@solongate/proxy 0.43.0 → 0.45.0

package/hooks/guard.mjs

@@ -1,14 +1,30 @@
 #!/usr/bin/env node
 /**
- * SolonGate Policy Guard Hook (PreToolUse)
- * Reads policy.json and blocks tool calls that violate constraints.
- * Also runs prompt injection detection (Stage 1 rules) on tool arguments.
+ * SolonGate Cloud Policy Guard Hook (PreToolUse) — GLOBAL system-wide enforcement.
+ *
+ * This is the cloud twin of the air-gapped guard hook. Identical decision engine
+ * (OPA WASM, NIST SP 800-207 PDP, fail-closed), but the policy + compiled WASM
+ * are fetched from SolonGate Cloud and authenticated with the project API key.
+ * Installed globally (~/.claude/settings.json) it intercepts EVERY tool call from
+ * EVERY Claude Code session on the machine — exactly like the air-gapped product,
+ * just sourced from the cloud instead of a local docker API.
+ *
+ * Cloud differences vs. air-gap guard.mjs:
+ *   - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call.
+ *   - API_URL defaults to https://api.solongate.com.
+ *   - Enforcement is gated on the API key (the key identifies the project +
+ *     its active policy), NOT on SOLONGATE_AGENT_ID.
+ *   - No AI Judge and NO gray route: cloud routing is binary, WHITE (allow) /
+ *     BLACK (block). The OPA policy alone decides; nothing is escalated.
+ *
  * Exit code 2 = BLOCK, exit code 0 = ALLOW.
  * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs.
- * Auto-installed by: npx @solongate/proxy init
+ * Auto-installed by: npx @solongate/proxy init --global
  */
 import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync } from 'node:fs';
 import { resolve, join } from 'node:path';
+import { homedir } from 'node:os';
+import { gunzipSync } from 'node:zlib';
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -20,7 +36,7 @@ function safeReadFileSync(filePath, encoding = 'utf-8') {
   } catch { return ''; }
 }
 
-// ── Load API key from .env file (Claude Code doesn't load .env into process.env) ──
+// ── Load .env file (Claude Code doesn't load .env into process.env) ──
 function loadEnvKey(dir) {
   try {
     const envPath = resolve(dir, '.env');
@@ -35,6 +51,20 @@ function loadEnvKey(dir) {
   } catch { return {}; }
 }
 
+// ── Global cloud config (~/.solongate/cloud-guard.json) ──
+// A GLOBAL hook runs from an arbitrary cwd every session, so a project-local
+// .env can't be relied on to carry the API key. The global installer writes the
+// key + URL here once; this absolute path is read regardless of cwd. Shape:
+//   { "apiKey": "sg_live_…", "apiUrl": "https://api.solongate.com" }
+function loadGlobalCloudConfig() {
+  try {
+    const p = resolve(homedir(), '.solongate', 'cloud-guard.json');
+    if (!existsSync(p)) return {};
+    const cfg = JSON.parse(readFileSync(p, 'utf-8'));
+    return (cfg && typeof cfg === 'object') ? cfg : {};
+  } catch { return {}; }
+}
+
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -45,12 +75,34 @@ function guessPermission(toolName) {
 
 const hookCwdEarly = process.cwd();
 const dotenv = loadEnvKey(hookCwdEarly);
-const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || '';
-const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || 'https://api.solongate.com';
-
-// Agent identity from CLI args: node guard.mjs <agent_id> <agent_name>
-const AGENT_ID = process.argv[2] || 'claude-code';
-const AGENT_NAME = process.argv[3] || 'Claude Code';
+const globalCfg = loadGlobalCloudConfig();
+// Resolution order: process env → project-local .env → global ~/.solongate
+// config. The global config is what makes a system-wide install self-sufficient.
+const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || globalCfg.apiUrl || 'https://api.solongate.com';
+// Cloud API key (sg_live_… / sg_test_…). The key identifies the project AND
+// authenticates every API call (active policy, compiled WASM, audit logs). When
+// absent, this hook does nothing — a machine with no key is intentionally
+// unenforced (the cloud has no policy to apply).
+const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || globalCfg.apiKey || '';
+// Auth headers attached to every cloud API request. Cloud accepts either the
+// Authorization: Bearer form or X-API-Key; we send both for robustness.
+const AUTH_HEADERS = API_KEY ? { 'Authorization': 'Bearer ' + API_KEY, 'X-API-Key': API_KEY } : {};
+
+// Two distinct identities, deliberately kept separate:
+//
+//   AGENT_TYPE — the real AI client running this hook (claude-code /
+//   gemini-cli / openclaw). Baked into the hook registration by the installer
+//   as argv[2] (e.g. `node guard.mjs claude-code`). Decides the response
+//   format AND whether a selected policy actually applies to this client.
+//
+//   POLICY_SELECTOR — set per-terminal via SOLONGATE_AGENT_ID (a policy id
+//   from the dashboard "Use in terminal" button, or an agent name). Decides
+//   WHICH policy to load. When unset, no policy is enforced — a plain launch
+//   is intentionally unrestricted.
+const AGENT_TYPE = process.argv[2] || 'claude-code';
+const POLICY_SELECTOR = process.env.SOLONGATE_AGENT_ID || '';
+const AGENT_ID = POLICY_SELECTOR || AGENT_TYPE;
+const AGENT_NAME = process.env.SOLONGATE_AGENT_NAME || process.argv[3] || AGENT_TYPE;
 
 // ── Per-tool block/allow output ──
 // Response format depends on the agent:
@@ -58,7 +110,7 @@ const AGENT_NAME = process.argv[3] || 'Claude Code';
 // Gemini CLI:   {"decision": "deny/allow", "reason": "..."}
 
 function blockTool(reason) {
-  if (AGENT_ID === 'gemini-cli') {
+  if (AGENT_TYPE === 'gemini-cli') {
     process.stdout.write(JSON.stringify({
       decision: 'deny',
       reason: `[SolonGate] ${reason}`,
@@ -72,7 +124,7 @@ function blockTool(reason) {
 }
 
 function allowTool() {
-  if (AGENT_ID === 'gemini-cli') {
+  if (AGENT_TYPE === 'gemini-cli') {
     process.stdout.write(JSON.stringify({ decision: 'allow' }));
   }
   process.exit(0);
@@ -261,25 +313,69 @@ function looksLikeFilename(s) {
   return known.includes(s.toLowerCase());
 }
 
+// Deterministic shell normalizer — handles the common bypass tricks BEFORE
+// any semantic check, so OPA's literal matcher sees the canonical command.
+// Specifically: variable assignment + interpolation, quote concatenation
+// (.e""nv, ."env"). Doesn't try to be a full shell — just enough to defeat
+// the obfuscation patterns AI judges keep getting wrong non-deterministically.
+function normalizeShellCommand(cmd) {
+  if (typeof cmd !== 'string' || !cmd) return cmd;
+  const vars = {};
+  const out = [];
+  // Split on statement separators (; && ||) but NOT pipes (|).
+  for (const rawPart of cmd.split(/\s*(?:;|&&|\|\|)\s*/)) {
+    let part = rawPart;
+    // Detect var assignment: NAME=value | NAME="value" | NAME='value'
+    const m = part.match(/^(\w+)=(?:"([^"]*)"|'([^']*)'|([^\s;&|]*))\s*$/);
+    if (m) {
+      vars[m[1]] = m[2] ?? m[3] ?? m[4] ?? '';
+      continue;
+    }
+    // Substitute ${var} then $var.
+    part = part.replace(/\$\{(\w+)\}/g, (_, n) => vars[n] !== undefined ? vars[n] : '${' + n + '}');
+    part = part.replace(/\$(\w+)/g, (_, n) => vars[n] !== undefined ? vars[n] : '$' + n);
+    // Collapse quote-concat: a"b"c → abc, .e""nv → .env, ."env" → .env
+    part = part.replace(/"([^"]*)"/g, '$1').replace(/'([^']*)'/g, '$1');
+    out.push(part);
+  }
+  return out.join('; ');
+}
+
+// Normalize all shell-command-valued fields of an args object before tokenizing.
+function normalizeArgs(args) {
+  if (!args || typeof args !== 'object') return args;
+  const fields = ['command', 'cmd', 'function', 'script', 'shell'];
+  const copy = { ...args };
+  for (const [k, v] of Object.entries(copy)) {
+    if (fields.includes(k.toLowerCase()) && typeof v === 'string') {
+      copy[k] = normalizeShellCommand(v);
+    }
+  }
+  return copy;
+}
+
 function extractFilenames(args) {
+  args = normalizeArgs(args);
   const names = new Set();
+  // Strip surrounding/trailing quotes — `"…/secret.env"` must reduce to
+  // `secret.env`, not `secret.env"` (a trailing quote breaks the *.env glob).
+  const dequote = (t) => t.replace(/^["'`]+/, '').replace(/["'`]+$/, '');
   for (const s of scanStrings(args)) {
     if (/^https?:\/\//i.test(s)) continue;
-    if (s.includes('/') || s.includes('\\')) {
-      const base = s.replace(/\\/g, '/').split('/').pop();
-      if (base) names.add(base);
-      continue;
-    }
-    if (s.includes(' ')) {
-      for (const tok of s.split(/\s+/)) {
-        if (tok.includes('/') || tok.includes('\\')) {
-          const b = tok.replace(/\\/g, '/').split('/').pop();
-          if (b && looksLikeFilename(b)) names.add(b);
-        } else if (looksLikeFilename(tok)) names.add(tok);
+    // Process EVERY whitespace-separated token, not just the last `/` segment of
+    // the whole string. Multi-file commands (`rm a b c`) must check all of them.
+    const tokens = s.includes(' ') ? s.split(/\s+/) : [s];
+    const single = tokens.length === 1;
+    for (let tok of tokens) {
+      tok = dequote(tok);
+      if (!tok || /^https?:\/\//i.test(tok)) continue;
+      if (tok.includes('/') || tok.includes('\\')) {
+        const b = dequote(tok.replace(/\\/g, '/').split('/').pop() || '');
+        if (b && (single || looksLikeFilename(b))) names.add(b);
+      } else if (looksLikeFilename(tok)) {
+        names.add(tok);
       }
-      continue;
     }
-    if (looksLikeFilename(s)) names.add(s);
   }
   return [...names];
 }
@@ -298,6 +394,7 @@ function extractUrls(args) {
 }
 
 function extractCommands(args) {
+  args = normalizeArgs(args);
   const cmds = [];
   const fields = ['command', 'cmd', 'function', 'script', 'shell'];
   if (typeof args === 'object' && args) {
@@ -322,1155 +419,684 @@ function extractPaths(args) {
   return paths;
 }
 
-// ── Policy Evaluation ──
-function evaluate(policy, args) {
-  if (!policy || !policy.rules) return null;
-  const denyRules = policy.rules
-    .filter(r => r.effect === 'DENY' && r.enabled !== false)
-    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
+// ── Hardcoded Tamper Protection ──
+// Runs BEFORE policy evaluation. Cannot be disabled by editing policies.
+// Even if all policy rules are removed, these stay enforced.
+const TAMPER_GUARD_TOOLS_WRITE = new Set([
+  'write', 'edit', 'multiedit', 'notebookedit',
+  'create', 'update', 'delete', 'remove', 'move', 'rename', 'copy',
+  'filesystem', 'fs_write', 'fs_edit', 'str_replace_editor',
+]);
+const TAMPER_GUARD_TOOLS_EXEC = new Set([
+  'bash', 'powershell', 'shell', 'exec', 'run', 'eval', 'cmd',
+]);
+const TAMPER_HOME = resolve(homedir()).replace(/\\/g, '/').toLowerCase();
+const TAMPER_SG = '/.solongate';
+const TAMPER_CC = '/.claude';
+const TAMPER_PROTECTED_ABS = [
+  TAMPER_HOME + TAMPER_CC + '/settings.json',
+  TAMPER_HOME + TAMPER_CC + '/settings.local.json',
+  TAMPER_HOME + TAMPER_SG + '/hooks',
+  TAMPER_HOME + TAMPER_SG + '/policy.json',
+  TAMPER_HOME + TAMPER_SG + '/.policy-cache.json',
+  // The cloud credential (contains the API key) — never readable via a tool.
+  TAMPER_HOME + TAMPER_SG + '/cloud-guard.json',
+];
+const TAMPER_INSTALL = '/solongate';
+const TAMPER_PROTECTED_GLOBS = [
+  '**' + TAMPER_CC + '/settings.json',
+  '**' + TAMPER_CC + '/settings.local.json',
+  '**' + TAMPER_SG + '/hooks/**',
+  '**' + TAMPER_SG + '/policy.json',
+  '**' + TAMPER_SG + '/.policy-cache.json',
+  '**' + TAMPER_SG + '/.policy-cache-*.json',
+  '**' + TAMPER_SG + '/.pi-config-cache.json',
+  '**' + TAMPER_SG + '/cloud-guard.json',
+  '**' + TAMPER_SG + '/.opa-wasm-*.json',
+  // Persistent host data (DB + audit JSONL) at ~/.solongate/data
+  '**' + TAMPER_SG + '/data/**',
+  // Customer install layout (zip extracted as solongate/)
+  '**' + TAMPER_INSTALL + '/compose/**',
+  '**' + TAMPER_INSTALL + '/data/**',
+  '**' + TAMPER_INSTALL + '/images/**',
+  '**' + TAMPER_INSTALL + '/helm/**',
+  '**' + TAMPER_INSTALL + '/solongate.exe',
+  '**' + TAMPER_INSTALL + '/setup.sh',
+];
+const TAMPER_BASENAMES = [
+  'guard.mjs', 'audit.mjs', 'stop.mjs',
+  'policy.json', '.policy-cache.json',
+  '.pi-config-cache.json', 'cloud-guard.json',
+  // Customer install: DB and wizard exe
+  'solongate.db', 'solongate.exe',
+];
+const TAMPER_PATH_FIELDS = new Set([
+  'file_path', 'path', 'target_file', 'notebook_path',
+  'dest', 'destination', 'source', 'src', 'from', 'to',
+  'directory', 'dir', 'folder',
+]);
+
+function normTamperPath(p) {
+  return String(p || '').replace(/\\/g, '/').toLowerCase();
+}
 
-  for (const rule of denyRules) {
-    if (rule.filenameConstraints && rule.filenameConstraints.denied) {
-      const filenames = extractFilenames(args);
-      for (const fn of filenames) {
-        for (const pat of rule.filenameConstraints.denied) {
-          if (matchGlob(fn, pat)) return 'Blocked by policy: filename "' + fn + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.urlConstraints && rule.urlConstraints.denied) {
-      const urls = extractUrls(args);
-      for (const url of urls) {
-        for (const pat of rule.urlConstraints.denied) {
-          if (matchGlob(url, pat)) return 'Blocked by policy: URL "' + url + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.commandConstraints && rule.commandConstraints.denied) {
-      const cmds = extractCommands(args);
-      for (const cmd of cmds) {
-        for (const pat of rule.commandConstraints.denied) {
-          if (matchGlob(cmd, pat)) return 'Blocked by policy: command "' + cmd.slice(0,60) + '" matches "' + pat + '"';
-        }
-      }
-    }
-    if (rule.pathConstraints && rule.pathConstraints.denied) {
-      const paths = extractPaths(args);
-      for (const p of paths) {
-        for (const pat of rule.pathConstraints.denied) {
-          if (matchPathGlob(p, pat)) return 'Blocked by policy: path "' + p + '" matches "' + pat + '"';
-        }
-      }
-    }
+function isProtectedPath(p) {
+  if (!p) return false;
+  const np = normTamperPath(p);
+  for (const abs of TAMPER_PROTECTED_ABS) {
+    if (np === abs || np.startsWith(abs + '/')) return abs;
   }
-  return null;
+  for (const g of TAMPER_PROTECTED_GLOBS) {
+    if (matchPathGlob(np, g)) return g;
+  }
+  if (/\/\.claude\/settings(\.local)?\.json$/.test(np)) return 'settings.json';
+  if (/\/\.solongate\/hooks(\/|$)/.test(np)) return 'solongate-hooks';
+  return false;
 }
 
-// ── Agent Trust Map Evaluation ──
-function matchTrustGlob(value, pattern) {
-  if (pattern === '*') return true;
-  if (!pattern.includes('*')) return value === pattern;
-  const regex = new RegExp('^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
-  return regex.test(value);
+function commandTargetsProtected(cmd) {
+  const c = String(cmd || '').toLowerCase();
+  if (!c) return false;
+  for (const b of TAMPER_BASENAMES) {
+    if (c.includes(b.toLowerCase())) return b;
+  }
+  if (/\.claude[\\/]+settings(\.local)?\.json/.test(c)) return 'settings.json';
+  if (/\.solongate[\\/]+hooks/.test(c)) return 'solongate-hooks';
+  // Customer install dirs
+  if (/[\\/]solongate[\\/]+(compose|data|images|helm)[\\/]/.test(c)) return 'solongate-install';
+  // Mutating API calls against policies / audit-logs endpoints
+  const mutating = /\b(post|put|delete|patch)\b/.test(c) ||
+                   /(-x|--request|-method)\s+(post|put|delete|patch)\b/.test(c);
+  if (mutating && /api\/v1\/(policies|audit-logs)/.test(c)) return 'api-policies-mutation';
+  return false;
 }
 
-function evaluateAgentTrust(policy, agentId, toolName, permission) {
-  const trustMap = policy && policy.agentTrustMap;
-  if (!trustMap) return null;
-
-  // 1. Group rules
-  if (trustMap.groups) {
-    for (const [groupName, group] of Object.entries(trustMap.groups)) {
-      if (group.members && group.members.includes(agentId)) {
-        for (const rule of (group.rules || [])) {
-          if (matchTrustGlob(toolName, rule.toolPattern)) {
-            if (rule.permission && rule.permission !== permission) continue;
-            if (rule.effect === 'DENY') {
-              return 'Blocked by agent group "' + groupName + '": ' + rule.toolPattern;
-            }
+function extractTargetPaths(args) {
+  const out = [];
+  if (typeof args !== 'object' || !args) return out;
+  for (const [k, v] of Object.entries(args)) {
+    const lk = k.toLowerCase();
+    if (TAMPER_PATH_FIELDS.has(lk) && typeof v === 'string') out.push(v);
+    if (Array.isArray(v)) {
+      for (const item of v) {
+        if (item && typeof item === 'object') {
+          for (const [k2, v2] of Object.entries(item)) {
+            if (TAMPER_PATH_FIELDS.has(k2.toLowerCase()) && typeof v2 === 'string') out.push(v2);
           }
         }
       }
     }
   }
+  return out;
+}
 
-  // 2. Relationship rules (where this agent is the target)
-  if (trustMap.relationships) {
-    for (const rel of trustMap.relationships) {
-      if (rel.target === agentId) {
-        if (rel.deniedTools && rel.deniedTools.some(p => matchTrustGlob(toolName, p))) {
-          return 'Blocked by relationship: ' + rel.source + ' → ' + rel.target;
-        }
-        if (rel.allowedTools && rel.allowedTools.length > 0) {
-          if (!rel.allowedTools.some(p => matchTrustGlob(toolName, p))) {
-            return 'Tool not in allowed list: ' + rel.source + ' → ' + rel.target;
-          }
-        }
-      }
-    }
+function tamperCheck(toolName, args) {
+  const tn = String(toolName || '').toLowerCase();
+  const isExec = TAMPER_GUARD_TOOLS_EXEC.has(tn) || /bash|shell|exec|powershell|cmd|run|eval/.test(tn);
+  // ANY tool that targets a protected path is blocked — READ as well as write.
+  // An AI must not even read SolonGate's own protection files. This is enforced
+  // at the tool boundary; the hooks themselves are run by node directly (not via
+  // a Claude Code tool), so node still loads/executes them normally.
+  // Check the tool's TARGET PATH fields only (file_path, path, …) — never the
+  // free-form content/body, which would false-positive on any file that merely
+  // mentions a protected path in its text.
+  for (const p of extractTargetPaths(args)) {
+    const hit = isProtectedPath(p);
+    if (hit) return 'Tamper protection: access to "' + p + '" is blocked (protected: ' + hit + ')';
   }
-
-  // 3. Delegation chains
-  if (trustMap.delegations) {
-    for (const del of trustMap.delegations) {
-      if (del.chain && del.chain.includes(agentId)) {
-        if (del.effectiveTools && del.effectiveTools.length > 0) {
-          if (!del.effectiveTools.some(p => matchTrustGlob(toolName, p))) {
-            return 'Tool not in delegation chain effective tools';
-          }
-        }
-      }
+  if (isExec) {
+    for (const cmd of extractCommands(args)) {
+      const hit = commandTargetsProtected(cmd);
+      if (hit) return 'Tamper protection: command references protected resource "' + hit + '" — blocked';
     }
   }
-
   return null;
 }
 
-// ── Main ──
-let input = '';
-process.stdin.on('data', c => input += c);
-process.stdin.on('end', async () => {
-  try {
-    const raw = JSON.parse(input);
-
-    // Debug: append guard invocation to debug log
-    try {
-      const { appendFileSync: afs, mkdirSync: mds } = await import('node:fs');
-      mds(resolve('.solongate'), { recursive: true });
-      const debugLine = JSON.stringify({ ts: new Date().toISOString(), hook: 'guard', argv: process.argv.slice(2), tool_name: raw.tool_name || raw.toolName || raw.command, agent_id: AGENT_ID }) + '\n';
-      afs(resolve('.solongate', '.debug-guard-log'), debugLine);
-    } catch {}
-
-    let mappedToolName = raw.tool_name || raw.toolName || '';
-    let mappedToolInput = raw.tool_input || raw.toolInput || raw.params || {};
-
-    // Normalize field names across tools
-    const data = {
-      ...raw,
-      tool_name: mappedToolName,
-      tool_input: mappedToolInput,
-      tool_response: raw.tool_response || raw.toolResponse || {},
-      cwd: raw.cwd || process.cwd(),
-      session_id: raw.session_id || raw.sessionId || raw.conversation_id || '',
-    };
-    const args = data.tool_input;
-    const toolName = data.tool_name || '';
-
-    // ── Self-protection: block access to hook files and settings ──
-    // Hardcoded, no bypass possible — runs before policy/PI config
-    // Fully protected: block ALL access (read, write, delete, move)
-    const protectedPaths = [
-      '.solongate', '.claude', '.gemini', '.openclaw',
-      'policy.json', '.mcp.json',
-    ];
-    // Write-protected: block write/delete/modify, allow read (cat, grep, head, etc.)
-    const writeProtectedPaths = ['.env', '.gitignore'];
-
-    // Block helper — logs to cloud + exits with code 2
-    async function blockSelfProtection(reason) {
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: data.tool_name || '', arguments: args,
-              decision: 'DENY', reason,
-              permission: guessPermission(data.tool_name || ''),
-              source: `${AGENT_ID}-guard`,
-              agent_id: AGENT_ID, agent_name: AGENT_NAME,
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
-      }
-      writeDenyFlag(toolName);
-      blockTool(reason);
-    }
-
-    // ── Normalization layers ──
-
-    // 1. Decode ANSI-C quoting: $'\x72' → r, $'\162' → r, $'\n' → newline
-    function decodeAnsiC(s) {
-      return s.replace(/\$'([^']*)'/g, (_, content) => {
-        return content
-          .replace(/\\x([0-9a-fA-F]{2})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
-          .replace(/\\([0-7]{1,3})/g, (__, oct) => String.fromCharCode(parseInt(oct, 8)))
-          .replace(/\\u([0-9a-fA-F]{4})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
-          .replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\r/g, '\r')
-          .replace(/\\(.)/g, '$1');
-      });
-    }
-
-    // 2. Strip all shell quoting: empty quotes, single, double, backslash escapes
-    function stripShellQuotes(s) {
-      let r = s;
-      r = r.replace(/""/g, '');    // empty double quotes
-      r = r.replace(/''/g, '');    // empty single quotes
-      r = r.replace(/\\(.)/g, '$1'); // backslash escapes
-      r = r.replace(/'/g, '');     // remaining single quotes
-      r = r.replace(/"/g, '');     // remaining double quotes
-      return r;
-    }
-
-    // 3. Full normalization pipeline
-    function normalizeShell(s) {
-      return stripShellQuotes(decodeAnsiC(s));
-    }
-
-    // 4. Extract inner commands from eval, bash -c, sh -c, pipe to bash/sh, heredoc, process substitution
-    function extractInnerCommands(s) {
-      const inner = [];
-      // eval "cmd" or eval 'cmd' or eval cmd
-      for (const m of s.matchAll(/\beval\s+["']([^"']+)["']/gi)) inner.push(m[1]);
-      for (const m of s.matchAll(/\beval\s+([^;"'|&]+)/gi)) inner.push(m[1]);
-      // bash -c "cmd" or sh -c "cmd"
-      for (const m of s.matchAll(/\b(?:bash|sh)\s+-c\s+["']([^"']+)["']/gi)) inner.push(m[1]);
-      // echo "cmd" | bash/sh or printf "cmd" | bash/sh
-      for (const m of s.matchAll(/(?:echo|printf)\s+["']([^"']+)["']\s*\|\s*(?:bash|sh)\b/gi)) inner.push(m[1]);
-      // find ... -name "pattern" ... -exec ...
-      for (const m of s.matchAll(/-name\s+["']?([^\s"']+)["']?/gi)) inner.push(m[1]);
-      // Heredoc: bash << 'EOF'\n...\nEOF or bash <<- EOF\n...\nEOF
-      for (const m of s.matchAll(/<<-?\s*['"]?(\w+)['"]?\s*\n([\s\S]*?)\n\s*\1/gi)) inner.push(m[2]);
-      // Herestring: bash <<< "cmd"
-      for (const m of s.matchAll(/<<<\s*["']([^"']+)["']/gi)) inner.push(m[1]);
-      for (const m of s.matchAll(/<<<\s*([^\s;&|]+)/gi)) inner.push(m[1]);
-      // Process substitution: <(cmd) or >(cmd)
-      for (const m of s.matchAll(/[<>]\(\s*([^)]+)\s*\)/gi)) inner.push(m[1]);
-      return inner;
-    }
-
-    // 5. Check variable assignments for protected path fragments
-    // e.g. X=".solon" && rm -rf ${X}gate → detects ".solon" as prefix of ".solongate"
-    function checkVarAssignments(s) {
-      const assignments = [...s.matchAll(/(\w+)=["']?([^"'\s&|;]+)["']?/g)];
-      for (const [, , value] of assignments) {
-        const v = value.toLowerCase();
-        if (v.length < 3) continue; // avoid false positives
-        for (const p of protectedPaths) {
-          if (p.startsWith(v) || p.includes(v)) return p;
-        }
-      }
-      return null;
-    }
+// ── Policy Evaluation ──
 
-    // 6. Check if a glob/wildcard could match any protected path
-    function globMatchesProtected(s) {
-      const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
-      if (!hasWild) return null;
-      const segments = s.split('/').filter(Boolean);
-      const candidates = [s, ...segments];
-      for (const candidate of candidates) {
-        const candHasWild = candidate.includes('*') || candidate.includes('?') || /\[.+\]/.test(candidate);
-        if (!candHasWild) continue;
-        // Prefix match: ".antig*" → prefix ".antig"
-        const firstWild = Math.min(
-          candidate.includes('*') ? candidate.indexOf('*') : Infinity,
-          candidate.includes('?') ? candidate.indexOf('?') : Infinity,
-          /\[/.test(candidate) ? candidate.indexOf('[') : Infinity,
-        );
-        const prefix = candidate.slice(0, firstWild).toLowerCase();
-        if (prefix.length > 0) {
-          for (const p of protectedPaths) {
-            if (p.startsWith(prefix)) return p;
-          }
-        }
-        // Regex match — convert shell glob to regex
-        // Handles *, ?, and [...] character classes
-        try {
-          let regex = '';
-          let i = 0;
-          const c = candidate.toLowerCase();
-          while (i < c.length) {
-            if (c[i] === '*') { regex += '.*'; i++; }
-            else if (c[i] === '?') { regex += '.'; i++; }
-            else if (c[i] === '[') {
-              // Pass through [...] as regex character class
-              const close = c.indexOf(']', i + 1);
-              if (close !== -1) {
-                regex += c.slice(i, close + 1);
-                i = close + 1;
-              } else {
-                regex += '\\['; i++;
-              }
-            }
-            else {
-              regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&');
-              i++;
-            }
-          }
-          const re = new RegExp('^' + regex + '$', 'i');
-          for (const p of protectedPaths) {
-            if (re.test(p)) return p;
-          }
-        } catch {}
-      }
-      return null;
-    }
+// Permission filter: a rule with rule.permission set only applies to tool
+// calls whose guessed permission category is in that list. Empty/missing =
+// applies to all categories.
+function permissionApplies(rule, toolName) {
+  if (!rule.permission) return true;
+  const perms = Array.isArray(rule.permission) ? rule.permission : [rule.permission];
+  if (perms.length === 0) return true;
+  const guessed = guessPermission(toolName);
+  return perms.includes(guessed);
+}
 
-    // ── Build all candidate strings from tool input ──
-    const rawStrings = scanStrings(args).map(s => s.replace(/\\/g, '/').toLowerCase());
-    const allStrings = new Set();
+// Returns the first pattern that any of the rule's constraints matches against
+// the args, or null if nothing matches. Used for both DENY (engine blocks on
+// match) and ALLOW (whitelist mode requires at least one match).
+// Each constraint may store its pattern list in either `denied` or `allowed`
+// depending on which effect the rule was created with in the dashboard. The
+// hook treats both as the same "pattern list" — the rule's effect determines
+// whether a match means block (DENY) or pass (ALLOW in whitelist mode).
+function patternsOf(constraint) {
+  if (!constraint) return null;
+  const list = constraint.denied || constraint.allowed;
+  return Array.isArray(list) && list.length > 0 ? list : null;
+}
 
-    for (const s of rawStrings) {
-      // Raw string
-      allStrings.add(s);
-      // Normalized (ANSI-C decoded, quotes stripped)
-      const norm = normalizeShell(s);
-      allStrings.add(norm);
-      // Extract inner commands (eval, bash -c, pipe to bash, find -name)
-      for (const inner of extractInnerCommands(s)) {
-        allStrings.add(inner.toLowerCase());
-        allStrings.add(normalizeShell(inner.toLowerCase()));
-      }
-      // Split by spaces + shell operators for token-level checks
-      for (const tok of s.split(/[\s;&|]+/)) {
-        if (tok) {
-          allStrings.add(tok);
-          allStrings.add(normalizeShell(tok));
-        }
-      }
-      // Also split normalized version
-      for (const tok of norm.split(/[\s;&|]+/)) {
-        if (tok) allStrings.add(tok);
+function ruleMatches(rule, args) {
+  const fnPats = patternsOf(rule.filenameConstraints);
+  if (fnPats) {
+    const filenames = extractFilenames(args);
+    for (const fn of filenames) {
+      for (const pat of fnPats) {
+        if (matchGlob(fn, pat)) return { kind: 'filename', value: fn, pattern: pat };
       }
     }
-
-    // ── Check all candidates ──
-    for (const s of allStrings) {
-      // Direct match
-      for (const p of protectedPaths) {
-        if (s.includes(p)) {
-          await blockSelfProtection('SOLONGATE: Access to protected path "' + p + '" is blocked');
-        }
-      }
-      // Wildcard/glob match
-      const globHit = globMatchesProtected(s);
-      if (globHit) {
-        await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches protected "' + globHit + '" — blocked');
-      }
-      // Variable assignment targeting protected paths
-      const varHit = checkVarAssignments(s);
-      if (varHit) {
-        await blockSelfProtection('SOLONGATE: Variable assignment targets protected "' + varHit + '" — blocked');
+  }
+  const urlPats = patternsOf(rule.urlConstraints);
+  if (urlPats) {
+    const urls = extractUrls(args);
+    for (const url of urls) {
+      for (const pat of urlPats) {
+        if (matchGlob(url, pat)) return { kind: 'URL', value: url, pattern: pat };
       }
     }
-
-    // ── Write-protection for .env, .gitignore ──
-    // These files can be READ but not written/deleted/moved
-    const toolNameLower = (data.tool_name || '').toLowerCase();
-    const isWriteTool = toolNameLower === 'write' || toolNameLower === 'edit' || toolNameLower === 'notebookedit';
-    const isBashTool = toolNameLower === 'bash';
-    const bashDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|cp|chmod|chown|truncate|shred)\b/i;
-    const fullCmd = rawStrings.join(' ');
-
-    for (const wp of writeProtectedPaths) {
-      if (isWriteTool) {
-        // Check file_path and all strings for write-protected paths
-        for (const s of allStrings) {
-          if (s.includes(wp)) {
-            await blockSelfProtection('SOLONGATE: Write to protected file "' + wp + '" is blocked');
-          }
-        }
-      }
-      if (isBashTool && bashDestructive.test(fullCmd)) {
-        for (const s of allStrings) {
-          if (s.includes(wp)) {
-            await blockSelfProtection('SOLONGATE: Destructive operation on "' + wp + '" is blocked');
-          }
-        }
+  }
+  const cmdPats = patternsOf(rule.commandConstraints);
+  if (cmdPats) {
+    const cmds = extractCommands(args);
+    for (const cmd of cmds) {
+      for (const pat of cmdPats) {
+        if (matchGlob(cmd, pat)) return { kind: 'command', value: cmd.slice(0, 60), pattern: pat };
       }
     }
-
-    // Also apply glob/wildcard checks for write-protected paths in destructive contexts
-    if (isBashTool && bashDestructive.test(fullCmd)) {
-      for (const s of allStrings) {
-        const hasWild = s.includes('*') || s.includes('?') || /\[.+\]/.test(s);
-        if (!hasWild) continue;
-        // Convert glob to regex and test against write-protected paths
-        try {
-          let regex = '';
-          let i = 0;
-          const c = s.toLowerCase();
-          while (i < c.length) {
-            if (c[i] === '*') { regex += '.*'; i++; }
-            else if (c[i] === '?') { regex += '.'; i++; }
-            else if (c[i] === '[') {
-              const close = c.indexOf(']', i + 1);
-              if (close !== -1) { regex += c.slice(i, close + 1); i = close + 1; }
-              else { regex += '\\['; i++; }
-            }
-            else { regex += c[i].replace(/[.+^${}()|\\]/g, '\\$&'); i++; }
-          }
-          const re = new RegExp('^' + regex + '$', 'i');
-          for (const wp of writeProtectedPaths) {
-            if (re.test(wp)) {
-              await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches write-protected "' + wp + '" — blocked');
-            }
-          }
-        } catch {}
+  }
+  const pathPats = patternsOf(rule.pathConstraints);
+  if (pathPats) {
+    const paths = extractPaths(args);
+    for (const p of paths) {
+      for (const pat of pathPats) {
+        if (matchPathGlob(p, pat)) return { kind: 'path', value: p, pattern: pat };
       }
     }
+  }
+  return null;
+}
 
-    // ── Layer 7: Block ALL inline code execution & dangerous patterns ──
-    // Runtime string construction (atob, Buffer.from, fromCharCode, array.join)
-    // makes static analysis impossible. Blanket-block these patterns.
+// Evaluate policy. Two modes:
+//   denylist (default): default ALLOW. Any DENY rule that matches → block.
+//   whitelist (strict): default DENY. Must match at least one ALLOW rule to
+//                       pass. DENY rules still override on top.
+function evaluate(policy, args, toolName) {
+  if (!policy || !policy.rules) return null;
+  const enabledRules = policy.rules.filter(r => r.enabled !== false);
+  const mode = policy.mode === 'whitelist' ? 'whitelist' : 'denylist';
 
-    // 7-pre. Blanket rule: destructive command + dot-prefixed glob = BLOCK
-    // Catches: rm -rf .[a-z]*, mv .[!.]* /tmp, etc.
-    // Any glob starting with "." combined with a destructive op is dangerous
-    const destructiveOps = /\b(?:rm|rmdir|del|unlink|mv|move|rename)\b/i;
-    const dotGlob = /\.\[|\.[\*\?]|\.{[^}]+}/; // .[a-z]*, .*, .?, .{foo,bar}
-    if (destructiveOps.test(fullCmd) && dotGlob.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Destructive command + dot-glob pattern — blocked');
-    }
+  // DENY pass — runs in both modes. DENY wins over ALLOW.
+  const denyRules = enabledRules
+    .filter(r => r.effect === 'DENY' && permissionApplies(r, toolName))
+    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
+  for (const rule of denyRules) {
+    const m = ruleMatches(rule, args);
+    if (m) return 'Blocked by policy: ' + m.kind + ' "' + m.value + '" matches "' + m.pattern + '"';
+  }
 
-    // 7-pre2. Heredoc to interpreter — BLOCK
-    // bash << 'EOF' / bash <<< "cmd" / sh << TAG
-    if (/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+<</i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Heredoc to interpreter — blocked');
+  // Whitelist pass — only in strict mode. Must match at least one ALLOW rule.
+  if (mode === 'whitelist') {
+    const allowRules = enabledRules.filter(r => r.effect === 'ALLOW' && permissionApplies(r, toolName));
+    if (allowRules.length === 0) {
+      return 'Blocked by policy: strict whitelist mode is on and no ALLOW rule applies to ' + (toolName || 'this tool');
     }
-
-    // 7-pre3. Command substitution + destructive = BLOCK
-    // Catches: rm -rf $(node scan.mjs), rm `node scan.mjs`, rm $(bash scan.sh)
-    // Pattern: destructive command + $() or `` containing interpreter call
-    const hasDestructive = /\b(?:rm|rmdir|del|unlink|mv|move|rename|shred)\b/i.test(fullCmd);
-    const hasCmdSubInterpreter = /\$\(\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd)
-      || /`\s*(?:node|bash|sh|python[23]?|perl|ruby)\b/i.test(fullCmd);
-    if (hasDestructive && hasCmdSubInterpreter) {
-      await blockSelfProtection('SOLONGATE: Command substitution + destructive op — blocked');
+    let matched = false;
+    for (const rule of allowRules) {
+      if (ruleMatches(rule, args)) { matched = true; break; }
     }
-
-    // 7-pre4. Pipe from interpreter to destructive loop = BLOCK
-    // Catches: node scan.mjs | while read d; do rm -rf "$d"; done
-    //          node scan.mjs | xargs rm -rf
-    //          bash scan.sh | while read ...
-    const pipeFromInterpreter = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\s*\|/i;
-    if (pipeFromInterpreter.test(fullCmd) && hasDestructive) {
-      await blockSelfProtection('SOLONGATE: Pipe from script to destructive command — blocked');
+    if (!matched) {
+      return 'Blocked by policy: strict whitelist mode — request does not match any ALLOW rule';
     }
+  }
 
-    // 7-pre5. Script chaining: interpreter + destructive in same command chain
-    // Catches: node scan.mjs && rm -rf $(cat /tmp/targets.txt)
-    //          bash scan.sh; while read d < targets.txt; do rm -rf "$d"; done
-    const hasScriptExec = /\b(?:node|bash|sh|python[23]?|perl|ruby)\s+\S+\.\S+/i.test(fullCmd);
-    if (hasScriptExec && hasDestructive) {
-      await blockSelfProtection('SOLONGATE: Script execution + destructive command in chain — blocked');
-    }
+  return null;
+}
 
-    // 7-pre6. Nested script substitution: node clean.mjs $(node scan.mjs)
-    // Two "harmless" scripts chained via command substitution — no rm in the command itself
-    const nestedScriptSub = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*\$\(\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
-    const backtickNestedScript = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*`\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
-    if (nestedScriptSub.test(fullCmd) || backtickNestedScript.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Nested script substitution — blocked (script output as args to another script)');
-    }
+// ── OPA WASM Evaluation (NIST SP 800-207 PDP) ──
+//
+// When the API has compiled this policy to an OPA WASM bundle AND the
+// @open-policy-agent/opa-wasm runtime is resolvable, we evaluate through OPA
+// instead of the hand-written evaluate() above. This is the same decision
+// engine the MCP proxy uses (packages/policy-engine/src/opa).
+//
+// Graceful degradation is the contract: any missing piece (no bundle, no
+// runtime, fetch/parse/eval error) makes evaluateWithOpa() return `undefined`,
+// and the caller falls back to the legacy JS evaluate() — so air-gapped
+// installs without OPA see ZERO behavior change.
+
+// Cheap, dependency-free djb2 fingerprint to detect policy changes for caching.
+function djb2(str) {
+  let h = 5381;
+  for (let i = 0; i < str.length; i++) h = ((h << 5) + h + str.charCodeAt(i)) | 0;
+  return (h >>> 0).toString(36);
+}
 
-    // 7-pre7. NODE_OPTIONS injection — block commands with NODE_OPTIONS env var
-    // NODE_OPTIONS="--require malicious.cjs" can inject code into any node process
-    if (/\bNODE_OPTIONS\s*=/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: NODE_OPTIONS injection — blocked');
+// Extracts /policy.wasm from an OPA bundle. Mirrors
+// packages/policy-engine/src/opa/opa-evaluator.ts extractWasmFromBundle().
+// The bundle may be a gzipped tar (.tar.gz from `opa build -t wasm`) or raw WASM.
+function extractWasmFromBundle(buf) {
+  if (buf[0] === 0x1f && buf[1] === 0x8b) {
+    const tar = gunzipSync(buf);
+    let offset = 0;
+    while (offset < tar.length - 512) {
+      const nameEnd = tar.indexOf(0, offset);
+      const name = tar.subarray(offset, Math.min(nameEnd, offset + 100)).toString('utf-8');
+      if (!name || name.length === 0) break;
+      const sizeStr = tar.subarray(offset + 124, offset + 136).toString('utf-8').trim();
+      const size = parseInt(sizeStr, 8) || 0;
+      offset += 512;
+      if (name === 'policy.wasm' || name === './policy.wasm' || name.endsWith('/policy.wasm')) {
+        return Buffer.from(tar.subarray(offset, offset + size));
+      }
+      offset += Math.ceil(size / 512) * 512;
     }
+    throw new Error('policy.wasm not found in OPA bundle');
+  }
+  if (buf[0] === 0x00 && buf[1] === 0x61 && buf[2] === 0x73 && buf[3] === 0x6d) {
+    return buf; // already raw WASM
+  }
+  throw new Error('Unknown OPA bundle format');
+}
 
-    // 7-pre8. npm lifecycle scripts — scan package.json before npm install/run
-    // npm install can trigger postinstall/preinstall/prepare scripts
-    if (/\bnpm\s+(?:install|i|ci|run|start|test|publish|pack)\b/i.test(fullCmd) || /\bnpx\s+/i.test(fullCmd)) {
-      try {
-        const hookCwdForNpm = data.cwd || process.cwd();
-        const pkgPath = resolve(hookCwdForNpm, 'package.json');
-        if (existsSync(pkgPath)) {
-          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
-          const scripts = pkg.scripts || {};
-          const lifecycleKeys = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack'];
-          const allScripts = Object.entries(scripts);
-          for (const [key, val] of allScripts) {
-            if (typeof val !== 'string') continue;
-            const scriptLower = val.toLowerCase();
-            // Check lifecycle scripts for dangerous patterns
-            const isLifecycle = lifecycleKeys.includes(key);
-            const isExplicitRun = fullCmd.includes(key); // npm run <key>
-            if (isLifecycle || isExplicitRun) {
-              // Check for protected path names
-              for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-                if (scriptLower.includes(p)) {
-                  await blockSelfProtection('SOLONGATE: npm script "' + key + '" references protected "' + p + '" — blocked');
-                }
-              }
-              // Check for string construction patterns
-              if (/fromcharcode|atob\s*\(|buffer\.from|\\x[0-9a-f]{2}/i.test(scriptLower)) {
-                await blockSelfProtection('SOLONGATE: npm script "' + key + '" contains string construction — blocked');
-              }
-              // Check for discovery+destruction combo
-              const hasDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob\b|\bls\s+-[adl]/i.test(scriptLower);
-              const hasDest = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b/i.test(scriptLower);
-              if (hasDisc && hasDest) {
-                await blockSelfProtection('SOLONGATE: npm script "' + key + '" has discovery+destruction — blocked');
-              }
-              // Follow node/bash <file> references in npm scripts — deep scan the target file
-              const scriptFileMatch = scriptLower.match(/\b(?:node|bash|sh|python[23]?)\s+([^\s;&|$]+)/i);
-              if (scriptFileMatch) {
-                try {
-                  const targetPath = resolve(hookCwdForNpm, scriptFileMatch[1]);
-                  if (existsSync(targetPath)) {
-                    const targetContent = safeReadFileSync(targetPath).toLowerCase();
-                    // Check target file for protected paths
-                    for (const pp of [...protectedPaths, ...writeProtectedPaths]) {
-                      if (targetContent.includes(pp)) {
-                        await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file referencing "' + pp + '" — blocked');
-                      }
-                    }
-                    // Check target for discovery+destruction
-                    const tDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(targetContent);
-                    const tDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(targetContent);
-                    if (tDisc && tDest) {
-                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with discovery+destruction — blocked');
-                    }
-                    // Check target for string construction + destruction
-                    const tStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(targetContent);
-                    if (tStrCon && tDest) {
-                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with string construction+destruction — blocked');
-                    }
-                    // Follow imports in the target file
-                    const tDir = targetPath.replace(/[/\\][^/\\]+$/, '');
-                    const tImports = [...targetContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
-                    for (const [, imp] of tImports) {
-                      try {
-                        const impAbs = resolve(tDir, imp);
-                        const candidates = [impAbs, impAbs + '.mjs', impAbs + '.js', impAbs + '.cjs'];
-                        for (const c of candidates) {
-                          if (existsSync(c)) {
-                            const impContent = safeReadFileSync(c).toLowerCase();
-                            const iDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(impContent);
-                            const iDest = /\brmsync\b|\bunlinksync\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(impContent);
-                            if ((iDisc && tDest) || (tDisc && iDest)) {
-                              await blockSelfProtection('SOLONGATE: npm script "' + key + '" — cross-module discovery+destruction — blocked');
-                            }
-                            break;
-                          }
-                        }
-                      } catch {}
-                    }
-                  }
-                } catch {}
-              }
-            }
-          }
+// Fetches the compiled WASM for this policy from the API, with a local cache
+// keyed by a fingerprint of the policy so updates propagate. Returns the raw
+// policy.wasm bytes (Uint8Array) or null when unavailable.
+const OPA_WASM_TTL_MS = 30_000;
+async function getOpaWasmBytes(policy) {
+  if (!policy || !policy.id) return null;
+  const fp = djb2(JSON.stringify(policy.rules || []) + '|' + (policy.mode || ''));
+  const agentKey = (AGENT_ID || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
+  const cacheFile = join(resolve(homedir(), '.solongate'), '.opa-wasm-' + agentKey + '.json');
+
+  // Read any cached bundle. A "fresh" hit (same policy fingerprint, within TTL)
+  // is returned immediately; otherwise we keep it as `stale` to fall back on if
+  // the API is momentarily unreachable — so transient downtime never drops OPA.
+  let stale = null;
+  try {
+    if (existsSync(cacheFile)) {
+      const c = JSON.parse(readFileSync(cacheFile, 'utf-8'));
+      if (c && c.wasm) {
+        stale = new Uint8Array(Buffer.from(c.wasm, 'base64'));
+        if (c.fp === fp && c._ts && Date.now() - c._ts < OPA_WASM_TTL_MS) {
+          return stale;
         }
-      } catch {} // Package.json read error — skip
-    }
-
-    // 7a. Inline interpreter execution — TOTAL BLOCK (no content scan needed)
-    // These can construct ANY string at runtime, bypassing all static analysis
-    const blockedInterpreters = [
-      [/\bnode\s+(?:-e|--eval)\b/i, 'node -e/--eval'],
-      [/\bnode\s+-p\b/i, 'node -p'],
-      [/\bpython[23]?\s+-c\b/i, 'python -c'],
-      [/\bperl\s+-e\b/i, 'perl -e'],
-      [/\bruby\s+-e\b/i, 'ruby -e'],
-      [/\bpowershell(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'powershell -EncodedCommand'],
-      [/\bpwsh(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'pwsh -EncodedCommand'],
-      [/\bpowershell(?:\.exe)?\s+-c(?:ommand)?\b/i, 'powershell -Command'],
-      [/\bpwsh(?:\.exe)?\s+-c(?:ommand)?\b/i, 'pwsh -Command'],
-    ];
-    for (const [pat, name] of blockedInterpreters) {
-      if (pat.test(fullCmd)) {
-        await blockSelfProtection('SOLONGATE: Inline code execution blocked (' + name + ')');
       }
     }
+  } catch {}
 
-    // 7b. Pipe-to-interpreter — TOTAL BLOCK
-    // Any content piped to an interpreter can construct arbitrary commands at runtime
-    // Also catches: | xargs node, | xargs bash, etc.
-    const pipeToInterpreter = /\|\s*(?:xargs\s+)?(?:node|bash|sh|python[23]?|perl|ruby|php)\b/i;
-    if (pipeToInterpreter.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Pipe to interpreter blocked — runtime bypass risk');
-    }
-
-    // 7c. Base64 decode in ANY context — block when piped to anything
-    if (/\bbase64\s+(?:-d|--decode)\b/i.test(fullCmd) && /\|/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: base64 decode in pipe chain — blocked');
-    }
+  // Fetch the compiled bundle from the API (route already exists).
+  try {
+    const res = await fetch(
+      API_URL + '/api/v1/policies/' + encodeURIComponent(policy.id) + '/wasm',
+      { headers: AUTH_HEADERS, signal: AbortSignal.timeout(2000) },
+    );
+    if (!res.ok) return stale; // API has no compiled WASM right now → last known good
+    const bundle = Buffer.from(await res.arrayBuffer());
+    const wasm = extractWasmFromBundle(bundle);
+    try {
+      mkdirSync(resolve(homedir(), '.solongate'), { recursive: true });
+      writeFileSync(cacheFile, JSON.stringify({ _ts: Date.now(), fp, wasm: Buffer.from(wasm).toString('base64') }));
+    } catch {}
+    return new Uint8Array(wasm);
+  } catch {
+    return stale; // transient network failure → last known good
+  }
+}
 
-    // 7d. Temp/arbitrary script file execution
-    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/|\/dev\/)/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Script execution from temp path — blocked');
-    }
+// Lazily load the opa-wasm runtime. Returns the loadPolicy fn or null if the
+// package isn't installed in this environment (typical for air-gapped hooks).
+let _loadPolicyFn = null;
+let _loadPolicyTried = false;
+async function getLoadPolicy() {
+  if (_loadPolicyTried) return _loadPolicyFn;
+  _loadPolicyTried = true;
+  try {
+    const mod = await import('@open-policy-agent/opa-wasm');
+    _loadPolicyFn = mod.loadPolicy || (mod.default && mod.default.loadPolicy) || null;
+  } catch {
+    _loadPolicyFn = null;
+  }
+  return _loadPolicyFn;
+}
 
-    // 7e. xargs with destructive operations
-    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink|del)\b/i.test(fullCmd)) {
-      for (const p of protectedPaths) {
-        if (fullCmd.includes(p.slice(0, 4))) {
-          await blockSelfProtection('SOLONGATE: xargs with destructive op near "' + p + '" — blocked');
+// Evaluates the policy through OPA WASM. Returns:
+//   - a reason string  → DENY
+//   - null             → ALLOW (OPA decided, no violation)
+//   - undefined        → OPA unavailable, caller must fall back to evaluate()
+async function evaluateWithOpa(policy, args, toolName, cwd) {
+  if (!policy || !policy.rules) return undefined;
+  try {
+    const loadPolicy = await getLoadPolicy();
+    if (!loadPolicy) return undefined;
+    const wasmBytes = await getOpaWasmBytes(policy);
+    if (!wasmBytes) return undefined;
+
+    const opaPolicy = await loadPolicy(wasmBytes, { initial: 5 });
+    // trust_level is fixed to 'TRUSTED' to preserve legacy guard.mjs behavior,
+    // which never evaluated minimumTrustLevel constraints.
+    // If the tool call references files (bash X.sh, source X, etc.), inline
+    // their contents so the SAME deterministic extractors see hidden commands.
+    // The hook reads files itself; OPA gets a flat, expanded view — no LLM
+    // needed for hidden-in-file detection at this layer.
+    // Inline referenced-file CONTENT only for tools that EXECUTE a script
+    // (`bash X.sh` → X.sh would run, so its contents matter). For read/write
+    // tools the file is data, not code — inlining its content there causes false
+    // positives (e.g. reading a file that merely mentions ".env" tripping an
+    // *.env rule, or reading a script that documents `rm -rf`).
+    const isExecTool = /bash|shell|exec|powershell|cmd|run|eval/.test((toolName || '').toLowerCase());
+    const refFiles = (isExecTool && typeof readReferencedFiles === 'function')
+      ? readReferencedFiles(args, cwd || process.cwd())
+      : {};
+    const expandedArgs = { ...((args && typeof args === 'object') ? args : {}) };
+    for (const [, content] of Object.entries(refFiles)) {
+      const lines = String(content).split('\n')
+        .map(l => l.trim())
+        .filter(l => l && !l.startsWith('#'));
+      if (lines.length > 0) {
+        const extra = lines.join('; ');
+        if (typeof expandedArgs.command === 'string') {
+          expandedArgs.command = expandedArgs.command + '; ' + extra;
+        } else {
+          expandedArgs.command = extra;
         }
       }
     }
-
-    // 7f. cmd.exe /c with encoded/constructed commands
-    if (/\bcmd(?:\.exe)?\s+\/c\b/i.test(fullCmd)) {
-      for (const p of protectedPaths) {
-        if (fullCmd.includes(p) || fullCmd.includes(p.slice(0, 4))) {
-          await blockSelfProtection('SOLONGATE: cmd.exe /c near protected path — blocked');
-        }
+    // Matching a filename/URL/path that appears in a tool BODY (content,
+    // new_string, text, …) only makes sense for EXEC tools, where that text would
+    // RUN. For read/write tools the body is data, not access — writing a doc that
+    // merely mentions a secret-file pattern is not accessing one. So strip body
+    // fields before extracting access targets; the command fields (what actually
+    // executes) are always scanned via extractCommands.
+    // (isExecTool already computed above for the referenced-file inlining gate.)
+    // For NON-exec tools, only the explicit path/target fields are an "access" —
+    // arbitrary text fields (a question, a description, a file body) are data, not
+    // access, and must not be matched against filename/path/url rules. So scan an
+    // ALLOWLIST of target fields only. Exec tools scan the full command instead.
+    // Includes network/url-bearing fields (url, uri, …) so non-exec network
+    // tools (Fetch/WebFetch) keep their access target — otherwise the url field
+    // is stripped here, input.urls comes out empty, and urlConstraints DENY
+    // rules never match (a fetch to a blocked host slips through).
+    const ACCESS_FIELDS = new Set(['file_path', 'path', 'target_file', 'notebook_path', 'filename', 'dest', 'destination', 'source', 'src', 'from', 'to', 'directory', 'dir', 'folder', 'url', 'urls', 'uri', 'href', 'link', 'endpoint']);
+    let accessArgs = expandedArgs;
+    if (!isExecTool && expandedArgs && typeof expandedArgs === 'object') {
+      accessArgs = {};
+      for (const [k, v] of Object.entries(expandedArgs)) {
+        if (ACCESS_FIELDS.has(k.toLowerCase())) accessArgs[k] = v;
       }
     }
-
-    // 7g. Script file execution — scan file content for discovery+destruction combo
-    // Catches: bash script.sh / node script.mjs where the script uses readdirSync + rmSync
-    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|$`]+)/i);
-    if (scriptExecMatch) {
-      const scriptPath = scriptExecMatch[1];
-      try {
-        const hookCwdForScript = data.cwd || process.cwd();
-        const absPath = scriptPath.startsWith('/') || scriptPath.includes(':')
-          ? scriptPath
-          : resolve(hookCwdForScript, scriptPath);
-        if (existsSync(absPath)) {
-          const scriptContent = safeReadFileSync(absPath).toLowerCase();
-          // Check for discovery+destruction combo
-          const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
-          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
-          if (hasDiscovery && hasDestruction) {
-            await blockSelfProtection('SOLONGATE: Script contains directory discovery + destructive ops — blocked');
-          }
-          // String construction + destructive = BLOCK
-          // Runtime string construction (fromCharCode, atob, Buffer.from) bypasses literal name checks
-          const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(scriptContent);
-          if (hasStringConstruction && hasDestruction) {
-            await blockSelfProtection('SOLONGATE: Script uses string construction + destructive ops — blocked');
-          }
-          // Import/require chain: if script imports other local files, scan them too
-          const scriptDir = absPath.replace(/[/\\][^/\\]+$/, '');
-          const imports = [...scriptContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
-          for (const [, importPath] of imports) {
-            try {
-              const importAbs = resolve(scriptDir, importPath);
-              const candidates = [importAbs, importAbs + '.mjs', importAbs + '.js', importAbs + '.cjs'];
-              for (const candidate of candidates) {
-                if (existsSync(candidate)) {
-                  const importContent = safeReadFileSync(candidate).toLowerCase();
-                  // Cross-module: check if imported module has discovery/destruction/string construction
-                  const importDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b/i.test(importContent);
-                  const importDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(importContent);
-                  const importStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(importContent);
-                  // Cross-module discovery in import + destruction in main (or vice versa)
-                  if ((importDisc && hasDestruction) || (hasDiscovery && importDest)) {
-                    await blockSelfProtection('SOLONGATE: Cross-module discovery+destruction detected — blocked');
-                  }
-                  if ((importStrCon && hasDestruction) || (hasStringConstruction && importDest)) {
-                    await blockSelfProtection('SOLONGATE: Cross-module string construction+destruction — blocked');
-                  }
-                  // Check imported module for protected paths
-                  for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-                    if (importContent.includes(p)) {
-                      await blockSelfProtection('SOLONGATE: Imported module references protected "' + p + '" — blocked');
-                    }
-                  }
-                  break;
-                }
-              }
-            } catch {}
-          }
-          // Check for protected path names in script content
-          for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-            if (scriptContent.includes(p)) {
-              await blockSelfProtection('SOLONGATE: Script references protected path "' + p + '" — blocked');
-            }
-          }
-        }
-      } catch {} // File read error — skip
+    const input = {
+      tool_name: toolName || '',
+      permission: guessPermission(toolName),
+      trust_level: 'TRUSTED',
+      arguments: expandedArgs,
+      paths: extractPaths(accessArgs),
+      commands: extractCommands(expandedArgs),
+      urls: extractUrls(accessArgs),
+      filenames: extractFilenames(accessArgs),
+    };
+    if (process.env.SOLONGATE_DEBUG) {
     }
-
-    // 7h. Write tool content scanning — detect discovery+destruction in file content being written
-    // Catches: Write tool creating a script that uses readdirSync('.') + rmSync
-    const toolName_ = data.tool_name || '';
-    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
-      const fileContent = (args.content || args.new_string || '').toLowerCase();
-      if (fileContent.length > 0) {
-        const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(fileContent);
-        const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b.*\brm\b|\bfs\.\s*(?:rm|unlink|rmdir)/.test(fileContent);
-        if (hasDiscovery && hasDestruction) {
-          await blockSelfProtection('SOLONGATE: File content contains discovery + destructive ops — write blocked');
-        }
-        // String construction + destructive = BLOCK
-        const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(fileContent);
-        if (hasStringConstruction && hasDestruction) {
-          await blockSelfProtection('SOLONGATE: File uses string construction + destructive ops — write blocked');
-        }
-      }
+    const results = opaPolicy.evaluate(input);
+    const decision = results && results[0] && results[0].result;
+    if (!decision || !decision.effect) return null;
+
+    // The generated Rego always has `default decision := DENY` (whitelist
+    // semantics). We must re-apply the policy mode here so denylist policies
+    // keep their default-ALLOW behavior, matching legacy evaluate():
+    //   - denylist: default-allow → block ONLY when a DENY rule actually
+    //     matched (matched_rule != null). Default DENY means "no rule matched".
+    //   - whitelist: default-deny → block on any DENY (default or matched).
+    // Routing per policy mode semantics:
+    //
+    //   DENYLIST (default-allow):
+    //     DENY match  → BLACK (block)
+    //     no match    → WHITE (default-allow, skip AI Judge — this IS the
+    //                   semantics of denylist: "block these, allow the rest")
+    //     REVIEW match → GRAY (only this explicit effect calls AI Judge)
+    //
+    //   WHITELIST (default-deny):
+    //     ALLOW match → WHITE (skip AI Judge)
+    //     DENY match  → BLACK
+    //     REVIEW match → GRAY
+    //     no match    → BLACK (default-deny)
+    //
+    // AI Judge runs ONLY when a rule explicitly says "this needs semantic
+    // review" — never as a fallback for "I'm not sure". That keeps token cost
+    // proportional to actual ambiguity and avoids running the model on every
+    // routine call.
+    const mode = policy.mode === 'whitelist' ? 'whitelist' : 'denylist';
+    const matched = decision.matched_rule != null;
+    const eff = decision.effect;
+    if (mode === 'denylist') {
+      if (eff === 'DENY' && matched) return '[SolonGate OPA] ' + (decision.reason || 'Blocked by policy');
+      if (eff === 'REVIEW' && matched) return { white: false, reason: decision.reason, ruleId: decision.matched_rule };
+      return { white: true, ruleId: matched ? decision.matched_rule : null };
     }
+    // whitelist
+    if (eff === 'DENY' && matched) return '[SolonGate OPA] ' + (decision.reason || 'Blocked by policy');
+    if (eff === 'REVIEW' && matched) return { white: false, reason: decision.reason, ruleId: decision.matched_rule };
+    if (eff === 'ALLOW' && matched) return { white: true, ruleId: decision.matched_rule };
+    return '[SolonGate OPA] ' + (decision.reason || 'Blocked by policy: no ALLOW rule matched');
+  } catch {
+    return undefined; // any failure → fall back to legacy evaluator
+  }
+}
 
-    // 7i. Write tool — detect package.json scripts with dangerous patterns
-    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
-      const filePath = (args.file_path || '').toLowerCase();
-      if (filePath.endsWith('package.json')) {
-        const content = args.content || args.new_string || '';
-        try {
-          // Try parsing as JSON to check scripts
-          const pkg = JSON.parse(content);
-          const scripts = pkg.scripts || {};
-          for (const [key, val] of Object.entries(scripts)) {
-            if (typeof val !== 'string') continue;
-            const v = val.toLowerCase();
-            for (const p of [...protectedPaths, ...writeProtectedPaths]) {
-              if (v.includes(p)) {
-                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" references protected "' + p + '" — blocked');
-              }
-            }
-            if (/fromcharcode|atob\s*\(|buffer\.from/i.test(v)) {
-              const hasDest = /\brmsync\b|\brm\b|\bunlink\b|\brimraf\b/i.test(v);
-              if (hasDest) {
-                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" has string construction + destruction — blocked');
-              }
-            }
-          }
-        } catch {} // Not valid JSON or parse error — skip
+// ── Main ──
+let input = '';
+// Read the contents of files a tool call references, so the AI Judge can see a
+// command HIDDEN inside a script/file (e.g. `bash deploy.sh`). Bounded: at most
+// a few small text files. Returns { name: content }.
+function readReferencedFiles(args, cwd) {
+  const out = {};
+  const MAX_FILES = 3, MAX_BYTES = 65536;
+  const cands = new Set();
+  // Only inline a file that is actually EXECUTED by an interpreter — `bash x.sh`,
+  // `python x.py`, `source x`, `. x`. A file that is merely an argument (rm/cp/cat
+  // x, or a read/write target) is NOT run, so its content must NOT be scanned —
+  // otherwise deleting a file whose text mentions a blocked name would false-block.
+  const INTERP = /^(?:bash|sh|zsh|ksh|dash|ash|python3?|node|deno|bun|ruby|perl|php|pwsh|powershell|source|\.)$/i;
+  if (args && typeof args === 'object') {
+    for (const f of ['command', 'cmd', 'script', 'shell', 'code']) {
+      const v = args[f];
+      if (typeof v !== 'string') continue;
+      const toks = v.split(/[\s'"();|&<>]+/).filter(Boolean);
+      for (let i = 0; i < toks.length - 1; i++) {
+        if (!INTERP.test(toks[i])) continue;
+        // The first non-flag token after the interpreter is the script it runs.
+        let j = i + 1;
+        while (j < toks.length && toks[j].startsWith('-')) j++;
+        if (j < toks.length) cands.add(toks[j]);
       }
     }
+  }
+  let n = 0;
+  for (const c of cands) {
+    if (n >= MAX_FILES) break;
+    try {
+      const p = resolve(cwd || process.cwd(), c);
+      if (!existsSync(p)) continue;
+      const st = statSync(p);
+      if (!st.isFile() || st.size > MAX_BYTES) continue;
+      out[c] = readFileSync(p, 'utf-8').slice(0, MAX_BYTES);
+      n++;
+    } catch {}
+  }
+  return out;
+}
 
-    // ── Fetch PI config from Cloud (cached for 60s to avoid per-call latency) ──
-    let piCfg = { piEnabled: true, piThreshold: 0.5, piMode: 'block', piWhitelist: [], piToolConfig: {}, piCustomPatterns: [], piWebhookUrl: null };
-    if (API_KEY && API_KEY.startsWith('sg_live_')) {
-      const cacheFile = join(resolve('.solongate'), '.pi-config-cache.json');
-      let usedCache = false;
+process.stdin.on('data', c => input += c);
+process.stdin.on('end', async () => {
+  // No policy selected => no enforcement. A plain launch (no SOLONGATE_AGENT_ID)
+  // is intentionally unrestricted.
+  if (process.env.SOLONGATE_DEBUG) {
+  }
+  // Cloud gate: the API key IS the policy selector — it identifies the project
+  // and its active policy. No key → nothing to enforce → allow. (Air-gap gated
+  // on SOLONGATE_AGENT_ID instead; here the key does that job.)
+  if (!API_KEY) {
+    allowTool();
+    return;
+  }
+  const _evalStart = Date.now();
+  try {
+    const raw = JSON.parse(input);
+
+    // Debug: append guard invocation to a cwd-local log. Opt-in only — set
+    // SOLONGATE_DEBUG=1 to enable. Off by default so it doesn't litter every
+    // working directory with .solongate/.debug-guard-log.
+    if (process.env.SOLONGATE_DEBUG) {
       try {
-        if (existsSync(cacheFile)) {
-          const cached = JSON.parse(readFileSync(cacheFile, 'utf-8'));
-          if (cached._ts && Date.now() - cached._ts < 60000) {
-            const { _ts, ...rest } = cached;
-            piCfg = { ...piCfg, ...rest };
-            usedCache = true;
-          }
-        }
+        const { appendFileSync: afs, mkdirSync: mds } = await import('node:fs');
+        mds(resolve('.solongate'), { recursive: true });
+        const debugLine = JSON.stringify({ ts: new Date().toISOString(), hook: 'guard', argv: process.argv.slice(2), tool_name: raw.tool_name || raw.toolName || raw.command, agent_id: AGENT_ID }) + '\n';
+        afs(resolve('.solongate', '.debug-guard-log'), debugLine);
       } catch {}
-      if (!usedCache) {
-        try {
-          const cfgRes = await fetch(API_URL + '/api/v1/project-config', {
-            headers: { 'Authorization': 'Bearer ' + API_KEY },
-            signal: AbortSignal.timeout(3000),
-          });
-          if (cfgRes.ok) {
-            const cfg = await cfgRes.json();
-            piCfg = { ...piCfg, ...cfg };
-            try { writeFileSync(cacheFile, JSON.stringify({ ...cfg, _ts: Date.now() })); } catch {}
-          }
-        } catch {} // Fallback: defaults (safe)
-      }
     }
 
-    // ── Per-tool config: check if PI scanning is disabled for this tool ──
-    // toolName already defined above (before self-protection)
-    if (piCfg.piToolConfig && typeof piCfg.piToolConfig === 'object') {
-      if (piCfg.piToolConfig[toolName] === false) {
-        // PI scanning explicitly disabled for this tool — skip detection
-        piCfg.piEnabled = false;
-      }
-    }
-
-    // ── Prompt Injection Detection (Stage 1: Rules + Custom Patterns) ──
-    const allText = scanStrings(args).join(' ');
-
-    // Check whitelist — if input matches any whitelist pattern, skip PI detection
-    let whitelisted = false;
-    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piWhitelist) && piCfg.piWhitelist.length > 0) {
-      for (const wlPattern of piCfg.piWhitelist) {
-        try {
-          if (!isSafeRegex(wlPattern)) continue;
-          if (new RegExp(wlPattern, 'i').test(allText)) {
-            whitelisted = true;
-            break;
-          }
-        } catch {} // Invalid regex — skip
-      }
-    }
-
-    // Build custom patterns from config
-    const customCategories = [];
-    if (piCfg.piEnabled !== false && Array.isArray(piCfg.piCustomPatterns)) {
-      for (const cp of piCfg.piCustomPatterns) {
-        if (cp && cp.pattern && isSafeRegex(cp.pattern)) {
-          try {
-            customCategories.push({
-              name: cp.name || 'custom_pattern',
-              weight: Math.max(0, Math.min(1, Number(cp.weight) || 0.8)),
-              patterns: [new RegExp(cp.pattern, 'iu')],
-            });
-          } catch {} // Invalid regex — skip
-        }
-      }
-    }
-
-    const piResult = (piCfg.piEnabled !== false && !whitelisted)
-      ? detectPromptInjection(allText, customCategories, piCfg.piThreshold)
-      : null;
-
-    if (piResult && piResult.blocked) {
-      const isLogOnly = piCfg.piMode === 'log-only';
-      const msg = isLogOnly
-        ? 'SOLONGATE: Prompt injection detected [LOG-ONLY] (trust score: ' +
-          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
-          piResult.categories.join(', ') + ')'
-        : 'SOLONGATE: Prompt injection detected (trust score: ' +
-          (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
-          piResult.categories.join(', ') + ')';
-
-      // Log to Cloud
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: toolName,
-              arguments: args,
-              decision: isLogOnly ? 'ALLOW' : 'DENY',
-              reason: msg,
-              permission: guessPermission(toolName),
-              source: `${AGENT_ID}-guard`,
-              agent_id: AGENT_ID, agent_name: AGENT_NAME,
-              pi_detected: true,
-              pi_trust_score: piResult.trustScore,
-              pi_blocked: !isLogOnly,
-              pi_categories: JSON.stringify(piResult.categories),
-              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
+    let mappedToolName = raw.tool_name || raw.toolName || '';
+    let mappedToolInput = raw.tool_input || raw.toolInput || raw.params || {};
 
-        // Webhook notification (SSRF-safe: HTTPS only, no private IPs)
-        if (piCfg.piWebhookUrl && isSafeWebhookUrl(piCfg.piWebhookUrl)) {
-          try {
-            await fetch(piCfg.piWebhookUrl, {
-              method: 'POST',
-              headers: { 'Content-Type': 'application/json' },
-              body: JSON.stringify({
-                event: 'prompt_injection_detected',
-                tool: toolName,
-                trustScore: piResult.trustScore,
-                categories: piResult.categories,
-                blocked: !isLogOnly,
-                mode: piCfg.piMode,
-                timestamp: new Date().toISOString(),
-              }),
-              signal: AbortSignal.timeout(3000),
-            });
-          } catch {} // Webhook failure is non-blocking
-        }
-      }
+    // Normalize field names across tools
+    const data = {
+      ...raw,
+      tool_name: mappedToolName,
+      tool_input: mappedToolInput,
+      tool_response: raw.tool_response || raw.toolResponse || {},
+      cwd: raw.cwd || process.cwd(),
+      session_id: raw.session_id || raw.sessionId || raw.conversation_id || '',
+    };
+    const args = data.tool_input;
+    const toolName = data.tool_name || '';
 
-      // In log-only mode, warn but don't block
-      if (isLogOnly) {
-        process.stderr.write(msg);
-        // Fall through to policy evaluation (don't exit)
-      } else {
-        writeDenyFlag(toolName);
-        blockTool(msg);
-      }
-    }
+    // (self-protection + PI hook layers removed per project decision)
 
-    // Load policy (use cwd from hook data if available)
+    // Load policy. Priority:
+    //   1. Dashboard-managed policy (GET /api/v1/policies/active, cached 10s)
+    //   2. Local policy.json next to cwd
+    // The dashboard is the source of truth — local policy.json is only a
+    // fallback for when the API is unreachable.
     const hookCwd = data.cwd || process.cwd();
     let policy;
+    // Cache keyed by agent_id so different agents in different terminals
+    // don't share a stale cached policy.
+    const agentKey = (AGENT_ID || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
+    const policyCacheFile = join(resolve(homedir(), '.solongate'), '.policy-cache-' + agentKey + '.json');
+    const POLICY_TTL_MS = 10_000;
     try {
-      const policyPath = resolve(hookCwd, 'policy.json');
-      policy = JSON.parse(readFileSync(policyPath, 'utf-8'));
-    } catch {
-      // No policy file — still log if PI was detected but not blocked
-      if (piResult && API_KEY && API_KEY.startsWith('sg_live_')) {
-        try {
-          await fetch(API_URL + '/api/v1/audit-logs', {
-            method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              tool: toolName,
-              arguments: args,
-              decision: 'ALLOW',
-              reason: 'Prompt injection detected but below threshold (trust: ' + (piResult.trustScore * 100).toFixed(0) + '%)',
-              permission: guessPermission(toolName),
-              source: `${AGENT_ID}-guard`,
-              agent_id: AGENT_ID, agent_name: AGENT_NAME,
-              pi_detected: true,
-              pi_trust_score: piResult.trustScore,
-              pi_blocked: false,
-              pi_categories: JSON.stringify(piResult.categories),
-              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
-            }),
-            signal: AbortSignal.timeout(3000),
-          });
-        } catch {}
-      }
-      allowTool(); // No policy = allow all
-    }
-
-    // ── Fetch cloud trust-map rules and merge into policy.agentTrustMap ──
-    if (API_KEY && API_KEY.startsWith('sg_live_') && AGENT_ID) {
-      const tmCacheFile = join(resolve('.solongate'), '.trust-rules-cache.json');
-      let tmCached = null;
+      let dashboardPolicy = null;
+      // Try cache first
       try {
-        if (existsSync(tmCacheFile)) {
-          const cached = JSON.parse(readFileSync(tmCacheFile, 'utf-8'));
-          if (cached._ts && Date.now() - cached._ts < 60000 && cached._agentId === AGENT_ID) {
-            tmCached = cached;
+        if (existsSync(policyCacheFile)) {
+          const cached = JSON.parse(readFileSync(policyCacheFile, 'utf-8'));
+          if (cached && cached._ts && Date.now() - cached._ts < POLICY_TTL_MS && cached.policy) {
+            dashboardPolicy = cached.policy;
           }
         }
       } catch {}
-      if (!tmCached) {
+      // Refresh from API if cache expired
+      if (!dashboardPolicy) {
         try {
-          const tmRes = await fetch(API_URL + '/api/v1/trust-map/rules?agentId=' + encodeURIComponent(AGENT_ID), {
-            headers: { 'Authorization': 'Bearer ' + API_KEY },
-            signal: AbortSignal.timeout(5000),
-          });
-          if (tmRes.ok) {
-            tmCached = await tmRes.json();
-            tmCached._ts = Date.now();
-            tmCached._agentId = AGENT_ID;
-            try { writeFileSync(tmCacheFile, JSON.stringify(tmCached)); } catch {}
+          const res = await fetch(API_URL + '/api/v1/policies/active?agent_id=' + encodeURIComponent(AGENT_ID || ''), { headers: AUTH_HEADERS, signal: AbortSignal.timeout(2000) });
+          if (res.ok) {
+            const body = await res.json();
+            if (body && body.policy) {
+              dashboardPolicy = body.policy;
+              try { writeFileSync(policyCacheFile, JSON.stringify({ _ts: Date.now(), policy: dashboardPolicy })); } catch {}
+            }
           }
         } catch {}
       }
-      if (tmCached) {
-        if (!policy) policy = {};
-        if (!policy.agentTrustMap) policy.agentTrustMap = {};
-        const tm = policy.agentTrustMap;
-
-        // Merge cloud groups into local groups
-        if (tmCached.groups && tmCached.groups.length > 0) {
-          if (!tm.groups) tm.groups = {};
-          for (const g of tmCached.groups) {
-            const key = 'cloud_' + g.id;
-            if (!tm.groups[key]) {
-              tm.groups[key] = {
-                members: [AGENT_ID],
-                rules: (g.policyRules || []).map(r => ({
-                  toolPattern: r.toolPattern || '*',
-                  permission: r.permission,
-                  effect: r.effect || 'DENY',
-                })),
-              };
-            }
-          }
-        }
-
-        // Merge cloud relationships into local relationships
-        if (tmCached.relationships && tmCached.relationships.length > 0) {
-          if (!tm.relationships) tm.relationships = [];
-          for (const r of tmCached.relationships) {
-            tm.relationships.push({
-              source: r.sourceAgentId,
-              target: AGENT_ID,
-              type: r.relationshipType || 'peer',
-              allowedTools: r.allowedTools || [],
-              deniedTools: r.deniedTools || [],
-            });
-          }
-        }
 
-        // Merge cloud delegations into local delegations
-        if (tmCached.delegations && tmCached.delegations.length > 0) {
-          if (!tm.delegations) tm.delegations = [];
-          for (const d of tmCached.delegations) {
-            tm.delegations.push({
-              chain: d.chain || [],
-              effectiveTools: d.effectiveTools || [],
-              effectivePermissions: d.effectivePermissions || [],
-            });
+      if (process.env.SOLONGATE_DEBUG) {
+      }
+      if (dashboardPolicy) {
+        policy = dashboardPolicy;
+      } else {
+        // Fall back to ~/.solongate/policy.json (where the wizard writes the
+        // default), then a per-project policy.json next to cwd.
+        const candidates = [
+          join(resolve(homedir(), '.solongate'), 'policy.json'),
+          resolve(hookCwd, 'policy.json'),
+        ];
+        for (const p of candidates) {
+          if (existsSync(p)) {
+            try { policy = JSON.parse(readFileSync(p, 'utf-8')); break; } catch {}
           }
         }
       }
+    } catch {
+      // Couldn't load any policy — leave policy undefined; evaluate() returns null.
     }
 
-    let reason = evaluate(policy, args);
-
-    // ── Agent Trust Map evaluation ──
-    if (!reason) {
-      const trustReason = evaluateAgentTrust(policy, AGENT_ID, toolName, guessPermission(toolName));
-      if (trustReason) reason = trustReason;
+    if (process.env.SOLONGATE_DEBUG) {
     }
-
-    // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
-    if (!reason) {
-      let GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
-      // Skip placeholder values
-      if (GROQ_KEY && (GROQ_KEY.includes('your_') || GROQ_KEY.includes('_here') || GROQ_KEY.length < 10)) GROQ_KEY = '';
-      let aiJudgeEnabled = false;
-      let aiJudgeModel = 'llama-3.1-8b-instant';
-      let aiJudgeEndpoint = 'https://api.groq.com/openai';
-      let aiJudgeTimeout = 5000;
-
-      // Check cloud config for AI Judge settings (cached for 60s)
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
-        const ajCacheFile = join(resolve('.solongate'), '.aj-config-cache.json');
-        let ajCached = false;
-        try {
-          if (existsSync(ajCacheFile)) {
-            const cached = JSON.parse(readFileSync(ajCacheFile, 'utf-8'));
-            if (cached._ts && Date.now() - cached._ts < 60000) {
-              aiJudgeEnabled = Boolean(cached.enabled);
-              if (cached.model) aiJudgeModel = cached.model;
-              if (cached.endpoint) aiJudgeEndpoint = cached.endpoint;
-              if (cached.timeoutMs) aiJudgeTimeout = cached.timeoutMs;
-              ajCached = true;
-            }
-          }
-        } catch {}
-        if (!ajCached) {
-        try {
-          const cfgRes = await fetch(API_URL + '/api/v1/project-config/ai-judge', {
-            headers: { 'Authorization': 'Bearer ' + API_KEY },
-            signal: AbortSignal.timeout(3000),
-          });
-          if (cfgRes.ok) {
-            const cfg = await cfgRes.json();
-            aiJudgeEnabled = Boolean(cfg.enabled);
-            if (cfg.model) aiJudgeModel = cfg.model;
-            if (cfg.endpoint) aiJudgeEndpoint = cfg.endpoint;
-            if (cfg.timeoutMs) aiJudgeTimeout = cfg.timeoutMs;
-            try { writeFileSync(ajCacheFile, JSON.stringify({ ...cfg, _ts: Date.now() })); } catch {}
-          }
-        } catch {}
-        }
+    // Agent scoping
+    {
+      const scope = (policy && Array.isArray(policy.agents) && policy.agents.length > 0)
+        ? policy.agents
+        : ['*'];
+      if (!scope.includes('*') && !scope.includes(AGENT_TYPE)) {
+    allowTool();
+        return;
       }
+    }
 
-      if (aiJudgeEnabled && GROQ_KEY) {
-        try {
-          // Extract protected files/paths from policy
-          const protectedFiles = [];
-          const protectedPathsList = [];
-          if (policy && policy.rules) {
-            for (const rule of policy.rules) {
-              if (rule.effect === 'DENY' && rule.enabled !== false) {
-                if (rule.filenameConstraints && rule.filenameConstraints.denied) {
-                  for (const f of rule.filenameConstraints.denied) protectedFiles.push(f);
-                }
-                if (rule.pathConstraints && rule.pathConstraints.denied) {
-                  for (const p of rule.pathConstraints.denied) protectedPathsList.push(p);
-                }
-              }
-            }
-          }
-
-          // Pre-filter: skip AI Judge if tool args clearly don't touch any protected file/path.
-          // Only call LLM when there's a potential match or obfuscation attempt.
-          const argStr = JSON.stringify(args).toLowerCase();
-          const hasShellTricks = /\$[\({]|`|<\(|>\(|\beval\b|\bexec\b|\bsource\b|\bxargs\b/.test(argStr);
-          const hasWildcard = /[*?]/.test(argStr);
-          let couldMatchProtected = hasShellTricks || hasWildcard;
-          if (!couldMatchProtected) {
-            // Check if any protected file/path name (without glob chars) appears in args
-            const allProtected = [...protectedFiles, ...protectedPathsList];
-            for (const p of allProtected) {
-              // Strip glob chars to get the core name: "*.env*" → "env", ".solongate" → "solongate"
-              const core = p.replace(/[*?[\]{}]/g, '').replace(/^\.+/, '').toLowerCase();
-              if (core && core.length >= 2 && argStr.includes(core)) {
-                couldMatchProtected = true;
-                break;
-              }
-            }
-          }
-
-          // If args clearly don't reference any protected pattern, skip LLM — instant ALLOW
-          if (!couldMatchProtected) {
-            // No need to call AI Judge — nothing to protect here
-          } else {
-
-          const judgePayload = JSON.stringify({
-            tool: toolName,
-            arguments: args,
-            protected_files: protectedFiles,
-            protected_paths: protectedPathsList,
-          });
-
-          const systemPrompt = `You are a security judge for an AI coding tool. Your ONLY job is to check if a tool call accesses files or paths that are in the protected lists. Nothing else.
-
-You will receive a JSON object with:
-- "tool": the tool name being called
-- "arguments": the tool's arguments
-- "protected_files": the EXACT and COMPLETE list of protected files from the user's policy
-- "protected_paths": the EXACT and COMPLETE list of protected directories from the user's policy
-
-RULES:
-1. DENY ONLY if the tool call could access a file or path that is in protected_files or protected_paths.
-2. ALLOW everything else. You must NOT invent your own security rules.
-3. If a file is NOT in protected_files, it is NOT protected — even if the filename looks sensitive.
-4. "cat test.txt" is ALLOWED if test.txt is not in protected_files.
-5. "curl https://example.com" is ALLOWED unless it sends protected file content.
-6. "printenv" is ALLOWED unless the policy explicitly protects it.
-
-BYPASS DETECTION — DENY if the command accesses a protected file through:
-- Shell glob patterns: "cat cred*" could match "credentials.json" IF it is in protected_files
-- Command substitution: "cat $(echo .env)" builds ".env"
-- Variable interpolation: f=".en"; cat \${f}v builds ".env"
-- Process substitution: <(cat .env)
-- Multi-stage: cp protected_file /tmp/x && cat /tmp/x
-- Input redirection: < .env
-- Any file-reading utility (cat, head, tail, less, perl, awk, sed, xxd, etc.)
-
-CRITICAL: You have NO security opinions of your own. You ONLY enforce the protected_files and protected_paths lists. If something is not in those lists, it is ALLOWED. Do NOT over-block.
-
-Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
-
-          const llmRes = await fetch(aiJudgeEndpoint + '/v1/chat/completions', {
-            method: 'POST',
-            headers: {
-              'Content-Type': 'application/json',
-              'Authorization': 'Bearer ' + GROQ_KEY,
-            },
-            body: JSON.stringify({
-              model: aiJudgeModel,
-              messages: [
-                { role: 'system', content: systemPrompt },
-                { role: 'user', content: judgePayload },
-              ],
-              temperature: 0,
-              max_tokens: 200,
-            }),
-            signal: AbortSignal.timeout(aiJudgeTimeout),
-          });
-
-          if (llmRes.ok) {
-            const llmData = await llmRes.json();
-            const content = llmData.choices?.[0]?.message?.content || '';
-            const jsonMatch = content.match(/\{[\s\S]*\}/);
-            if (jsonMatch) {
-              const verdict = JSON.parse(jsonMatch[0]);
-              if (verdict.decision === 'DENY' && verdict.confidence >= 0.7) {
-                reason = '[SolonGate AI Judge] Blocked: ' + (verdict.reason || 'Semantic analysis detected a policy violation');
-              }
-              // Low-confidence DENY or ALLOW → skip (don't block)
-            }
-          }
-          // Auth/config errors (401, 403) → skip AI Judge, don't DENY
-          // Other LLM errors → skip too (policy engine already evaluated)
-
-          } // end else (couldMatchProtected)
-        } catch {
-          // Timeout or parse error → skip AI Judge (policy engine already passed)
-        }
+    if (process.env.SOLONGATE_DEBUG) {
+    }
+    // Hardcoded tamper protection — runs unconditionally, before policy eval.
+    let reason = tamperCheck(toolName, args);
+    if (process.env.SOLONGATE_DEBUG) {
+    }
+    // OPA WASM is the SOLE policy engine. With no policy configured for this
+    // agent we skip evaluation entirely (allow). With a policy present,
+    // evaluateWithOpa returns a reason (DENY), null (ALLOW), or undefined when
+    // the WASM bundle could not be obtained at all — in which case we fail
+    // CLOSED rather than silently allowing. (The legacy JS evaluate() below is
+    // retained but no longer on the decision path — OPA decides everything.)
+    // Cloud routing is BINARY — WHITE (allow) / BLACK (block). There is NO AI
+    // Judge in the cloud (that is an air-gap-only feature), so there is no GRAY
+    // "send to the judge" lane: the OPA policy alone decides. Tamper protection
+    // and any DENY (incl. fail-closed) → BLACK; everything else → WHITE. A REVIEW
+    // rule with no judge to escalate to is treated as allow under denylist.
+    let opaRoute = 'white';
+    if (reason) {
+      opaRoute = 'black'; // hardcoded tamper protection blocked it
+    } else if (policy && policy.rules) {
+      const opaResult = await evaluateWithOpa(policy, args, toolName, hookCwd);
+      if (opaResult === undefined) {
+        reason = '[SolonGate OPA] Policy WASM unavailable — failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.';
+        opaRoute = 'black';
+      } else if (typeof opaResult === 'string') {
+        reason = opaResult; // explicit DENY
+        opaRoute = 'black';
+      } else {
+        opaRoute = 'white'; // allow (rule match, default-allow, or review w/o judge)
       }
     }
 
+    process.stderr.write(`[SolonGate ROUTE] ${opaRoute.toUpperCase()} (${reason ? 'block' : 'allow'})\n`);
+
     // Only log DENY decisions from guard hook.
     // ALLOW decisions are logged by the audit hook (PostToolUse) to avoid double-counting.
     if (reason) {
-      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+      if (true) {
         try {
           const logEntry = {
             tool: toolName, arguments: args,
             decision: 'DENY', reason,
             permission: guessPermission(toolName),
-            source: `${AGENT_ID}-guard`,
-            agent_id: AGENT_ID, agent_name: AGENT_NAME,
+            source: `${AGENT_TYPE}-guard`,
+            agent_id: AGENT_TYPE, agent_name: AGENT_NAME,
+            evaluation_time_ms: Date.now() - _evalStart,
           };
-          if (piResult) {
-            logEntry.pi_detected = true;
-            logEntry.pi_trust_score = piResult.trustScore;
-            logEntry.pi_blocked = false;
-            logEntry.pi_categories = JSON.stringify(piResult.categories);
-            logEntry.pi_stage_scores = JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 });
-          }
+          // PI hook layer removed — piResult fields no longer attached.
           await fetch(API_URL + '/api/v1/audit-logs', {
             method: 'POST',
-            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            headers: { 'Content-Type': 'application/json', ...AUTH_HEADERS },
             body: JSON.stringify(logEntry),
             signal: AbortSignal.timeout(3000),
           });