel of rules.relationships) {
+      if (rel.deniedTools.some((p) => matchGlob(toolName, p))) {
+        return { allowed: false, reason: `Blocked by cloud relationship: ${rel.sourceAgentId} \u2192 ${agentId}` };
+      }
+      if (rel.allowedTools.length > 0) {
+        if (!rel.allowedTools.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Tool not in cloud allowed list: ${rel.sourceAgentId} \u2192 ${agentId}` };
+        }
+      }
+    }
+    for (const del of rules.delegations) {
+      if (del.chain.includes(agentId) && del.effectiveTools.length > 0) {
+        if (!del.effectiveTools.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Tool not in cloud delegation chain` };
+        }
+      }
+    }
+    return { allowed: true, reason: "Passed cloud checks" };
+  }
+};
+
 // src/proxy.ts
 init_config();
 
@@ -5940,6 +6110,8 @@ var SolonGateProxy = class {
   httpAgentInfo = /* @__PURE__ */ new Map();
   /** Per-request sub-agent info from HTTP headers (transient, overwritten per request) */
   httpSubAgent = null;
+  /** Agent trust map evaluator for group/relationship/delegation rules */
+  agentTrustEvaluator = null;
   constructor(config) {
     this.config = config;
     this.guardConfig = config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG, advancedDetection: config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG;
@@ -5962,6 +6134,13 @@ var SolonGateProxy = class {
     for (const w of warnings) {
       log2("WARNING:", w);
     }
+    if (config.policy.agentTrustMap || config.apiKey && !config.apiKey.startsWith("sg_test_")) {
+      this.agentTrustEvaluator = new AgentTrustEvaluator(config.apiKey, config.apiUrl);
+      if (config.policy.agentTrustMap) {
+        this.agentTrustEvaluator.loadLocal(config.policy.agentTrustMap);
+        log2("Agent trust map loaded from policy.json");
+      }
+    }
   }
   /** Normalize well-known MCP client names to display-friendly agent identities */
   normalizeAgentName(raw) {
@@ -6193,6 +6372,10 @@ var SolonGateProxy = class {
         } else if (this.config.agentName) {
           log2(`Agent identity from --agent-name flag: ${this.agentName} (clientInfo: ${clientVersion?.name || "none"})`);
         }
+        if (this.agentTrustEvaluator && this.agentId) {
+          this.agentTrustEvaluator.fetchCloudRules(this.agentId).catch(() => {
+          });
+        }
       }
     };
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
@@ -6212,6 +6395,36 @@ var SolonGateProxy = class {
         };
       }
       log2(`Tool call: ${name}`);
+      if (this.agentTrustEvaluator) {
+        const trustDecision = this.agentTrustEvaluator.evaluate(
+          this.agentId ?? "unknown",
+          name,
+          guessPermission(name),
+          subAgent?.subAgentId
+        );
+        if (!trustDecision.allowed) {
+          log2(`DENY: ${name} \u2014 ${trustDecision.reason}`);
+          const apiUrl = this.config.apiUrl || "https://api.solongate.com";
+          if (this.config.apiKey && !this.config.apiKey.startsWith("sg_test_")) {
+            sendAuditLog(this.config.apiKey, apiUrl, {
+              tool: name,
+              arguments: args ?? {},
+              decision: "DENY",
+              reason: trustDecision.reason,
+              permission: guessPermission(name),
+              evaluationTimeMs: 0,
+              agent_id: this.agentId ?? void 0,
+              agent_name: this.agentName ?? void 0,
+              sub_agent_id: subAgent?.subAgentId,
+              sub_agent_name: subAgent?.subAgentName
+            });
+          }
+          return {
+            content: [{ type: "text", text: `Blocked by agent trust policy: ${trustDecision.reason}` }],
+            isError: true
+          };
+        }
+      }
       let piResult;
       if (args && typeof args === "object") {
         const argsCheck = this.config.advancedDetection ? await sanitizeInputAsync("tool.arguments", args, this.guardConfig) : sanitizeInput("tool.arguments", args);

package/dist/lib.js

@@ -692,12 +692,56 @@ var PolicyRuleSchema = z.object({
   createdAt: z.string().datetime(),
   updatedAt: z.string().datetime()
 });
+var GroupPolicyRuleSchema = z.object({
+  toolPattern: z.string().min(1),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
+  effect: z.enum(["ALLOW", "DENY"]),
+  pathConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional(),
+    rootDirectory: z.string().optional(),
+    allowSymlinks: z.boolean().optional()
+  }).optional(),
+  commandConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional(),
+  urlConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional()
+});
+var AgentRelationshipConfigSchema = z.object({
+  source: z.string().min(1),
+  target: z.string().min(1),
+  type: z.enum(["peer", "delegation", "supervisor"]),
+  trustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]).optional(),
+  allowedTools: z.array(z.string()).optional(),
+  deniedTools: z.array(z.string()).optional(),
+  allowedPermissions: z.array(z.string()).optional(),
+  maxDelegationDepth: z.number().int().min(0).max(10).optional()
+});
+var DelegationConfigSchema = z.object({
+  chain: z.array(z.string()).min(2),
+  effectiveTools: z.array(z.string()).optional(),
+  effectivePermissions: z.array(z.string()).optional()
+});
+var AgentTrustMapSchema = z.object({
+  groups: z.record(z.object({
+    description: z.string().optional(),
+    members: z.array(z.string()),
+    rules: z.array(GroupPolicyRuleSchema)
+  })).optional(),
+  relationships: z.array(AgentRelationshipConfigSchema).optional(),
+  delegations: z.array(DelegationConfigSchema).optional()
+});
 var PolicySetSchema = z.object({
   id: z.string().min(1).max(256),
   name: z.string().min(1).max(256),
   description: z.string().max(2048),
   version: z.number().int().min(0),
   rules: z.array(PolicyRuleSchema),
+  agentTrustMap: AgentTrustMapSchema.optional(),
   createdAt: z.string().datetime(),
   updatedAt: z.string().datetime()
 });
@@ -3629,6 +3673,132 @@ import { createServer as createHttpServer } from "http";
 import { resolve as resolve2, join } from "path";
 import { existsSync as existsSync3, readFileSync as readFileSync3, mkdirSync as mkdirSync2, appendFileSync } from "fs";
 
+// src/agent-trust.ts
+function matchGlob(value, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*")) return value === pattern;
+  const regex = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
+  return regex.test(value);
+}
+var AgentTrustEvaluator = class {
+  localConfig = null;
+  cloudRulesCache = /* @__PURE__ */ new Map();
+  lastFetchTime = /* @__PURE__ */ new Map();
+  fetchIntervalMs = 6e4;
+  apiKey;
+  apiUrl;
+  constructor(apiKey, apiUrl) {
+    this.apiKey = apiKey;
+    this.apiUrl = apiUrl;
+  }
+  /** Load local trust map from policy.json's agentTrustMap section */
+  loadLocal(config) {
+    this.localConfig = config ?? null;
+  }
+  /** Fetch cloud rules for a specific agent */
+  async fetchCloudRules(agentId) {
+    if (!this.apiKey || !this.apiUrl) return;
+    const lastFetch = this.lastFetchTime.get(agentId) ?? 0;
+    if (Date.now() - lastFetch < this.fetchIntervalMs) return;
+    try {
+      const res = await fetch(`${this.apiUrl}/api/v1/trust-map/rules?agentId=${encodeURIComponent(agentId)}`, {
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json"
+        },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (res.ok) {
+        const data = await res.json();
+        this.cloudRulesCache.set(agentId, data);
+        this.lastFetchTime.set(agentId, Date.now());
+      }
+    } catch {
+    }
+  }
+  /**
+   * Evaluate whether agentId is allowed to call toolName with the given permission.
+   * DENY wins: if either local or cloud rules deny, the tool call is blocked.
+   */
+  evaluate(agentId, toolName, permission, subAgentId) {
+    const effectiveId = subAgentId || agentId;
+    const localDecision = this.evaluateLocal(effectiveId, toolName, permission);
+    if (!localDecision.allowed) return localDecision;
+    const cloudDecision = this.evaluateCloud(effectiveId, toolName, permission);
+    if (!cloudDecision.allowed) return cloudDecision;
+    return { allowed: true, reason: "Passed agent trust checks" };
+  }
+  evaluateLocal(agentId, toolName, permission) {
+    if (!this.localConfig) return { allowed: true, reason: "No local agent trust map" };
+    for (const [groupName, group] of Object.entries(this.localConfig.groups ?? {})) {
+      if (group.members.includes(agentId)) {
+        for (const rule of group.rules) {
+          if (matchGlob(toolName, rule.toolPattern)) {
+            if (rule.permission && rule.permission !== permission) continue;
+            if (rule.effect === "DENY") {
+              return { allowed: false, reason: `Blocked by group "${groupName}": ${rule.toolPattern}` };
+            }
+          }
+        }
+      }
+    }
+    for (const rel of this.localConfig.relationships ?? []) {
+      if (rel.target === agentId) {
+        if (rel.deniedTools?.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Blocked by relationship: ${rel.source} \u2192 ${rel.target}` };
+        }
+        if (rel.allowedTools && rel.allowedTools.length > 0) {
+          if (!rel.allowedTools.some((p) => matchGlob(toolName, p))) {
+            return { allowed: false, reason: `Tool not in allowed list: ${rel.source} \u2192 ${rel.target}` };
+          }
+        }
+      }
+    }
+    for (const del of this.localConfig.delegations ?? []) {
+      if (del.chain.includes(agentId)) {
+        if (del.effectiveTools && del.effectiveTools.length > 0) {
+          if (!del.effectiveTools.some((p) => matchGlob(toolName, p))) {
+            return { allowed: false, reason: `Tool not in delegation chain effective tools` };
+          }
+        }
+      }
+    }
+    return { allowed: true, reason: "Passed local checks" };
+  }
+  evaluateCloud(agentId, toolName, permission) {
+    const rules = this.cloudRulesCache.get(agentId);
+    if (!rules) return { allowed: true, reason: "No cloud rules cached" };
+    for (const group of rules.groups) {
+      for (const rule of group.policyRules) {
+        if (matchGlob(toolName, rule.toolPattern)) {
+          if (rule.permission && rule.permission !== permission) continue;
+          if (rule.effect === "DENY") {
+            return { allowed: false, reason: `Blocked by cloud group "${group.name}": ${rule.toolPattern}` };
+          }
+        }
+      }
+    }
+    for (const rel of rules.relationships) {
+      if (rel.deniedTools.some((p) => matchGlob(toolName, p))) {
+        return { allowed: false, reason: `Blocked by cloud relationship: ${rel.sourceAgentId} \u2192 ${agentId}` };
+      }
+      if (rel.allowedTools.length > 0) {
+        if (!rel.allowedTools.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Tool not in cloud allowed list: ${rel.sourceAgentId} \u2192 ${agentId}` };
+        }
+      }
+    }
+    for (const del of rules.delegations) {
+      if (del.chain.includes(agentId) && del.effectiveTools.length > 0) {
+        if (!del.effectiveTools.some((p) => matchGlob(toolName, p))) {
+          return { allowed: false, reason: `Tool not in cloud delegation chain` };
+        }
+      }
+    }
+    return { allowed: true, reason: "Passed cloud checks" };
+  }
+};
+
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
 import { appendFile } from "fs/promises";
@@ -4266,6 +4436,8 @@ var SolonGateProxy = class {
   httpAgentInfo = /* @__PURE__ */ new Map();
   /** Per-request sub-agent info from HTTP headers (transient, overwritten per request) */
   httpSubAgent = null;
+  /** Agent trust map evaluator for group/relationship/delegation rules */
+  agentTrustEvaluator = null;
   constructor(config) {
     this.config = config;
     this.guardConfig = config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG, advancedDetection: config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG;
@@ -4288,6 +4460,13 @@ var SolonGateProxy = class {
     for (const w of warnings) {
       log2("WARNING:", w);
     }
+    if (config.policy.agentTrustMap || config.apiKey && !config.apiKey.startsWith("sg_test_")) {
+      this.agentTrustEvaluator = new AgentTrustEvaluator(config.apiKey, config.apiUrl);
+      if (config.policy.agentTrustMap) {
+        this.agentTrustEvaluator.loadLocal(config.policy.agentTrustMap);
+        log2("Agent trust map loaded from policy.json");
+      }
+    }
   }
   /** Normalize well-known MCP client names to display-friendly agent identities */
   normalizeAgentName(raw) {
@@ -4519,6 +4698,10 @@ var SolonGateProxy = class {
         } else if (this.config.agentName) {
           log2(`Agent identity from --agent-name flag: ${this.agentName} (clientInfo: ${clientVersion?.name || "none"})`);
         }
+        if (this.agentTrustEvaluator && this.agentId) {
+          this.agentTrustEvaluator.fetchCloudRules(this.agentId).catch(() => {
+          });
+        }
       }
     };
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
@@ -4538,6 +4721,36 @@ var SolonGateProxy = class {
         };
       }
       log2(`Tool call: ${name}`);
+      if (this.agentTrustEvaluator) {
+        const trustDecision = this.agentTrustEvaluator.evaluate(
+          this.agentId ?? "unknown",
+          name,
+          guessPermission(name),
+          subAgent?.subAgentId
+        );
+        if (!trustDecision.allowed) {
+          log2(`DENY: ${name} \u2014 ${trustDecision.reason}`);
+          const apiUrl = this.config.apiUrl || "https://api.solongate.com";
+          if (this.config.apiKey && !this.config.apiKey.startsWith("sg_test_")) {
+            sendAuditLog(this.config.apiKey, apiUrl, {
+              tool: name,
+              arguments: args ?? {},
+              decision: "DENY",
+              reason: trustDecision.reason,
+              permission: guessPermission(name),
+              evaluationTimeMs: 0,
+              agent_id: this.agentId ?? void 0,
+              agent_name: this.agentName ?? void 0,
+              sub_agent_id: subAgent?.subAgentId,
+              sub_agent_name: subAgent?.subAgentName
+            });
+          }
+          return {
+            content: [{ type: "text", text: `Blocked by agent trust policy: ${trustDecision.reason}` }],
+            isError: true
+          };
+        }
+      }
       let piResult;
       if (args && typeof args === "object") {
         const argsCheck = this.config.advancedDetection ? await sanitizeInputAsync("tool.arguments", args, this.guardConfig) : sanitizeInput("tool.arguments", args);

