@solongate/proxy 0.5.9 → 0.6.0

package/dist/index.js

@@ -664,15 +664,42 @@ function installHooks() {
   const auditPath = join(hooksDir, "audit.mjs");
   writeFileSync2(auditPath, AUDIT_SCRIPT);
   console.log(`  Created ${auditPath}`);
+  const claudeDir = resolve2(".claude");
+  mkdirSync(claudeDir, { recursive: true });
+  const settingsPath = join(claudeDir, "settings.json");
+  const settings = {
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            { type: "command", command: "node .solongate/hooks/guard.mjs" }
+          ]
+        }
+      ],
+      PostToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            { type: "command", command: "node .solongate/hooks/audit.mjs" }
+          ]
+        }
+      ]
+    }
+  };
+  let existing = {};
+  try {
+    existing = JSON.parse(readFileSync3(settingsPath, "utf-8"));
+  } catch {
+  }
+  const merged = { ...existing, hooks: settings.hooks };
+  writeFileSync2(settingsPath, JSON.stringify(merged, null, 2) + "\n");
+  console.log(`  Created ${settingsPath}`);
   console.log("");
-  console.log("  Hooks installed in .solongate/hooks/");
-  console.log("  guard.mjs  \u2192 blocks dangerous calls (pre-execution)");
+  console.log("  Hooks installed:");
+  console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
-  console.log("");
-  console.log("  To activate hooks in your MCP client:");
-  console.log("  Claude Code \u2192 .claude/settings.json");
-  console.log("  Cursor      \u2192 .cursor/settings.json");
-  console.log("  Or run: node .solongate/hooks/guard.mjs (stdin: JSON)");
+  console.log("  .claude/settings.json \u2192 hooks activated for Claude Code");
 }
 function ensureEnvFile() {
   const envPath = resolve2(".env");
@@ -778,6 +805,8 @@ async function main() {
   if (alreadyProtected.length === serverNames.length) {
     console.log("  All servers are already protected by SolonGate!");
     ensureEnvFile();
+    console.log("");
+    installHooks();
     process.exit(0);
   }
   if (!options.all) {
@@ -917,150 +946,213 @@ var init_init = __esm({
     sleep = (ms) => new Promise((r) => setTimeout(r, ms));
     GUARD_SCRIPT = `#!/usr/bin/env node
 /**
- * SolonGate Guard Hook for Claude Code (PreToolUse)
- * Blocks dangerous tool calls BEFORE they execute.
+ * SolonGate Policy Guard Hook (PreToolUse)
+ * Reads policy.json and blocks tool calls that violate constraints.
  * Exit code 2 = BLOCK, exit code 0 = ALLOW.
  * Auto-installed by: npx @solongate/proxy init
  */
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
 
 const API_KEY = process.env.SOLONGATE_API_KEY || '';
 const API_URL = process.env.SOLONGATE_API_URL || 'https://api.solongate.com';
 
-// \u2500\u2500 Input Guard Patterns \u2500\u2500
-const PATH_TRAVERSAL = [
-  /\\.\\.\\//,  /\\\\.\\.\\\\\\\\/,  /%2e%2e/i,  /%2e\\./i,  /\\.%2e/i,  /%252e%252e/i,
-];
-const SENSITIVE_PATHS = [
-  /\\/etc\\/passwd/i, /\\/etc\\/shadow/i, /\\/proc\\//i,
-  /c:\\\\windows\\\\system32/i, /\\.env(\\.|$)/i,
-  /\\.aws\\/credentials/i, /\\.ssh\\/id_/i, /\\.kube\\/config/i,
-  /\\.git\\/config/i, /\\.npmrc/i, /\\.pypirc/i,
-];
-const SHELL_INJECTION = [
-  /\\$\\(/, /\\$\\{/, /\\\`/, /\\beval\\b/i, /\\bexec\\b/i, /\\bsystem\\b/i,
-  /%0a/i, /%0d/i,
-];
-const SSRF = [
-  /^https?:\\/\\/localhost\\b/i, /^https?:\\/\\/127\\./, /^https?:\\/\\/0\\.0\\.0\\.0/,
-  /^https?:\\/\\/10\\./, /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
-  /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
-  /metadata\\.google\\.internal/i,
-];
-const SSRF_IN_CMD = [
-  /https?:\\/\\/localhost\\b/i, /https?:\\/\\/127\\./, /https?:\\/\\/0\\.0\\.0\\.0/,
-  /https?:\\/\\/10\\./, /https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
-  /https?:\\/\\/192\\.168\\./, /https?:\\/\\/169\\.254\\./,
-  /metadata\\.google\\.internal/i,
-  /\\b127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/, /\\b0\\.0\\.0\\.0\\b/,
-  /\\b10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b172\\.(1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b192\\.168\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b169\\.254\\.\\d{1,3}\\.\\d{1,3}\\b/,
-];
-const SQL_INJECTION = [
-  /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
-  /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
-  /UNION\\s+(ALL\\s+)?SELECT/i, /\\bSLEEP\\s*\\(/i, /\\bWAITFOR\\s+DELAY/i,
-];
+// \u2500\u2500 Glob Matching \u2500\u2500
+function matchGlob(str, pattern) {
+  if (pattern === '*') return true;
+  const s = str.toLowerCase();
+  const p = pattern.toLowerCase();
+  if (s === p) return true;
+  const startsW = p.startsWith('*');
+  const endsW = p.endsWith('*');
+  if (startsW && endsW) { const infix = p.slice(1, -1); return infix.length > 0 && s.includes(infix); }
+  if (startsW) return s.endsWith(p.slice(1));
+  if (endsW) return s.startsWith(p.slice(0, -1));
+  const idx = p.indexOf('*');
+  if (idx !== -1) {
+    const pre = p.slice(0, idx);
+    const suf = p.slice(idx + 1);
+    return s.startsWith(pre) && s.endsWith(suf) && s.length >= pre.length + suf.length;
+  }
+  return false;
+}
 
-// Dangerous command patterns for Bash tool
-const DANGEROUS_COMMANDS = [
-  /\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)/i,
-  /\\brm\\s+-rf\\b/i,
-  /\\bmkfs\\b/i, /\\bdd\\s+if=/i,
-  /\\b(shutdown|reboot|halt|poweroff)\\b/i,
-  /\\bchmod\\s+777\\b/,
-  /\\bcurl\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
-  /\\bwget\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
-  /\\bnc\\s+-[a-z]*l/i,  // netcat listener
-  />(\\s*)\\/dev\\/sd/,   // writing to raw disk
-  /\\bgit\\s+push\\s+.*--force\\b/i,
-  /\\bgit\\s+reset\\s+--hard\\b/i,
-];
+// \u2500\u2500 Path Glob (supports **) \u2500\u2500
+function matchPathGlob(path, pattern) {
+  const p = path.replace(/\\\\\\\\/g, '/').toLowerCase();
+  const g = pattern.replace(/\\\\\\\\/g, '/').toLowerCase();
+  if (p === g) return true;
+  if (g.includes('**')) {
+    const parts = g.split('**');
+    if (parts.length === 2) {
+      const [pre, suf] = parts;
+      const matchPre = !pre || p.startsWith(pre) || p.includes(pre);
+      const matchSuf = !suf || p.endsWith(suf) || p.includes(suf.slice(1));
+      return matchPre && matchSuf;
+    }
+  }
+  return matchGlob(p, g);
+}
 
-function checkPath(val) {
-  if (typeof val !== 'string' || val.length < 2) return null;
-  for (const p of PATH_TRAVERSAL) if (p.test(val)) return 'Path traversal detected';
-  for (const p of SENSITIVE_PATHS) if (p.test(val)) return 'Sensitive file access blocked';
-  return null;
+// \u2500\u2500 Extract Functions (deep scan all string values) \u2500\u2500
+function scanStrings(obj) {
+  const strings = [];
+  function walk(v) {
+    if (typeof v === 'string' && v.trim()) strings.push(v.trim());
+    else if (Array.isArray(v)) v.forEach(walk);
+    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
+  }
+  walk(obj);
+  return strings;
 }
 
-function checkValue(val) {
-  if (typeof val !== 'string' || val.length < 2) return null;
-  for (const p of SSRF) if (p.test(val)) return 'SSRF attempt blocked';
-  for (const p of SQL_INJECTION) if (p.test(val)) return 'SQL injection detected';
-  if (val.length > 10000) return 'Input too long (max 10000 chars)';
-  return null;
+function looksLikeFilename(s) {
+  if (s.startsWith('.')) return true;
+  if (/\\.\\w+$/.test(s)) return true;
+  const known = ['id_rsa','id_dsa','id_ecdsa','id_ed25519','authorized_keys','known_hosts','makefile','dockerfile'];
+  return known.includes(s.toLowerCase());
+}
+
+function extractFilenames(args) {
+  const names = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\\\')) {
+      const base = s.replace(/\\\\\\\\/g, '/').split('/').pop();
+      if (base) names.add(base);
+      continue;
+    }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\\s+/)) {
+        if (tok.includes('/') || tok.includes('\\\\')) {
+          const b = tok.replace(/\\\\\\\\/g, '/').split('/').pop();
+          if (b && looksLikeFilename(b)) names.add(b);
+        } else if (looksLikeFilename(tok)) names.add(tok);
+      }
+      continue;
+    }
+    if (looksLikeFilename(s)) names.add(s);
+  }
+  return [...names];
+}
+
+function extractUrls(args) {
+  const urls = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) { urls.add(s); continue; }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\\s+/)) {
+        if (/^https?:\\/\\//i.test(tok)) urls.add(tok);
+      }
+    }
+  }
+  return [...urls];
+}
+
+function extractCommands(args) {
+  const cmds = [];
+  const fields = ['command', 'cmd', 'function', 'script', 'shell'];
+  if (typeof args === 'object' && args) {
+    for (const [k, v] of Object.entries(args)) {
+      if (fields.includes(k.toLowerCase()) && typeof v === 'string') cmds.push(v);
+    }
+  }
+  return cmds;
+}
+
+function extractPaths(args) {
+  const paths = [];
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\\\') || s.startsWith('.')) paths.push(s);
+  }
+  return paths;
 }
 
-// Arguments that contain file paths
-const PATH_ARGS = ['file_path', 'path', 'pattern', 'directory', 'url', 'uri', 'notebook_path'];
+// \u2500\u2500 Policy Evaluation \u2500\u2500
+function evaluate(policy, args) {
+  if (!policy || !policy.rules) return null;
+  const denyRules = policy.rules
+    .filter(r => r.effect === 'DENY' && r.enabled !== false)
+    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
 
-function checkBashCommand(cmd) {
-  if (typeof cmd !== 'string') return null;
-  for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
-  for (const p of SSRF_IN_CMD) if (p.test(cmd)) return 'SSRF attempt blocked in command: ' + cmd.slice(0, 80);
+  for (const rule of denyRules) {
+    // Filename constraints
+    if (rule.filenameConstraints && rule.filenameConstraints.denied) {
+      const filenames = extractFilenames(args);
+      for (const fn of filenames) {
+        for (const pat of rule.filenameConstraints.denied) {
+          if (matchGlob(fn, pat)) return 'Blocked by policy: filename "' + fn + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // URL constraints
+    if (rule.urlConstraints && rule.urlConstraints.denied) {
+      const urls = extractUrls(args);
+      for (const url of urls) {
+        for (const pat of rule.urlConstraints.denied) {
+          if (matchGlob(url, pat)) return 'Blocked by policy: URL "' + url + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // Command constraints
+    if (rule.commandConstraints && rule.commandConstraints.denied) {
+      const cmds = extractCommands(args);
+      for (const cmd of cmds) {
+        for (const pat of rule.commandConstraints.denied) {
+          if (matchGlob(cmd, pat)) return 'Blocked by policy: command "' + cmd.slice(0,60) + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // Path constraints
+    if (rule.pathConstraints && rule.pathConstraints.denied) {
+      const paths = extractPaths(args);
+      for (const p of paths) {
+        for (const pat of rule.pathConstraints.denied) {
+          if (matchPathGlob(p, pat)) return 'Blocked by policy: path "' + p + '" matches "' + pat + '"';
+        }
+      }
+    }
+  }
   return null;
 }
 
+// \u2500\u2500 Main \u2500\u2500
 let input = '';
 process.stdin.on('data', c => input += c);
 process.stdin.on('end', async () => {
   try {
     const data = JSON.parse(input);
-    const tool = data.tool_name || '';
     const args = data.tool_input || {};
-    const start = Date.now();
-
-    let threat = null;
-
-    // Check Bash commands for dangerous patterns
-    if (tool === 'Bash' && args.command) {
-      threat = checkBashCommand(args.command);
-    }
 
-    // Check arguments based on type
-    if (!threat) {
-      for (const [key, val] of Object.entries(args)) {
-        if (tool === 'Bash' && key === 'command') continue;
-        if (key === 'content' || key === 'new_source' || key === 'new_string' || key === 'old_string' || key === 'description') continue;
-        if (PATH_ARGS.includes(key)) {
-          threat = checkPath(val);
-        } else {
-          threat = checkValue(val);
-        }
-        if (threat) { threat = threat + ' (in ' + key + ')'; break; }
-      }
+    // Load policy
+    let policy;
+    try {
+      policy = JSON.parse(readFileSync(resolve('policy.json'), 'utf-8'));
+    } catch {
+      process.exit(0); // No policy = allow all
     }
 
-    const ms = Date.now() - start;
+    const reason = evaluate(policy, args);
 
-    if (threat) {
-      // Send DENY audit log \u2014 MUST await before exit or fetch dies
+    if (reason) {
       if (API_KEY && API_KEY.startsWith('sg_live_')) {
         try {
           await fetch(API_URL + '/api/v1/audit-logs', {
             method: 'POST',
             headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
             body: JSON.stringify({
-              tool, arguments: Object.fromEntries(Object.entries(args).map(([k,v]) =>
-                [k, typeof v === 'string' && v.length > 200 ? v.slice(0,200)+'...' : v])),
-              decision: 'DENY', reason: threat, source: 'claude-code-guard',
-              evaluationTimeMs: ms,
+              tool: data.tool_name || '', arguments: args,
+              decision: 'DENY', reason, source: 'claude-code-guard',
             }),
             signal: AbortSignal.timeout(3000),
           });
         } catch {}
       }
-      // Exit 2 = BLOCK. Write to both stdout and stderr for visibility.
-      const msg = 'SOLONGATE BLOCKED: ' + threat;
-      process.stdout.write(msg);
-      process.stderr.write(msg);
+      process.stderr.write(reason);
       process.exit(2);
     }
-  } catch {
-    // On error, allow (fail-open)
-  }
+  } catch {}
   process.exit(0);
 });
 `;

package/dist/init.js

@@ -141,150 +141,213 @@ EXAMPLES
 }
 var GUARD_SCRIPT = `#!/usr/bin/env node
 /**
- * SolonGate Guard Hook for Claude Code (PreToolUse)
- * Blocks dangerous tool calls BEFORE they execute.
+ * SolonGate Policy Guard Hook (PreToolUse)
+ * Reads policy.json and blocks tool calls that violate constraints.
  * Exit code 2 = BLOCK, exit code 0 = ALLOW.
  * Auto-installed by: npx @solongate/proxy init
  */
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
 
 const API_KEY = process.env.SOLONGATE_API_KEY || '';
 const API_URL = process.env.SOLONGATE_API_URL || 'https://api.solongate.com';
 
-// \u2500\u2500 Input Guard Patterns \u2500\u2500
-const PATH_TRAVERSAL = [
-  /\\.\\.\\//,  /\\\\.\\.\\\\\\\\/,  /%2e%2e/i,  /%2e\\./i,  /\\.%2e/i,  /%252e%252e/i,
-];
-const SENSITIVE_PATHS = [
-  /\\/etc\\/passwd/i, /\\/etc\\/shadow/i, /\\/proc\\//i,
-  /c:\\\\windows\\\\system32/i, /\\.env(\\.|$)/i,
-  /\\.aws\\/credentials/i, /\\.ssh\\/id_/i, /\\.kube\\/config/i,
-  /\\.git\\/config/i, /\\.npmrc/i, /\\.pypirc/i,
-];
-const SHELL_INJECTION = [
-  /\\$\\(/, /\\$\\{/, /\\\`/, /\\beval\\b/i, /\\bexec\\b/i, /\\bsystem\\b/i,
-  /%0a/i, /%0d/i,
-];
-const SSRF = [
-  /^https?:\\/\\/localhost\\b/i, /^https?:\\/\\/127\\./, /^https?:\\/\\/0\\.0\\.0\\.0/,
-  /^https?:\\/\\/10\\./, /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
-  /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
-  /metadata\\.google\\.internal/i,
-];
-const SSRF_IN_CMD = [
-  /https?:\\/\\/localhost\\b/i, /https?:\\/\\/127\\./, /https?:\\/\\/0\\.0\\.0\\.0/,
-  /https?:\\/\\/10\\./, /https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
-  /https?:\\/\\/192\\.168\\./, /https?:\\/\\/169\\.254\\./,
-  /metadata\\.google\\.internal/i,
-  /\\b127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/, /\\b0\\.0\\.0\\.0\\b/,
-  /\\b10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b172\\.(1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b192\\.168\\.\\d{1,3}\\.\\d{1,3}\\b/,
-  /\\b169\\.254\\.\\d{1,3}\\.\\d{1,3}\\b/,
-];
-const SQL_INJECTION = [
-  /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
-  /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
-  /UNION\\s+(ALL\\s+)?SELECT/i, /\\bSLEEP\\s*\\(/i, /\\bWAITFOR\\s+DELAY/i,
-];
+// \u2500\u2500 Glob Matching \u2500\u2500
+function matchGlob(str, pattern) {
+  if (pattern === '*') return true;
+  const s = str.toLowerCase();
+  const p = pattern.toLowerCase();
+  if (s === p) return true;
+  const startsW = p.startsWith('*');
+  const endsW = p.endsWith('*');
+  if (startsW && endsW) { const infix = p.slice(1, -1); return infix.length > 0 && s.includes(infix); }
+  if (startsW) return s.endsWith(p.slice(1));
+  if (endsW) return s.startsWith(p.slice(0, -1));
+  const idx = p.indexOf('*');
+  if (idx !== -1) {
+    const pre = p.slice(0, idx);
+    const suf = p.slice(idx + 1);
+    return s.startsWith(pre) && s.endsWith(suf) && s.length >= pre.length + suf.length;
+  }
+  return false;
+}
 
-// Dangerous command patterns for Bash tool
-const DANGEROUS_COMMANDS = [
-  /\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)/i,
-  /\\brm\\s+-rf\\b/i,
-  /\\bmkfs\\b/i, /\\bdd\\s+if=/i,
-  /\\b(shutdown|reboot|halt|poweroff)\\b/i,
-  /\\bchmod\\s+777\\b/,
-  /\\bcurl\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
-  /\\bwget\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
-  /\\bnc\\s+-[a-z]*l/i,  // netcat listener
-  />(\\s*)\\/dev\\/sd/,   // writing to raw disk
-  /\\bgit\\s+push\\s+.*--force\\b/i,
-  /\\bgit\\s+reset\\s+--hard\\b/i,
-];
+// \u2500\u2500 Path Glob (supports **) \u2500\u2500
+function matchPathGlob(path, pattern) {
+  const p = path.replace(/\\\\\\\\/g, '/').toLowerCase();
+  const g = pattern.replace(/\\\\\\\\/g, '/').toLowerCase();
+  if (p === g) return true;
+  if (g.includes('**')) {
+    const parts = g.split('**');
+    if (parts.length === 2) {
+      const [pre, suf] = parts;
+      const matchPre = !pre || p.startsWith(pre) || p.includes(pre);
+      const matchSuf = !suf || p.endsWith(suf) || p.includes(suf.slice(1));
+      return matchPre && matchSuf;
+    }
+  }
+  return matchGlob(p, g);
+}
 
-function checkPath(val) {
-  if (typeof val !== 'string' || val.length < 2) return null;
-  for (const p of PATH_TRAVERSAL) if (p.test(val)) return 'Path traversal detected';
-  for (const p of SENSITIVE_PATHS) if (p.test(val)) return 'Sensitive file access blocked';
-  return null;
+// \u2500\u2500 Extract Functions (deep scan all string values) \u2500\u2500
+function scanStrings(obj) {
+  const strings = [];
+  function walk(v) {
+    if (typeof v === 'string' && v.trim()) strings.push(v.trim());
+    else if (Array.isArray(v)) v.forEach(walk);
+    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
+  }
+  walk(obj);
+  return strings;
 }
 
-function checkValue(val) {
-  if (typeof val !== 'string' || val.length < 2) return null;
-  for (const p of SSRF) if (p.test(val)) return 'SSRF attempt blocked';
-  for (const p of SQL_INJECTION) if (p.test(val)) return 'SQL injection detected';
-  if (val.length > 10000) return 'Input too long (max 10000 chars)';
-  return null;
+function looksLikeFilename(s) {
+  if (s.startsWith('.')) return true;
+  if (/\\.\\w+$/.test(s)) return true;
+  const known = ['id_rsa','id_dsa','id_ecdsa','id_ed25519','authorized_keys','known_hosts','makefile','dockerfile'];
+  return known.includes(s.toLowerCase());
 }
 
-// Arguments that contain file paths
-const PATH_ARGS = ['file_path', 'path', 'pattern', 'directory', 'url', 'uri', 'notebook_path'];
+function extractFilenames(args) {
+  const names = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\\\')) {
+      const base = s.replace(/\\\\\\\\/g, '/').split('/').pop();
+      if (base) names.add(base);
+      continue;
+    }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\\s+/)) {
+        if (tok.includes('/') || tok.includes('\\\\')) {
+          const b = tok.replace(/\\\\\\\\/g, '/').split('/').pop();
+          if (b && looksLikeFilename(b)) names.add(b);
+        } else if (looksLikeFilename(tok)) names.add(tok);
+      }
+      continue;
+    }
+    if (looksLikeFilename(s)) names.add(s);
+  }
+  return [...names];
+}
+
+function extractUrls(args) {
+  const urls = new Set();
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) { urls.add(s); continue; }
+    if (s.includes(' ')) {
+      for (const tok of s.split(/\\s+/)) {
+        if (/^https?:\\/\\//i.test(tok)) urls.add(tok);
+      }
+    }
+  }
+  return [...urls];
+}
+
+function extractCommands(args) {
+  const cmds = [];
+  const fields = ['command', 'cmd', 'function', 'script', 'shell'];
+  if (typeof args === 'object' && args) {
+    for (const [k, v] of Object.entries(args)) {
+      if (fields.includes(k.toLowerCase()) && typeof v === 'string') cmds.push(v);
+    }
+  }
+  return cmds;
+}
 
-function checkBashCommand(cmd) {
-  if (typeof cmd !== 'string') return null;
-  for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
-  for (const p of SSRF_IN_CMD) if (p.test(cmd)) return 'SSRF attempt blocked in command: ' + cmd.slice(0, 80);
+function extractPaths(args) {
+  const paths = [];
+  for (const s of scanStrings(args)) {
+    if (/^https?:\\/\\//i.test(s)) continue;
+    if (s.includes('/') || s.includes('\\\\') || s.startsWith('.')) paths.push(s);
+  }
+  return paths;
+}
+
+// \u2500\u2500 Policy Evaluation \u2500\u2500
+function evaluate(policy, args) {
+  if (!policy || !policy.rules) return null;
+  const denyRules = policy.rules
+    .filter(r => r.effect === 'DENY' && r.enabled !== false)
+    .sort((a, b) => (a.priority || 100) - (b.priority || 100));
+
+  for (const rule of denyRules) {
+    // Filename constraints
+    if (rule.filenameConstraints && rule.filenameConstraints.denied) {
+      const filenames = extractFilenames(args);
+      for (const fn of filenames) {
+        for (const pat of rule.filenameConstraints.denied) {
+          if (matchGlob(fn, pat)) return 'Blocked by policy: filename "' + fn + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // URL constraints
+    if (rule.urlConstraints && rule.urlConstraints.denied) {
+      const urls = extractUrls(args);
+      for (const url of urls) {
+        for (const pat of rule.urlConstraints.denied) {
+          if (matchGlob(url, pat)) return 'Blocked by policy: URL "' + url + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // Command constraints
+    if (rule.commandConstraints && rule.commandConstraints.denied) {
+      const cmds = extractCommands(args);
+      for (const cmd of cmds) {
+        for (const pat of rule.commandConstraints.denied) {
+          if (matchGlob(cmd, pat)) return 'Blocked by policy: command "' + cmd.slice(0,60) + '" matches "' + pat + '"';
+        }
+      }
+    }
+    // Path constraints
+    if (rule.pathConstraints && rule.pathConstraints.denied) {
+      const paths = extractPaths(args);
+      for (const p of paths) {
+        for (const pat of rule.pathConstraints.denied) {
+          if (matchPathGlob(p, pat)) return 'Blocked by policy: path "' + p + '" matches "' + pat + '"';
+        }
+      }
+    }
+  }
   return null;
 }
 
+// \u2500\u2500 Main \u2500\u2500
 let input = '';
 process.stdin.on('data', c => input += c);
 process.stdin.on('end', async () => {
   try {
     const data = JSON.parse(input);
-    const tool = data.tool_name || '';
     const args = data.tool_input || {};
-    const start = Date.now();
-
-    let threat = null;
 
-    // Check Bash commands for dangerous patterns
-    if (tool === 'Bash' && args.command) {
-      threat = checkBashCommand(args.command);
+    // Load policy
+    let policy;
+    try {
+      policy = JSON.parse(readFileSync(resolve('policy.json'), 'utf-8'));
+    } catch {
+      process.exit(0); // No policy = allow all
     }
 
-    // Check arguments based on type
-    if (!threat) {
-      for (const [key, val] of Object.entries(args)) {
-        if (tool === 'Bash' && key === 'command') continue;
-        if (key === 'content' || key === 'new_source' || key === 'new_string' || key === 'old_string' || key === 'description') continue;
-        if (PATH_ARGS.includes(key)) {
-          threat = checkPath(val);
-        } else {
-          threat = checkValue(val);
-        }
-        if (threat) { threat = threat + ' (in ' + key + ')'; break; }
-      }
-    }
-
-    const ms = Date.now() - start;
+    const reason = evaluate(policy, args);
 
-    if (threat) {
-      // Send DENY audit log \u2014 MUST await before exit or fetch dies
+    if (reason) {
       if (API_KEY && API_KEY.startsWith('sg_live_')) {
         try {
           await fetch(API_URL + '/api/v1/audit-logs', {
             method: 'POST',
             headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
             body: JSON.stringify({
-              tool, arguments: Object.fromEntries(Object.entries(args).map(([k,v]) =>
-                [k, typeof v === 'string' && v.length > 200 ? v.slice(0,200)+'...' : v])),
-              decision: 'DENY', reason: threat, source: 'claude-code-guard',
-              evaluationTimeMs: ms,
+              tool: data.tool_name || '', arguments: args,
+              decision: 'DENY', reason, source: 'claude-code-guard',
             }),
             signal: AbortSignal.timeout(3000),
           });
         } catch {}
       }
-      // Exit 2 = BLOCK. Write to both stdout and stderr for visibility.
-      const msg = 'SOLONGATE BLOCKED: ' + threat;
-      process.stdout.write(msg);
-      process.stderr.write(msg);
+      process.stderr.write(reason);
       process.exit(2);
     }
-  } catch {
-    // On error, allow (fail-open)
-  }
+  } catch {}
   process.exit(0);
 });
 `;
@@ -354,15 +417,42 @@ function installHooks() {
   const auditPath = join(hooksDir, "audit.mjs");
   writeFileSync(auditPath, AUDIT_SCRIPT);
   console.log(`  Created ${auditPath}`);
+  const claudeDir = resolve(".claude");
+  mkdirSync(claudeDir, { recursive: true });
+  const settingsPath = join(claudeDir, "settings.json");
+  const settings = {
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            { type: "command", command: "node .solongate/hooks/guard.mjs" }
+          ]
+        }
+      ],
+      PostToolUse: [
+        {
+          matcher: "",
+          hooks: [
+            { type: "command", command: "node .solongate/hooks/audit.mjs" }
+          ]
+        }
+      ]
+    }
+  };
+  let existing = {};
+  try {
+    existing = JSON.parse(readFileSync(settingsPath, "utf-8"));
+  } catch {
+  }
+  const merged = { ...existing, hooks: settings.hooks };
+  writeFileSync(settingsPath, JSON.stringify(merged, null, 2) + "\n");
+  console.log(`  Created ${settingsPath}`);
   console.log("");
-  console.log("  Hooks installed in .solongate/hooks/");
-  console.log("  guard.mjs  \u2192 blocks dangerous calls (pre-execution)");
+  console.log("  Hooks installed:");
+  console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
-  console.log("");
-  console.log("  To activate hooks in your MCP client:");
-  console.log("  Claude Code \u2192 .claude/settings.json");
-  console.log("  Cursor      \u2192 .cursor/settings.json");
-  console.log("  Or run: node .solongate/hooks/guard.mjs (stdin: JSON)");
+  console.log("  .claude/settings.json \u2192 hooks activated for Claude Code");
 }
 function ensureEnvFile() {
   const envPath = resolve(".env");
@@ -468,6 +558,8 @@ async function main() {
   if (alreadyProtected.length === serverNames.length) {
     console.log("  All servers are already protected by SolonGate!");
     ensureEnvFile();
+    console.log("");
+    installHooks();
     process.exit(0);
   }
   if (!options.all) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.5.9",
+  "version": "0.6.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {