@solongate/proxy 0.47.0 → 0.47.1

package/dist/global-install.js

@@ -170,12 +170,13 @@ async function runGlobalInstall(opts = {}) {
   const guardAbs = join(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
   const auditAbs = join(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
   const stopAbs = join(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const nodeBin = process.execPath.replace(/\\/g, "/");
   const merged = {
     ...existing,
     hooks: {
-      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
-      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
-      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${stopAbs}" claude-code "Claude Code"` }] }]
     }
   };
   writeFileSync(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");

package/dist/index.js

@@ -6747,12 +6747,13 @@ async function runGlobalInstall(opts = {}) {
   const guardAbs = join3(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
   const auditAbs = join3(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
   const stopAbs = join3(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const nodeBin = process.execPath.replace(/\\/g, "/");
   const merged = {
     ...existing,
     hooks: {
-      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
-      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
-      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${stopAbs}" claude-code "Claude Code"` }] }]
     }
   };
   writeFileSync2(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");
@@ -7047,9 +7048,10 @@ function installHooks(selectedTools = [], wrappedMcpConfig) {
   for (const client of clients) {
     const clientDir = resolve4(client.dir);
     mkdirSync4(clientDir, { recursive: true });
-    const guardCmd = `node .solongate/hooks/guard.mjs ${client.agentId} "${client.agentName}"`;
-    const auditCmd = `node .solongate/hooks/audit.mjs ${client.agentId} "${client.agentName}"`;
-    const stopCmd = `node .solongate/hooks/stop.mjs ${client.agentId} "${client.agentName}"`;
+    const nodeBin = process.execPath.replace(/\\/g, "/");
+    const guardCmd = `"${nodeBin}" .solongate/hooks/guard.mjs ${client.agentId} "${client.agentName}"`;
+    const auditCmd = `"${nodeBin}" .solongate/hooks/audit.mjs ${client.agentId} "${client.agentName}"`;
+    const stopCmd = `"${nodeBin}" .solongate/hooks/stop.mjs ${client.agentId} "${client.agentName}"`;
     if (client.key === "gemini") {
       const result = installGeminiConfig(clientDir, guardCmd, auditCmd, stopCmd, wrappedMcpConfig);
       if (result === "skipped") skippedNames.push(client.name);
@@ -7596,6 +7598,12 @@ async function main2() {
   console.log("  \u2502  Restart Claude Code to apply.                  \u2502");
   console.log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
   console.log("");
+  console.log(`  ${c.bold}${c.yellow}!  Already-open terminals are NOT protected yet.${c.reset}`);
+  console.log(`  ${c.dim}   Hooks load only when a session starts, so any terminal`);
+  console.log(`     (and the Claude Code running in it) that was already open`);
+  console.log(`     won't be caught. Open a NEW terminal and start Claude Code`);
+  console.log(`     there for the guard + audit logging to take effect.${c.reset}`);
+  console.log("");
 }
 var sleep2, SPINNER_FRAMES2;
 var init_login = __esm({

package/dist/init.js

@@ -209,12 +209,13 @@ async function runGlobalInstall(opts = {}) {
   const guardAbs = join(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
   const auditAbs = join(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
   const stopAbs = join(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const nodeBin = process.execPath.replace(/\\/g, "/");
   const merged = {
     ...existing,
     hooks: {
-      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
-      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
-      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${stopAbs}" claude-code "Claude Code"` }] }]
     }
   };
   writeFileSync(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");
@@ -504,9 +505,10 @@ function installHooks(selectedTools = [], wrappedMcpConfig) {
   for (const client of clients) {
     const clientDir = resolve2(client.dir);
     mkdirSync2(clientDir, { recursive: true });
-    const guardCmd = `node .solongate/hooks/guard.mjs ${client.agentId} "${client.agentName}"`;
-    const auditCmd = `node .solongate/hooks/audit.mjs ${client.agentId} "${client.agentName}"`;
-    const stopCmd = `node .solongate/hooks/stop.mjs ${client.agentId} "${client.agentName}"`;
+    const nodeBin = process.execPath.replace(/\\/g, "/");
+    const guardCmd = `"${nodeBin}" .solongate/hooks/guard.mjs ${client.agentId} "${client.agentName}"`;
+    const auditCmd = `"${nodeBin}" .solongate/hooks/audit.mjs ${client.agentId} "${client.agentName}"`;
+    const stopCmd = `"${nodeBin}" .solongate/hooks/stop.mjs ${client.agentId} "${client.agentName}"`;
     if (client.key === "gemini") {
       const result = installGeminiConfig(clientDir, guardCmd, auditCmd, stopCmd, wrappedMcpConfig);
       if (result === "skipped") skippedNames.push(client.name);

package/dist/login.js

@@ -178,12 +178,13 @@ async function runGlobalInstall(opts = {}) {
   const guardAbs = join(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
   const auditAbs = join(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
   const stopAbs = join(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const nodeBin = process.execPath.replace(/\\/g, "/");
   const merged = {
     ...existing,
     hooks: {
-      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
-      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
-      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `"${nodeBin}" "${stopAbs}" claude-code "Claude Code"` }] }]
     }
   };
   writeFileSync(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");
@@ -320,6 +321,12 @@ async function main() {
   console.log("  \u2502  Restart Claude Code to apply.                  \u2502");
   console.log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
   console.log("");
+  console.log(`  ${c.bold}${c.yellow}!  Already-open terminals are NOT protected yet.${c.reset}`);
+  console.log(`  ${c.dim}   Hooks load only when a session starts, so any terminal`);
+  console.log(`     (and the Claude Code running in it) that was already open`);
+  console.log(`     won't be caught. Open a NEW terminal and start Claude Code`);
+  console.log(`     there for the guard + audit logging to take effect.${c.reset}`);
+  console.log("");
 }
 main().catch((err) => {
   console.log(`Fatal: ${err instanceof Error ? err.message : String(err)}`);

package/hooks/guard.bundled.mjs

@@ -6530,11 +6530,23 @@ var init_src = __esm({
 });
 
 // hooks/guard.mjs
-import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync } from "node:fs";
+import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync } from "node:fs";
 import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { gunzipSync } from "node:zlib";
+import { createHash } from "node:crypto";
+var HOOK_VERSION = 5;
 var MAX_FILE_READ = 1024 * 1024;
+function safeReadFileSync(filePath, encoding = "utf-8") {
+  try {
+    const stat = statSync(filePath);
+    if (stat.size > MAX_FILE_READ)
+      return "";
+    return readFileSync(filePath, encoding);
+  } catch {
+    return "";
+  }
+}
 function loadEnvKey(dir) {
   try {
     const envPath = resolve(dir, ".env");
@@ -6563,6 +6575,17 @@ function loadGlobalCloudConfig() {
     return {};
   }
 }
+function isRealKey(k) {
+  if (typeof k !== "string")
+    return false;
+  const v = k.trim();
+  if (!/^sg_(live|test)_/.test(v))
+    return false;
+  const body = v.replace(/^sg_(live|test)_/, "");
+  if (/your_key_here|placeholder|example|^x+$/i.test(body))
+    return false;
+  return /^[a-f0-9]{16,}$/i.test(body);
+}
 function guessPermission(toolName) {
   const name = (toolName || "").toLowerCase();
   if (name.includes("exec") || name.includes("shell") || name.includes("run") || name.includes("eval") || name === "bash")
@@ -6577,8 +6600,46 @@ var hookCwdEarly = process.cwd();
 var dotenv = loadEnvKey(hookCwdEarly);
 var globalCfg = loadGlobalCloudConfig();
 var API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || globalCfg.apiUrl || "https://api.solongate.com";
-var API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || globalCfg.apiKey || "";
+var API_KEY = [process.env.SOLONGATE_API_KEY, dotenv.SOLONGATE_API_KEY, globalCfg.apiKey].find(isRealKey) || "";
 var AUTH_HEADERS = API_KEY ? { "Authorization": "Bearer " + API_KEY, "X-API-Key": API_KEY } : {};
+async function maybeSelfUpdate() {
+  if (!API_KEY)
+    return;
+  try {
+    const sgDir = resolve(homedir(), ".solongate");
+    const stamp = join(sgDir, ".hook-update-check");
+    const last = parseInt(safeReadFileSync(stamp) || "0", 10);
+    if (Number.isFinite(last) && Date.now() - last < 6 * 3600 * 1e3)
+      return;
+    try {
+      writeFileSync(stamp, String(Date.now()));
+    } catch {
+    }
+    const res = await fetch(API_URL + "/api/v1/hooks/guard", { headers: AUTH_HEADERS, signal: AbortSignal.timeout(5e3) });
+    if (!res.ok)
+      return;
+    const data = await res.json();
+    if (!data || typeof data.version !== "number" || data.version <= HOOK_VERSION)
+      return;
+    if (typeof data.content !== "string" || typeof data.sha256 !== "string")
+      return;
+    const buf = Buffer.from(data.content, "base64");
+    if (createHash("sha256").update(buf).digest("hex") !== data.sha256)
+      return;
+    const text = buf.toString("utf-8");
+    if (!text.startsWith("#!/usr/bin/env node") || text.length < 5e4 || !text.includes("SolonGate Cloud Policy Guard"))
+      return;
+    const hooksDir = join(sgDir, "hooks");
+    const tmp = join(hooksDir, ".guard.mjs.tmp");
+    writeFileSync(tmp, text);
+    try {
+      chmodSync(join(hooksDir, "guard.mjs"), 420);
+    } catch {
+    }
+    renameSync(tmp, join(hooksDir, "guard.mjs"));
+  } catch {
+  }
+}
 var AGENT_TYPE = process.argv[2] || "claude-code";
 var POLICY_SELECTOR = process.env.SOLONGATE_AGENT_ID || "";
 var AGENT_ID = POLICY_SELECTOR || AGENT_TYPE;
@@ -6757,13 +6818,23 @@ function extractCommands(args) {
   }
   return cmds;
 }
-function extractPaths(args) {
+function extractPaths(args, isExec) {
   const paths = [];
+  const add = (t) => {
+    if (!t || /^https?:\/\//i.test(t))
+      return;
+    if (t.includes("/") || t.includes("\\") || t.startsWith("."))
+      paths.push(t.replace(/\\/g, "/"));
+  };
   for (const s of scanStrings(args)) {
     if (/^https?:\/\//i.test(s))
       continue;
-    if (s.includes("/") || s.includes("\\") || s.startsWith("."))
-      paths.push(s.replace(/\\/g, "/"));
+    if (isExec && /\s/.test(s)) {
+      for (const tok of s.split(/[\s;|&><()`'"]+/))
+        add(tok);
+    } else {
+      add(s);
+    }
   }
   return paths;
 }
@@ -7036,7 +7107,7 @@ async function evaluateWithOpa(policy, args, toolName, cwd) {
       permission: guessPermission(toolName),
       trust_level: "TRUSTED",
       arguments: expandedArgs,
-      paths: extractPaths(accessArgs),
+      paths: extractPaths(accessArgs, isExecTool),
       commands: extractCommands(expandedArgs),
       urls: extractUrls(accessArgs),
       filenames: extractFilenames(accessArgs)
@@ -7145,7 +7216,7 @@ process.stdin.on("end", async () => {
     let policy;
     const agentKey = (AGENT_ID || "default").replace(/[^a-zA-Z0-9_-]/g, "_");
     const policyCacheFile = join(resolve(homedir(), ".solongate"), ".policy-cache-" + agentKey + ".json");
-    const POLICY_TTL_MS = 1e4;
+    const POLICY_TTL_MS = 3e3;
     try {
       let dashboardPolicy = null;
       try {
@@ -7214,8 +7285,12 @@ process.stdin.on("end", async () => {
     } else if (policy && policy.rules) {
       const opaResult = await evaluateWithOpa(policy, args, toolName, hookCwd);
       if (opaResult === void 0) {
-        reason = "[SolonGate OPA] Policy WASM unavailable \u2014 failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.";
-        opaRoute = "black";
+        if (policy.mode === "whitelist") {
+          reason = "[SolonGate OPA] Policy WASM unavailable \u2014 failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.";
+          opaRoute = "black";
+        } else {
+          opaRoute = "white";
+        }
       } else if (typeof opaResult === "string") {
         reason = opaResult;
         opaRoute = "black";
@@ -7249,9 +7324,11 @@ process.stdin.on("end", async () => {
         }
       }
       writeDenyFlag(toolName);
+      await maybeSelfUpdate();
       blockTool(reason);
     }
   } catch {
   }
+  await maybeSelfUpdate();
   allowTool();
 });