package/hooks/guard.mjs

@@ -366,6 +366,66 @@ function evaluate(policy, args) {
   return null;
 }
 
+// ── Agent Trust Map Evaluation ──
+function matchTrustGlob(value, pattern) {
+  if (pattern === '*') return true;
+  if (!pattern.includes('*')) return value === pattern;
+  const regex = new RegExp('^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
+  return regex.test(value);
+}
+
+function evaluateAgentTrust(policy, agentId, toolName, permission) {
+  const trustMap = policy && policy.agentTrustMap;
+  if (!trustMap) return null;
+
+  // 1. Group rules
+  if (trustMap.groups) {
+    for (const [groupName, group] of Object.entries(trustMap.groups)) {
+      if (group.members && group.members.includes(agentId)) {
+        for (const rule of (group.rules || [])) {
+          if (matchTrustGlob(toolName, rule.toolPattern)) {
+            if (rule.permission && rule.permission !== permission) continue;
+            if (rule.effect === 'DENY') {
+              return 'Blocked by agent group "' + groupName + '": ' + rule.toolPattern;
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // 2. Relationship rules (where this agent is the target)
+  if (trustMap.relationships) {
+    for (const rel of trustMap.relationships) {
+      if (rel.target === agentId) {
+        if (rel.deniedTools && rel.deniedTools.some(p => matchTrustGlob(toolName, p))) {
+          return 'Blocked by relationship: ' + rel.source + ' → ' + rel.target;
+        }
+        if (rel.allowedTools && rel.allowedTools.length > 0) {
+          if (!rel.allowedTools.some(p => matchTrustGlob(toolName, p))) {
+            return 'Tool not in allowed list: ' + rel.source + ' → ' + rel.target;
+          }
+        }
+      }
+    }
+  }
+
+  // 3. Delegation chains
+  if (trustMap.delegations) {
+    for (const del of trustMap.delegations) {
+      if (del.chain && del.chain.includes(agentId)) {
+        if (del.effectiveTools && del.effectiveTools.length > 0) {
+          if (!del.effectiveTools.some(p => matchTrustGlob(toolName, p))) {
+            return 'Tool not in delegation chain effective tools';
+          }
+        }
+      }
+    }
+  }
+
+  return null;
+}
+
 // ── Main ──
 let input = '';
 process.stdin.on('data', c => input += c);
@@ -394,6 +454,7 @@ process.stdin.on('end', async () => {
       session_id: raw.session_id || raw.sessionId || raw.conversation_id || '',
     };
     const args = data.tool_input;
+    const toolName = data.tool_name || '';
 
     // ── Self-protection: block access to hook files and settings ──
     // Hardcoded, no bypass possible — runs before policy/PI config
@@ -997,7 +1058,7 @@ process.stdin.on('end', async () => {
     }
 
     // ── Per-tool config: check if PI scanning is disabled for this tool ──
-    const toolName = data.tool_name || '';
+    // toolName already defined above (before self-protection)
     if (piCfg.piToolConfig && typeof piCfg.piToolConfig === 'object') {
       if (piCfg.piToolConfig[toolName] === false) {
         // PI scanning explicitly disabled for this tool — skip detection
@@ -1141,8 +1202,91 @@ process.stdin.on('end', async () => {
       allowTool(); // No policy = allow all
     }
 
+    // ── Fetch cloud trust-map rules and merge into policy.agentTrustMap ──
+    if (API_KEY && API_KEY.startsWith('sg_live_') && AGENT_ID) {
+      const tmCacheFile = join(resolve('.solongate'), '.trust-rules-cache.json');
+      let tmCached = null;
+      try {
+        if (existsSync(tmCacheFile)) {
+          const cached = JSON.parse(readFileSync(tmCacheFile, 'utf-8'));
+          if (cached._ts && Date.now() - cached._ts < 60000 && cached._agentId === AGENT_ID) {
+            tmCached = cached;
+          }
+        }
+      } catch {}
+      if (!tmCached) {
+        try {
+          const tmRes = await fetch(API_URL + '/api/v1/trust-map/rules?agentId=' + encodeURIComponent(AGENT_ID), {
+            headers: { 'Authorization': 'Bearer ' + API_KEY },
+            signal: AbortSignal.timeout(5000),
+          });
+          if (tmRes.ok) {
+            tmCached = await tmRes.json();
+            tmCached._ts = Date.now();
+            tmCached._agentId = AGENT_ID;
+            try { writeFileSync(tmCacheFile, JSON.stringify(tmCached)); } catch {}
+          }
+        } catch {}
+      }
+      if (tmCached) {
+        if (!policy) policy = {};
+        if (!policy.agentTrustMap) policy.agentTrustMap = {};
+        const tm = policy.agentTrustMap;
+
+        // Merge cloud groups into local groups
+        if (tmCached.groups && tmCached.groups.length > 0) {
+          if (!tm.groups) tm.groups = {};
+          for (const g of tmCached.groups) {
+            const key = 'cloud_' + g.id;
+            if (!tm.groups[key]) {
+              tm.groups[key] = {
+                members: [AGENT_ID],
+                rules: (g.policyRules || []).map(r => ({
+                  toolPattern: r.toolPattern || '*',
+                  permission: r.permission,
+                  effect: r.effect || 'DENY',
+                })),
+              };
+            }
+          }
+        }
+
+        // Merge cloud relationships into local relationships
+        if (tmCached.relationships && tmCached.relationships.length > 0) {
+          if (!tm.relationships) tm.relationships = [];
+          for (const r of tmCached.relationships) {
+            tm.relationships.push({
+              source: r.sourceAgentId,
+              target: AGENT_ID,
+              type: r.relationshipType || 'peer',
+              allowedTools: r.allowedTools || [],
+              deniedTools: r.deniedTools || [],
+            });
+          }
+        }
+
+        // Merge cloud delegations into local delegations
+        if (tmCached.delegations && tmCached.delegations.length > 0) {
+          if (!tm.delegations) tm.delegations = [];
+          for (const d of tmCached.delegations) {
+            tm.delegations.push({
+              chain: d.chain || [],
+              effectiveTools: d.effectiveTools || [],
+              effectivePermissions: d.effectivePermissions || [],
+            });
+          }
+        }
+      }
+    }
+
     let reason = evaluate(policy, args);
 
+    // ── Agent Trust Map evaluation ──
+    if (!reason) {
+      const trustReason = evaluateAgentTrust(policy, AGENT_ID, toolName, guessPermission(toolName));
+      if (trustReason) reason = trustReason;
+    }
+
     // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
     if (!reason) {
       let GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.42.2",
+  "version": "0.43.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {