@solongate/proxy 0.47.7 → 0.48.1

package/dist/init.d.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+/**
+ * solongate init — Automatically wrap MCP servers with SolonGate protection.
+ *
+ * Reads your existing MCP configuration, wraps each server with the
+ * SolonGate proxy, and writes the protected configuration back.
+ *
+ * Usage:
+ *   solongate-init [options]
+ *
+ * Options:
+ *   --config <path>     Path to MCP config file (default: auto-detect)
+ *   --policy <file>     Custom policy JSON file (auto-detects policy.json)
+ *   --all               Protect all servers without prompting
+ *   --dry-run           Show what would change without writing
+ *   --restore           Restore original config from backup
+ */
+export {};

package/dist/inject.d.ts

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+/**
+ * solongate inject — Auto-inject SolonGate SDK into an existing MCP server.
+ *
+ * Detects a TypeScript MCP server project, installs the SDK, and makes minimal
+ * source code changes to add SolonGate protection. Creates a backup so
+ * changes can be reverted with --restore.
+ *
+ * Usage:
+ *   solongate-proxy inject [options]
+ *
+ * Options:
+ *   --file <path>       Entry file to modify (default: auto-detect)
+ *   --dry-run           Preview changes without writing
+ *   --restore           Restore from backup
+ *   --skip-install      Don't install SDK package
+ *   -h, --help          Show help
+ */
+export {};

package/dist/lib.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @solongate/proxy — Library exports.
+ *
+ * Re-exports SDK classes (SolonGate, SecureMcpServer, RateLimiter, etc.)
+ * so that external consumers can import from '@solongate/proxy' without
+ * needing a separate @solongate/sdk package.
+ */
+export { SolonGate, LicenseError } from './sdk/solongate.js';
+export { SecureMcpServer, type SecureMcpServerOptions } from './sdk/secure-server.js';
+export { interceptToolCall, ExfiltrationChainTracker, type InterceptorOptions } from './sdk/interceptor.js';
+export { resolveConfig, DEFAULT_CONFIG, type SolonGateConfig } from './sdk/config.js';
+export { SecurityLogger } from './sdk/logger.js';
+export { TokenIssuer } from './sdk/token-issuer.js';
+export { ServerVerifier, type SignedMcpRequest, type SignatureValidationResult } from './sdk/server-verifier.js';
+export { RateLimiter, type RateLimitResult } from './sdk/rate-limiter.js';
+export { TrustLevel, Permission, PolicyEffect, type PolicyRule, type PolicySet, type PolicyDecision, type SecurityContext, type ExecutionRequest, type ExecutionResult, type ToolCapability, type McpCallToolParams, type McpCallToolResult, type CapabilityToken, type TokenConfig, type InputGuardConfig, type ThreatType, type DetectedThreat, type SanitizationResult, SolonGateError, PolicyDeniedError, SchemaValidationError, RateLimitError as CoreRateLimitError, InputGuardError, NetworkError, createSecurityContext, createDeniedToolResult, validateToolInput, sanitizeInput, detectPathTraversal, detectShellInjection, detectWildcardAbuse, detectSSRF, detectSQLInjection, detectExfiltration, detectBoundaryEscape, checkLengthLimits, checkEntropyLimits, scanResponse, RESPONSE_WARNING_MARKER, BOUNDARY_PREFIX, BOUNDARY_SUFFIX, tagUserInput, stripBoundaryTags, type ResponseScanConfig, type ResponseThreatType, type ResponseThreat, type ResponseScanResult, type TaggedArguments, } from './core/index.js';
+export { PolicyEngine, PolicyStore, type PolicyVersion, type PolicyDiff, createDefaultDenyPolicySet, createPermissivePolicySet, createReadOnlyPolicySet, } from './policy-engine/index.js';
+export { SolonGateProxy } from './proxy.js';

package/dist/lib.js

@@ -6150,8 +6150,7 @@ var init_src = __esm({
   }
 });
 
-// ../core/dist/index.js
-import { z } from "zod";
+// src/core/errors.ts
 var SolonGateError = class extends Error {
   code;
   timestamp;
@@ -6228,11 +6227,16 @@ var NetworkError = class extends SolonGateError {
     this.name = "NetworkError";
   }
 };
+
+// src/core/trust.ts
 var TrustLevel = {
   UNTRUSTED: "UNTRUSTED",
   VERIFIED: "VERIFIED",
   TRUSTED: "TRUSTED"
 };
+
+// src/core/permissions.ts
+import { z } from "zod";
 var Permission = {
   READ: "READ",
   WRITE: "WRITE",
@@ -6259,50 +6263,55 @@ var NO_PERMISSIONS = Object.freeze(
 var READ_ONLY = Object.freeze(
   /* @__PURE__ */ new Set([Permission.READ])
 );
+
+// src/core/policy.ts
+import { z as z2 } from "zod";
 var PolicyEffect = {
   ALLOW: "ALLOW",
   DENY: "DENY"
 };
-var PolicyRuleSchema = z.object({
-  id: z.string().min(1).max(256),
-  description: z.string().max(1024),
-  effect: z.enum(["ALLOW", "DENY"]),
-  priority: z.number().int().min(0).max(1e4).default(1e3),
-  toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
-  minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
-  argumentConstraints: z.record(z.unknown()).optional(),
-  pathConstraints: z.object({
-    allowed: z.array(z.string()).optional(),
-    denied: z.array(z.string()).optional(),
-    rootDirectory: z.string().optional(),
-    allowSymlinks: z.boolean().optional()
+var PolicyRuleSchema = z2.object({
+  id: z2.string().min(1).max(256),
+  description: z2.string().max(1024),
+  effect: z2.enum(["ALLOW", "DENY"]),
+  priority: z2.number().int().min(0).max(1e4).default(1e3),
+  toolPattern: z2.string().min(1).max(512),
+  permission: z2.enum(["READ", "WRITE", "EXECUTE", "NETWORK"]).optional(),
+  minimumTrustLevel: z2.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
+  argumentConstraints: z2.record(z2.unknown()).optional(),
+  pathConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional(),
+    rootDirectory: z2.string().optional(),
+    allowSymlinks: z2.boolean().optional()
   }).optional(),
-  commandConstraints: z.object({
-    allowed: z.array(z.string()).optional(),
-    denied: z.array(z.string()).optional()
+  commandConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
   }).optional(),
-  filenameConstraints: z.object({
-    allowed: z.array(z.string()).optional(),
-    denied: z.array(z.string()).optional()
+  filenameConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
   }).optional(),
-  urlConstraints: z.object({
-    allowed: z.array(z.string()).optional(),
-    denied: z.array(z.string()).optional()
+  urlConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
   }).optional(),
-  enabled: z.boolean().default(true),
-  createdAt: z.string().datetime(),
-  updatedAt: z.string().datetime()
+  enabled: z2.boolean().default(true),
+  createdAt: z2.string().datetime(),
+  updatedAt: z2.string().datetime()
 });
-var PolicySetSchema = z.object({
-  id: z.string().min(1).max(256),
-  name: z.string().min(1).max(256),
-  description: z.string().max(2048),
-  version: z.number().int().min(0),
-  rules: z.array(PolicyRuleSchema),
-  createdAt: z.string().datetime(),
-  updatedAt: z.string().datetime()
+var PolicySetSchema = z2.object({
+  id: z2.string().min(1).max(256),
+  name: z2.string().min(1).max(256),
+  description: z2.string().max(2048),
+  version: z2.number().int().min(0),
+  rules: z2.array(PolicyRuleSchema),
+  createdAt: z2.string().datetime(),
+  updatedAt: z2.string().datetime()
 });
+
+// src/core/context.ts
 function createSecurityContext(params) {
   return {
     trustLevel: "UNTRUSTED",
@@ -6313,6 +6322,8 @@ function createSecurityContext(params) {
     ...params
   };
 }
+
+// src/core/constants.ts
 var DEFAULT_POLICY_EFFECT = "DENY";
 var MAX_RULES_PER_POLICY_SET = 1e3;
 var MAX_ARGUMENT_DEPTH = 10;
@@ -6333,6 +6344,8 @@ var UNSAFE_CONFIGURATION_WARNINGS = {
   RATE_LIMIT_ZERO: "A rate limit of 0 means unlimited calls. This removes protection against runaway loops.",
   DISABLED_VALIDATION: "Disabling schema validation removes input sanitization protections."
 };
+
+// src/core/mcp-types.ts
 function createDeniedToolResult(reason) {
   return {
     content: [
@@ -6348,6 +6361,9 @@ function createDeniedToolResult(reason) {
     isError: true
   };
 }
+
+// src/core/schema-validator.ts
+import { z as z3 } from "zod";
 var DEFAULT_OPTIONS = {
   maxDepth: MAX_ARGUMENT_DEPTH,
   maxSizeBytes: MAX_ARGUMENTS_SIZE_BYTES,
@@ -6423,6 +6439,8 @@ function measureDepth(value, currentDepth) {
   }
   return maxChildDepth;
 }
+
+// src/core/input-guard.ts
 var DEFAULT_INPUT_GUARD_CONFIG = Object.freeze({
   pathTraversal: true,
   shellInjection: true,
@@ -6797,6 +6815,8 @@ function sanitizeObject(basePath, obj, config) {
 function truncate(str, maxLen) {
   return str.length > maxLen ? str.slice(0, maxLen) + "..." : str;
 }
+
+// src/core/response-scanner.ts
 var DEFAULT_RESPONSE_SCAN_CONFIG = Object.freeze({
   injectedInstruction: true,
   hiddenDirective: true,
@@ -6906,6 +6926,8 @@ var RESPONSE_WARNING_MARKER = "[SOLONGATE WARNING: response may contain injected
 function truncate2(str, maxLen) {
   return str.length > maxLen ? str.slice(0, maxLen) + "..." : str;
 }
+
+// src/core/context-boundary.ts
 function tagUserInput(args) {
   return tagObject(args);
 }
@@ -6931,13 +6953,13 @@ function tagObject(obj) {
 function stripBoundaryTags(text) {
   return text.replaceAll(BOUNDARY_PREFIX, "").replaceAll(BOUNDARY_SUFFIX, "");
 }
+
+// src/core/capability-token.ts
 var DEFAULT_TOKEN_TTL_SECONDS = 30;
 var TOKEN_ALGORITHM = "HS256";
 var MIN_SECRET_LENGTH = 32;
 
-// ../policy-engine/dist/index.js
-import { gunzipSync } from "zlib";
-import { createHash, randomUUID } from "crypto";
+// src/policy-engine/validator.ts
 function validatePolicySet(input) {
   const errors = [];
   const warnings = [];
@@ -6987,6 +7009,8 @@ function validatePolicySet(input) {
     warnings
   };
 }
+
+// src/policy-engine/warnings.ts
 function analyzeSecurityWarnings(policySet) {
   const warnings = [];
   for (const rule of policySet.rules) {
@@ -7028,6 +7052,8 @@ function analyzeRuleWarnings(rule) {
   }
   return warnings;
 }
+
+// src/policy-engine/defaults.ts
 function createDefaultDenyPolicySet() {
   const now = (/* @__PURE__ */ new Date()).toISOString();
   return {
@@ -7151,6 +7177,11 @@ function createReadOnlyPolicySet(toolPattern) {
     updatedAt: now
   };
 }
+
+// src/policy-engine/opa/opa-evaluator.ts
+import { gunzipSync } from "zlib";
+
+// src/policy-engine/path-matcher.ts
 var PATH_FIELDS = /* @__PURE__ */ new Set([
   "path",
   "file",
@@ -7197,6 +7228,8 @@ function extractPathArguments(args) {
   }
   return paths;
 }
+
+// src/policy-engine/command-matcher.ts
 var COMMAND_FIELDS = /* @__PURE__ */ new Set([
   "command",
   "cmd",
@@ -7318,6 +7351,8 @@ function extractCommandArguments(args) {
   commands.push(...expanded);
   return commands;
 }
+
+// src/policy-engine/url-matcher.ts
 var URL_FIELDS = /* @__PURE__ */ new Set([
   "url",
   "href",
@@ -7372,6 +7407,8 @@ function extractUrlArguments(args) {
   }
   return urls;
 }
+
+// src/policy-engine/filename-matcher.ts
 var SENSITIVE_FILENAMES = [
   ".env",
   ".env.local",
@@ -7559,6 +7596,8 @@ function looksLikeFilename(s) {
   if (KNOWN_EXTENSIONLESS_FILES.has(s.toLowerCase())) return true;
   return false;
 }
+
+// src/policy-engine/opa/request-adapter.ts
 function toOpaInput(request) {
   const args = request.arguments ?? {};
   return {
@@ -7572,6 +7611,8 @@ function toOpaInput(request) {
     filenames: extractFilenames(args)
   };
 }
+
+// src/policy-engine/opa/opa-evaluator.ts
 var loadPolicyFn = null;
 async function getLoadPolicy() {
   if (!loadPolicyFn) {
@@ -7674,6 +7715,8 @@ var OpaEvaluator = class {
     this.policy.setData(data);
   }
 };
+
+// src/policy-engine/engine.ts
 var PolicyEngine = class {
   policySet;
   timeoutMs;
@@ -7776,11 +7819,16 @@ var PolicyEngine = class {
     this.policySet = createDefaultDenyPolicySet();
   }
 };
+
+// src/policy-engine/matcher.ts
 var TRUST_LEVEL_ORDER = {
   [TrustLevel.UNTRUSTED]: 0,
   [TrustLevel.VERIFIED]: 1,
   [TrustLevel.TRUSTED]: 2
 };
+
+// src/policy-engine/policy-store.ts
+import { createHash } from "crypto";
 function stableStringify(val) {
   return JSON.stringify(
     val,
@@ -7882,6 +7930,13 @@ var PolicyStore = class {
   }
 };
 
+// src/policy-engine/opa/rego-compiler.ts
+import { execFileSync } from "child_process";
+import { writeFileSync, readFileSync, mkdirSync, rmSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { randomUUID } from "crypto";
+
 // src/sdk/config.ts
 var DEFAULT_CONFIG = Object.freeze({
   validateSchemas: true,
@@ -8935,13 +8990,13 @@ import {
   ListResourceTemplatesRequestSchema
 } from "@modelcontextprotocol/sdk/types.js";
 import { createServer as createHttpServer } from "http";
-import { resolve as resolve2, join as join2 } from "path";
-import { mkdirSync as mkdirSync2, appendFileSync } from "fs";
+import { resolve as resolve2, join as join3 } from "path";
+import { mkdirSync as mkdirSync3, appendFileSync } from "fs";
 
 // src/config.ts
-import { readFileSync, existsSync } from "fs";
+import { readFileSync as readFileSync2, existsSync } from "fs";
 import { appendFile } from "fs/promises";
-import { resolve, join } from "path";
+import { resolve, join as join2 } from "path";
 import { homedir } from "os";
 var DEFAULT_API_URL = "https://api.solongate.com";
 async function fetchCloudPolicy(apiKey, apiUrl, policyId) {
@@ -9041,7 +9096,7 @@ async function sendAuditLog(apiKey, apiUrl, entry) {
 }
 
 // src/sync.ts
-import { readFileSync as readFileSync2, writeFileSync, watch, existsSync as existsSync2 } from "fs";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, watch, existsSync as existsSync2 } from "fs";
 var log = (...args) => process.stderr.write(`[SolonGate Sync] ${args.map(String).join(" ")}
 `);
 var PolicySyncManager = class {
@@ -9130,7 +9185,7 @@ var PolicySyncManager = class {
         log("Policy file deleted \u2014 keeping current policy");
         return;
       }
-      const content = readFileSync2(filePath, "utf-8");
+      const content = readFileSync3(filePath, "utf-8");
       const newPolicy = JSON.parse(content);
       if (newPolicy.version <= this.localVersion) {
         newPolicy.version = Math.max(this.localVersion, this.cloudVersion) + 1;
@@ -9239,7 +9294,7 @@ var PolicySyncManager = class {
     try {
       const { id: _id, ...rest } = policy;
       const json = JSON.stringify(rest, null, 2) + "\n";
-      writeFileSync(this.localPath, json, "utf-8");
+      writeFileSync2(this.localPath, json, "utf-8");
     } catch (err) {
       log(`File write error: ${err instanceof Error ? err.message : String(err)}`);
     }
@@ -9516,8 +9571,8 @@ var SolonGateProxy = class {
             pid: process.pid
           };
           const debugDir = resolve2(".solongate");
-          mkdirSync2(debugDir, { recursive: true });
-          appendFileSync(join2(debugDir, ".debug-proxy"), JSON.stringify(debugInfo) + "\n");
+          mkdirSync3(debugDir, { recursive: true });
+          appendFileSync(join3(debugDir, ".debug-proxy"), JSON.stringify(debugInfo) + "\n");
         } catch {
         }
         if (clientVersion?.name && !this.config.agentName) {

package/dist/login.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/policy-engine/command-matcher.d.ts

@@ -0,0 +1,34 @@
+import type { PolicyRule } from '../core/index.js';
+type CommandConstraints = NonNullable<PolicyRule['commandConstraints']>;
+/**
+ * Extracts inner commands from subshell wrappers (bash -c, eval, etc.)
+ * Returns the original command plus any extracted inner commands.
+ */
+export declare function extractInnerCommands(command: string, depth?: number): string[];
+/**
+ * Extracts command-like arguments from tool call arguments.
+ * Uses known field names plus heuristic detection for command-like strings
+ * in any field, and recurses into nested objects/arrays.
+ */
+export declare function extractCommandArguments(args: Readonly<Record<string, unknown>>): string[];
+/**
+ * Glob-style command pattern matching.
+ * Matches against the command string (first word) or full command line.
+ *
+ * Patterns:
+ *   'ls'       → exact match on command name
+ *   'git*'     → command starts with 'git'
+ *   '*sql*'    → command contains 'sql'
+ *   'rm -rf *' → full command line starts with 'rm -rf '
+ */
+export declare function matchCommandPattern(command: string, pattern: string): boolean;
+/**
+ * Checks if a command is allowed by the given constraints.
+ *
+ * Evaluation order:
+ * 1. If denied list exists, command must NOT match any denied pattern
+ * 2. If allowed list exists, command must match at least one allowed pattern
+ * 3. If neither list exists, command is allowed (constraints are optional)
+ */
+export declare function isCommandAllowed(command: string, constraints: CommandConstraints): boolean;
+export {};

package/dist/policy-engine/defaults.d.ts

@@ -0,0 +1,23 @@
+import type { PolicySet } from '../core/index.js';
+/**
+ * Creates the default "deny all" policy set.
+ * This is the starting policy for any new SolonGate deployment.
+ */
+export declare function createDefaultDenyPolicySet(): PolicySet;
+/**
+ * Creates a permissive "allow all" policy set.
+ * Allows all tool executions — useful for development or when
+ * using SolonGate only for monitoring and audit logging.
+ */
+export declare function createPermissivePolicySet(): PolicySet;
+/**
+ * Creates a read-only policy set for a specific tool pattern.
+ * Allows reads for VERIFIED requests only.
+ */
+export declare function createReadOnlyPolicySet(toolPattern: string): PolicySet;
+/**
+ * Creates a sandboxed policy set for a given root directory.
+ * Allows file operations within rootDir, blocks dangerous commands,
+ * denies access to sensitive files.
+ */
+export declare function createSandboxedPolicySet(rootDir: string): PolicySet;

package/dist/policy-engine/engine.d.ts

@@ -0,0 +1,30 @@
+import type { PolicySet, PolicyDecision, ExecutionRequest } from '../core/index.js';
+import { type ValidationResult } from './validator.js';
+import { type SecurityWarning } from './warnings.js';
+import { PolicyStore, type PolicyVersion } from './policy-store.js';
+export declare class PolicyEngine {
+    private policySet;
+    private readonly timeoutMs;
+    private readonly store;
+    private opaEvaluator;
+    constructor(options?: {
+        policySet?: PolicySet;
+        timeoutMs?: number;
+        store?: PolicyStore;
+        wasmBundle?: BufferSource;
+    });
+    private _pendingWasm;
+    initOpa(): Promise<void>;
+    loadWasmBundle(wasmBundle: BufferSource): Promise<void>;
+    evaluate(request: ExecutionRequest): PolicyDecision;
+    getEvaluatorMode(): 'opa' | 'opa-unloaded';
+    loadPolicySet(policySet: PolicySet, options?: {
+        reason?: string;
+        createdBy?: string;
+    }): ValidationResult;
+    rollback(version: number): PolicyVersion;
+    getPolicySet(): Readonly<PolicySet>;
+    getSecurityWarnings(): readonly SecurityWarning[];
+    getStore(): PolicyStore | null;
+    reset(): void;
+}

package/dist/policy-engine/evaluator.d.ts

@@ -0,0 +1,13 @@
+import type { PolicySet, PolicyDecision, ExecutionRequest } from '../core/index.js';
+/**
+ * Evaluates a policy set against an execution request.
+ *
+ * Pure function: no side effects, no I/O, fully deterministic.
+ *
+ * Algorithm:
+ * 1. Sort rules by priority (ascending - lower number = higher priority)
+ * 2. Find the first matching rule
+ * 3. If a rule matches, return its effect
+ * 4. If no rule matches, return DENY (default-deny)
+ */
+export declare function evaluatePolicy(policySet: PolicySet, request: ExecutionRequest): PolicyDecision;

package/dist/policy-engine/filename-matcher.d.ts

@@ -0,0 +1,20 @@
+import type { PolicyRule } from '../core/index.js';
+type FilenameConstraints = NonNullable<PolicyRule['filenameConstraints']>;
+/**
+ * Extracts filenames from ALL string arguments using shell-agnostic scanning.
+ *
+ * Architecture: OS-permission style enforcement.
+ * Instead of trying to parse every shell trick, we strip ALL shell syntax
+ * and scan the raw text. If a protected filename appears in ANY form,
+ * it gets extracted and checked against policy constraints.
+ */
+export declare function extractFilenames(args: Readonly<Record<string, unknown>>): string[];
+/**
+ * Glob-style filename pattern matching (case-insensitive).
+ */
+export declare function matchFilenamePattern(filename: string, pattern: string): boolean;
+/**
+ * Checks if a filename is allowed by the given constraints.
+ */
+export declare function isFilenameAllowed(filename: string, constraints: FilenameConstraints): boolean;
+export {};

package/dist/policy-engine/index.d.ts

@@ -0,0 +1,12 @@
+export { PolicyEngine } from './engine.js';
+export { evaluatePolicy } from './evaluator.js';
+export { ruleMatchesRequest, toolPatternMatches, trustLevelMeetsMinimum } from './matcher.js';
+export { validatePolicyRule, validatePolicySet, type ValidationResult } from './validator.js';
+export { analyzeSecurityWarnings, type SecurityWarning } from './warnings.js';
+export { createDefaultDenyPolicySet, createPermissivePolicySet, createReadOnlyPolicySet, createSandboxedPolicySet } from './defaults.js';
+export { isPathAllowed, isWithinRoot, matchPathPattern, normalizePath, extractPathArguments, } from './path-matcher.js';
+export { isCommandAllowed, matchCommandPattern, extractCommandArguments, } from './command-matcher.js';
+export { isFilenameAllowed, matchFilenamePattern, extractFilenames, } from './filename-matcher.js';
+export { isUrlAllowed, matchUrlPattern, extractUrlArguments, } from './url-matcher.js';
+export { PolicyStore, type PolicyVersion, type PolicyDiff } from './policy-store.js';
+export { OpaEvaluator, convertPolicySetToRego, compileRegoToWasm, isOpaAvailable, toOpaInput, type OpaInput, type OpaDecision } from './opa/index.js';

package/dist/policy-engine/matcher.d.ts

@@ -0,0 +1,18 @@
+import type { PolicyRule, ExecutionRequest } from '../core/index.js';
+import { TrustLevel } from '../core/index.js';
+/**
+ * Pure function: determines if a policy rule matches an execution request.
+ * No side effects. No I/O. Fully deterministic.
+ */
+export declare function ruleMatchesRequest(rule: PolicyRule, request: ExecutionRequest): boolean;
+/**
+ * Glob-style tool name pattern matching.
+ * Supports:
+ *   '*'        → match all
+ *   'prefix*'  → starts with prefix
+ *   '*suffix'  → ends with suffix
+ *   '*infix*'  → contains infix
+ * Does NOT support regex (ReDoS prevention).
+ */
+export declare function toolPatternMatches(pattern: string, toolName: string): boolean;
+export declare function trustLevelMeetsMinimum(actual: TrustLevel, minimum: TrustLevel): boolean;

package/dist/policy-engine/opa/index.d.ts

@@ -0,0 +1,4 @@
+export { OpaEvaluator } from './opa-evaluator.js';
+export { convertPolicySetToRego } from './json-to-rego.js';
+export { compileRegoToWasm, isOpaAvailable } from './rego-compiler.js';
+export { toOpaInput, type OpaInput, type OpaDecision } from './request-adapter.js';

package/dist/policy-engine/opa/json-to-rego.d.ts

@@ -0,0 +1,2 @@
+import type { PolicySet } from '../../core/index.js';
+export declare function convertPolicySetToRego(policySet: PolicySet): string;

package/dist/policy-engine/opa/opa-evaluator.d.ts

@@ -0,0 +1,10 @@
+import type { PolicyDecision, ExecutionRequest } from '../../core/index.js';
+export declare class OpaEvaluator {
+    private policy;
+    private initialized;
+    loadBundle(wasmBundle: BufferSource): Promise<void>;
+    loadWasm(wasmBytes: BufferSource): Promise<void>;
+    evaluate(request: ExecutionRequest): PolicyDecision;
+    isReady(): boolean;
+    setData(data: unknown): void;
+}

package/dist/policy-engine/opa/rego-compiler.d.ts

@@ -0,0 +1,2 @@
+export declare function compileRegoToWasm(regoSource: string, entrypoint?: string): Promise<Buffer>;
+export declare function isOpaAvailable(): boolean;

package/dist/policy-engine/opa/request-adapter.d.ts

@@ -0,0 +1,17 @@
+import type { ExecutionRequest } from '../../core/index.js';
+export interface OpaInput {
+    tool_name: string;
+    permission: string;
+    trust_level: string;
+    arguments: Record<string, unknown>;
+    paths: string[];
+    commands: string[];
+    urls: string[];
+    filenames: string[];
+}
+export interface OpaDecision {
+    effect: 'ALLOW' | 'DENY';
+    reason: string;
+    matched_rule: string | null;
+}
+export declare function toOpaInput(request: ExecutionRequest): OpaInput;

package/dist/policy-engine/path-matcher.d.ts

@@ -0,0 +1,41 @@
+import type { PolicyRule } from '../core/index.js';
+type PathConstraints = NonNullable<PolicyRule['pathConstraints']>;
+/**
+ * Normalizes a file path for consistent matching.
+ * Resolves . and .. segments, normalizes separators.
+ */
+export declare function normalizePath(path: string): string;
+/**
+ * Checks if a path is within a root directory (sandbox boundary).
+ * Prevents escaping via .., symlinks, etc.
+ */
+export declare function isWithinRoot(path: string, root: string): boolean;
+/**
+ * Glob-style path pattern matching.
+ * Supports:
+ * - * matches any single path segment (not /)
+ * - ** matches any number of path segments
+ * - Exact match
+ *
+ * Does NOT support regex (ReDoS prevention).
+ */
+export declare function matchPathPattern(path: string, pattern: string): boolean;
+/**
+ * Checks if a path is allowed by the given constraints.
+ *
+ * Evaluation order:
+ * 1. If rootDirectory is set, path must be within it
+ * 2. If denied list exists, path must NOT match any denied pattern
+ * 3. If allowed list exists, path must match at least one allowed pattern
+ * 4. If neither list exists, path is allowed (constraints are optional)
+ */
+export declare function isPathAllowed(path: string, constraints: PathConstraints): boolean;
+/**
+ * Extracts path-like arguments from tool call arguments.
+ * Uses multiple heuristics:
+ * 1. Known path field names — always extract
+ * 2. Strings containing / or \ (original heuristic)
+ * 3. Strings starting with . (.env, ./foo)
+ */
+export declare function extractPathArguments(args: Readonly<Record<string, unknown>>): string[];
+export {};