@solongate/proxy 0.47.7 → 0.48.0

package/hooks/audit.mjs

@@ -234,8 +234,10 @@ process.stdin.on('end', async () => {
     try {
       const ghostText = buildGhostOutput(toolName, toolInput, toolResponse, toolOutput, loadGhostPatterns());
       if (typeof ghostText === 'string') {
+        // updatedToolOutput must be a PLAIN STRING (an object form is silently
+        // ignored by Claude Code). This replaces the tool result the model sees.
         process.stdout.write(JSON.stringify({
-          hookSpecificOutput: { hookEventName: 'PostToolUse', updatedToolOutput: { type: 'text', text: ghostText } },
+          hookSpecificOutput: { hookEventName: 'PostToolUse', updatedToolOutput: ghostText },
         }));
       }
     } catch {}

package/hooks/guard.bundled.mjs

@@ -6535,7 +6535,7 @@ import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { gunzipSync } from "node:zlib";
 import { createHash } from "node:crypto";
-var HOOK_VERSION = 15;
+var HOOK_VERSION = 17;
 var MAX_FILE_READ = 1024 * 1024;
 function safeReadFileSync(filePath, encoding = "utf-8") {
   try {
@@ -6662,6 +6662,12 @@ function allowTool() {
   }
   process.exit(0);
 }
+function rewriteTool(updatedInput) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow", updatedInput }
+  }));
+  process.exit(0);
+}
 function writeDenyFlag(toolName) {
   try {
     const flagDir = resolve(".solongate");
@@ -7107,7 +7113,6 @@ function ghostCleanToken(tok) {
   t = t.replace(/^\d*>>?/, "");
   return t.trim();
 }
-var GHOST_MUTATORS = /(^|[\s;&|])(rm|mv|cp|dd|truncate|tee|chmod|chown|ln|mkdir|rmdir|touch|install|shred|unlink|rsync|sed\s+-i)([\s;&|]|$)/;
 function ghostBlock(toolName, args, ghostCfg) {
   if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0)
     return null;
@@ -7115,20 +7120,26 @@ function ghostBlock(toolName, args, ghostCfg) {
   const name = toolName || "";
   const notFound = (p) => p + ": No such file or directory";
   try {
-    if (name === "Write" || name === "Edit" || name === "MultiEdit" || name === "NotebookEdit") {
+    if (name === "Write" || name === "Edit" || name === "MultiEdit" || name === "NotebookEdit" || name === "Read" || name === "NotebookRead" || name === "LS") {
       const p = args?.file_path || args?.notebook_path || args?.path || "";
       if (p && ghostMatch(p, pats))
         return notFound(p);
       return null;
     }
+    if (name === "Glob" || name === "Grep") {
+      const p = args?.path || "";
+      const pat = args?.pattern || args?.glob || "";
+      if (p && ghostMatch(p, pats))
+        return notFound(p);
+      if (pat && ghostMatch(pat, pats))
+        return notFound(String(pat));
+      return null;
+    }
     if (name === "Bash" || name === "BashOutput" || guessPermission(name) === "EXECUTE") {
       const cmd = String(args?.command || "");
       if (!cmd)
         return null;
-      if (!GHOST_MUTATORS.test(cmd))
-        return null;
-      const tokens = cmd.split(/\s+/);
-      for (const raw of tokens) {
+      for (const raw of cmd.split(/\s+/)) {
         const tok = ghostCleanToken(raw);
         if (tok && tok.indexOf("-") !== 0 && ghostMatch(tok, pats))
           return notFound(tok);
@@ -7138,6 +7149,44 @@ function ghostBlock(toolName, args, ghostCfg) {
   }
   return null;
 }
+function ghostListingRewrite(args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0)
+    return null;
+  const cmd = String(args?.command || "");
+  if (!cmd)
+    return null;
+  if (/[|>;&\n`]/.test(cmd))
+    return null;
+  if (!/^\s*(ls|ll|dir|find|tree|exa|lsd|fd)(\s|$)/.test(cmd))
+    return null;
+  const alts = [];
+  for (let p of ghostCfg.patterns) {
+    p = String(p).replace(/\/$/, "");
+    if (!p)
+      continue;
+    let re = "";
+    for (let i = 0; i < p.length; i++) {
+      const c = p[i];
+      if (c === "*") {
+        if (p[i + 1] === "*") {
+          re += ".*";
+          i++;
+        } else
+          re += "[^/]*";
+      } else if (c === "?")
+        re += "[^/]";
+      else if (".^$+(){}[]|\\/".indexOf(c) >= 0)
+        re += "\\" + c;
+      else
+        re += c;
+    }
+    alts.push(re);
+  }
+  if (alts.length === 0)
+    return null;
+  const ere = "(^|/| )(" + alts.join("|") + ")(/|$)";
+  return cmd + " | grep -vE '" + ere.replace(/'/g, "'\\''") + "'";
+}
 var RL_WINDOWS = [
   { key: "perDay", ms: 864e5, label: "day" },
   { key: "perHour", ms: 36e5, label: "hour" },
@@ -7621,6 +7670,13 @@ process.stdin.on("end", async () => {
         process.stderr.write(ghostHit);
         process.exit(2);
       }
+      if (AGENT_TYPE !== "gemini-cli" && toolName === "Bash") {
+        const rw = ghostListingRewrite(args, securityCfg.ghost);
+        if (rw) {
+          await maybeSelfUpdate();
+          rewriteTool({ command: rw });
+        }
+      }
     }
     if (!reason)
       reason = securityLayerCheck(toolName, args, securityCfg, agentKey);

package/hooks/guard.mjs

@@ -31,7 +31,7 @@ import { createHash } from 'node:crypto';
 // the installed hook self-updates when the cloud version is higher (see
 // maybeSelfUpdate). This is what makes guard fixes propagate without a manual
 // reinstall — the same trust model as the OPA WASM this hook already runs.
-const HOOK_VERSION = 15;
+const HOOK_VERSION = 17;
 
 // Safe file read with size limit (1MB max) to prevent DoS via large files
 const MAX_FILE_READ = 1024 * 1024; // 1MB
@@ -188,6 +188,16 @@ function allowTool() {
   process.exit(0);
 }
 
+// Allow the tool but REPLACE its input (Claude Code `updatedInput`). Used by the
+// ghost layer to rewrite a listing command so hidden entries are filtered out of
+// its output — the agent never sees them. Claude Code only.
+function rewriteTool(updatedInput) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'allow', updatedInput },
+  }));
+  process.exit(0);
+}
+
 // Write flag file so stop.mjs knows a tool call (DENY) happened and doesn't log extra ALLOW
 function writeDenyFlag(toolName) {
   try {
@@ -745,32 +755,39 @@ function ghostCleanToken(tok) {
   return t.trim();
 }
 
-// Bash verbs that MUTATE a target path. A read-ish command (cat/ls/grep/find…)
-// is intentionally absent: those are not blocked, they are stripped/rewritten
-// by the PostToolUse hook so the agent sees a natural empty/missing result.
-const GHOST_MUTATORS = /(^|[\s;&|])(rm|mv|cp|dd|truncate|tee|chmod|chown|ln|mkdir|rmdir|touch|install|shred|unlink|rsync|sed\s+-i)([\s;&|]|$)/;
-
-// Returns a plain not-found message if a MUTATING op targets a ghost path,
-// else null. Never returns a branded/policy string.
+// Returns a plain not-found message if a tool DIRECTLY targets a ghost path —
+// read OR write — else null. Reads are sealed too: a hidden file must be
+// inaccessible, not merely unlisted, so `cat A/Y/.data` looks as absent as
+// `rm A/Y`. Listing a PARENT dir that only CONTAINS a ghost child is NOT a
+// direct hit (no token equals the ghost) and falls through to the listing
+// rewrite. Never returns a branded/policy string.
 function ghostBlock(toolName, args, ghostCfg) {
   if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0) return null;
   const pats = ghostCfg.patterns;
   const name = (toolName || '');
   const notFound = (p) => p + ': No such file or directory';
   try {
-    // File-mutating tools carry an explicit path.
-    if (name === 'Write' || name === 'Edit' || name === 'MultiEdit' || name === 'NotebookEdit') {
+    // Tools that carry an explicit path argument.
+    if (name === 'Write' || name === 'Edit' || name === 'MultiEdit' || name === 'NotebookEdit' ||
+        name === 'Read' || name === 'NotebookRead' || name === 'LS') {
       const p = args?.file_path || args?.notebook_path || args?.path || '';
       if (p && ghostMatch(p, pats)) return notFound(p);
       return null;
     }
-    // Bash: block only when a ghost path is the target of a mutating verb.
+    if (name === 'Glob' || name === 'Grep') {
+      const p = args?.path || '';
+      const pat = args?.pattern || args?.glob || '';
+      if (p && ghostMatch(p, pats)) return notFound(p);
+      if (pat && ghostMatch(pat, pats)) return notFound(String(pat));
+      return null;
+    }
+    // Bash & other exec: deny if any token directly names a ghost path. Seals
+    // direct reads (cat/head/less/…) and mutations (rm/mv/…) alike. A listing of
+    // a parent dir has no ghost token and falls through to the rewrite.
     if (name === 'Bash' || name === 'BashOutput' || guessPermission(name) === 'EXECUTE') {
       const cmd = String(args?.command || '');
       if (!cmd) return null;
-      if (!GHOST_MUTATORS.test(cmd)) return null;
-      const tokens = cmd.split(/\s+/);
-      for (const raw of tokens) {
+      for (const raw of cmd.split(/\s+/)) {
         const tok = ghostCleanToken(raw);
         if (tok && tok.indexOf('-') !== 0 && ghostMatch(tok, pats)) return notFound(tok);
       }
@@ -779,6 +796,44 @@ function ghostBlock(toolName, args, ghostCfg) {
   return null;
 }
 
+// Shell single-quote a string.
+function ghostShq(s) { return "'" + String(s).replace(/'/g, "'\\''") + "'"; }
+
+// If `args.command` is a simple directory listing, return a rewritten command
+// that pipes its output through a filter dropping the ghost entries — so the
+// agent never sees them. Returns null when there's nothing to rewrite. Only
+// touches bare `ls` listings (no pipe/redirect/compound) to stay safe; richer
+// output formats are handled by the PostToolUse filter on clients that honor it.
+function ghostListingRewrite(args, ghostCfg) {
+  if (!ghostCfg || !Array.isArray(ghostCfg.patterns) || ghostCfg.patterns.length === 0) return null;
+  const cmd = String(args?.command || '');
+  if (!cmd) return null;
+  if (/[|>;&\n`]/.test(cmd)) return null;                            // no shell composition
+  if (!/^\s*(ls|ll|dir|find|tree|exa|lsd|fd)(\s|$)/.test(cmd)) return null;
+  // Translate each hidden glob to an ERE alternative, then match it as a whole
+  // path component, the whole line, or the trailing token — covers `ls`,
+  // `ls -la`, `find` and `tree`. A trailing slash (dir) is dropped.
+  const alts = [];
+  for (let p of ghostCfg.patterns) {
+    p = String(p).replace(/\/$/, '');
+    if (!p) continue;
+    let re = '';
+    for (let i = 0; i < p.length; i++) {
+      const c = p[i];
+      if (c === '*') { if (p[i + 1] === '*') { re += '.*'; i++; } else re += '[^/]*'; }
+      else if (c === '?') re += '[^/]';
+      else if ('.^$+(){}[]|\\/'.indexOf(c) >= 0) re += '\\' + c;
+      else re += c;
+    }
+    alts.push(re);
+  }
+  if (alts.length === 0) return null;
+  // grep -vE drops any line where a hidden name appears as a path component, the
+  // whole line, or the final token. Single-quoted so the shell leaves it intact.
+  const ere = '(^|/| )(' + alts.join('|') + ')(/|$)';
+  return cmd + " | grep -vE '" + ere.replace(/'/g, "'\\''") + "'";
+}
+
 // Multi-window sliding rate limit, persisted under ~/.solongate (tamper-protected
 // from the agent, writable by the guard). One timestamps file per agent, pruned
 // to the last 24h and capped for performance; counts this agent's calls within
@@ -1374,6 +1429,12 @@ process.stdin.on('end', async () => {
         process.stderr.write(ghostHit);
         process.exit(2);
       }
+      // No direct hit: if this is a listing command, rewrite it so hidden
+      // entries are filtered out of its output (Claude Code only).
+      if (AGENT_TYPE !== 'gemini-cli' && toolName === 'Bash') {
+        const rw = ghostListingRewrite(args, securityCfg.ghost);
+        if (rw) { await maybeSelfUpdate(); rewriteTool({ command: rw }); }
+      }
     }
     // Extra security layers run after tamper, before policy. Block reason wins
     // immediately (BLACK). Fail-open by design.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.47.7",
+  "version": "0.48.0",
   "description": "AI tool security proxy — protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {
@@ -23,13 +23,6 @@
     "hooks",
     "README.md"
   ],
-  "scripts": {
-    "build": "tsup && pnpm build:hooks",
-    "build:hooks": "node scripts/bundle-hooks.mjs",
-    "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist .turbo"
-  },
   "keywords": [
     "ai-tool-security",
     "ai-tool-proxy",
@@ -65,12 +58,19 @@
   },
   "devDependencies": {
     "@open-policy-agent/opa-wasm": "^1.10.0",
-    "@solongate/core": "workspace:*",
-    "@solongate/policy-engine": "workspace:*",
-    "@solongate/tsconfig": "workspace:*",
     "esbuild": "^0.19.12",
     "tsup": "^8.3.0",
     "tsx": "^4.19.0",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "@solongate/core": "0.5.0",
+    "@solongate/policy-engine": "0.3.1",
+    "@solongate/tsconfig": "0.0.0"
+  },
+  "scripts": {
+    "build": "tsup && pnpm build:hooks",
+    "build:hooks": "node scripts/bundle-hooks.mjs",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
   }
-}
+}