npm - @solongate/proxy - Versions diffs - 0.47.6 → 0.48.0 - Mend

@solongate/proxy 0.47.6 → 0.48.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -8682,7 +8682,7 @@ var PolicyRuleSchema = z.object({
   effect: z.enum(["ALLOW", "DENY"]),
   priority: z.number().int().min(0).max(1e4).default(1e3),
   toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE"]).optional(),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
   minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
   argumentConstraints: z.record(z.unknown()).optional(),
   pathConstraints: z.object({

package/dist/init.js CHANGED Viewed

File without changes

package/dist/lib.js CHANGED Viewed

@@ -6269,7 +6269,7 @@ var PolicyRuleSchema = z.object({
   effect: z.enum(["ALLOW", "DENY"]),
   priority: z.number().int().min(0).max(1e4).default(1e3),
   toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE"]).optional(),
+  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
   minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
   argumentConstraints: z.record(z.unknown()).optional(),
   pathConstraints: z.object({

package/hooks/audit.mjs CHANGED Viewed

@@ -34,6 +34,137 @@ function loadGlobalCloudConfig() {
   } catch { return {}; }
 }
+// ── Ghost paths (PostToolUse twin of guard.mjs) ──
+// The guard's PreToolUse hook blocks MUTATIONS to hidden paths; here we make
+// hidden paths invisible to READS and LISTINGS by rewriting the tool output the
+// model sees (Claude Code `updatedToolOutput`). The matcher below is mirrored
+// verbatim from guard.mjs — keep the two in sync. Config is read from the policy
+// cache the guard just wrote (same PreToolUse call), so no extra API request.
+function ghostGlobToRegExp(glob) {
+  let re = '';
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === '*') {
+      if (glob[i + 1] === '*') { re += '.*'; i++; }
+      else re += '[^/]*';
+    } else if (c === '?') re += '[^/]';
+    else if ('\\^$.|+()[]{}'.indexOf(c) !== -1) re += '\\' + c;
+    else re += c;
+  }
+  try { return new RegExp('^' + re + '$'); } catch { return null; }
+}
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0) return false;
+  const norm = String(targetPath).replace(/\\/g, '/').replace(/\/+$/, '');
+  if (!norm) return false;
+  const segments = norm.split('/').filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || '').trim();
+    if (!pat) continue;
+    let dirOnly = false;
+    if (pat.endsWith('/')) { dirOnly = true; pat = pat.slice(0, -1); }
+    if (!pat) continue;
+    const hasSlash = pat.indexOf('/') !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re) continue;
+    if (dirOnly) {
+      if (!hasSlash && !hasWild) { if (segments.indexOf(pat) !== -1) return true; continue; }
+      let acc = '';
+      for (const s of segments) { acc = acc ? acc + '/' + s : s; if (re.test(acc) || re.test(s)) return true; }
+      continue;
+    }
+    if (!hasSlash) {
+      if (re.test(base)) return true;
+      if (segments.some((s) => re.test(s))) return true;
+      continue;
+    }
+    if (re.test(norm)) return true;
+  }
+  return false;
+}
+function ghostCleanToken(tok) {
+  let t = String(tok || '').trim();
+  t = t.replace(/^[<>|;&(]+/, '').replace(/[);&|]+$/, '');
+  t = t.replace(/^['"]+/, '').replace(/['"]+$/, '');
+  t = t.replace(/^\d*>>?/, '');
+  return t.trim();
+}
+// Drop listing lines that reference a ghost entry. `find`/glob output (one path
+// per line) drops the whole line; multi-column `ls -l` rows drop entirely; a
+// bare space-separated `ls` row drops only the matching names.
+function ghostStripLines(text, pats) {
+  const lines = String(text).split('\n');
+  const kept = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed) { kept.push(line); continue; }
+    if (ghostMatch(trimmed, pats)) continue; // full-path listing line
+    const toks = trimmed.split(/\s+/);
+    const anyHit = toks.some((t) => ghostMatch(ghostCleanToken(t), pats));
+    if (!anyHit) { kept.push(line); continue; }
+    if (toks.length > 3) continue; // ls -l style row → drop entirely
+    const remaining = toks.filter((t) => !ghostMatch(ghostCleanToken(t), pats));
+    if (remaining.length === 0) continue;
+    kept.push(remaining.join('  '));
+  }
+  return kept.join('\n');
+}
+// Read ghost patterns from the policy cache the guard wrote on the matching
+// PreToolUse call. Same agent-key derivation as guard.mjs.
+function loadGhostPatterns() {
+  try {
+    const sel = (process.env.SOLONGATE_AGENT_ID || process.argv[2] || 'default').replace(/[^a-zA-Z0-9_-]/g, '_');
+    const f = resolve(homedir(), '.solongate', '.policy-cache-' + sel + '.json');
+    if (!existsSync(f)) return [];
+    const c = JSON.parse(readFileSync(f, 'utf-8'));
+    const g = c && c.security && c.security.ghost;
+    return g && Array.isArray(g.patterns) ? g.patterns : [];
+  } catch { return []; }
+}
+// Returns the rewritten output text, or null if nothing is hidden.
+function buildGhostOutput(toolName, toolInput, toolResponse, toolOutput, pats) {
+  if (!Array.isArray(pats) || pats.length === 0) return null;
+  const name = toolName || '';
+  const getText = () => {
+    if (typeof toolResponse === 'string') return toolResponse;
+    if (toolResponse && typeof toolResponse.stdout === 'string') return toolResponse.stdout;
+    if (toolResponse && typeof toolResponse.content === 'string') return toolResponse.content;
+    if (typeof toolOutput === 'string' && toolOutput) return toolOutput;
+    return null;
+  };
+  try {
+    // Direct read of a hidden file → looks like it doesn't exist.
+    if (name === 'Read' || name === 'NotebookRead') {
+      const p = toolInput && (toolInput.file_path || toolInput.notebook_path);
+      if (p && ghostMatch(p, pats)) return p + ': No such file or directory';
+      return null;
+    }
+    if (name === 'Bash' || name === 'BashOutput') {
+      const text = getText();
+      if (text == null) return null;
+      const cmd = String((toolInput && toolInput.command) || '');
+      for (const raw of cmd.split(/\s+/)) {
+        const t = ghostCleanToken(raw);
+        // A command that names the hidden path directly (cat A/Y/.data, ls A/Y)
+        // → not-found, regardless of what the command actually returned.
+        if (t && t[0] !== '-' && ghostMatch(t, pats)) return t + ': No such file or directory';
+      }
+      const stripped = ghostStripLines(text, pats);
+      return stripped === text ? null : stripped;
+    }
+    // Listing-style tools → strip hidden entries from the result.
+    if (name === 'Glob' || name === 'Grep' || name === 'LS') {
+      const text = getText();
+      if (text == null) return null;
+      const stripped = ghostStripLines(text, pats);
+      return stripped === text ? null : stripped;
+    }
+  } catch { /* fail open */ }
+  return null;
+}
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -96,6 +227,21 @@ process.stdin.on('end', async () => {
     const toolOutput = data.tool_output || data.toolOutput || '';
     const resultJson = data.result_json ? (typeof data.result_json === 'string' ? data.result_json : JSON.stringify(data.result_json)) : '';
+    // Ghost paths: rewrite the output the model sees so hidden files/dirs are
+    // stripped from listings and direct reads look like "no such file". Emit the
+    // updated output BEFORE the (fire-and-forget) audit log. Fail-open: any
+    // error leaves the original output untouched.
+    try {
+      const ghostText = buildGhostOutput(toolName, toolInput, toolResponse, toolOutput, loadGhostPatterns());
+      if (typeof ghostText === 'string') {
+        // updatedToolOutput must be a PLAIN STRING (an object form is silently
+        // ignored by Claude Code). This replaces the tool result the model sees.
+        process.stdout.write(JSON.stringify({
+          hookSpecificOutput: { hookEventName: 'PostToolUse', updatedToolOutput: ghostText },
+        }));
+      }
+    } catch {}
     const hasError = guardDenied ||
       toolResponse.error ||
       toolResponse.exitCode > 0 ||

package/hooks/guard.bundled.mjs CHANGED Viewed

@@ -6535,7 +6535,7 @@ import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { gunzipSync } from "node:zlib";
 import { createHash } from "node:crypto";
-var HOOK_VERSION = 14;
+var HOOK_VERSION = 17;
 var MAX_FILE_READ = 1024 * 1024;
 function safeReadFileSync(filePath, encoding = "utf-8") {
   try {
@@ -6662,6 +6662,12 @@ function allowTool() {
   }
   process.exit(0);
 }
+function rewriteTool(updatedInput) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow", updatedInput }
+  }));
+  process.exit(0);
+}
 function writeDenyFlag(toolName) {
   try {
     const flagDir = resolve(".solongate");
@@ -7027,6 +7033,160 @@ function dlpScan(args, cfg) {
   }
   return null;
 }
+function ghostGlobToRegExp(glob) {
+  let re = "";
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === "*") {
+      if (glob[i + 1] === "*") {
+        re += ".*";
+        i++;
+      } else
+        re += "[^/]*";
+    } else if (c === "?")
+      re += "[^/]";
+    else if ("\\^$.|+()[]{}".indexOf(c) !== -1)
+      re += "\\" + c;
+    else
+      re += c;
+  }
+  try {
+    return new RegExp("^" + re + "$");
+  } catch {
+    return null;
+  }
+}
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0)
+    return false;
+  const norm = String(targetPath).replace(/\\/g, "/").replace(/\/+$/, "");
+  if (!norm)
+    return false;
+  const segments = norm.split("/").filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || "").trim();
+    if (!pat)
+      continue;
+    let dirOnly = false;
+    if (pat.endsWith("/")) {
+      dirOnly = true;
+      pat = pat.slice(0, -1);
+    }
+    if (!pat)
+      continue;
+    const hasSlash = pat.indexOf("/") !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re)
+      continue;
+    if (dirOnly) {
+      if (!hasSlash && !hasWild) {
+        if (segments.indexOf(pat) !== -1)
+          return true;
+        continue;
+      }
+      let acc = "";
+      for (const s of segments) {
+        acc = acc ? acc + "/" + s : s;
+        if (re.test(acc) || re.test(s))
+          return true;
+      }
+      continue;
+    }
+    if (!hasSlash) {
+      if (re.test(base))
+        return true;
+      if (segments.some((s) => re.test(s)))
+        return true;
+      continue;
+    }
+    if (re.test(norm))
+      return true;
+  }
+  return false;
+}
+function ghostCleanToken(tok) {
+  let t = String(tok || "").trim();
+  t = t.replace(/^[<>|;&(]+/, "").replace(/[);&|]+$/, "");
+  t = t.replace(/^['"]+/, "").replace(/['"]+$/, "");
+  t = t.replace(/^\d*>>?/, "");
+  return t.trim();
+}
+function ghostBlock(toolName, args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0)
+    return null;
+  const pats = ghostCfg.patterns;
+  const name = toolName || "";
+  const notFound = (p) => p + ": No such file or directory";
+  try {
+    if (name === "Write" || name === "Edit" || name === "MultiEdit" || name === "NotebookEdit" || name === "Read" || name === "NotebookRead" || name === "LS") {
+      const p = args?.file_path || args?.notebook_path || args?.path || "";
+      if (p && ghostMatch(p, pats))
+        return notFound(p);
+      return null;
+    }
+    if (name === "Glob" || name === "Grep") {
+      const p = args?.path || "";
+      const pat = args?.pattern || args?.glob || "";
+      if (p && ghostMatch(p, pats))
+        return notFound(p);
+      if (pat && ghostMatch(pat, pats))
+        return notFound(String(pat));
+      return null;
+    }
+    if (name === "Bash" || name === "BashOutput" || guessPermission(name) === "EXECUTE") {
+      const cmd = String(args?.command || "");
+      if (!cmd)
+        return null;
+      for (const raw of cmd.split(/\s+/)) {
+        const tok = ghostCleanToken(raw);
+        if (tok && tok.indexOf("-") !== 0 && ghostMatch(tok, pats))
+          return notFound(tok);
+      }
+    }
+  } catch {
+  }
+  return null;
+}
+function ghostListingRewrite(args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0)
+    return null;
+  const cmd = String(args?.command || "");
+  if (!cmd)
+    return null;
+  if (/[|>;&\n`]/.test(cmd))
+    return null;
+  if (!/^\s*(ls|ll|dir|find|tree|exa|lsd|fd)(\s|$)/.test(cmd))
+    return null;
+  const alts = [];
+  for (let p of ghostCfg.patterns) {
+    p = String(p).replace(/\/$/, "");
+    if (!p)
+      continue;
+    let re = "";
+    for (let i = 0; i < p.length; i++) {
+      const c = p[i];
+      if (c === "*") {
+        if (p[i + 1] === "*") {
+          re += ".*";
+          i++;
+        } else
+          re += "[^/]*";
+      } else if (c === "?")
+        re += "[^/]";
+      else if (".^$+(){}[]|\\/".indexOf(c) >= 0)
+        re += "\\" + c;
+      else
+        re += c;
+    }
+    alts.push(re);
+  }
+  if (alts.length === 0)
+    return null;
+  const ere = "(^|/| )(" + alts.join("|") + ")(/|$)";
+  return cmd + " | grep -vE '" + ere.replace(/'/g, "'\\''") + "'";
+}
 var RL_WINDOWS = [
   { key: "perDay", ms: 864e5, label: "day" },
   { key: "perHour", ms: 36e5, label: "hour" },
@@ -7476,6 +7636,48 @@ process.stdin.on("end", async () => {
     if (process.env.SOLONGATE_DEBUG) {
     }
     let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    if (!reason && securityCfg && securityCfg.ghost) {
+      const ghostHit = ghostBlock(toolName, args, securityCfg.ghost);
+      if (ghostHit) {
+        try {
+          writeDenyFlag(toolName);
+        } catch {
+        }
+        try {
+          await fetch(API_URL + "/api/v1/audit-logs", {
+            method: "POST",
+            headers: { "Content-Type": "application/json", ...AUTH_HEADERS },
+            body: JSON.stringify({
+              tool: toolName,
+              arguments: args,
+              decision: "DENY",
+              reason: "ghost path (hidden from agent)",
+              permission: guessPermission(toolName),
+              source: `${AGENT_TYPE}-guard`,
+              agent_id: AGENT_TYPE,
+              agent_name: AGENT_NAME,
+              evaluation_time_ms: Date.now() - _evalStart
+            }),
+            signal: AbortSignal.timeout(3e3)
+          });
+        } catch {
+        }
+        await maybeSelfUpdate();
+        if (AGENT_TYPE === "gemini-cli") {
+          process.stdout.write(JSON.stringify({ decision: "deny", reason: ghostHit }));
+          process.exit(0);
+        }
+        process.stderr.write(ghostHit);
+        process.exit(2);
+      }
+      if (AGENT_TYPE !== "gemini-cli" && toolName === "Bash") {
+        const rw = ghostListingRewrite(args, securityCfg.ghost);
+        if (rw) {
+          await maybeSelfUpdate();
+          rewriteTool({ command: rw });
+        }
+      }
+    }
     if (!reason)
       reason = securityLayerCheck(toolName, args, securityCfg, agentKey);
     if (process.env.SOLONGATE_DEBUG) {

package/hooks/guard.mjs CHANGED Viewed

@@ -31,7 +31,7 @@ import { createHash } from 'node:crypto';
 // the installed hook self-updates when the cloud version is higher (see
 // maybeSelfUpdate). This is what makes guard fixes propagate without a manual
 // reinstall — the same trust model as the OPA WASM this hook already runs.
-const HOOK_VERSION = 14;
+const HOOK_VERSION = 17;
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -188,6 +188,16 @@ function allowTool() {
   process.exit(0);
 }
+// Allow the tool but REPLACE its input (Claude Code `updatedInput`). Used by the
+// ghost layer to rewrite a listing command so hidden entries are filtered out of
+// its output — the agent never sees them. Claude Code only.
+function rewriteTool(updatedInput) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'allow', updatedInput },
+  }));
+  process.exit(0);
+}
 // Write flag file so stop.mjs knows a tool call (DENY) happened and doesn't log extra ALLOW
 function writeDenyFlag(toolName) {
   try {
@@ -671,6 +681,159 @@ function dlpScan(args, cfg) {
   return null;
 }
+// ── Ghost paths ──
+// Files/dirs matching a ghost glob are INVISIBLE to the agent. This module is
+// mirrored verbatim in audit.mjs (the PostToolUse twin that strips them from
+// output). Keep the two copies in sync.
+//
+// Split of responsibility:
+//   - PreToolUse (here): block MUTATIONS (write/edit/delete/move) targeting a
+//     ghost path, returning a plain "No such file or directory" — never a
+//     SolonGate/policy message — so the path looks like it simply doesn't exist.
+//   - PostToolUse (audit.mjs): strip ghost entries from listings and rewrite
+//     direct reads to not-found. Reads are NOT blocked here so the agent gets a
+//     natural "missing file" rather than a visible hook block.
+function ghostGlobToRegExp(glob) {
+  let re = '';
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === '*') {
+      if (glob[i + 1] === '*') { re += '.*'; i++; }
+      else re += '[^/]*';
+    } else if (c === '?') re += '[^/]';
+    else if ('\\^$.|+()[]{}'.indexOf(c) !== -1) re += '\\' + c;
+    else re += c;
+  }
+  try { return new RegExp('^' + re + '$'); } catch { return null; }
+}
+// True if `targetPath` is ghosted by any pattern. A bare name (`.data`) matches
+// that entry anywhere in the path; a trailing `/` (`secrets/`) ghosts a whole
+// directory subtree; a pattern with `/` is matched against the full path.
+function ghostMatch(targetPath, patterns) {
+  if (!targetPath || !Array.isArray(patterns) || patterns.length === 0) return false;
+  const norm = String(targetPath).replace(/\\/g, '/').replace(/\/+$/, '');
+  if (!norm) return false;
+  const segments = norm.split('/').filter(Boolean);
+  const base = segments.length ? segments[segments.length - 1] : norm;
+  for (let pat of patterns) {
+    pat = String(pat || '').trim();
+    if (!pat) continue;
+    let dirOnly = false;
+    if (pat.endsWith('/')) { dirOnly = true; pat = pat.slice(0, -1); }
+    if (!pat) continue;
+    const hasSlash = pat.indexOf('/') !== -1;
+    const hasWild = /[*?]/.test(pat);
+    const re = ghostGlobToRegExp(pat);
+    if (!re) continue;
+    if (dirOnly) {
+      // Directory: ghost the dir itself and everything under it.
+      if (!hasSlash && !hasWild) { if (segments.indexOf(pat) !== -1) return true; continue; }
+      let acc = '';
+      for (const s of segments) { acc = acc ? acc + '/' + s : s; if (re.test(acc) || re.test(s)) return true; }
+      continue;
+    }
+    if (!hasSlash) {
+      // Name glob: match basename or any single path segment.
+      if (re.test(base)) return true;
+      if (segments.some((s) => re.test(s))) return true;
+      continue;
+    }
+    // Path glob (contains '/'): match the full normalized path.
+    if (re.test(norm)) return true;
+  }
+  return false;
+}
+// Strip shell decoration from a token so it can be tested as a path:
+// surrounding quotes, redirection operators, trailing punctuation.
+function ghostCleanToken(tok) {
+  let t = String(tok || '').trim();
+  t = t.replace(/^[<>|;&(]+/, '').replace(/[);&|]+$/, '');
+  t = t.replace(/^['"]+/, '').replace(/['"]+$/, '');
+  t = t.replace(/^\d*>>?/, ''); // strip leading redirection like 2>
+  return t.trim();
+}
+// Returns a plain not-found message if a tool DIRECTLY targets a ghost path —
+// read OR write — else null. Reads are sealed too: a hidden file must be
+// inaccessible, not merely unlisted, so `cat A/Y/.data` looks as absent as
+// `rm A/Y`. Listing a PARENT dir that only CONTAINS a ghost child is NOT a
+// direct hit (no token equals the ghost) and falls through to the listing
+// rewrite. Never returns a branded/policy string.
+function ghostBlock(toolName, args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0) return null;
+  const pats = ghostCfg.patterns;
+  const name = (toolName || '');
+  const notFound = (p) => p + ': No such file or directory';
+  try {
+    // Tools that carry an explicit path argument.
+    if (name === 'Write' || name === 'Edit' || name === 'MultiEdit' || name === 'NotebookEdit' ||
+        name === 'Read' || name === 'NotebookRead' || name === 'LS') {
+      const p = args?.file_path || args?.notebook_path || args?.path || '';
+      if (p && ghostMatch(p, pats)) return notFound(p);
+      return null;
+    }
+    if (name === 'Glob' || name === 'Grep') {
+      const p = args?.path || '';
+      const pat = args?.pattern || args?.glob || '';
+      if (p && ghostMatch(p, pats)) return notFound(p);
+      if (pat && ghostMatch(pat, pats)) return notFound(String(pat));
+      return null;
+    }
+    // Bash & other exec: deny if any token directly names a ghost path. Seals
+    // direct reads (cat/head/less/…) and mutations (rm/mv/…) alike. A listing of
+    // a parent dir has no ghost token and falls through to the rewrite.
+    if (name === 'Bash' || name === 'BashOutput' || guessPermission(name) === 'EXECUTE') {
+      const cmd = String(args?.command || '');
+      if (!cmd) return null;
+      for (const raw of cmd.split(/\s+/)) {
+        const tok = ghostCleanToken(raw);
+        if (tok && tok.indexOf('-') !== 0 && ghostMatch(tok, pats)) return notFound(tok);
+      }
+    }
+  } catch { /* fail open */ }
+  return null;
+}
+// Shell single-quote a string.
+function ghostShq(s) { return "'" + String(s).replace(/'/g, "'\\''") + "'"; }
+// If `args.command` is a simple directory listing, return a rewritten command
+// that pipes its output through a filter dropping the ghost entries — so the
+// agent never sees them. Returns null when there's nothing to rewrite. Only
+// touches bare `ls` listings (no pipe/redirect/compound) to stay safe; richer
+// output formats are handled by the PostToolUse filter on clients that honor it.
+function ghostListingRewrite(args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0) return null;
+  const cmd = String(args?.command || '');
+  if (!cmd) return null;
+  if (/[|>;&\n`]/.test(cmd)) return null;                            // no shell composition
+  if (!/^\s*(ls|ll|dir|find|tree|exa|lsd|fd)(\s|$)/.test(cmd)) return null;
+  // Translate each hidden glob to an ERE alternative, then match it as a whole
+  // path component, the whole line, or the trailing token — covers `ls`,
+  // `ls -la`, `find` and `tree`. A trailing slash (dir) is dropped.
+  const alts = [];
+  for (let p of ghostCfg.patterns) {
+    p = String(p).replace(/\/$/, '');
+    if (!p) continue;
+    let re = '';
+    for (let i = 0; i < p.length; i++) {
+      const c = p[i];
+      if (c === '*') { if (p[i + 1] === '*') { re += '.*'; i++; } else re += '[^/]*'; }
+      else if (c === '?') re += '[^/]';
+      else if ('.^$+(){}[]|\\/'.indexOf(c) >= 0) re += '\\' + c;
+      else re += c;
+    }
+    alts.push(re);
+  }
+  if (alts.length === 0) return null;
+  // grep -vE drops any line where a hidden name appears as a path component, the
+  // whole line, or the final token. Single-quoted so the shell leaves it intact.
+  const ere = '(^|/| )(' + alts.join('|') + ')(/|$)';
+  return cmd + " | grep -vE '" + ere.replace(/'/g, "'\\''") + "'";
+}
 // Multi-window sliding rate limit, persisted under ~/.solongate (tamper-protected
 // from the agent, writable by the guard). One timestamps file per agent, pruned
 // to the last 24h and capped for performance; counts this agent's calls within
@@ -1238,6 +1401,41 @@ process.stdin.on('end', async () => {
     // Tamper / self-protection — runs before policy eval. ON by default; the
     // per-project cloud setting can disable it (fail safe: stays on if unread).
     let reason = selfProtectEnabled ? tamperCheck(toolName, args) : null;
+    // Ghost paths — handled BEFORE the other layers and emitted as a STEALTH
+    // block: a mutating op on a hidden path is denied with a bare OS-style
+    // "No such file or directory" and NOTHING else (no ROUTE line, no SolonGate
+    // wording), so the agent can't tell the path is protected — it just looks
+    // absent. (Reads/listings aren't blocked; the PostToolUse hook strips them.)
+    if (!reason && securityCfg && securityCfg.ghost) {
+      const ghostHit = ghostBlock(toolName, args, securityCfg.ghost);
+      if (ghostHit) {
+        try { writeDenyFlag(toolName); } catch {}
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', ...AUTH_HEADERS },
+            body: JSON.stringify({
+              tool: toolName, arguments: args, decision: 'DENY',
+              reason: 'ghost path (hidden from agent)',
+              permission: guessPermission(toolName),
+              source: `${AGENT_TYPE}-guard`, agent_id: AGENT_TYPE, agent_name: AGENT_NAME,
+              evaluation_time_ms: Date.now() - _evalStart,
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+        await maybeSelfUpdate();
+        if (AGENT_TYPE === 'gemini-cli') { process.stdout.write(JSON.stringify({ decision: 'deny', reason: ghostHit })); process.exit(0); }
+        process.stderr.write(ghostHit);
+        process.exit(2);
+      }
+      // No direct hit: if this is a listing command, rewrite it so hidden
+      // entries are filtered out of its output (Claude Code only).
+      if (AGENT_TYPE !== 'gemini-cli' && toolName === 'Bash') {
+        const rw = ghostListingRewrite(args, securityCfg.ghost);
+        if (rw) { await maybeSelfUpdate(); rewriteTool({ command: rw }); }
+      }
+    }
     // Extra security layers run after tamper, before policy. Block reason wins
     // immediately (BLACK). Fail-open by design.
     if (!reason) reason = securityLayerCheck(toolName, args, securityCfg, agentKey);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.47.6",
+  "version": "0.48.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {
@@ -23,13 +23,6 @@
     "hooks",
     "README.md"
   ],
-  "scripts": {
-    "build": "tsup && pnpm build:hooks",
-    "build:hooks": "node scripts/bundle-hooks.mjs",
-    "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist .turbo"
-  },
   "keywords": [
     "ai-tool-security",
     "ai-tool-proxy",
@@ -65,12 +58,19 @@
   },
   "devDependencies": {
     "@open-policy-agent/opa-wasm": "^1.10.0",
-    "@solongate/core": "workspace:*",
-    "@solongate/policy-engine": "workspace:*",
-    "@solongate/tsconfig": "workspace:*",
     "esbuild": "^0.19.12",
     "tsup": "^8.3.0",
     "tsx": "^4.19.0",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "@solongate/core": "0.5.0",
+    "@solongate/policy-engine": "0.3.1",
+    "@solongate/tsconfig": "0.0.0"
+  },
+  "scripts": {
+    "build": "tsup && pnpm build:hooks",
+    "build:hooks": "node scripts/bundle-hooks.mjs",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
   }
-}
+}