package/hooks/guard.mjs

@@ -21,10 +21,17 @@
  * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs.
  * Auto-installed by: npx @solongate/proxy init --global
  */
-import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync } from 'node:fs';
+import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync } from 'node:fs';
 import { resolve, join } from 'node:path';
 import { homedir } from 'node:os';
 import { gunzipSync } from 'node:zlib';
+import { createHash } from 'node:crypto';
+
+// Bump on every guard.mjs change. The cloud serves the newest bundle + version;
+// the installed hook self-updates when the cloud version is higher (see
+// maybeSelfUpdate). This is what makes guard fixes propagate without a manual
+// reinstall — the same trust model as the OPA WASM this hook already runs.
+const HOOK_VERSION = 5;
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -65,6 +72,23 @@ function loadGlobalCloudConfig() {
   } catch { return {}; }
 }
 
+// A real cloud key is `sg_live_`/`sg_test_` followed by hex (see generateApiKey:
+// 24 random bytes → 48 hex chars). Template/placeholder values shipped in sample
+// .env files (e.g. `sg_live_your_key_here`) pass a naive truthiness check but are
+// bogus — and because resolution prefers a project .env over the global login
+// credential, a stray placeholder .env would shadow a valid login and 401 every
+// API call, making the guard fail closed on EVERYTHING. Filter to real keys so a
+// placeholder is skipped and the next real candidate (usually the login cred in
+// cloud-guard.json) is used instead.
+function isRealKey(k) {
+  if (typeof k !== 'string') return false;
+  const v = k.trim();
+  if (!/^sg_(live|test)_/.test(v)) return false;
+  const body = v.replace(/^sg_(live|test)_/, '');
+  if (/your_key_here|placeholder|example|^x+$/i.test(body)) return false;
+  return /^[a-f0-9]{16,}$/i.test(body);
+}
+
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -82,12 +106,46 @@ const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || glo
 // Cloud API key (sg_live_… / sg_test_…). The key identifies the project AND
 // authenticates every API call (active policy, compiled WASM, audit logs). When
 // absent, this hook does nothing — a machine with no key is intentionally
-// unenforced (the cloud has no policy to apply).
-const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || globalCfg.apiKey || '';
+// unenforced (the cloud has no policy to apply). Each candidate is filtered
+// through isRealKey() so a placeholder .env (sg_live_your_key_here) can't shadow
+// the real login credential and force a fail-closed on every call.
+const API_KEY = [process.env.SOLONGATE_API_KEY, dotenv.SOLONGATE_API_KEY, globalCfg.apiKey].find(isRealKey) || '';
 // Auth headers attached to every cloud API request. Cloud accepts either the
 // Authorization: Bearer form or X-API-Key; we send both for robustness.
 const AUTH_HEADERS = API_KEY ? { 'Authorization': 'Bearer ' + API_KEY, 'X-API-Key': API_KEY } : {};
 
+// ── Self-update (best-effort, throttled, integrity-checked) ──
+// Once per ~6h the hook asks the cloud for the latest guard bundle. If the cloud
+// version is higher AND the sha256 verifies AND the payload looks like this guard
+// hook, it atomically replaces its own file. Any failure is swallowed so a bad
+// update can never break enforcement — the current code simply keeps running.
+async function maybeSelfUpdate() {
+  if (!API_KEY) return;
+  try {
+    const sgDir = resolve(homedir(), '.solongate');
+    const stamp = join(sgDir, '.hook-update-check');
+    const last = parseInt(safeReadFileSync(stamp) || '0', 10);
+    if (Number.isFinite(last) && Date.now() - last < 6 * 3600 * 1000) return;
+    try { writeFileSync(stamp, String(Date.now())); } catch { /* ignore */ }
+
+    const res = await fetch(API_URL + '/api/v1/hooks/guard', { headers: AUTH_HEADERS, signal: AbortSignal.timeout(5000) });
+    if (!res.ok) return;
+    const data = await res.json();
+    if (!data || typeof data.version !== 'number' || data.version <= HOOK_VERSION) return;
+    if (typeof data.content !== 'string' || typeof data.sha256 !== 'string') return;
+    const buf = Buffer.from(data.content, 'base64');
+    if (createHash('sha256').update(buf).digest('hex') !== data.sha256) return;
+    const text = buf.toString('utf-8');
+    // Sanity gate: must look like THIS guard hook before we overwrite ourselves.
+    if (!text.startsWith('#!/usr/bin/env node') || text.length < 50000 || !text.includes('SolonGate Cloud Policy Guard')) return;
+    const hooksDir = join(sgDir, 'hooks');
+    const tmp = join(hooksDir, '.guard.mjs.tmp');
+    writeFileSync(tmp, text);
+    try { chmodSync(join(hooksDir, 'guard.mjs'), 0o644); } catch { /* may be locked read-only */ }
+    renameSync(tmp, join(hooksDir, 'guard.mjs')); // atomic swap, takes effect next call
+  } catch { /* never break enforcement on update failure */ }
+}
+
 // Two distinct identities, deliberately kept separate:
 //
 //   AGENT_TYPE — the real AI client running this hook (claude-code /
@@ -410,14 +468,26 @@ function extractCommands(args) {
   return cmds;
 }
 
-function extractPaths(args) {
+function extractPaths(args, isExec) {
   const paths = [];
-  for (const s of scanStrings(args)) {
-    if (/^https?:\/\//i.test(s)) continue;
+  const add = (t) => {
+    if (!t || /^https?:\/\//i.test(t)) return;
     // Normalize Windows backslashes to forward slashes so paths match the
     // compiled Rego patterns (which are also normalized to "/"). OPA glob.match
     // does no separator translation, so raw "C:\..." never matched "/" patterns.
-    if (s.includes('/') || s.includes('\\') || s.startsWith('.')) paths.push(s.replace(/\\/g, '/'));
+    if (t.includes('/') || t.includes('\\') || t.startsWith('.')) paths.push(t.replace(/\\/g, '/'));
+  };
+  for (const s of scanStrings(args)) {
+    if (/^https?:\/\//i.test(s)) continue;
+    if (isExec && /\s/.test(s)) {
+      // A command line (exec tool): pull out individual path-like tokens instead
+      // of treating the whole command as one path. Otherwise `node src/app.js`
+      // becomes the path "node src/app.js", which no path glob can match — so a
+      // path-scoped EXECUTE rule would never fire. Tokenizing yields "src/app.js".
+      for (const tok of s.split(/[\s;|&><()`'"]+/)) add(tok);
+    } else {
+      add(s);
+    }
   }
   return paths;
 }
@@ -582,7 +652,7 @@ function patternsOf(constraint) {
   return Array.isArray(list) && list.length > 0 ? list : null;
 }
 
-function ruleMatches(rule, args) {
+function ruleMatches(rule, args, isExec) {
   const fnPats = patternsOf(rule.filenameConstraints);
   if (fnPats) {
     const filenames = extractFilenames(args);
@@ -612,7 +682,7 @@ function ruleMatches(rule, args) {
   }
   const pathPats = patternsOf(rule.pathConstraints);
   if (pathPats) {
-    const paths = extractPaths(args);
+    const paths = extractPaths(args, isExec);
     for (const p of paths) {
       for (const pat of pathPats) {
         if (matchPathGlob(p, pat)) return { kind: 'path', value: p, pattern: pat };
@@ -630,13 +700,14 @@ function evaluate(policy, args, toolName) {
   if (!policy || !policy.rules) return null;
   const enabledRules = policy.rules.filter(r => r.enabled !== false);
   const mode = policy.mode === 'whitelist' ? 'whitelist' : 'denylist';
+  const isExec = /bash|shell|exec|powershell|cmd|run|eval/.test((toolName || '').toLowerCase());
 
   // DENY pass — runs in both modes. DENY wins over ALLOW.
   const denyRules = enabledRules
     .filter(r => r.effect === 'DENY' && permissionApplies(r, toolName))
     .sort((a, b) => (a.priority || 100) - (b.priority || 100));
   for (const rule of denyRules) {
-    const m = ruleMatches(rule, args);
+    const m = ruleMatches(rule, args, isExec);
     if (m) return 'Blocked by policy: ' + m.kind + ' "' + m.value + '" matches "' + m.pattern + '"';
   }
 
@@ -648,7 +719,7 @@ function evaluate(policy, args, toolName) {
     }
     let matched = false;
     for (const rule of allowRules) {
-      if (ruleMatches(rule, args)) { matched = true; break; }
+      if (ruleMatches(rule, args, isExec)) { matched = true; break; }
     }
     if (!matched) {
       return 'Blocked by policy: strict whitelist mode — request does not match any ALLOW rule';
@@ -835,7 +906,7 @@ async function evaluateWithOpa(policy, args, toolName, cwd) {
       permission: guessPermission(toolName),
       trust_level: 'TRUSTED',
       arguments: expandedArgs,
-      paths: extractPaths(accessArgs),
+      paths: extractPaths(accessArgs, isExecTool),
       commands: extractCommands(expandedArgs),
       urls: extractUrls(accessArgs),
       filenames: extractFilenames(accessArgs),
@@ -988,7 +1059,7 @@ process.stdin.on('end', async () => {
     // don't share a stale cached policy.
     const agentKey = (AGENT_ID || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
     const policyCacheFile = join(resolve(homedir(), '.solongate'), '.policy-cache-' + agentKey + '.json');
-    const POLICY_TTL_MS = 10_000;
+    const POLICY_TTL_MS = 3_000;
     try {
       let dashboardPolicy = null;
       // Try cache first
@@ -1057,9 +1128,10 @@ process.stdin.on('end', async () => {
     // OPA WASM is the SOLE policy engine. With no policy configured for this
     // agent we skip evaluation entirely (allow). With a policy present,
     // evaluateWithOpa returns a reason (DENY), null (ALLOW), or undefined when
-    // the WASM bundle could not be obtained at all — in which case we fail
-    // CLOSED rather than silently allowing. (The legacy JS evaluate() below is
-    // retained but no longer on the decision path — OPA decides everything.)
+    // the WASM bundle could not be obtained at all — in which case we fall back
+    // to the policy mode's default (whitelist → fail closed, denylist → fail
+    // open); see the branch below. (The legacy JS evaluate() below is retained
+    // but no longer on the decision path — OPA decides everything.)
     // Cloud routing is BINARY — WHITE (allow) / BLACK (block). There is NO AI
     // Judge in the cloud (that is an air-gap-only feature), so there is no GRAY
     // "send to the judge" lane: the OPA policy alone decides. Tamper protection
@@ -1071,8 +1143,21 @@ process.stdin.on('end', async () => {
     } else if (policy && policy.rules) {
       const opaResult = await evaluateWithOpa(policy, args, toolName, hookCwd);
       if (opaResult === undefined) {
-        reason = '[SolonGate OPA] Policy WASM unavailable — failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.';
-        opaRoute = 'black';
+        // OPA produced no decision (no WASM bundle, runtime missing, fetch error).
+        // Honor policy-mode defaults instead of a blanket fail-closed:
+        //   whitelist (default-deny): fail CLOSED — nothing is allowed without an
+        //     explicit ALLOW match, so an unavailable engine must block.
+        //   denylist  (default-allow): fail OPEN — the engine being down means no
+        //     DENY rule could match, and denylist's default IS allow. Blocking
+        //     everything here is whitelist behavior and wrong for a denylist policy
+        //     (it bricks every tool call during any transient WASM hiccup).
+        // Tamper protection already ran above and is unaffected either way.
+        if (policy.mode === 'whitelist') {
+          reason = '[SolonGate OPA] Policy WASM unavailable — failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.';
+          opaRoute = 'black';
+        } else {
+          opaRoute = 'white';
+        }
       } else if (typeof opaResult === 'string') {
         reason = opaResult; // explicit DENY
         opaRoute = 'black';
@@ -1106,8 +1191,10 @@ process.stdin.on('end', async () => {
         } catch {}
       }
       writeDenyFlag(toolName);
+      await maybeSelfUpdate();
       blockTool(reason);
     }
   } catch {}
+  await maybeSelfUpdate();
   allowTool();
 });

package/package.json

@@ -1,76 +1,76 @@
-{
-  "name": "@solongate/proxy",
-  "version": "0.47.0",
-  "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
-  "type": "module",
-  "bin": {
-    "solongate": "./dist/index.js",
-    "solongate-proxy": "./dist/index.js",
-    "solongate-init": "./dist/init.js",
-    "proxy": "./dist/index.js"
-  },
-  "main": "./dist/lib.js",
-  "exports": {
-    ".": {
-      "import": "./dist/lib.js"
-    },
-    "./cli": {
-      "import": "./dist/index.js"
-    }
-  },
-  "files": [
-    "dist",
-    "hooks",
-    "README.md"
-  ],
-  "scripts": {
-    "build": "tsup && pnpm build:hooks",
-    "build:hooks": "node scripts/bundle-hooks.mjs",
-    "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist .turbo"
-  },
-  "keywords": [
-    "ai-tool-security",
-    "ai-tool-proxy",
-    "security",
-    "proxy",
-    "gateway",
-    "firewall",
-    "ai-security",
-    "tool-security",
-    "claude",
-    "openclaw",
-    "solongate",
-    "prompt-injection",
-    "path-traversal",
-    "rate-limiting"
-  ],
-  "author": "SolonGate <hello@solongate.com>",
-  "license": "MIT",
-  "homepage": "https://solongate.com",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/solongate/solongate"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "zod": "^3.25.0"
-  },
-  "optionalDependencies": {
-    "@huggingface/transformers": ">=3.0.0"
-  },
-  "devDependencies": {
-    "@open-policy-agent/opa-wasm": "^1.10.0",
-    "@solongate/core": "workspace:*",
-    "@solongate/policy-engine": "workspace:*",
-    "@solongate/tsconfig": "workspace:*",
-    "esbuild": "^0.19.12",
-    "tsup": "^8.3.0",
-    "tsx": "^4.19.0",
-    "typescript": "^5.7.0"
-  }
-}
+{
+  "name": "@solongate/proxy",
+  "version": "0.47.1",
+  "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
+  "type": "module",
+  "bin": {
+    "solongate": "./dist/index.js",
+    "solongate-proxy": "./dist/index.js",
+    "solongate-init": "./dist/init.js",
+    "proxy": "./dist/index.js"
+  },
+  "main": "./dist/lib.js",
+  "exports": {
+    ".": {
+      "import": "./dist/lib.js"
+    },
+    "./cli": {
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "hooks",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup && pnpm build:hooks",
+    "build:hooks": "node scripts/bundle-hooks.mjs",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
+  },
+  "keywords": [
+    "ai-tool-security",
+    "ai-tool-proxy",
+    "security",
+    "proxy",
+    "gateway",
+    "firewall",
+    "ai-security",
+    "tool-security",
+    "claude",
+    "openclaw",
+    "solongate",
+    "prompt-injection",
+    "path-traversal",
+    "rate-limiting"
+  ],
+  "author": "SolonGate <hello@solongate.com>",
+  "license": "MIT",
+  "homepage": "https://solongate.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/solongate/solongate"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "zod": "^3.25.0"
+  },
+  "optionalDependencies": {
+    "@huggingface/transformers": ">=3.0.0"
+  },
+  "devDependencies": {
+    "@open-policy-agent/opa-wasm": "^1.10.0",
+    "@solongate/core": "workspace:*",
+    "@solongate/policy-engine": "workspace:*",
+    "@solongate/tsconfig": "workspace:*",
+    "esbuild": "^0.19.12",
+    "tsup": "^8.3.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  }
+}