@solongate/proxy 0.47.0 → 0.47.2

package/hooks/guard.mjs

@@ -21,10 +21,17 @@
  * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs.
  * Auto-installed by: npx @solongate/proxy init --global
  */
-import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync } from 'node:fs';
+import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync } from 'node:fs';
 import { resolve, join } from 'node:path';
 import { homedir } from 'node:os';
 import { gunzipSync } from 'node:zlib';
+import { createHash } from 'node:crypto';
+
+// Bump on every guard.mjs change. The cloud serves the newest bundle + version;
+// the installed hook self-updates when the cloud version is higher (see
+// maybeSelfUpdate). This is what makes guard fixes propagate without a manual
+// reinstall — the same trust model as the OPA WASM this hook already runs.
+const HOOK_VERSION = 14;
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -65,6 +72,23 @@ function loadGlobalCloudConfig() {
   } catch { return {}; }
 }
 
+// A real cloud key is `sg_live_`/`sg_test_` followed by hex (see generateApiKey:
+// 24 random bytes → 48 hex chars). Template/placeholder values shipped in sample
+// .env files (e.g. `sg_live_your_key_here`) pass a naive truthiness check but are
+// bogus — and because resolution prefers a project .env over the global login
+// credential, a stray placeholder .env would shadow a valid login and 401 every
+// API call, making the guard fail closed on EVERYTHING. Filter to real keys so a
+// placeholder is skipped and the next real candidate (usually the login cred in
+// cloud-guard.json) is used instead.
+function isRealKey(k) {
+  if (typeof k !== 'string') return false;
+  const v = k.trim();
+  if (!/^sg_(live|test)_/.test(v)) return false;
+  const body = v.replace(/^sg_(live|test)_/, '');
+  if (/your_key_here|placeholder|example|^x+$/i.test(body)) return false;
+  return /^[a-f0-9]{16,}$/i.test(body);
+}
+
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -82,12 +106,46 @@ const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || glo
 // Cloud API key (sg_live_… / sg_test_…). The key identifies the project AND
 // authenticates every API call (active policy, compiled WASM, audit logs). When
 // absent, this hook does nothing — a machine with no key is intentionally
-// unenforced (the cloud has no policy to apply).
-const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || globalCfg.apiKey || '';
+// unenforced (the cloud has no policy to apply). Each candidate is filtered
+// through isRealKey() so a placeholder .env (sg_live_your_key_here) can't shadow
+// the real login credential and force a fail-closed on every call.
+const API_KEY = [process.env.SOLONGATE_API_KEY, dotenv.SOLONGATE_API_KEY, globalCfg.apiKey].find(isRealKey) || '';
 // Auth headers attached to every cloud API request. Cloud accepts either the
 // Authorization: Bearer form or X-API-Key; we send both for robustness.
 const AUTH_HEADERS = API_KEY ? { 'Authorization': 'Bearer ' + API_KEY, 'X-API-Key': API_KEY } : {};
 
+// ── Self-update (best-effort, throttled, integrity-checked) ──
+// Once per ~6h the hook asks the cloud for the latest guard bundle. If the cloud
+// version is higher AND the sha256 verifies AND the payload looks like this guard
+// hook, it atomically replaces its own file. Any failure is swallowed so a bad
+// update can never break enforcement — the current code simply keeps running.
+async function maybeSelfUpdate() {
+  if (!API_KEY) return;
+  try {
+    const sgDir = resolve(homedir(), '.solongate');
+    const stamp = join(sgDir, '.hook-update-check');
+    const last = parseInt(safeReadFileSync(stamp) || '0', 10);
+    if (Number.isFinite(last) && Date.now() - last < 6 * 3600 * 1000) return;
+    try { writeFileSync(stamp, String(Date.now())); } catch { /* ignore */ }
+
+    const res = await fetch(API_URL + '/api/v1/hooks/guard', { headers: AUTH_HEADERS, signal: AbortSignal.timeout(5000) });
+    if (!res.ok) return;
+    const data = await res.json();
+    if (!data || typeof data.version !== 'number' || data.version <= HOOK_VERSION) return;
+    if (typeof data.content !== 'string' || typeof data.sha256 !== 'string') return;
+    const buf = Buffer.from(data.content, 'base64');
+    if (createHash('sha256').update(buf).digest('hex') !== data.sha256) return;
+    const text = buf.toString('utf-8');
+    // Sanity gate: must look like THIS guard hook before we overwrite ourselves.
+    if (!text.startsWith('#!/usr/bin/env node') || text.length < 50000 || !text.includes('SolonGate Cloud Policy Guard')) return;
+    const hooksDir = join(sgDir, 'hooks');
+    const tmp = join(hooksDir, '.guard.mjs.tmp');
+    writeFileSync(tmp, text);
+    try { chmodSync(join(hooksDir, 'guard.mjs'), 0o644); } catch { /* may be locked read-only */ }
+    renameSync(tmp, join(hooksDir, 'guard.mjs')); // atomic swap, takes effect next call
+  } catch { /* never break enforcement on update failure */ }
+}
+
 // Two distinct identities, deliberately kept separate:
 //
 //   AGENT_TYPE — the real AI client running this hook (claude-code /
@@ -410,14 +468,26 @@ function extractCommands(args) {
   return cmds;
 }
 
-function extractPaths(args) {
+function extractPaths(args, isExec) {
   const paths = [];
-  for (const s of scanStrings(args)) {
-    if (/^https?:\/\//i.test(s)) continue;
+  const add = (t) => {
+    if (!t || /^https?:\/\//i.test(t)) return;
     // Normalize Windows backslashes to forward slashes so paths match the
     // compiled Rego patterns (which are also normalized to "/"). OPA glob.match
     // does no separator translation, so raw "C:\..." never matched "/" patterns.
-    if (s.includes('/') || s.includes('\\') || s.startsWith('.')) paths.push(s.replace(/\\/g, '/'));
+    if (t.includes('/') || t.includes('\\') || t.startsWith('.')) paths.push(t.replace(/\\/g, '/'));
+  };
+  for (const s of scanStrings(args)) {
+    if (/^https?:\/\//i.test(s)) continue;
+    if (isExec && /\s/.test(s)) {
+      // A command line (exec tool): pull out individual path-like tokens instead
+      // of treating the whole command as one path. Otherwise `node src/app.js`
+      // becomes the path "node src/app.js", which no path glob can match — so a
+      // path-scoped EXECUTE rule would never fire. Tokenizing yields "src/app.js".
+      for (const tok of s.split(/[\s;|&><()`'"]+/)) add(tok);
+    } else {
+      add(s);
+    }
   }
   return paths;
 }
@@ -456,6 +526,7 @@ const TAMPER_PROTECTED_GLOBS = [
   '**' + TAMPER_SG + '/.pi-config-cache.json',
   '**' + TAMPER_SG + '/cloud-guard.json',
   '**' + TAMPER_SG + '/.opa-wasm-*.json',
+  '**' + TAMPER_SG + '/.ratelimit-*.json',
   // Persistent host data (DB + audit JSONL) at ~/.solongate/data
   '**' + TAMPER_SG + '/data/**',
   // Customer install layout (zip extracted as solongate/)
@@ -556,6 +627,107 @@ function tamperCheck(toolName, args) {
   return null;
 }
 
+// ── Extra security layers (rate limit, egress allowlist, DLP block) ──
+// These are configured per-project in the dashboard and delivered to the guard
+// via /policies/active (security). All fail OPEN: any error here returns null
+// (allow) so a config glitch never bricks the agent. Tamper protection and
+// policy are unaffected and still run.
+
+// DLP patterns mirror the server's set (apps/api/src/lib/security-layers.ts).
+// Mirrors apps/api/src/lib/security-layers.ts DLP_PATTERNS. Provider-specific
+// rules plus generic Bearer / secret-assignment catch-alls for the long tail.
+const DLP_PATTERNS = [
+  { name: 'AWS access key', re: /AKIA[0-9A-Z]{16}/ },
+  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
+  { name: 'Anthropic key', re: /sk-ant-[A-Za-z0-9_-]{20,}/ },
+  { name: 'OpenAI key', re: /sk-(proj-)?[A-Za-z0-9_-]{20,}/ },
+  { name: 'GitHub token', re: /gh[pousr]_[A-Za-z0-9]{20,}/ },
+  { name: 'GitHub fine-grained PAT', re: /github_pat_[A-Za-z0-9_]{20,}/ },
+  { name: 'GitLab token', re: /glpat-[A-Za-z0-9_-]{20,}/ },
+  { name: 'Slack token', re: /xox[baprs]-[A-Za-z0-9-]{10,}/ },
+  { name: 'Google API key', re: /AIza[0-9A-Za-z_-]{35}/ },
+  { name: 'Stripe key', re: /[sr]k_(live|test)_[A-Za-z0-9]{20,}/ },
+  { name: 'SendGrid key', re: /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/ },
+  { name: 'Twilio key', re: /SK[0-9a-fA-F]{32}/ },
+  { name: 'npm token', re: /npm_[A-Za-z0-9]{36}/ },
+  { name: 'JWT', re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/ },
+  { name: 'Bearer token', re: /bearer\s+[A-Za-z0-9._-]{20,}/i },
+  { name: 'secret assignment', re: /(api[_-]?key|secret|token|password|passwd|access[_-]?key)["']?\s*[:=]\s*["']?[A-Za-z0-9/+_.-]{12,}/i },
+];
+
+// Scan args against the enabled built-in patterns + any user custom patterns.
+// `cfg` = { patterns: string[], custom: {name,re}[] }.
+function dlpScan(args, cfg) {
+  if (!cfg) return null;
+  let text = '';
+  try { text = JSON.stringify(args || {}); } catch { return null; }
+  const allow = new Set(Array.isArray(cfg.patterns) ? cfg.patterns : []);
+  for (const p of DLP_PATTERNS) {
+    if (allow.has(p.name) && p.re.test(text)) return p.name;
+  }
+  for (const c of Array.isArray(cfg.custom) ? cfg.custom : []) {
+    try { if (new RegExp(c.re).test(text)) return c.name || 'custom pattern'; } catch { /* skip invalid */ }
+  }
+  return null;
+}
+
+// Multi-window sliding rate limit, persisted under ~/.solongate (tamper-protected
+// from the agent, writable by the guard). One timestamps file per agent, pruned
+// to the last 24h and capped for performance; counts this agent's calls within
+// each enabled window (minute/hour/day). Returns the exceeded window or null.
+const RL_WINDOWS = [
+  { key: 'perDay', ms: 86400000, label: 'day' },
+  { key: 'perHour', ms: 3600000, label: 'hour' },
+  { key: 'perMinute', ms: 60000, label: 'minute' },
+];
+function rateLimitCheck(agentKey, limits) {
+  try {
+    const file = join(resolve(homedir(), '.solongate'), '.ratelimit-' + agentKey + '.json');
+    const now = Date.now();
+    let stamps = [];
+    if (existsSync(file)) {
+      try { stamps = JSON.parse(readFileSync(file, 'utf-8')); } catch { stamps = []; }
+    }
+    if (!Array.isArray(stamps)) stamps = [];
+    // Prune to the longest window (24h) and cap size to bound work/IO.
+    stamps = stamps.filter((t) => typeof t === 'number' && now - t < 86400000);
+    if (stamps.length > 50000) stamps = stamps.slice(-50000);
+    // Check each enabled window against the current count (before adding now).
+    for (const w of RL_WINDOWS) {
+      const limit = limits[w.key];
+      if (limit > 0) {
+        const count = stamps.reduce((n, t) => (now - t < w.ms ? n + 1 : n), 0);
+        if (count >= limit) return { window: w.label, limit };
+      }
+    }
+    stamps.push(now);
+    try { writeFileSync(file, JSON.stringify(stamps)); } catch {}
+    return null;
+  } catch {
+    return null; // fail open
+  }
+}
+
+// Runs all enabled enforcement layers; returns a deny reason or null (allow).
+function securityLayerCheck(toolName, args, cfg, agentKey) {
+  if (!cfg) return null;
+  try {
+    if (cfg.dlpBlock) {
+      const hit = dlpScan(args, cfg.dlpBlock);
+      if (hit) return 'Security layer (DLP): blocked - arguments contain a ' + hit +
+        '. Blocked by SolonGate - check your dashboard for details.';
+    }
+    if (cfg.rateLimit) {
+      const hit = rateLimitCheck(agentKey, cfg.rateLimit);
+      if (hit) {
+        return 'Security layer (rate limit): exceeded ' + hit.limit + ' calls/' + hit.window +
+          ' for this agent. Blocked by SolonGate - check your dashboard to review or adjust the limit.';
+      }
+    }
+  } catch { /* fail open */ }
+  return null;
+}
+
 // ── Policy Evaluation ──
 
 // Permission filter: a rule with rule.permission set only applies to tool
@@ -582,7 +754,7 @@ function patternsOf(constraint) {
   return Array.isArray(list) && list.length > 0 ? list : null;
 }
 
-function ruleMatches(rule, args) {
+function ruleMatches(rule, args, isExec) {
   const fnPats = patternsOf(rule.filenameConstraints);
   if (fnPats) {
     const filenames = extractFilenames(args);
@@ -612,7 +784,7 @@ function ruleMatches(rule, args) {
   }
   const pathPats = patternsOf(rule.pathConstraints);
   if (pathPats) {
-    const paths = extractPaths(args);
+    const paths = extractPaths(args, isExec);
     for (const p of paths) {
       for (const pat of pathPats) {
         if (matchPathGlob(p, pat)) return { kind: 'path', value: p, pattern: pat };
@@ -630,13 +802,14 @@ function evaluate(policy, args, toolName) {
   if (!policy || !policy.rules) return null;
   const enabledRules = policy.rules.filter(r => r.enabled !== false);
   const mode = policy.mode === 'whitelist' ? 'whitelist' : 'denylist';
+  const isExec = /bash|shell|exec|powershell|cmd|run|eval/.test((toolName || '').toLowerCase());
 
   // DENY pass — runs in both modes. DENY wins over ALLOW.
   const denyRules = enabledRules
     .filter(r => r.effect === 'DENY' && permissionApplies(r, toolName))
     .sort((a, b) => (a.priority || 100) - (b.priority || 100));
   for (const rule of denyRules) {
-    const m = ruleMatches(rule, args);
+    const m = ruleMatches(rule, args, isExec);
     if (m) return 'Blocked by policy: ' + m.kind + ' "' + m.value + '" matches "' + m.pattern + '"';
   }
 
@@ -648,7 +821,7 @@ function evaluate(policy, args, toolName) {
     }
     let matched = false;
     for (const rule of allowRules) {
-      if (ruleMatches(rule, args)) { matched = true; break; }
+      if (ruleMatches(rule, args, isExec)) { matched = true; break; }
     }
     if (!matched) {
       return 'Blocked by policy: strict whitelist mode — request does not match any ALLOW rule';
@@ -835,7 +1008,7 @@ async function evaluateWithOpa(policy, args, toolName, cwd) {
       permission: guessPermission(toolName),
       trust_level: 'TRUSTED',
       arguments: expandedArgs,
-      paths: extractPaths(accessArgs),
+      paths: extractPaths(accessArgs, isExecTool),
       commands: extractCommands(expandedArgs),
       urls: extractUrls(accessArgs),
       filenames: extractFilenames(accessArgs),
@@ -984,32 +1157,44 @@ process.stdin.on('end', async () => {
     // fallback for when the API is unreachable.
     const hookCwd = data.cwd || process.cwd();
     let policy;
+    // Self-protection (tamper guard) defaults ON. The cloud per-project setting
+    // can turn it off; delivered via /policies/active and cached alongside the
+    // policy. Any failure to read it leaves protection ON (fail safe).
+    let selfProtectEnabled = true;
+    // Extra security layers (rate limit, egress, DLP block) delivered by the
+    // cloud. Null = none configured. Fail open if unread.
+    let securityCfg = null;
     // Cache keyed by agent_id so different agents in different terminals
     // don't share a stale cached policy.
     const agentKey = (AGENT_ID || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
     const policyCacheFile = join(resolve(homedir(), '.solongate'), '.policy-cache-' + agentKey + '.json');
-    const POLICY_TTL_MS = 10_000;
+    const POLICY_TTL_MS = 3_000;
     try {
       let dashboardPolicy = null;
       // Try cache first
       try {
         if (existsSync(policyCacheFile)) {
           const cached = JSON.parse(readFileSync(policyCacheFile, 'utf-8'));
-          if (cached && cached._ts && Date.now() - cached._ts < POLICY_TTL_MS && cached.policy) {
-            dashboardPolicy = cached.policy;
+          if (cached && cached._ts && Date.now() - cached._ts < POLICY_TTL_MS) {
+            if (cached.policy) dashboardPolicy = cached.policy;
+            if (typeof cached.selfProtect === 'boolean') selfProtectEnabled = cached.selfProtect;
+            if (cached.security !== undefined) securityCfg = cached.security;
           }
         }
       } catch {}
       // Refresh from API if cache expired
       if (!dashboardPolicy) {
         try {
-          const res = await fetch(API_URL + '/api/v1/policies/active?agent_id=' + encodeURIComponent(AGENT_ID || ''), { headers: AUTH_HEADERS, signal: AbortSignal.timeout(8000) });
+          // Report our installed version (hv) so the dashboard can show whether
+          // this guard is on the latest build.
+          const res = await fetch(API_URL + '/api/v1/policies/active?agent_id=' + encodeURIComponent(AGENT_ID || '') + '&hv=' + HOOK_VERSION, { headers: AUTH_HEADERS, signal: AbortSignal.timeout(8000) });
           if (res.ok) {
             const body = await res.json();
-            if (body && body.policy) {
-              dashboardPolicy = body.policy;
-              try { writeFileSync(policyCacheFile, JSON.stringify({ _ts: Date.now(), policy: dashboardPolicy })); } catch {}
-            }
+            // Capture the self-protection flag even when no cloud policy is set.
+            if (typeof body?.self_protection_enabled === 'boolean') selfProtectEnabled = body.self_protection_enabled;
+            if (body?.security !== undefined) securityCfg = body.security;
+            if (body && body.policy) dashboardPolicy = body.policy;
+            try { writeFileSync(policyCacheFile, JSON.stringify({ _ts: Date.now(), policy: dashboardPolicy || null, selfProtect: selfProtectEnabled, security: securityCfg })); } catch {}
           }
         } catch {}
       }
@@ -1050,16 +1235,21 @@ process.stdin.on('end', async () => {
 
     if (process.env.SOLONGATE_DEBUG) {
     }
-    // Hardcoded tamper protection — runs unconditionally, before policy eval.
-    let reason = tamperCheck(toolName, args);
+    // Tamper / self-protection — runs before policy eval. ON by default; the
+    // per-project cloud setting can disable it (fail safe: stays on if unread).
+    let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    // Extra security layers run after tamper, before policy. Block reason wins
+    // immediately (BLACK). Fail-open by design.
+    if (!reason) reason = securityLayerCheck(toolName, args, securityCfg, agentKey);
     if (process.env.SOLONGATE_DEBUG) {
     }
     // OPA WASM is the SOLE policy engine. With no policy configured for this
     // agent we skip evaluation entirely (allow). With a policy present,
     // evaluateWithOpa returns a reason (DENY), null (ALLOW), or undefined when
-    // the WASM bundle could not be obtained at all — in which case we fail
-    // CLOSED rather than silently allowing. (The legacy JS evaluate() below is
-    // retained but no longer on the decision path — OPA decides everything.)
+    // the WASM bundle could not be obtained at all — in which case we fall back
+    // to the policy mode's default (whitelist → fail closed, denylist → fail
+    // open); see the branch below. (The legacy JS evaluate() below is retained
+    // but no longer on the decision path — OPA decides everything.)
     // Cloud routing is BINARY — WHITE (allow) / BLACK (block). There is NO AI
     // Judge in the cloud (that is an air-gap-only feature), so there is no GRAY
     // "send to the judge" lane: the OPA policy alone decides. Tamper protection
@@ -1071,8 +1261,23 @@ process.stdin.on('end', async () => {
     } else if (policy && policy.rules) {
       const opaResult = await evaluateWithOpa(policy, args, toolName, hookCwd);
       if (opaResult === undefined) {
-        reason = '[SolonGate OPA] Policy WASM unavailable — failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.';
-        opaRoute = 'black';
+        // OPA produced no decision (no WASM bundle yet, runtime missing, fetch
+        // error). This happens on COLD START — the first call(s) in a session
+        // before the policy + WASM are cached. Don't leave an enforcement gap:
+        // run the deterministic, WASM-free JS evaluator so DENY rules (e.g.
+        // secret-file protection) and whitelist defaults apply IMMEDIATELY, from
+        // the very first call. evaluate() implements both modes:
+        //   - returns a deny reason  → block (DENY match, or whitelist no-match)
+        //   - returns null           → allow (denylist default / whitelist match)
+        // This closes the "worked, but late" window where a denylist policy used
+        // to fail OPEN until WASM warmed up.
+        const legacy = evaluate(policy, args, toolName);
+        if (typeof legacy === 'string') {
+          reason = legacy;
+          opaRoute = 'black';
+        } else {
+          opaRoute = 'white';
+        }
       } else if (typeof opaResult === 'string') {
         reason = opaResult; // explicit DENY
         opaRoute = 'black';
@@ -1106,8 +1311,10 @@ process.stdin.on('end', async () => {
         } catch {}
       }
       writeDenyFlag(toolName);
+      await maybeSelfUpdate();
       blockTool(reason);
     }
   } catch {}
+  await maybeSelfUpdate();
   allowTool();
 });

package/package.json

@@ -1,76 +1,76 @@
-{
-  "name": "@solongate/proxy",
-  "version": "0.47.0",
-  "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
-  "type": "module",
-  "bin": {
-    "solongate": "./dist/index.js",
-    "solongate-proxy": "./dist/index.js",
-    "solongate-init": "./dist/init.js",
-    "proxy": "./dist/index.js"
-  },
-  "main": "./dist/lib.js",
-  "exports": {
-    ".": {
-      "import": "./dist/lib.js"
-    },
-    "./cli": {
-      "import": "./dist/index.js"
-    }
-  },
-  "files": [
-    "dist",
-    "hooks",
-    "README.md"
-  ],
-  "scripts": {
-    "build": "tsup && pnpm build:hooks",
-    "build:hooks": "node scripts/bundle-hooks.mjs",
-    "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist .turbo"
-  },
-  "keywords": [
-    "ai-tool-security",
-    "ai-tool-proxy",
-    "security",
-    "proxy",
-    "gateway",
-    "firewall",
-    "ai-security",
-    "tool-security",
-    "claude",
-    "openclaw",
-    "solongate",
-    "prompt-injection",
-    "path-traversal",
-    "rate-limiting"
-  ],
-  "author": "SolonGate <hello@solongate.com>",
-  "license": "MIT",
-  "homepage": "https://solongate.com",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/solongate/solongate"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "zod": "^3.25.0"
-  },
-  "optionalDependencies": {
-    "@huggingface/transformers": ">=3.0.0"
-  },
-  "devDependencies": {
-    "@open-policy-agent/opa-wasm": "^1.10.0",
-    "@solongate/core": "workspace:*",
-    "@solongate/policy-engine": "workspace:*",
-    "@solongate/tsconfig": "workspace:*",
-    "esbuild": "^0.19.12",
-    "tsup": "^8.3.0",
-    "tsx": "^4.19.0",
-    "typescript": "^5.7.0"
-  }
-}
+{
+  "name": "@solongate/proxy",
+  "version": "0.47.2",
+  "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
+  "type": "module",
+  "bin": {
+    "solongate": "./dist/index.js",
+    "solongate-proxy": "./dist/index.js",
+    "solongate-init": "./dist/init.js",
+    "proxy": "./dist/index.js"
+  },
+  "main": "./dist/lib.js",
+  "exports": {
+    ".": {
+      "import": "./dist/lib.js"
+    },
+    "./cli": {
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "hooks",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup && pnpm build:hooks",
+    "build:hooks": "node scripts/bundle-hooks.mjs",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
+  },
+  "keywords": [
+    "ai-tool-security",
+    "ai-tool-proxy",
+    "security",
+    "proxy",
+    "gateway",
+    "firewall",
+    "ai-security",
+    "tool-security",
+    "claude",
+    "openclaw",
+    "solongate",
+    "prompt-injection",
+    "path-traversal",
+    "rate-limiting"
+  ],
+  "author": "SolonGate <hello@solongate.com>",
+  "license": "MIT",
+  "homepage": "https://solongate.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/solongate/solongate"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "zod": "^3.25.0"
+  },
+  "optionalDependencies": {
+    "@huggingface/transformers": ">=3.0.0"
+  },
+  "devDependencies": {
+    "@open-policy-agent/opa-wasm": "^1.10.0",
+    "@solongate/core": "workspace:*",
+    "@solongate/policy-engine": "workspace:*",
+    "@solongate/tsconfig": "workspace:*",
+    "esbuild": "^0.19.12",
+    "tsup": "^8.3.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  }
+}