@solongate/proxy 0.47.6 → 0.47.7

package/dist/index.js

@@ -8682,7 +8682,7 @@ var PolicyRuleSchema = z.object({
   effect: z.enum(["ALLOW", "DENY"]),
   priority: z.number().int().min(0).max(1e4).default(1e3),
   toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE"]).optional(),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
   minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
   argumentConstraints: z.record(z.unknown()).optional(),
   pathConstraints: z.object({

package/dist/lib.js

@@ -6269,7 +6269,7 @@ var PolicyRuleSchema = z.object({
   effect: z.enum(["ALLOW", "DENY"]),
   priority: z.number().int().min(0).max(1e4).default(1e3),
   toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE"]).optional(),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
   minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
   argumentConstraints: z.record(z.unknown()).optional(),
   pathConstraints: z.object({

package/hooks/audit.mjs

@@ -34,6 +34,137 @@ function loadGlobalCloudConfig() {
   } catch { return {}; }
 }
 
+// ── Ghost paths (PostToolUse twin of guard.mjs) ──
+// The guard's PreToolUse hook blocks MUTATIONS to hidden paths; here we make
+// hidden paths invisible to READS and LISTINGS by rewriting the tool output the
+// model sees (Claude Code `updatedToolOutput`). The matcher below is mirrored
+// verbatim from guard.mjs — keep the two in sync. Config is read from the policy
+// cache the guard just wrote (same PreToolUse call), so no extra API request.
+function ghostGlobToRegExp(glob) {
+  let re = '';
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === '*') {
+      if (glob[i + 1] === '*') { re += '.*'; i++; }
+      else re += '[^/]*';
+    } else if (c === '?') re += '[^/]';
+    else if ('\\^$.|+()[]{}'.indexOf(c) !== -1) re += '\\' + c;
+    else re += c;
+  }
+  try { return new RegExp('^' + re + '$'); } catch { return null; }
+}
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0) return false;
+  const norm = String(targetPath).replace(/\\/g, '/').replace(/\/+$/, '');
+  if (!norm) return false;
+  const segments = norm.split('/').filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || '').trim();
+    if (!pat) continue;
+    let dirOnly = false;
+    if (pat.endsWith('/')) { dirOnly = true; pat = pat.slice(0, -1); }
+    if (!pat) continue;
+    const hasSlash = pat.indexOf('/') !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re) continue;
+    if (dirOnly) {
+      if (!hasSlash && !hasWild) { if (segments.indexOf(pat) !== -1) return true; continue; }
+      let acc = '';
+      for (const s of segments) { acc = acc ? acc + '/' + s : s; if (re.test(acc) || re.test(s)) return true; }
+      continue;
+    }
+    if (!hasSlash) {
+      if (re.test(base)) return true;
+      if (segments.some((s) => re.test(s))) return true;
+      continue;
+    }
+    if (re.test(norm)) return true;
+  }
+  return false;
+}
+function ghostCleanToken(tok) {
+  let t = String(tok || '').trim();
+  t = t.replace(/^[<>|;&(]+/, '').replace(/[);&|]+$/, '');
+  t = t.replace(/^['"]+/, '').replace(/['"]+$/, '');
+  t = t.replace(/^\d*>>?/, '');
+  return t.trim();
+}
+// Drop listing lines that reference a ghost entry. `find`/glob output (one path
+// per line) drops the whole line; multi-column `ls -l` rows drop entirely; a
+// bare space-separated `ls` row drops only the matching names.
+function ghostStripLines(text, pats) {
+  const lines = String(text).split('\n');
+  const kept = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed) { kept.push(line); continue; }
+    if (ghostMatch(trimmed, pats)) continue; // full-path listing line
+    const toks = trimmed.split(/\s+/);
+    const anyHit = toks.some((t) => ghostMatch(ghostCleanToken(t), pats));
+    if (!anyHit) { kept.push(line); continue; }
+    if (toks.length > 3) continue; // ls -l style row → drop entirely
+    const remaining = toks.filter((t) => !ghostMatch(ghostCleanToken(t), pats));
+    if (remaining.length === 0) continue;
+    kept.push(remaining.join('  '));
+  }
+  return kept.join('\n');
+}
+// Read ghost patterns from the policy cache the guard wrote on the matching
+// PreToolUse call. Same agent-key derivation as guard.mjs.
+function loadGhostPatterns() {
+  try {
+    const sel = (process.env.SOLONGATE_AGENT_ID || process.argv[2] || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
+    const f = resolve(homedir(), '.solongate', '.policy-cache-' + sel + '.json');
+    if (!existsSync(f)) return [];
+    const c = JSON.parse(readFileSync(f, 'utf-8'));
+    const g = c && c.security && c.security.ghost;
+    return g && Array.isArray(g.patterns) ? g.patterns : [];
+  } catch { return []; }
+}
+// Returns the rewritten output text, or null if nothing is hidden.
+function buildGhostOutput(toolName, toolInput, toolResponse, toolOutput, pats) {
+  if (!Array.isArray(pats) || pats.length === 0) return null;
+  const name = toolName || '';
+  const getText = () => {
+    if (typeof toolResponse === 'string') return toolResponse;
+    if (toolResponse && typeof toolResponse.stdout === 'string') return toolResponse.stdout;
+    if (toolResponse && typeof toolResponse.content === 'string') return toolResponse.content;
+    if (typeof toolOutput === 'string' && toolOutput) return toolOutput;
+    return null;
+  };
+  try {
+    // Direct read of a hidden file → looks like it doesn't exist.
+    if (name === 'Read' || name === 'NotebookRead') {
+      const p = toolInput && (toolInput.file_path || toolInput.notebook_path);
+      if (p && ghostMatch(p, pats)) return p + ': No such file or directory';
+      return null;
+    }
+    if (name === 'Bash' || name === 'BashOutput') {
+      const text = getText();
+      if (text == null) return null;
+      const cmd = String((toolInput && toolInput.command) || '');
+      for (const raw of cmd.split(/\s+/)) {
+        const t = ghostCleanToken(raw);
+        // A command that names the hidden path directly (cat A/Y/.data, ls A/Y)
+        // → not-found, regardless of what the command actually returned.
+        if (t && t[0] !== '-' && ghostMatch(t, pats)) return t + ': No such file or directory';
+      }
+      const stripped = ghostStripLines(text, pats);
+      return stripped === text ? null : stripped;
+    }
+    // Listing-style tools → strip hidden entries from the result.
+    if (name === 'Glob' || name === 'Grep' || name === 'LS') {
+      const text = getText();
+      if (text == null) return null;
+      const stripped = ghostStripLines(text, pats);
+      return stripped === text ? null : stripped;
+    }
+  } catch { /* fail open */ }
+  return null;
+}
+
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -96,6 +227,19 @@ process.stdin.on('end', async () => {
     const toolOutput = data.tool_output || data.toolOutput || '';
     const resultJson = data.result_json ? (typeof data.result_json === 'string' ? data.result_json : JSON.stringify(data.result_json)) : '';
 
+    // Ghost paths: rewrite the output the model sees so hidden files/dirs are
+    // stripped from listings and direct reads look like "no such file". Emit the
+    // updated output BEFORE the (fire-and-forget) audit log. Fail-open: any
+    // error leaves the original output untouched.
+    try {
+      const ghostText = buildGhostOutput(toolName, toolInput, toolResponse, toolOutput, loadGhostPatterns());
+      if (typeof ghostText === 'string') {
+        process.stdout.write(JSON.stringify({
+          hookSpecificOutput: { hookEventName: 'PostToolUse', updatedToolOutput: { type: 'text', text: ghostText } },
+        }));
+      }
+    } catch {}
+
     const hasError = guardDenied ||
       toolResponse.error ||
       toolResponse.exitCode > 0 ||

package/hooks/guard.bundled.mjs

@@ -6535,7 +6535,7 @@ import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { gunzipSync } from "node:zlib";
 import { createHash } from "node:crypto";
-var HOOK_VERSION = 14;
+var HOOK_VERSION = 15;
 var MAX_FILE_READ = 1024 * 1024;
 function safeReadFileSync(filePath, encoding = "utf-8") {
   try {
@@ -7027,6 +7027,117 @@ function dlpScan(args, cfg) {
   }
   return null;
 }
+function ghostGlobToRegExp(glob) {
+  let re = "";
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === "*") {
+      if (glob[i + 1] === "*") {
+        re += ".*";
+        i++;
+      } else
+        re += "[^/]*";
+    } else if (c === "?")
+      re += "[^/]";
+    else if ("\\^$.|+()[]{}".indexOf(c) !== -1)
+      re += "\\" + c;
+    else
+      re += c;
+  }
+  try {
+    return new RegExp("^" + re + "$");
+  } catch {
+    return null;
+  }
+}
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0)
+    return false;
+  const norm = String(targetPath).replace(/\\/g, "/").replace(/\/+$/, "");
+  if (!norm)
+    return false;
+  const segments = norm.split("/").filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || "").trim();
+    if (!pat)
+      continue;
+    let dirOnly = false;
+    if (pat.endsWith("/")) {
+      dirOnly = true;
+      pat = pat.slice(0, -1);
+    }
+    if (!pat)
+      continue;
+    const hasSlash = pat.indexOf("/") !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re)
+      continue;
+    if (dirOnly) {
+      if (!hasSlash && !hasWild) {
+        if (segments.indexOf(pat) !== -1)
+          return true;
+        continue;
+      }
+      let acc = "";
+      for (const s of segments) {
+        acc = acc ? acc + "/" + s : s;
+        if (re.test(acc) || re.test(s))
+          return true;
+      }
+      continue;
+    }
+    if (!hasSlash) {
+      if (re.test(base))
+        return true;
+      if (segments.some((s) => re.test(s)))
+        return true;
+      continue;
+    }
+    if (re.test(norm))
+      return true;
+  }
+  return false;
+}
+function ghostCleanToken(tok) {
+  let t = String(tok || "").trim();
+  t = t.replace(/^[<>|;&(]+/, "").replace(/[);&|]+$/, "");
+  t = t.replace(/^['"]+/, "").replace(/['"]+$/, "");
+  t = t.replace(/^\d*>>?/, "");
+  return t.trim();
+}
+var GHOST_MUTATORS = /(^|[\s;&|])(rm|mv|cp|dd|truncate|tee|chmod|chown|ln|mkdir|rmdir|touch|install|shred|unlink|rsync|sed\s+-i)([\s;&|]|$)/;
+function ghostBlock(toolName, args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0)
+    return null;
+  const pats = ghostCfg.patterns;
+  const name = toolName || "";
+  const notFound = (p) => p + ": No such file or directory";
+  try {
+    if (name === "Write" || name === "Edit" || name === "MultiEdit" || name === "NotebookEdit") {
+      const p = args?.file_path || args?.notebook_path || args?.path || "";
+      if (p && ghostMatch(p, pats))
+        return notFound(p);
+      return null;
+    }
+    if (name === "Bash" || name === "BashOutput" || guessPermission(name) === "EXECUTE") {
+      const cmd = String(args?.command || "");
+      if (!cmd)
+        return null;
+      if (!GHOST_MUTATORS.test(cmd))
+        return null;
+      const tokens = cmd.split(/\s+/);
+      for (const raw of tokens) {
+        const tok = ghostCleanToken(raw);
+        if (tok && tok.indexOf("-") !== 0 && ghostMatch(tok, pats))
+          return notFound(tok);
+      }
+    }
+  } catch {
+  }
+  return null;
+}
 var RL_WINDOWS = [
   { key: "perDay", ms: 864e5, label: "day" },
   { key: "perHour", ms: 36e5, label: "hour" },
@@ -7476,6 +7587,41 @@ process.stdin.on("end", async () => {
     if (process.env.SOLONGATE_DEBUG) {
     }
     let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    if (!reason && securityCfg && securityCfg.ghost) {
+      const ghostHit = ghostBlock(toolName, args, securityCfg.ghost);
+      if (ghostHit) {
+        try {
+          writeDenyFlag(toolName);
+        } catch {
+        }
+        try {
+          await fetch(API_URL + "/api/v1/audit-logs", {
+            method: "POST",
+            headers: { "Content-Type": "application/json", ...AUTH_HEADERS },
+            body: JSON.stringify({
+              tool: toolName,
+              arguments: args,
+              decision: "DENY",
+              reason: "ghost path (hidden from agent)",
+              permission: guessPermission(toolName),
+              source: `${AGENT_TYPE}-guard`,
+              agent_id: AGENT_TYPE,
+              agent_name: AGENT_NAME,
+              evaluation_time_ms: Date.now() - _evalStart
+            }),
+            signal: AbortSignal.timeout(3e3)
+          });
+        } catch {
+        }
+        await maybeSelfUpdate();
+        if (AGENT_TYPE === "gemini-cli") {
+          process.stdout.write(JSON.stringify({ decision: "deny", reason: ghostHit }));
+          process.exit(0);
+        }
+        process.stderr.write(ghostHit);
+        process.exit(2);
+      }
+    }
     if (!reason)
       reason = securityLayerCheck(toolName, args, securityCfg, agentKey);
     if (process.env.SOLONGATE_DEBUG) {

package/hooks/guard.mjs

@@ -31,7 +31,7 @@ import { createHash } from 'node:crypto';
 // the installed hook self-updates when the cloud version is higher (see
 // maybeSelfUpdate). This is what makes guard fixes propagate without a manual
 // reinstall — the same trust model as the OPA WASM this hook already runs.
-const HOOK_VERSION = 14;
+const HOOK_VERSION = 15;
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -671,6 +671,114 @@ function dlpScan(args, cfg) {
   return null;
 }
 
+// ── Ghost paths ──
+// Files/dirs matching a ghost glob are INVISIBLE to the agent. This module is
+// mirrored verbatim in audit.mjs (the PostToolUse twin that strips them from
+// output). Keep the two copies in sync.
+//
+// Split of responsibility:
+//   - PreToolUse (here): block MUTATIONS (write/edit/delete/move) targeting a
+//     ghost path, returning a plain "No such file or directory" — never a
+//     SolonGate/policy message — so the path looks like it simply doesn't exist.
+//   - PostToolUse (audit.mjs): strip ghost entries from listings and rewrite
+//     direct reads to not-found. Reads are NOT blocked here so the agent gets a
+//     natural "missing file" rather than a visible hook block.
+function ghostGlobToRegExp(glob) {
+  let re = '';
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === '*') {
+      if (glob[i + 1] === '*') { re += '.*'; i++; }
+      else re += '[^/]*';
+    } else if (c === '?') re += '[^/]';
+    else if ('\\^$.|+()[]{}'.indexOf(c) !== -1) re += '\\' + c;
+    else re += c;
+  }
+  try { return new RegExp('^' + re + '$'); } catch { return null; }
+}
+
+// True if `targetPath` is ghosted by any pattern. A bare name (`.data`) matches
+// that entry anywhere in the path; a trailing `/` (`secrets/`) ghosts a whole
+// directory subtree; a pattern with `/` is matched against the full path.
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0) return false;
+  const norm = String(targetPath).replace(/\\/g, '/').replace(/\/+$/, '');
+  if (!norm) return false;
+  const segments = norm.split('/').filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || '').trim();
+    if (!pat) continue;
+    let dirOnly = false;
+    if (pat.endsWith('/')) { dirOnly = true; pat = pat.slice(0, -1); }
+    if (!pat) continue;
+    const hasSlash = pat.indexOf('/') !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re) continue;
+    if (dirOnly) {
+      // Directory: ghost the dir itself and everything under it.
+      if (!hasSlash && !hasWild) { if (segments.indexOf(pat) !== -1) return true; continue; }
+      let acc = '';
+      for (const s of segments) { acc = acc ? acc + '/' + s : s; if (re.test(acc) || re.test(s)) return true; }
+      continue;
+    }
+    if (!hasSlash) {
+      // Name glob: match basename or any single path segment.
+      if (re.test(base)) return true;
+      if (segments.some((s) => re.test(s))) return true;
+      continue;
+    }
+    // Path glob (contains '/'): match the full normalized path.
+    if (re.test(norm)) return true;
+  }
+  return false;
+}
+
+// Strip shell decoration from a token so it can be tested as a path:
+// surrounding quotes, redirection operators, trailing punctuation.
+function ghostCleanToken(tok) {
+  let t = String(tok || '').trim();
+  t = t.replace(/^[<>|;&(]+/, '').replace(/[);&|]+$/, '');
+  t = t.replace(/^['"]+/, '').replace(/['"]+$/, '');
+  t = t.replace(/^\d*>>?/, ''); // strip leading redirection like 2>
+  return t.trim();
+}
+
+// Bash verbs that MUTATE a target path. A read-ish command (cat/ls/grep/find…)
+// is intentionally absent: those are not blocked, they are stripped/rewritten
+// by the PostToolUse hook so the agent sees a natural empty/missing result.
+const GHOST_MUTATORS = /(^|[\s;&|])(rm|mv|cp|dd|truncate|tee|chmod|chown|ln|mkdir|rmdir|touch|install|shred|unlink|rsync|sed\s+-i)([\s;&|]|$)/;
+
+// Returns a plain not-found message if a MUTATING op targets a ghost path,
+// else null. Never returns a branded/policy string.
+function ghostBlock(toolName, args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0) return null;
+  const pats = ghostCfg.patterns;
+  const name = (toolName || '');
+  const notFound = (p) => p + ': No such file or directory';
+  try {
+    // File-mutating tools carry an explicit path.
+    if (name === 'Write' || name === 'Edit' || name === 'MultiEdit' || name === 'NotebookEdit') {
+      const p = args?.file_path || args?.notebook_path || args?.path || '';
+      if (p && ghostMatch(p, pats)) return notFound(p);
+      return null;
+    }
+    // Bash: block only when a ghost path is the target of a mutating verb.
+    if (name === 'Bash' || name === 'BashOutput' || guessPermission(name) === 'EXECUTE') {
+      const cmd = String(args?.command || '');
+      if (!cmd) return null;
+      if (!GHOST_MUTATORS.test(cmd)) return null;
+      const tokens = cmd.split(/\s+/);
+      for (const raw of tokens) {
+        const tok = ghostCleanToken(raw);
+        if (tok && tok.indexOf('-') !== 0 && ghostMatch(tok, pats)) return notFound(tok);
+      }
+    }
+  } catch { /* fail open */ }
+  return null;
+}
+
 // Multi-window sliding rate limit, persisted under ~/.solongate (tamper-protected
 // from the agent, writable by the guard). One timestamps file per agent, pruned
 // to the last 24h and capped for performance; counts this agent's calls within
@@ -1238,6 +1346,35 @@ process.stdin.on('end', async () => {
     // Tamper / self-protection — runs before policy eval. ON by default; the
     // per-project cloud setting can disable it (fail safe: stays on if unread).
     let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    // Ghost paths — handled BEFORE the other layers and emitted as a STEALTH
+    // block: a mutating op on a hidden path is denied with a bare OS-style
+    // "No such file or directory" and NOTHING else (no ROUTE line, no SolonGate
+    // wording), so the agent can't tell the path is protected — it just looks
+    // absent. (Reads/listings aren't blocked; the PostToolUse hook strips them.)
+    if (!reason && securityCfg && securityCfg.ghost) {
+      const ghostHit = ghostBlock(toolName, args, securityCfg.ghost);
+      if (ghostHit) {
+        try { writeDenyFlag(toolName); } catch {}
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', ...AUTH_HEADERS },
+            body: JSON.stringify({
+              tool: toolName, arguments: args, decision: 'DENY',
+              reason: 'ghost path (hidden from agent)',
+              permission: guessPermission(toolName),
+              source: `${AGENT_TYPE}-guard`, agent_id: AGENT_TYPE, agent_name: AGENT_NAME,
+              evaluation_time_ms: Date.now() - _evalStart,
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+        await maybeSelfUpdate();
+        if (AGENT_TYPE === 'gemini-cli') { process.stdout.write(JSON.stringify({ decision: 'deny', reason: ghostHit })); process.exit(0); }
+        process.stderr.write(ghostHit);
+        process.exit(2);
+      }
+    }
     // Extra security layers run after tamper, before policy. Block reason wins
     // immediately (BLACK). Fail-open by design.
     if (!reason) reason = securityLayerCheck(toolName, args, securityCfg, agentKey);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.47.6",
+  "version": "0.47.7",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {