@solongate/proxy 0.7.0 → 0.8.1

package/dist/index.js

@@ -63,21 +63,48 @@ async function sendAuditLog(apiKey, apiUrl, entry) {
 `);
   }
 }
+function ensureCatchAllAllow(policy) {
+  const hasCatchAllAllow = policy.rules.some(
+    (r) => r.effect === "ALLOW" && r.toolPattern === "*" && r.enabled !== false
+  );
+  if (hasCatchAllAllow) return policy;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    ...policy,
+    rules: [
+      ...policy.rules,
+      {
+        id: "_solongate-catch-all-allow",
+        description: "Auto-added: allow everything not explicitly denied",
+        effect: "ALLOW",
+        priority: 9999,
+        toolPattern: "*",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: now,
+        updatedAt: now
+      }
+    ]
+  };
+}
 function loadPolicy(source) {
-  if (typeof source === "object") return source;
-  if (PRESETS[source]) return PRESETS[source];
-  const filePath = resolve(source);
-  if (existsSync(filePath)) {
-    const content = readFileSync(filePath, "utf-8");
-    return JSON.parse(content);
+  let policy;
+  if (typeof source === "object") {
+    policy = source;
+  } else {
+    const filePath = resolve(source);
+    if (existsSync(filePath)) {
+      const content = readFileSync(filePath, "utf-8");
+      policy = JSON.parse(content);
+    } else {
+      return DEFAULT_POLICY;
+    }
   }
-  throw new Error(
-    `Unknown policy "${source}". Use a preset (${Object.keys(PRESETS).join(", ")}), a JSON file path, or a PolicySet object.`
-  );
+  return ensureCatchAllAllow(policy);
 }
 function parseArgs(argv) {
   const args = argv.slice(2);
-  let policySource = "restricted";
+  let policySource;
   let name = "solongate-proxy";
   let verbose = false;
   let rateLimitPerTool;
@@ -159,7 +186,7 @@ function parseArgs(argv) {
       "Invalid API key format. Keys must start with 'sg_live_' or 'sg_test_'.\nGet your API key at https://solongate.com\n"
     );
   }
-  const resolvedPolicyPath = resolvePolicyPath(policySource);
+  const resolvedPolicyPath = policySource ? resolvePolicyPath(policySource) : null;
   if (configFile) {
     const filePath = resolve(configFile);
     const content = readFileSync(filePath, "utf-8");
@@ -167,7 +194,7 @@ function parseArgs(argv) {
     if (!fileConfig.upstream) {
       throw new Error('Config file must include "upstream" with at least "command" or "url"');
     }
-    const cfgPolicySource = fileConfig.policy ?? policySource;
+    const cfgPolicySource = fileConfig.policy ?? policySource ?? "policy.json";
     return {
       upstream: fileConfig.upstream,
       policy: loadPolicy(cfgPolicySource),
@@ -191,7 +218,7 @@ function parseArgs(argv) {
         // not used for URL-based transports
         url: upstreamUrl
       },
-      policy: loadPolicy(policySource),
+      policy: loadPolicy(policySource ?? "policy.json"),
       name,
       verbose,
       rateLimitPerTool,
@@ -205,7 +232,7 @@ function parseArgs(argv) {
   }
   if (upstreamArgs.length === 0) {
     throw new Error(
-      "No upstream server command provided.\n\nUsage: solongate-proxy [options] -- <command> [args...]\n\nExamples:\n  solongate-proxy -- node my-server.js\n  solongate-proxy --policy restricted -- npx @playwright/mcp@latest\n  solongate-proxy --upstream-url http://localhost:3001/mcp\n  solongate-proxy --config solongate.json\n"
+      "No upstream server command provided.\n\nUsage: solongate-proxy [options] -- <command> [args...]\n\nExamples:\n  solongate-proxy -- node my-server.js\n  solongate-proxy --policy ./policy.json -- npx @playwright/mcp@latest\n  solongate-proxy --upstream-url http://localhost:3001/mcp\n  solongate-proxy --config solongate.json\n"
     );
   }
   const [command, ...commandArgs] = upstreamArgs;
@@ -216,7 +243,7 @@ function parseArgs(argv) {
       args: commandArgs,
       env: { ...process.env }
     },
-    policy: loadPolicy(policySource),
+    policy: loadPolicy(policySource ?? "policy.json"),
     name,
     verbose,
     rateLimitPerTool,
@@ -229,303 +256,22 @@ function parseArgs(argv) {
   };
 }
 function resolvePolicyPath(source) {
-  if (PRESETS[source]) return null;
   const filePath = resolve(source);
   if (existsSync(filePath)) return filePath;
   return null;
 }
-var PRESETS;
+var DEFAULT_POLICY;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
-    PRESETS = {
-      restricted: {
-        id: "restricted",
-        name: "Restricted",
-        description: "Blocks dangerous commands (rm -rf, curl|bash, dd, etc.), allows safe tools with path restrictions",
-        version: 1,
-        rules: [
-          {
-            id: "deny-dangerous-commands",
-            description: "Block dangerous shell commands",
-            effect: "DENY",
-            priority: 50,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            commandConstraints: {
-              denied: [
-                "rm -rf *",
-                "rm -r /*",
-                "mkfs*",
-                "dd if=*",
-                "curl*|*bash*",
-                "curl*|*sh*",
-                "wget*|*bash*",
-                "wget*|*sh*",
-                "shutdown*",
-                "reboot*",
-                "kill -9*",
-                "chmod*777*",
-                "iptables*",
-                "passwd*",
-                "useradd*",
-                "userdel*"
-              ]
-            },
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "deny-sensitive-paths",
-            description: "Block access to sensitive files",
-            effect: "DENY",
-            priority: 51,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            pathConstraints: {
-              denied: [
-                "**/.env*",
-                "**/.ssh/**",
-                "**/.aws/**",
-                "**/.kube/**",
-                "**/credentials*",
-                "**/secrets*",
-                "**/*.pem",
-                "**/*.key",
-                "/etc/passwd",
-                "/etc/shadow",
-                "/proc/**",
-                "/dev/**"
-              ]
-            },
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-rest",
-            description: "Allow all other tool calls",
-            effect: "ALLOW",
-            priority: 1e3,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          }
-        ],
-        createdAt: "",
-        updatedAt: ""
-      },
-      "read-only": {
-        id: "read-only",
-        name: "Read Only",
-        description: "Only allows read/list/get/search/query tools",
-        version: 1,
-        rules: [
-          {
-            id: "allow-read",
-            description: "Allow read tools",
-            effect: "ALLOW",
-            priority: 100,
-            toolPattern: "*read*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-list",
-            description: "Allow list tools",
-            effect: "ALLOW",
-            priority: 101,
-            toolPattern: "*list*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-get",
-            description: "Allow get tools",
-            effect: "ALLOW",
-            priority: 102,
-            toolPattern: "*get*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-search",
-            description: "Allow search tools",
-            effect: "ALLOW",
-            priority: 103,
-            toolPattern: "*search*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-query",
-            description: "Allow query tools",
-            effect: "ALLOW",
-            priority: 104,
-            toolPattern: "*query*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          }
-        ],
-        createdAt: "",
-        updatedAt: ""
-      },
-      sandbox: {
-        id: "sandbox",
-        name: "Sandbox",
-        description: "Allows file ops within working directory only, blocks dangerous commands, allows safe shell commands",
-        version: 1,
-        rules: [
-          {
-            id: "deny-dangerous-commands",
-            description: "Block dangerous shell commands",
-            effect: "DENY",
-            priority: 50,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            commandConstraints: {
-              denied: [
-                "rm -rf *",
-                "rm -r /*",
-                "mkfs*",
-                "dd if=*",
-                "curl*|*bash*",
-                "wget*|*sh*",
-                "shutdown*",
-                "reboot*",
-                "chmod*777*"
-              ]
-            },
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-safe-commands",
-            description: "Allow safe shell commands only",
-            effect: "ALLOW",
-            priority: 100,
-            toolPattern: "*shell*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            commandConstraints: {
-              allowed: [
-                "ls*",
-                "cat*",
-                "head*",
-                "tail*",
-                "wc*",
-                "grep*",
-                "find*",
-                "echo*",
-                "pwd",
-                "whoami",
-                "date",
-                "env",
-                "git*",
-                "npm*",
-                "pnpm*",
-                "yarn*",
-                "node*",
-                "python*",
-                "pip*"
-              ]
-            },
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "deny-sensitive-paths",
-            description: "Block access to sensitive files",
-            effect: "DENY",
-            priority: 51,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            pathConstraints: {
-              denied: [
-                "**/.env*",
-                "**/.ssh/**",
-                "**/.aws/**",
-                "**/credentials*",
-                "**/*.pem",
-                "**/*.key"
-              ]
-            },
-            createdAt: "",
-            updatedAt: ""
-          },
-          {
-            id: "allow-rest",
-            description: "Allow all other tools",
-            effect: "ALLOW",
-            priority: 1e3,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          }
-        ],
-        createdAt: "",
-        updatedAt: ""
-      },
-      permissive: {
-        id: "permissive",
-        name: "Permissive",
-        description: "Allows all tool calls (monitoring only)",
-        version: 1,
-        rules: [
-          {
-            id: "allow-all",
-            description: "Allow all",
-            effect: "ALLOW",
-            priority: 1e3,
-            toolPattern: "*",
-            permission: "EXECUTE",
-            minimumTrustLevel: "UNTRUSTED",
-            enabled: true,
-            createdAt: "",
-            updatedAt: ""
-          }
-        ],
-        createdAt: "",
-        updatedAt: ""
-      },
-      "deny-all": {
-        id: "deny-all",
-        name: "Deny All",
-        description: "Blocks all tool calls",
-        version: 1,
-        rules: [],
-        createdAt: "",
-        updatedAt: ""
-      }
+    DEFAULT_POLICY = {
+      id: "default",
+      name: "Default (Deny All)",
+      description: "Default-deny policy. Create rules in the dashboard or push a policy.json.",
+      version: 1,
+      rules: [],
+      createdAt: "",
+      updatedAt: ""
     };
   }
 });
@@ -591,18 +337,14 @@ function isAlreadyProtected(server) {
 function wrapServer(server, policy) {
   const env = { ...server.env ?? {} };
   env.SOLONGATE_API_KEY = "${SOLONGATE_API_KEY}";
+  const proxyArgs = ["-y", "@solongate/proxy"];
+  if (policy) {
+    proxyArgs.push("--policy", policy);
+  }
+  proxyArgs.push("--verbose", "--", server.command, ...server.args ?? []);
   return {
     command: "npx",
-    args: [
-      "-y",
-      "@solongate/proxy",
-      "--policy",
-      policy,
-      "--verbose",
-      "--",
-      server.command,
-      ...server.args ?? []
-    ],
+    args: proxyArgs,
     env
   };
 }
@@ -651,8 +393,7 @@ USAGE
 
 OPTIONS
   --config <path>     Path to MCP config file (default: auto-detect)
-  --policy <file>     Custom policy JSON file (default: restricted)
-                      Auto-detects policy.json in current directory
+  --policy <file>     Custom policy JSON file (auto-detects policy.json)
   --api-key <key>     SolonGate API key (sg_live_... or sg_test_...)
   --all               Protect all servers without prompting
   -h, --help          Show this help message
@@ -870,7 +611,7 @@ async function main() {
     console.log("  Invalid API key format. Must start with sg_live_ or sg_test_");
     process.exit(1);
   }
-  let policyValue = "restricted";
+  let policyValue;
   if (options.policy) {
     const policyPath = resolve2(options.policy);
     if (existsSync3(policyPath)) {
@@ -886,7 +627,7 @@ async function main() {
       policyValue = "./policy.json";
       console.log(`  Policy:  ${defaultPolicy} (auto-detected)`);
     } else {
-      console.log(`  Policy:  restricted (default)`);
+      console.log(`  Policy:  cloud-managed (fetched via API key)`);
     }
   }
   await sleep(300);
@@ -1726,7 +1467,7 @@ function parseCreateArgs(argv) {
   const args = argv.slice(2);
   const opts = {
     name: "",
-    policy: "restricted",
+    policy: "",
     noInstall: false
   };
   for (let i = 0; i < args.length; i++) {
@@ -1769,13 +1510,13 @@ USAGE
   npx @solongate/proxy create <name> [options]
 
 OPTIONS
-  --policy <preset>   Policy preset (default: restricted)
+  --policy <file>     Policy JSON file (default: cloud-managed)
   --no-install        Skip dependency installation
   -h, --help          Show this help message
 
 EXAMPLES
   npx @solongate/proxy create my-server
-  npx @solongate/proxy create db-tools --policy read-only
+  npx @solongate/proxy create db-tools --policy ./policy.json
 `);
 }
 function createProject(dir, name, _policy) {
@@ -2440,6 +2181,14 @@ var PolicyRuleSchema = z.object({
     allowed: z.array(z.string()).optional(),
     denied: z.array(z.string()).optional()
   }).optional(),
+  filenameConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional(),
+  urlConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
+  }).optional(),
   enabled: z.boolean().default(true),
   createdAt: z.string().datetime(),
   updatedAt: z.string().datetime()
@@ -2625,11 +2374,48 @@ function matchSegmentGlob(segment, pattern) {
   }
   return segment === pattern;
 }
+var PATH_FIELDS = /* @__PURE__ */ new Set([
+  "path",
+  "file",
+  "file_path",
+  "filepath",
+  "filename",
+  "directory",
+  "dir",
+  "folder",
+  "source",
+  "destination",
+  "dest",
+  "target",
+  "input",
+  "output",
+  "cwd",
+  "root",
+  "notebook_path"
+]);
 function extractPathArguments(args) {
   const paths = [];
-  for (const value of Object.values(args)) {
-    if (typeof value === "string" && (value.includes("/") || value.includes("\\"))) {
-      paths.push(value);
+  const seen = /* @__PURE__ */ new Set();
+  function addPath(value) {
+    const trimmed = value.trim();
+    if (trimmed && !seen.has(trimmed)) {
+      seen.add(trimmed);
+      paths.push(trimmed);
+    }
+  }
+  for (const [key, value] of Object.entries(args)) {
+    if (typeof value !== "string") continue;
+    if (PATH_FIELDS.has(key.toLowerCase())) {
+      addPath(value);
+      continue;
+    }
+    if (value.includes("/") || value.includes("\\")) {
+      addPath(value);
+      continue;
+    }
+    if (value.startsWith(".")) {
+      addPath(value);
+      continue;
     }
   }
   return paths;
@@ -2643,15 +2429,62 @@ var COMMAND_FIELDS = /* @__PURE__ */ new Set([
   "shell",
   "exec",
   "sql",
-  "expression"
+  "expression",
+  "function"
 ]);
+var COMMAND_HEURISTICS = [
+  /^(sh|bash|cmd|powershell|zsh|fish)\s+-c\s+/i,
+  // shell -c "..."
+  /^(sudo|doas)\s+/i,
+  // privilege escalation
+  /^\w+\s+&&\s+/,
+  // cmd1 && cmd2
+  /^\w+\s*\|\s*\w+/,
+  // cmd1 | cmd2
+  /^\w+\s*;\s*\w+/,
+  // cmd1; cmd2
+  /^(curl|wget|nc|ncat)\s+/i,
+  // network commands
+  /^(rm|del|rmdir)\s+/i,
+  // destructive commands
+  /^(cat|type|more|less)\s+.*[/\\]/i
+  // file read commands with paths
+];
 function extractCommandArguments(args) {
   const commands = [];
-  for (const [key, value] of Object.entries(args)) {
-    if (typeof value !== "string") continue;
-    if (COMMAND_FIELDS.has(key.toLowerCase())) {
-      commands.push(value);
+  const seen = /* @__PURE__ */ new Set();
+  function addCommand(value) {
+    const trimmed = value.trim();
+    if (trimmed && !seen.has(trimmed)) {
+      seen.add(trimmed);
+      commands.push(trimmed);
+    }
+  }
+  function scanValue(key, value) {
+    if (typeof value === "string") {
+      if (COMMAND_FIELDS.has(key.toLowerCase())) {
+        addCommand(value);
+        return;
+      }
+      for (const pattern of COMMAND_HEURISTICS) {
+        if (pattern.test(value)) {
+          addCommand(value);
+          return;
+        }
+      }
     }
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        scanValue(key, item);
+      }
+    } else if (typeof value === "object" && value !== null) {
+      for (const [k, v] of Object.entries(value)) {
+        scanValue(k, v);
+      }
+    }
+  }
+  for (const [key, value] of Object.entries(args)) {
+    scanValue(key, value);
   }
   return commands;
 }
@@ -2697,6 +2530,224 @@ function isCommandAllowed(command, constraints) {
   }
   return true;
 }
+function extractFilenames(args) {
+  const filenames = [];
+  const seen = /* @__PURE__ */ new Set();
+  function addFilename(name) {
+    const trimmed = name.trim();
+    if (trimmed && !seen.has(trimmed)) {
+      seen.add(trimmed);
+      filenames.push(trimmed);
+    }
+  }
+  function scanValue(value) {
+    if (typeof value === "string") {
+      const trimmed = value.trim();
+      if (!trimmed) return;
+      if (/^https?:\/\//i.test(trimmed)) return;
+      if (trimmed.includes("/") || trimmed.includes("\\")) {
+        const normalized = trimmed.replace(/\\/g, "/");
+        const parts = normalized.split("/");
+        const basename = parts[parts.length - 1];
+        if (basename && basename.length > 0) {
+          addFilename(basename);
+        }
+        return;
+      }
+      if (trimmed.includes(" ")) {
+        for (const token of trimmed.split(/\s+/)) {
+          if (token.includes("/") || token.includes("\\")) {
+            const parts = token.replace(/\\/g, "/").split("/");
+            const basename = parts[parts.length - 1];
+            if (basename && looksLikeFilename(basename)) addFilename(basename);
+          } else if (looksLikeFilename(token)) {
+            addFilename(token);
+          }
+        }
+        return;
+      }
+      if (looksLikeFilename(trimmed)) {
+        addFilename(trimmed);
+      }
+      return;
+    }
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        scanValue(item);
+      }
+    } else if (typeof value === "object" && value !== null) {
+      for (const v of Object.values(value)) {
+        scanValue(v);
+      }
+    }
+  }
+  for (const value of Object.values(args)) {
+    scanValue(value);
+  }
+  return filenames;
+}
+function looksLikeFilename(s) {
+  if (s.startsWith(".")) return true;
+  if (/\.\w+$/.test(s)) return true;
+  const knownFiles = /* @__PURE__ */ new Set([
+    "id_rsa",
+    "id_dsa",
+    "id_ecdsa",
+    "id_ed25519",
+    "authorized_keys",
+    "known_hosts",
+    "makefile",
+    "dockerfile",
+    "vagrantfile",
+    "gemfile",
+    "rakefile",
+    "procfile"
+  ]);
+  if (knownFiles.has(s.toLowerCase())) return true;
+  return false;
+}
+function matchFilenamePattern(filename, pattern) {
+  if (pattern === "*") return true;
+  const normalizedFilename = filename.toLowerCase();
+  const normalizedPattern = pattern.toLowerCase();
+  if (normalizedFilename === normalizedPattern) return true;
+  const startsWithStar = normalizedPattern.startsWith("*");
+  const endsWithStar = normalizedPattern.endsWith("*");
+  if (startsWithStar && endsWithStar) {
+    const infix = normalizedPattern.slice(1, -1);
+    return infix.length > 0 && normalizedFilename.includes(infix);
+  }
+  if (startsWithStar) {
+    const suffix = normalizedPattern.slice(1);
+    return normalizedFilename.endsWith(suffix);
+  }
+  if (endsWithStar) {
+    const prefix = normalizedPattern.slice(0, -1);
+    return normalizedFilename.startsWith(prefix);
+  }
+  const starIdx = normalizedPattern.indexOf("*");
+  if (starIdx !== -1) {
+    const prefix = normalizedPattern.slice(0, starIdx);
+    const suffix = normalizedPattern.slice(starIdx + 1);
+    return normalizedFilename.startsWith(prefix) && normalizedFilename.endsWith(suffix) && normalizedFilename.length >= prefix.length + suffix.length;
+  }
+  return false;
+}
+function isFilenameAllowed(filename, constraints) {
+  if (constraints.denied && constraints.denied.length > 0) {
+    for (const pattern of constraints.denied) {
+      if (matchFilenamePattern(filename, pattern)) {
+        return false;
+      }
+    }
+  }
+  if (constraints.allowed && constraints.allowed.length > 0) {
+    let matchesAllowed = false;
+    for (const pattern of constraints.allowed) {
+      if (matchFilenamePattern(filename, pattern)) {
+        matchesAllowed = true;
+        break;
+      }
+    }
+    if (!matchesAllowed) return false;
+  }
+  return true;
+}
+var URL_FIELDS = /* @__PURE__ */ new Set([
+  "url",
+  "href",
+  "uri",
+  "endpoint",
+  "link",
+  "src",
+  "source",
+  "target",
+  "redirect",
+  "callback",
+  "webhook"
+]);
+function extractUrlArguments(args) {
+  const urls = [];
+  const seen = /* @__PURE__ */ new Set();
+  function addUrl(value) {
+    const trimmed = value.trim();
+    if (trimmed && !seen.has(trimmed)) {
+      seen.add(trimmed);
+      urls.push(trimmed);
+    }
+  }
+  function scanValue(key, value) {
+    if (typeof value === "string") {
+      const lower = key.toLowerCase();
+      if (URL_FIELDS.has(lower)) {
+        addUrl(value);
+        return;
+      }
+      if (/https?:\/\//i.test(value)) {
+        addUrl(value);
+        return;
+      }
+      if (/^[a-zA-Z0-9]([a-zA-Z0-9-]*\.)+[a-zA-Z]{2,}(\/.*)?$/.test(value)) {
+        addUrl(value);
+        return;
+      }
+    }
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        scanValue(key, item);
+      }
+    } else if (typeof value === "object" && value !== null) {
+      for (const [k, v] of Object.entries(value)) {
+        scanValue(k, v);
+      }
+    }
+  }
+  for (const [key, value] of Object.entries(args)) {
+    scanValue(key, value);
+  }
+  return urls;
+}
+function matchUrlPattern(url, pattern) {
+  if (pattern === "*") return true;
+  const normalizedUrl = url.trim().toLowerCase();
+  const normalizedPattern = pattern.trim().toLowerCase();
+  if (normalizedPattern === normalizedUrl) return true;
+  const startsWithStar = normalizedPattern.startsWith("*");
+  const endsWithStar = normalizedPattern.endsWith("*");
+  if (startsWithStar && endsWithStar) {
+    const infix = normalizedPattern.slice(1, -1);
+    return infix.length > 0 && normalizedUrl.includes(infix);
+  }
+  if (endsWithStar) {
+    const prefix = normalizedPattern.slice(0, -1);
+    return normalizedUrl.startsWith(prefix);
+  }
+  if (startsWithStar) {
+    const suffix = normalizedPattern.slice(1);
+    return normalizedUrl.endsWith(suffix);
+  }
+  return false;
+}
+function isUrlAllowed(url, constraints) {
+  if (constraints.denied && constraints.denied.length > 0) {
+    for (const pattern of constraints.denied) {
+      if (matchUrlPattern(url, pattern)) {
+        return false;
+      }
+    }
+  }
+  if (constraints.allowed && constraints.allowed.length > 0) {
+    let matchesAllowed = false;
+    for (const pattern of constraints.allowed) {
+      if (matchUrlPattern(url, pattern)) {
+        matchesAllowed = true;
+        break;
+      }
+    }
+    if (!matchesAllowed) return false;
+  }
+  return true;
+}
 function ruleMatchesRequest(rule, request) {
   if (!rule.enabled) return false;
   if (rule.permission !== request.requiredPermission) return false;
@@ -2725,6 +2776,22 @@ function ruleMatchesRequest(rule, request) {
       if (!satisfied) return false;
     }
   }
+  if (rule.filenameConstraints) {
+    const satisfied = filenameConstraintsMatch(rule.filenameConstraints, request.arguments);
+    if (rule.effect === "DENY") {
+      if (satisfied) return false;
+    } else {
+      if (!satisfied) return false;
+    }
+  }
+  if (rule.urlConstraints) {
+    const satisfied = urlConstraintsMatch(rule.urlConstraints, request.arguments);
+    if (rule.effect === "DENY") {
+      if (satisfied) return false;
+    } else {
+      if (!satisfied) return false;
+    }
+  }
   return true;
 }
 function toolPatternMatches(pattern, toolName) {
@@ -2815,6 +2882,16 @@ function commandConstraintsMatch(constraints, args) {
   if (commands.length === 0) return true;
   return commands.every((cmd) => isCommandAllowed(cmd, constraints));
 }
+function filenameConstraintsMatch(constraints, args) {
+  const filenames = extractFilenames(args);
+  if (filenames.length === 0) return true;
+  return filenames.every((name) => isFilenameAllowed(name, constraints));
+}
+function urlConstraintsMatch(constraints, args) {
+  const urls = extractUrlArguments(args);
+  if (urls.length === 0) return true;
+  return urls.every((url) => isUrlAllowed(url, constraints));
+}
 function evaluatePolicy(policySet, request) {
   const startTime = performance.now();
   const sortedRules = [...policySet.rules].sort(
@@ -3195,6 +3272,11 @@ function resolveConfig(userConfig) {
       "Token secret is shorter than 32 characters. Use a longer secret for production."
     );
   }
+  if (config.apiUrl && config.apiUrl.startsWith("http://") && !config.apiUrl.startsWith("http://localhost") && !config.apiUrl.startsWith("http://127.0.0.1")) {
+    warnings.push(
+      "API URL uses plaintext HTTP. API keys will be sent unencrypted. Use HTTPS in production."
+    );
+  }
   return { config, warnings };
 }
 async function interceptToolCall(params, upstreamCall, options) {
@@ -3700,6 +3782,12 @@ var SolonGate = class {
   async validateLicense() {
     if (this.licenseValidated) return;
     if (this.apiKey.startsWith("sg_test_")) {
+      const nodeEnv = typeof process !== "undefined" ? process.env.NODE_ENV : "";
+      if (nodeEnv === "production") {
+        throw new LicenseError(
+          "Test API keys (sg_test_) cannot be used in production. Use a sg_live_ key instead."
+        );
+      }
       this.licenseValidated = true;
       return;
     }
@@ -3866,6 +3954,361 @@ var SolonGate = class {
   }
 };
 
+// ../core/dist/index.js
+import { z as z2 } from "zod";
+var Permission2 = {
+  READ: "READ",
+  WRITE: "WRITE",
+  EXECUTE: "EXECUTE"
+};
+var PermissionSchema = z2.enum(["READ", "WRITE", "EXECUTE"]);
+var NO_PERMISSIONS = Object.freeze(
+  /* @__PURE__ */ new Set()
+);
+var READ_ONLY = Object.freeze(
+  /* @__PURE__ */ new Set([Permission2.READ])
+);
+var PolicyRuleSchema2 = z2.object({
+  id: z2.string().min(1).max(256),
+  description: z2.string().max(1024),
+  effect: z2.enum(["ALLOW", "DENY"]),
+  priority: z2.number().int().min(0).max(1e4).default(1e3),
+  toolPattern: z2.string().min(1).max(512),
+  permission: z2.enum(["READ", "WRITE", "EXECUTE"]).optional(),
+  minimumTrustLevel: z2.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
+  argumentConstraints: z2.record(z2.unknown()).optional(),
+  pathConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional(),
+    rootDirectory: z2.string().optional(),
+    allowSymlinks: z2.boolean().optional()
+  }).optional(),
+  commandConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
+  }).optional(),
+  filenameConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
+  }).optional(),
+  urlConstraints: z2.object({
+    allowed: z2.array(z2.string()).optional(),
+    denied: z2.array(z2.string()).optional()
+  }).optional(),
+  enabled: z2.boolean().default(true),
+  createdAt: z2.string().datetime(),
+  updatedAt: z2.string().datetime()
+});
+var PolicySetSchema2 = z2.object({
+  id: z2.string().min(1).max(256),
+  name: z2.string().min(1).max(256),
+  description: z2.string().max(2048),
+  version: z2.number().int().min(0),
+  rules: z2.array(PolicyRuleSchema2),
+  createdAt: z2.string().datetime(),
+  updatedAt: z2.string().datetime()
+});
+var SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1e3;
+var DEFAULT_INPUT_GUARD_CONFIG2 = Object.freeze({
+  pathTraversal: true,
+  shellInjection: true,
+  wildcardAbuse: true,
+  lengthLimit: 4096,
+  entropyLimit: true,
+  ssrf: true,
+  sqlInjection: true
+});
+var PATH_TRAVERSAL_PATTERNS = [
+  /\.\.\//,
+  // ../
+  /\.\.\\/,
+  // ..\
+  /%2e%2e/i,
+  // URL-encoded ..
+  /%2e\./i,
+  // partial URL-encoded
+  /\.%2e/i,
+  // partial URL-encoded
+  /%252e%252e/i,
+  // double URL-encoded
+  /\.\.\0/
+  // null byte variant
+];
+var SENSITIVE_PATHS = [
+  /\/etc\/passwd/i,
+  /\/etc\/shadow/i,
+  /\/proc\//i,
+  /\/dev\//i,
+  /c:\\windows\\system32/i,
+  /c:\\windows\\syswow64/i,
+  /\/root\//i,
+  /~\//,
+  /\.env(\.|$)/i,
+  // .env, .env.local, .env.production
+  /\.aws\/credentials/i,
+  // AWS credentials
+  /\.ssh\/id_/i,
+  // SSH keys
+  /\.kube\/config/i,
+  // Kubernetes config
+  /wp-config\.php/i,
+  // WordPress config
+  /\.git\/config/i,
+  // Git config
+  /\.npmrc/i,
+  // npm credentials
+  /\.pypirc/i
+  // PyPI credentials
+];
+function detectPathTraversal(value) {
+  for (const pattern of PATH_TRAVERSAL_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  for (const pattern of SENSITIVE_PATHS) {
+    if (pattern.test(value)) return true;
+  }
+  return false;
+}
+var SHELL_INJECTION_PATTERNS = [
+  /[;|&`]/,
+  // Command separators and backtick execution
+  /\$\(/,
+  // Command substitution $(...)
+  /\$\{/,
+  // Variable expansion ${...}
+  />\s*/,
+  // Output redirect
+  /<\s*/,
+  // Input redirect
+  /&&/,
+  // AND chaining
+  /\|\|/,
+  // OR chaining
+  /\beval\b/i,
+  // eval command
+  /\bexec\b/i,
+  // exec command
+  /\bsystem\b/i,
+  // system call
+  /%0a/i,
+  // URL-encoded newline
+  /%0d/i,
+  // URL-encoded carriage return
+  /%09/i,
+  // URL-encoded tab
+  /\r\n/,
+  // CRLF injection
+  /\n/
+  // Newline (command separator on Unix)
+];
+function detectShellInjection(value) {
+  for (const pattern of SHELL_INJECTION_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  return false;
+}
+var MAX_WILDCARDS_PER_VALUE = 3;
+function detectWildcardAbuse(value) {
+  if (value.includes("**")) return true;
+  const wildcardCount = (value.match(/\*/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;
+  return false;
+}
+var SSRF_PATTERNS = [
+  /^https?:\/\/localhost\b/i,
+  /^https?:\/\/127\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+  /^https?:\/\/0\.0\.0\.0/,
+  /^https?:\/\/\[::1\]/,
+  // IPv6 loopback
+  /^https?:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+  // 10.x.x.x
+  /^https?:\/\/172\.(1[6-9]|2\d|3[01])\./,
+  // 172.16-31.x.x
+  /^https?:\/\/192\.168\./,
+  // 192.168.x.x
+  /^https?:\/\/169\.254\./,
+  // Link-local / AWS metadata
+  /metadata\.google\.internal/i,
+  // GCP metadata
+  /^https?:\/\/metadata\b/i,
+  // Generic metadata endpoint
+  // IPv6 bypass patterns
+  /^https?:\/\/\[fe80:/i,
+  // IPv6 link-local
+  /^https?:\/\/\[fc00:/i,
+  // IPv6 unique local
+  /^https?:\/\/\[fd[0-9a-f]{2}:/i,
+  // IPv6 unique local (fd00::/8)
+  /^https?:\/\/\[::ffff:127\./i,
+  // IPv4-mapped IPv6 loopback
+  /^https?:\/\/\[::ffff:10\./i,
+  // IPv4-mapped IPv6 private
+  /^https?:\/\/\[::ffff:172\.(1[6-9]|2\d|3[01])\./i,
+  // IPv4-mapped IPv6 private
+  /^https?:\/\/\[::ffff:192\.168\./i,
+  // IPv4-mapped IPv6 private
+  /^https?:\/\/\[::ffff:169\.254\./i,
+  // IPv4-mapped IPv6 link-local
+  // Hex IP bypass (e.g., 0x7f000001 = 127.0.0.1)
+  /^https?:\/\/0x[0-9a-f]+\b/i,
+  // Octal IP bypass (e.g., 0177.0.0.1 = 127.0.0.1)
+  /^https?:\/\/0[0-7]{1,3}\./
+];
+function detectDecimalIP(value) {
+  const match = value.match(/^https?:\/\/(\d{8,10})(?:[:/]|$)/);
+  if (!match || !match[1]) return false;
+  const decimal = parseInt(match[1], 10);
+  if (isNaN(decimal) || decimal > 4294967295) return false;
+  return decimal >= 2130706432 && decimal <= 2147483647 || // 127.0.0.0/8
+  decimal >= 167772160 && decimal <= 184549375 || // 10.0.0.0/8
+  decimal >= 2886729728 && decimal <= 2887778303 || // 172.16.0.0/12
+  decimal >= 3232235520 && decimal <= 3232301055 || // 192.168.0.0/16
+  decimal >= 2851995648 && decimal <= 2852061183 || // 169.254.0.0/16
+  decimal === 0;
+}
+function detectSSRF(value) {
+  for (const pattern of SSRF_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  if (detectDecimalIP(value)) return true;
+  return false;
+}
+var SQL_INJECTION_PATTERNS = [
+  /'\s{0,20}(OR|AND)\s{0,20}'.{0,200}'/i,
+  // ' OR '1'='1 — bounded to prevent ReDoS
+  /'\s{0,10};\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
+  // '; DROP TABLE
+  /UNION\s+(ALL\s+)?SELECT/i,
+  // UNION SELECT
+  /--\s*$/m,
+  // SQL comment at end of line
+  /\/\*.{0,500}?\*\//,
+  // SQL block comment — bounded + non-greedy
+  /\bSLEEP\s*\(/i,
+  // Time-based injection
+  /\bBENCHMARK\s*\(/i,
+  // MySQL benchmark
+  /\bWAITFOR\s+DELAY/i,
+  // MSSQL delay
+  /\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b/i
+  // File operations
+];
+function detectSQLInjection(value) {
+  for (const pattern of SQL_INJECTION_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  return false;
+}
+function checkLengthLimits(value, maxLength = 4096) {
+  return value.length <= maxLength;
+}
+var ENTROPY_THRESHOLD = 4.5;
+var MIN_LENGTH_FOR_ENTROPY_CHECK = 32;
+function checkEntropyLimits(value) {
+  if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true;
+  const entropy = calculateShannonEntropy(value);
+  return entropy <= ENTROPY_THRESHOLD;
+}
+function calculateShannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const char of str) {
+    freq.set(char, (freq.get(char) ?? 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    if (p > 0) {
+      entropy -= p * Math.log2(p);
+    }
+  }
+  return entropy;
+}
+function sanitizeInput(field, value, config = DEFAULT_INPUT_GUARD_CONFIG2) {
+  const threats = [];
+  if (typeof value !== "string") {
+    if (typeof value === "object" && value !== null) {
+      return sanitizeObject(field, value, config);
+    }
+    return { safe: true, threats: [] };
+  }
+  if (config.pathTraversal && detectPathTraversal(value)) {
+    threats.push({
+      type: "PATH_TRAVERSAL",
+      field,
+      value: truncate(value, 100),
+      description: "Path traversal pattern detected"
+    });
+  }
+  if (config.shellInjection && detectShellInjection(value)) {
+    threats.push({
+      type: "SHELL_INJECTION",
+      field,
+      value: truncate(value, 100),
+      description: "Shell injection pattern detected"
+    });
+  }
+  if (config.wildcardAbuse && detectWildcardAbuse(value)) {
+    threats.push({
+      type: "WILDCARD_ABUSE",
+      field,
+      value: truncate(value, 100),
+      description: "Wildcard abuse pattern detected"
+    });
+  }
+  if (!checkLengthLimits(value, config.lengthLimit)) {
+    threats.push({
+      type: "LENGTH_EXCEEDED",
+      field,
+      value: `[${value.length} chars]`,
+      description: `Value exceeds maximum length of ${config.lengthLimit}`
+    });
+  }
+  if (config.entropyLimit && !checkEntropyLimits(value)) {
+    threats.push({
+      type: "HIGH_ENTROPY",
+      field,
+      value: truncate(value, 100),
+      description: "High entropy string detected - possible encoded payload"
+    });
+  }
+  if (config.ssrf && detectSSRF(value)) {
+    threats.push({
+      type: "SSRF",
+      field,
+      value: truncate(value, 100),
+      description: "Server-side request forgery pattern detected \u2014 internal/metadata URL blocked"
+    });
+  }
+  if (config.sqlInjection && detectSQLInjection(value)) {
+    threats.push({
+      type: "SQL_INJECTION",
+      field,
+      value: truncate(value, 100),
+      description: "SQL injection pattern detected"
+    });
+  }
+  return { safe: threats.length === 0, threats };
+}
+function sanitizeObject(basePath, obj, config) {
+  const threats = [];
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < obj.length; i++) {
+      const result = sanitizeInput(`${basePath}[${i}]`, obj[i], config);
+      threats.push(...result.threats);
+    }
+  } else {
+    for (const [key, val] of Object.entries(obj)) {
+      const result = sanitizeInput(`${basePath}.${key}`, val, config);
+      threats.push(...result.threats);
+    }
+  }
+  return { safe: threats.length === 0, threats };
+}
+function truncate(str, maxLen) {
+  return str.length > maxLen ? str.slice(0, maxLen) + "..." : str;
+}
+
 // src/proxy.ts
 init_config();
 
@@ -4131,7 +4574,12 @@ var SolonGateProxy = class {
     const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
     if (this.config.apiKey) {
       if (this.config.apiKey.startsWith("sg_test_")) {
-        log2("Using test API key \u2014 skipping online validation.");
+        const nodeEnv = process.env.NODE_ENV ?? "";
+        if (nodeEnv === "production") {
+          log2("ERROR: Test API keys (sg_test_) cannot be used in production. Use a sg_live_ key.");
+          process.exit(1);
+        }
+        log2("Using test API key \u2014 skipping online validation (non-production mode).");
       } else {
         log2(`Validating license with ${apiUrl}...`);
         try {
@@ -4332,7 +4780,26 @@ var SolonGateProxy = class {
     });
     this.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
       if (!this.client) throw new Error("Upstream client disconnected");
-      return await this.client.readResource({ uri: request.params.uri });
+      const uri = request.params.uri;
+      const uriCheck = sanitizeInput("resource.uri", uri);
+      if (!uriCheck.safe) {
+        const threats = uriCheck.threats.map((t) => `${t.type}: ${t.description}`).join("; ");
+        log2(`DENY resource read: ${uri} \u2014 ${threats}`);
+        throw new Error(`Resource URI blocked by security policy: ${threats}`);
+      }
+      if (/^file:\/\//i.test(uri)) {
+        const path = uri.replace(/^file:\/\/\/?/i, "/");
+        if (detectPathTraversal(path)) {
+          log2(`DENY resource read: ${uri} \u2014 path traversal in file URI`);
+          throw new Error("Resource URI blocked: path traversal detected");
+        }
+      }
+      if (/^https?:\/\//i.test(uri) && detectSSRF(uri)) {
+        log2(`DENY resource read: ${uri} \u2014 SSRF pattern`);
+        throw new Error("Resource URI blocked: internal/metadata URL not allowed");
+      }
+      log2(`Resource read: ${uri}`);
+      return await this.client.readResource({ uri });
     });
     this.server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {
       if (!this.client) return { resourceTemplates: [] };
@@ -4352,9 +4819,19 @@ var SolonGateProxy = class {
     });
     this.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
       if (!this.client) throw new Error("Upstream client disconnected");
+      const args = request.params.arguments;
+      if (args && typeof args === "object") {
+        const argsCheck = sanitizeInput("prompt.arguments", args);
+        if (!argsCheck.safe) {
+          const threats = argsCheck.threats.map((t) => `${t.type}: ${t.description}`).join("; ");
+          log2(`DENY prompt get: ${request.params.name} \u2014 ${threats}`);
+          throw new Error(`Prompt arguments blocked by security policy: ${threats}`);
+        }
+      }
+      log2(`Prompt get: ${request.params.name}`);
       return await this.client.getPrompt({
         name: request.params.name,
-        arguments: request.params.arguments
+        arguments: args
       });
     });
   }