@solongate/proxy 0.47.1 → 0.47.3

package/hooks/guard.mjs

@@ -31,7 +31,7 @@ import { createHash } from 'node:crypto';
 // the installed hook self-updates when the cloud version is higher (see
 // maybeSelfUpdate). This is what makes guard fixes propagate without a manual
 // reinstall — the same trust model as the OPA WASM this hook already runs.
-const HOOK_VERSION = 5;
+const HOOK_VERSION = 14;
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -526,6 +526,7 @@ const TAMPER_PROTECTED_GLOBS = [
   '**' + TAMPER_SG + '/.pi-config-cache.json',
   '**' + TAMPER_SG + '/cloud-guard.json',
   '**' + TAMPER_SG + '/.opa-wasm-*.json',
+  '**' + TAMPER_SG + '/.ratelimit-*.json',
   // Persistent host data (DB + audit JSONL) at ~/.solongate/data
   '**' + TAMPER_SG + '/data/**',
   // Customer install layout (zip extracted as solongate/)
@@ -626,6 +627,107 @@ function tamperCheck(toolName, args) {
   return null;
 }
 
+// ── Extra security layers (rate limit, egress allowlist, DLP block) ──
+// These are configured per-project in the dashboard and delivered to the guard
+// via /policies/active (security). All fail OPEN: any error here returns null
+// (allow) so a config glitch never bricks the agent. Tamper protection and
+// policy are unaffected and still run.
+
+// DLP patterns mirror the server's set (apps/api/src/lib/security-layers.ts).
+// Mirrors apps/api/src/lib/security-layers.ts DLP_PATTERNS. Provider-specific
+// rules plus generic Bearer / secret-assignment catch-alls for the long tail.
+const DLP_PATTERNS = [
+  { name: 'AWS access key', re: /AKIA[0-9A-Z]{16}/ },
+  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
+  { name: 'Anthropic key', re: /sk-ant-[A-Za-z0-9_-]{20,}/ },
+  { name: 'OpenAI key', re: /sk-(proj-)?[A-Za-z0-9_-]{20,}/ },
+  { name: 'GitHub token', re: /gh[pousr]_[A-Za-z0-9]{20,}/ },
+  { name: 'GitHub fine-grained PAT', re: /github_pat_[A-Za-z0-9_]{20,}/ },
+  { name: 'GitLab token', re: /glpat-[A-Za-z0-9_-]{20,}/ },
+  { name: 'Slack token', re: /xox[baprs]-[A-Za-z0-9-]{10,}/ },
+  { name: 'Google API key', re: /AIza[0-9A-Za-z_-]{35}/ },
+  { name: 'Stripe key', re: /[sr]k_(live|test)_[A-Za-z0-9]{20,}/ },
+  { name: 'SendGrid key', re: /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/ },
+  { name: 'Twilio key', re: /SK[0-9a-fA-F]{32}/ },
+  { name: 'npm token', re: /npm_[A-Za-z0-9]{36}/ },
+  { name: 'JWT', re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/ },
+  { name: 'Bearer token', re: /bearer\s+[A-Za-z0-9._-]{20,}/i },
+  { name: 'secret assignment', re: /(api[_-]?key|secret|token|password|passwd|access[_-]?key)["']?\s*[:=]\s*["']?[A-Za-z0-9/+_.-]{12,}/i },
+];
+
+// Scan args against the enabled built-in patterns + any user custom patterns.
+// `cfg` = { patterns: string[], custom: {name,re}[] }.
+function dlpScan(args, cfg) {
+  if (!cfg) return null;
+  let text = '';
+  try { text = JSON.stringify(args || {}); } catch { return null; }
+  const allow = new Set(Array.isArray(cfg.patterns) ? cfg.patterns : []);
+  for (const p of DLP_PATTERNS) {
+    if (allow.has(p.name) && p.re.test(text)) return p.name;
+  }
+  for (const c of Array.isArray(cfg.custom) ? cfg.custom : []) {
+    try { if (new RegExp(c.re).test(text)) return c.name || 'custom pattern'; } catch { /* skip invalid */ }
+  }
+  return null;
+}
+
+// Multi-window sliding rate limit, persisted under ~/.solongate (tamper-protected
+// from the agent, writable by the guard). One timestamps file per agent, pruned
+// to the last 24h and capped for performance; counts this agent's calls within
+// each enabled window (minute/hour/day). Returns the exceeded window or null.
+const RL_WINDOWS = [
+  { key: 'perDay', ms: 86400000, label: 'day' },
+  { key: 'perHour', ms: 3600000, label: 'hour' },
+  { key: 'perMinute', ms: 60000, label: 'minute' },
+];
+function rateLimitCheck(agentKey, limits) {
+  try {
+    const file = join(resolve(homedir(), '.solongate'), '.ratelimit-' + agentKey + '.json');
+    const now = Date.now();
+    let stamps = [];
+    if (existsSync(file)) {
+      try { stamps = JSON.parse(readFileSync(file, 'utf-8')); } catch { stamps = []; }
+    }
+    if (!Array.isArray(stamps)) stamps = [];
+    // Prune to the longest window (24h) and cap size to bound work/IO.
+    stamps = stamps.filter((t) => typeof t === 'number' && now - t < 86400000);
+    if (stamps.length > 50000) stamps = stamps.slice(-50000);
+    // Check each enabled window against the current count (before adding now).
+    for (const w of RL_WINDOWS) {
+      const limit = limits[w.key];
+      if (limit > 0) {
+        const count = stamps.reduce((n, t) => (now - t < w.ms ? n + 1 : n), 0);
+        if (count >= limit) return { window: w.label, limit };
+      }
+    }
+    stamps.push(now);
+    try { writeFileSync(file, JSON.stringify(stamps)); } catch {}
+    return null;
+  } catch {
+    return null; // fail open
+  }
+}
+
+// Runs all enabled enforcement layers; returns a deny reason or null (allow).
+function securityLayerCheck(toolName, args, cfg, agentKey) {
+  if (!cfg) return null;
+  try {
+    if (cfg.dlpBlock) {
+      const hit = dlpScan(args, cfg.dlpBlock);
+      if (hit) return 'Security layer (DLP): blocked - arguments contain a ' + hit +
+        '. Blocked by SolonGate - check your dashboard for details.';
+    }
+    if (cfg.rateLimit) {
+      const hit = rateLimitCheck(agentKey, cfg.rateLimit);
+      if (hit) {
+        return 'Security layer (rate limit): exceeded ' + hit.limit + ' calls/' + hit.window +
+          ' for this agent. Blocked by SolonGate - check your dashboard to review or adjust the limit.';
+      }
+    }
+  } catch { /* fail open */ }
+  return null;
+}
+
 // ── Policy Evaluation ──
 
 // Permission filter: a rule with rule.permission set only applies to tool
@@ -1055,6 +1157,13 @@ process.stdin.on('end', async () => {
     // fallback for when the API is unreachable.
     const hookCwd = data.cwd || process.cwd();
     let policy;
+    // Self-protection (tamper guard) defaults ON. The cloud per-project setting
+    // can turn it off; delivered via /policies/active and cached alongside the
+    // policy. Any failure to read it leaves protection ON (fail safe).
+    let selfProtectEnabled = true;
+    // Extra security layers (rate limit, egress, DLP block) delivered by the
+    // cloud. Null = none configured. Fail open if unread.
+    let securityCfg = null;
     // Cache keyed by agent_id so different agents in different terminals
     // don't share a stale cached policy.
     const agentKey = (AGENT_ID || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
@@ -1066,21 +1175,26 @@ process.stdin.on('end', async () => {
       try {
         if (existsSync(policyCacheFile)) {
           const cached = JSON.parse(readFileSync(policyCacheFile, 'utf-8'));
-          if (cached && cached._ts && Date.now() - cached._ts < POLICY_TTL_MS && cached.policy) {
-            dashboardPolicy = cached.policy;
+          if (cached && cached._ts && Date.now() - cached._ts < POLICY_TTL_MS) {
+            if (cached.policy) dashboardPolicy = cached.policy;
+            if (typeof cached.selfProtect === 'boolean') selfProtectEnabled = cached.selfProtect;
+            if (cached.security !== undefined) securityCfg = cached.security;
           }
         }
       } catch {}
       // Refresh from API if cache expired
       if (!dashboardPolicy) {
         try {
-          const res = await fetch(API_URL + '/api/v1/policies/active?agent_id=' + encodeURIComponent(AGENT_ID || ''), { headers: AUTH_HEADERS, signal: AbortSignal.timeout(8000) });
+          // Report our installed version (hv) so the dashboard can show whether
+          // this guard is on the latest build.
+          const res = await fetch(API_URL + '/api/v1/policies/active?agent_id=' + encodeURIComponent(AGENT_ID || '') + '&hv=' + HOOK_VERSION, { headers: AUTH_HEADERS, signal: AbortSignal.timeout(8000) });
           if (res.ok) {
             const body = await res.json();
-            if (body && body.policy) {
-              dashboardPolicy = body.policy;
-              try { writeFileSync(policyCacheFile, JSON.stringify({ _ts: Date.now(), policy: dashboardPolicy })); } catch {}
-            }
+            // Capture the self-protection flag even when no cloud policy is set.
+            if (typeof body?.self_protection_enabled === 'boolean') selfProtectEnabled = body.self_protection_enabled;
+            if (body?.security !== undefined) securityCfg = body.security;
+            if (body && body.policy) dashboardPolicy = body.policy;
+            try { writeFileSync(policyCacheFile, JSON.stringify({ _ts: Date.now(), policy: dashboardPolicy || null, selfProtect: selfProtectEnabled, security: securityCfg })); } catch {}
           }
         } catch {}
       }
@@ -1121,8 +1235,12 @@ process.stdin.on('end', async () => {
 
     if (process.env.SOLONGATE_DEBUG) {
     }
-    // Hardcoded tamper protection — runs unconditionally, before policy eval.
-    let reason = tamperCheck(toolName, args);
+    // Tamper / self-protection — runs before policy eval. ON by default; the
+    // per-project cloud setting can disable it (fail safe: stays on if unread).
+    let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    // Extra security layers run after tamper, before policy. Block reason wins
+    // immediately (BLACK). Fail-open by design.
+    if (!reason) reason = securityLayerCheck(toolName, args, securityCfg, agentKey);
     if (process.env.SOLONGATE_DEBUG) {
     }
     // OPA WASM is the SOLE policy engine. With no policy configured for this
@@ -1143,17 +1261,19 @@ process.stdin.on('end', async () => {
     } else if (policy && policy.rules) {
       const opaResult = await evaluateWithOpa(policy, args, toolName, hookCwd);
       if (opaResult === undefined) {
-        // OPA produced no decision (no WASM bundle, runtime missing, fetch error).
-        // Honor policy-mode defaults instead of a blanket fail-closed:
-        //   whitelist (default-deny): fail CLOSED — nothing is allowed without an
-        //     explicit ALLOW match, so an unavailable engine must block.
-        //   denylist  (default-allow): fail OPEN — the engine being down means no
-        //     DENY rule could match, and denylist's default IS allow. Blocking
-        //     everything here is whitelist behavior and wrong for a denylist policy
-        //     (it bricks every tool call during any transient WASM hiccup).
-        // Tamper protection already ran above and is unaffected either way.
-        if (policy.mode === 'whitelist') {
-          reason = '[SolonGate OPA] Policy WASM unavailable — failing closed (DENY). Ensure the SolonGate API is reachable so policies compile to WASM.';
+        // OPA produced no decision (no WASM bundle yet, runtime missing, fetch
+        // error). This happens on COLD START — the first call(s) in a session
+        // before the policy + WASM are cached. Don't leave an enforcement gap:
+        // run the deterministic, WASM-free JS evaluator so DENY rules (e.g.
+        // secret-file protection) and whitelist defaults apply IMMEDIATELY, from
+        // the very first call. evaluate() implements both modes:
+        //   - returns a deny reason  → block (DENY match, or whitelist no-match)
+        //   - returns null           → allow (denylist default / whitelist match)
+        // This closes the "worked, but late" window where a denylist policy used
+        // to fail OPEN until WASM warmed up.
+        const legacy = evaluate(policy, args, toolName);
+        if (typeof legacy === 'string') {
+          reason = legacy;
           opaRoute = 'black';
         } else {
           opaRoute = 'white';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.47.1",
+  "version": "0.47.3",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {