@solongate/sdk 0.1.1

package/dist/index.js

@@ -0,0 +1,927 @@
+import { DEFAULT_INPUT_GUARD_CONFIG, UNSAFE_CONFIGURATION_WARNINGS, createSecurityContext, Permission, RateLimitError, createDeniedToolResult, sanitizeInput, SchemaValidationError, PolicyDeniedError, MIN_SECRET_LENGTH, DEFAULT_TOKEN_TTL_SECONDS, TOKEN_ALGORITHM, RATE_LIMIT_WINDOW_MS, RATE_LIMIT_MAX_ENTRIES, TrustLevel } from '@solongate/core';
+export { RateLimitError as CoreRateLimitError, InputGuardError, NetworkError, Permission, PolicyDeniedError, PolicyEffect, SchemaValidationError, SolonGateError, TrustLevel, checkEntropyLimits, checkLengthLimits, createDeniedToolResult, createSecurityContext, detectPathTraversal, detectSQLInjection, detectSSRF, detectShellInjection, detectWildcardAbuse, sanitizeInput, validateToolInput } from '@solongate/core';
+import { PolicyStore, PolicyEngine } from '@solongate/policy-engine';
+export { PolicyEngine, PolicyStore, createDefaultDenyPolicySet, createReadOnlyPolicySet } from '@solongate/policy-engine';
+import { randomUUID, createHmac } from 'crypto';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+
+// src/solongate.ts
+var DEFAULT_CONFIG = Object.freeze({
+  validateSchemas: true,
+  enableLogging: true,
+  logLevel: "info",
+  evaluationTimeoutMs: 100,
+  verboseErrors: false,
+  globalRateLimitPerMinute: 600,
+  rateLimitPerTool: 60,
+  tokenTtlSeconds: 30,
+  inputGuardConfig: DEFAULT_INPUT_GUARD_CONFIG,
+  enableVersionedPolicies: true
+});
+function resolveConfig(userConfig) {
+  const warnings = [];
+  const config = { ...DEFAULT_CONFIG, ...userConfig };
+  if (!config.validateSchemas) {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.DISABLED_VALIDATION);
+  }
+  if (config.globalRateLimitPerMinute === 0) {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.RATE_LIMIT_ZERO);
+  }
+  if (config.verboseErrors) {
+    warnings.push(
+      "Verbose errors enabled: internal error details will be sent to the LLM."
+    );
+  }
+  if (config.tokenSecret && config.tokenSecret.length < 32) {
+    warnings.push(
+      "Token secret is shorter than 32 characters. Use a longer secret for production."
+    );
+  }
+  return { config, warnings };
+}
+async function interceptToolCall(params, upstreamCall, options) {
+  const requestId = randomUUID();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const context = createSecurityContext({ requestId });
+  const request = {
+    context,
+    toolName: params.name,
+    serverName: "default",
+    arguments: params.arguments ?? {},
+    requiredPermission: Permission.EXECUTE,
+    timestamp
+  };
+  if (options.rateLimiter) {
+    if (options.rateLimitPerTool) {
+      const toolLimit = options.rateLimiter.checkLimit(
+        params.name,
+        options.rateLimitPerTool
+      );
+      if (!toolLimit.allowed) {
+        const result = {
+          status: "ERROR",
+          request,
+          error: new RateLimitError(params.name, options.rateLimitPerTool),
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        options.onDecision?.(result);
+        return createDeniedToolResult(
+          `Rate limit exceeded for tool "${params.name}"`
+        );
+      }
+    }
+    if (options.globalRateLimitPerMinute) {
+      const globalLimit = options.rateLimiter.checkGlobalLimit(
+        options.globalRateLimitPerMinute
+      );
+      if (!globalLimit.allowed) {
+        const result = {
+          status: "ERROR",
+          request,
+          error: new RateLimitError("*", options.globalRateLimitPerMinute),
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        options.onDecision?.(result);
+        return createDeniedToolResult("Global rate limit exceeded");
+      }
+    }
+  }
+  if (options.validateSchemas && params.arguments) {
+    const guardConfig = options.inputGuardConfig ?? DEFAULT_INPUT_GUARD_CONFIG;
+    const sanitization = sanitizeInput("arguments", params.arguments, guardConfig);
+    if (!sanitization.safe) {
+      const threatDescriptions = sanitization.threats.map(
+        (t) => `${t.type}: ${t.description} (field: ${t.field})`
+      );
+      const result = {
+        status: "ERROR",
+        request,
+        error: new SchemaValidationError(params.name, threatDescriptions),
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      options.onDecision?.(result);
+      const reason = options.verboseErrors ? `Input validation failed: ${sanitization.threats.length} threat(s) detected` : "Input validation failed.";
+      return createDeniedToolResult(reason);
+    }
+  }
+  const decision = options.policyEngine.evaluate(request);
+  if (decision.effect === "DENY") {
+    const result = {
+      status: "DENIED",
+      request,
+      decision,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    const reason = options.verboseErrors ? decision.reason : "Tool execution denied by security policy.";
+    return createDeniedToolResult(reason);
+  }
+  let capabilityToken;
+  if (options.tokenIssuer) {
+    capabilityToken = options.tokenIssuer.issue(
+      requestId,
+      [Permission.EXECUTE],
+      [params.name]
+    );
+  }
+  if (options.serverVerifier && capabilityToken) {
+    options.serverVerifier.createSignedRequest(params, capabilityToken);
+  }
+  try {
+    const startTime = performance.now();
+    const toolResult = await upstreamCall(params);
+    const durationMs = performance.now() - startTime;
+    if (options.rateLimiter) {
+      options.rateLimiter.recordCall(params.name);
+    }
+    const result = {
+      status: "ALLOWED",
+      request,
+      decision,
+      toolResult,
+      durationMs,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    return toolResult;
+  } catch (error) {
+    const result = {
+      status: "ERROR",
+      request,
+      error: error instanceof Error ? new PolicyDeniedError(params.name, error.message) : new PolicyDeniedError(params.name, "Unknown upstream error"),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    throw error;
+  }
+}
+
+// src/logger.ts
+var LOG_LEVEL_ORDER = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var SecurityLogger = class {
+  minLevel;
+  enabled;
+  constructor(options) {
+    this.minLevel = options.level;
+    this.enabled = options.enabled;
+  }
+  logDecision(result) {
+    if (!this.enabled) return;
+    const entry = {
+      type: "security_decision",
+      status: result.status,
+      toolName: result.request.toolName,
+      permission: result.request.requiredPermission,
+      trustLevel: result.request.context.trustLevel,
+      requestId: result.request.context.requestId,
+      timestamp: result.timestamp,
+      ...result.status === "ALLOWED" && { durationMs: result.durationMs },
+      ...result.status === "DENIED" && { reason: result.decision.reason },
+      ...result.status === "ERROR" && { error: result.error.code }
+    };
+    if (result.status === "DENIED" || result.status === "ERROR") {
+      this.log("warn", entry);
+    } else {
+      this.log("info", entry);
+    }
+  }
+  log(level, data) {
+    if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[this.minLevel]) return;
+    const output = JSON.stringify({ level, ...data });
+    switch (level) {
+      case "error":
+        console.error(`[SolonGate] ${output}`);
+        break;
+      case "warn":
+        console.warn(`[SolonGate] ${output}`);
+        break;
+      case "debug":
+        console.debug(`[SolonGate] ${output}`);
+        break;
+      default:
+        console.info(`[SolonGate] ${output}`);
+    }
+  }
+};
+var TokenIssuer = class {
+  secret;
+  ttlSeconds;
+  issuer;
+  usedNonces = /* @__PURE__ */ new Set();
+  revokedTokens = /* @__PURE__ */ new Set();
+  constructor(config) {
+    if (config.secret.length < MIN_SECRET_LENGTH) {
+      throw new Error(
+        `Token secret must be at least ${MIN_SECRET_LENGTH} characters`
+      );
+    }
+    this.secret = config.secret;
+    this.ttlSeconds = config.ttlSeconds || DEFAULT_TOKEN_TTL_SECONDS;
+    this.issuer = config.issuer;
+  }
+  /**
+   * Issues a signed capability token.
+   */
+  issue(requestId, permissions, toolScope, serverScope = ["*"], pathScope) {
+    const now = Math.floor(Date.now() / 1e3);
+    const jti = randomUUID();
+    const payload = {
+      jti,
+      iss: this.issuer,
+      sub: requestId,
+      iat: now,
+      exp: now + this.ttlSeconds,
+      permissions: [...permissions],
+      toolScope: [...toolScope],
+      serverScope: [...serverScope],
+      ...pathScope && { pathScope: [...pathScope] }
+    };
+    return this.sign(payload);
+  }
+  /**
+   * Verifies a capability token and consumes the nonce (single-use).
+   */
+  verify(token) {
+    const parsed = this.parseAndVerify(token);
+    if (!parsed.valid || !parsed.payload) {
+      return parsed;
+    }
+    const payload = parsed.payload;
+    const now = Math.floor(Date.now() / 1e3);
+    if (payload.exp <= now) {
+      return { valid: false, reason: "Token expired" };
+    }
+    if (this.revokedTokens.has(payload.jti)) {
+      return { valid: false, reason: "Token has been revoked" };
+    }
+    if (this.usedNonces.has(payload.jti)) {
+      return { valid: false, reason: "Token already used (replay detected)" };
+    }
+    this.usedNonces.add(payload.jti);
+    return { valid: true, payload };
+  }
+  /**
+   * Revokes a token by its ID.
+   */
+  revoke(jti) {
+    this.revokedTokens.add(jti);
+  }
+  /**
+   * Checks if a token ID has been revoked.
+   */
+  isRevoked(jti) {
+    return this.revokedTokens.has(jti);
+  }
+  // --- Internal helpers ---
+  sign(payload) {
+    const header = base64UrlEncode(JSON.stringify({ alg: TOKEN_ALGORITHM, typ: "JWT" }));
+    const body = base64UrlEncode(JSON.stringify(payload));
+    const signature = this.computeSignature(`${header}.${body}`);
+    return `${header}.${body}.${signature}`;
+  }
+  parseAndVerify(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return { valid: false, reason: "Invalid token format" };
+    }
+    const [header, body, signature] = parts;
+    const expectedSignature = this.computeSignature(`${header}.${body}`);
+    if (signature !== expectedSignature) {
+      return { valid: false, reason: "Invalid token signature" };
+    }
+    try {
+      const payload = JSON.parse(base64UrlDecode(body));
+      return { valid: true, payload };
+    } catch {
+      return { valid: false, reason: "Invalid token payload" };
+    }
+  }
+  computeSignature(data) {
+    return base64UrlEncode(
+      createHmac("sha256", this.secret).update(data).digest("base64")
+    );
+  }
+};
+function base64UrlEncode(str) {
+  return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+  const padded = str + "=".repeat((4 - str.length % 4) % 4);
+  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();
+}
+var ServerVerifier = class {
+  gatewaySecret;
+  maxAgeMs;
+  usedNonces = /* @__PURE__ */ new Set();
+  constructor(config) {
+    if (config.gatewaySecret.length < 32) {
+      throw new Error("Gateway secret must be at least 32 characters");
+    }
+    this.gatewaySecret = config.gatewaySecret;
+    this.maxAgeMs = config.maxAgeMs ?? 6e4;
+  }
+  /**
+   * Computes HMAC signature for request data.
+   */
+  signRequest(params, capabilityToken) {
+    const data = JSON.stringify({ params, capabilityToken });
+    return createHmac("sha256", this.gatewaySecret).update(data).digest("hex");
+  }
+  /**
+   * Verifies the HMAC signature of request data.
+   */
+  verifySignature(params, capabilityToken, signature) {
+    const expected = this.signRequest(params, capabilityToken);
+    if (expected.length !== signature.length) return false;
+    let result = 0;
+    for (let i = 0; i < expected.length; i++) {
+      result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
+    }
+    return result === 0;
+  }
+  /**
+   * Creates a complete signed request including timestamp and nonce.
+   */
+  createSignedRequest(params, capabilityToken) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const nonce = randomUUID();
+    const signature = this.signRequest(params, capabilityToken);
+    return {
+      params,
+      capabilityToken,
+      signature,
+      timestamp,
+      nonce
+    };
+  }
+  /**
+   * Validates a complete signed request including timestamp, nonce, and signature.
+   */
+  validateSignedRequest(request) {
+    const requestTime = new Date(request.timestamp).getTime();
+    const now = Date.now();
+    if (isNaN(requestTime)) {
+      return { valid: false, reason: "Invalid timestamp" };
+    }
+    if (now - requestTime > this.maxAgeMs) {
+      return { valid: false, reason: "Request too old" };
+    }
+    if (requestTime > now + 3e4) {
+      return { valid: false, reason: "Request timestamp in the future" };
+    }
+    if (this.usedNonces.has(request.nonce)) {
+      return { valid: false, reason: "Duplicate nonce (replay detected)" };
+    }
+    if (!this.verifySignature(request.params, request.capabilityToken, request.signature)) {
+      return { valid: false, reason: "Invalid signature" };
+    }
+    this.usedNonces.add(request.nonce);
+    return { valid: true };
+  }
+};
+var RateLimiter = class {
+  windowMs;
+  records = /* @__PURE__ */ new Map();
+  globalRecords = [];
+  constructor(options) {
+    this.windowMs = options?.windowMs ?? RATE_LIMIT_WINDOW_MS;
+  }
+  /**
+   * Checks if a tool call is within the rate limit.
+   * Does NOT record the call - use recordCall() after successful execution.
+   */
+  checkLimit(toolName, limitPerWindow) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    const records = this.getActiveRecords(toolName, windowStart);
+    const count = records.length;
+    const allowed = count < limitPerWindow;
+    const remaining = Math.max(0, limitPerWindow - count);
+    const resetAt = records.length > 0 ? records[0].timestamp + this.windowMs : now + this.windowMs;
+    return { allowed, remaining, resetAt };
+  }
+  /**
+   * Checks the global rate limit across all tools.
+   */
+  checkGlobalLimit(limitPerWindow) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    this.globalRecords = this.globalRecords.filter(
+      (r) => r.timestamp > windowStart
+    );
+    const count = this.globalRecords.length;
+    const allowed = count < limitPerWindow;
+    const remaining = Math.max(0, limitPerWindow - count);
+    const resetAt = this.globalRecords.length > 0 ? this.globalRecords[0].timestamp + this.windowMs : now + this.windowMs;
+    return { allowed, remaining, resetAt };
+  }
+  /**
+   * Atomically checks and records a tool call.
+   * Prevents TOCTOU race conditions between check and record.
+   * Returns the rate limit result; if allowed, the call is already recorded.
+   */
+  checkAndRecord(toolName, limitPerWindow, globalLimit) {
+    const result = this.checkLimit(toolName, limitPerWindow);
+    if (!result.allowed) {
+      return result;
+    }
+    if (globalLimit !== void 0) {
+      const globalResult = this.checkGlobalLimit(globalLimit);
+      if (!globalResult.allowed) {
+        return globalResult;
+      }
+    }
+    this.recordCall(toolName);
+    return result;
+  }
+  /**
+   * Records a tool call for rate limiting.
+   * Call this after successful execution.
+   */
+  recordCall(toolName) {
+    const now = Date.now();
+    const record = { timestamp: now };
+    const records = this.records.get(toolName) ?? [];
+    records.push(record);
+    if (records.length > RATE_LIMIT_MAX_ENTRIES) {
+      const windowStart = now - this.windowMs;
+      const cleaned = records.filter((r) => r.timestamp > windowStart);
+      this.records.set(toolName, cleaned);
+    } else {
+      this.records.set(toolName, records);
+    }
+    this.globalRecords.push(record);
+    if (this.globalRecords.length > RATE_LIMIT_MAX_ENTRIES) {
+      const windowStart = now - this.windowMs;
+      this.globalRecords = this.globalRecords.filter(
+        (r) => r.timestamp > windowStart
+      );
+    }
+  }
+  /**
+   * Gets usage stats for a tool.
+   */
+  getUsage(toolName) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    const records = this.getActiveRecords(toolName, windowStart);
+    return { count: records.length, windowStart };
+  }
+  /**
+   * Resets rate tracking for a specific tool.
+   */
+  resetTool(toolName) {
+    this.records.delete(toolName);
+  }
+  /**
+   * Resets all rate tracking.
+   */
+  resetAll() {
+    this.records.clear();
+    this.globalRecords = [];
+  }
+  getActiveRecords(toolName, windowStart) {
+    const records = this.records.get(toolName) ?? [];
+    const active = records.filter((r) => r.timestamp > windowStart);
+    if (active.length !== records.length) {
+      this.records.set(toolName, active);
+    }
+    return active;
+  }
+};
+
+// src/solongate.ts
+var LicenseError = class extends Error {
+  constructor(message) {
+    super(
+      `${message}
+  Get your API key at https://solongate.com
+  Usage: new SolonGate({ name: '...', apiKey: 'sg_live_xxx' })`
+    );
+    this.name = "LicenseError";
+  }
+};
+var SolonGate = class {
+  policyEngine;
+  config;
+  logger;
+  configWarnings;
+  tokenIssuer;
+  serverVerifier;
+  rateLimiter;
+  apiKey;
+  licenseValidated = false;
+  constructor(options) {
+    const apiKey = options.apiKey || process.env.SOLONGATE_API_KEY || "";
+    if (!apiKey) {
+      throw new LicenseError("A valid SolonGate API key is required.");
+    }
+    if (!apiKey.startsWith("sg_live_") && !apiKey.startsWith("sg_test_")) {
+      throw new LicenseError(
+        "Invalid API key format. Keys must start with 'sg_live_' or 'sg_test_'."
+      );
+    }
+    this.apiKey = apiKey;
+    const { config, warnings } = resolveConfig(options.config);
+    this.config = config;
+    this.configWarnings = warnings;
+    this.logger = new SecurityLogger({
+      level: config.logLevel,
+      enabled: config.enableLogging
+    });
+    for (const warning of warnings) {
+      console.warn(`[SolonGate] WARNING: ${warning}`);
+    }
+    const store = config.enableVersionedPolicies ? new PolicyStore() : void 0;
+    this.policyEngine = new PolicyEngine({
+      policySet: options.policySet ?? config.policySet,
+      timeoutMs: config.evaluationTimeoutMs,
+      store
+    });
+    this.tokenIssuer = config.tokenSecret ? new TokenIssuer({
+      secret: config.tokenSecret,
+      ttlSeconds: config.tokenTtlSeconds,
+      algorithm: TOKEN_ALGORITHM,
+      issuer: config.tokenIssuer ?? options.name
+    }) : null;
+    this.serverVerifier = config.gatewaySecret ? new ServerVerifier({ gatewaySecret: config.gatewaySecret }) : null;
+    this.rateLimiter = new RateLimiter();
+  }
+  /**
+   * Validate the API key against the SolonGate cloud API.
+   * Called once on first executeToolCall. Throws LicenseError if invalid.
+   * Test keys (sg_test_) skip online validation.
+   */
+  async validateLicense() {
+    if (this.licenseValidated) return;
+    if (this.apiKey.startsWith("sg_test_")) {
+      this.licenseValidated = true;
+      return;
+    }
+    const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+    try {
+      const res = await fetch(`${apiUrl}/api/v1/auth/me`, {
+        headers: {
+          "X-API-Key": this.apiKey,
+          "Authorization": `Bearer ${this.apiKey}`
+        },
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.status === 401) {
+        throw new LicenseError("Invalid or expired API key.");
+      }
+      if (res.status === 403) {
+        throw new LicenseError("Your subscription is inactive. Renew at https://solongate.com");
+      }
+      this.licenseValidated = true;
+    } catch (err) {
+      if (err instanceof LicenseError) throw err;
+      throw new LicenseError(
+        "Unable to reach SolonGate license server. Check your internet connection."
+      );
+    }
+  }
+  /**
+   * Intercept and evaluate a tool call against the full security pipeline.
+   * If denied at any stage, returns an error result without calling upstream.
+   * If allowed, calls upstream and returns the result.
+   */
+  async executeToolCall(params, upstreamCall) {
+    await this.validateLicense();
+    return interceptToolCall(params, upstreamCall, {
+      policyEngine: this.policyEngine,
+      validateSchemas: this.config.validateSchemas,
+      verboseErrors: this.config.verboseErrors,
+      onDecision: (result) => this.logger.logDecision(result),
+      tokenIssuer: this.tokenIssuer ?? void 0,
+      serverVerifier: this.serverVerifier ?? void 0,
+      rateLimiter: this.rateLimiter,
+      inputGuardConfig: this.config.inputGuardConfig,
+      rateLimitPerTool: this.config.rateLimitPerTool,
+      globalRateLimitPerMinute: this.config.globalRateLimitPerMinute
+    });
+  }
+  /** Load a new policy set at runtime. */
+  loadPolicy(policySet, options) {
+    return this.policyEngine.loadPolicySet(policySet, options);
+  }
+  /** Get current security warnings. */
+  getWarnings() {
+    return [
+      ...this.configWarnings,
+      ...this.policyEngine.getSecurityWarnings().map((w) => `[${w.level}] ${w.message}`)
+    ];
+  }
+  /** Get the policy engine for direct access. */
+  getPolicyEngine() {
+    return this.policyEngine;
+  }
+  /** Get the rate limiter for direct access. */
+  getRateLimiter() {
+    return this.rateLimiter;
+  }
+  /** Get the token issuer (null if not configured). */
+  getTokenIssuer() {
+    return this.tokenIssuer;
+  }
+};
+var SecureMcpServer = class extends McpServer {
+  gate;
+  /**
+   * Create a secure MCP server.
+   *
+   * @param serverInfo - MCP server info (name, version)
+   * @param solongateOptions - SolonGate security options
+   * @param mcpOptions - Standard McpServer options (capabilities, etc.)
+   */
+  constructor(serverInfo, solongateOptions, mcpOptions) {
+    super(serverInfo, mcpOptions);
+    this.gate = new SolonGate({
+      name: serverInfo.name,
+      version: serverInfo.version,
+      apiKey: solongateOptions?.apiKey,
+      policySet: solongateOptions?.policySet,
+      config: solongateOptions?.config
+    });
+    const warnings = this.gate.getWarnings();
+    for (const w of warnings) {
+      console.warn(`[SolonGate] ${w}`);
+    }
+  }
+  /**
+   * Override tool() to auto-wrap handlers with SolonGate security pipeline.
+   *
+   * Supports all McpServer.tool() overloads — the handler (always the last
+   * argument) is transparently wrapped. Tool name, description, schema, and
+   * annotations pass through unchanged.
+   */
+  tool(name, ...rest) {
+    const handler = rest[rest.length - 1];
+    if (typeof handler !== "function") {
+      return super.tool.call(this, name, ...rest);
+    }
+    const toolName = name;
+    const gate = this.gate;
+    rest[rest.length - 1] = async (...callArgs) => {
+      const toolArgs = callArgs.length > 1 && typeof callArgs[0] === "object" && callArgs[0] !== null ? callArgs[0] : {};
+      const result = await gate.executeToolCall(
+        { name: toolName, arguments: toolArgs },
+        async () => handler(...callArgs)
+      );
+      return { ...result, content: [...result.content] };
+    };
+    return super.tool.call(this, name, ...rest);
+  }
+  /**
+   * Override registerTool() to auto-wrap handlers with SolonGate security pipeline.
+   *
+   * This is the modern (non-deprecated) API for registering tools.
+   */
+  registerTool(name, config, cb) {
+    if (typeof cb !== "function") {
+      return super.registerTool.call(this, name, config, cb);
+    }
+    const toolName = name;
+    const gate = this.gate;
+    const wrappedCb = async (...callArgs) => {
+      const toolArgs = callArgs.length > 1 && typeof callArgs[0] === "object" && callArgs[0] !== null ? callArgs[0] : {};
+      const result = await gate.executeToolCall(
+        { name: toolName, arguments: toolArgs },
+        async () => cb(...callArgs)
+      );
+      return { ...result, content: [...result.content] };
+    };
+    return super.registerTool.call(this, name, config, wrappedCb);
+  }
+  /** Get the underlying SolonGate instance for direct access. */
+  getSolonGate() {
+    return this.gate;
+  }
+};
+var DEFAULT_API_URL = "https://api.solongate.com";
+var API_VERSION = "v1";
+var SDK_VERSION = "0.2.0";
+var APIError = class extends Error {
+  constructor(message, statusCode, requestId, code = "API_ERROR") {
+    super(message);
+    this.statusCode = statusCode;
+    this.requestId = requestId;
+    this.code = code;
+    this.name = "APIError";
+  }
+};
+var AuthenticationError = class extends APIError {
+  constructor(message = "Invalid API key") {
+    super(message, 401, void 0, "AUTHENTICATION_ERROR");
+    this.name = "AuthenticationError";
+  }
+};
+var RateLimitError2 = class extends APIError {
+  constructor(message, retryAfter) {
+    super(message, 429, void 0, "RATE_LIMIT_ERROR");
+    this.retryAfter = retryAfter;
+    this.name = "RateLimitError";
+  }
+};
+var PoliciesResource = class {
+  constructor(client) {
+    this.client = client;
+  }
+  async get(policyId = "default", version) {
+    const params = version ? `?version=${version}` : "";
+    return this.client.request("GET", `/policies/${policyId}${params}`);
+  }
+  async list() {
+    return this.client.request("GET", "/policies");
+  }
+  async create(policy) {
+    return this.client.request("POST", "/policies", policy);
+  }
+  async update(policyId, policy) {
+    return this.client.request("PUT", `/policies/${policyId}`, policy);
+  }
+};
+var TokensResource = class {
+  constructor(client) {
+    this.client = client;
+  }
+  async create(tool, scope, ttlSeconds = 30) {
+    const response = await this.client.request("POST", "/tokens", {
+      tool,
+      scope: scope || `EXECUTE:${tool}`,
+      ttl_seconds: ttlSeconds
+    });
+    return {
+      token: response.token,
+      tool: response.tool,
+      scope: response.scope,
+      expiresAt: response.expires_at,
+      nonce: response.nonce
+    };
+  }
+  async verify(token) {
+    return this.client.request("POST", "/tokens/verify", { token });
+  }
+};
+var ToolsResource = class {
+  constructor(client) {
+    this.client = client;
+  }
+  async list() {
+    return this.client.request("GET", "/tools");
+  }
+  async get(name) {
+    return this.client.request("GET", `/tools/${name}`);
+  }
+  async register(name, description, inputSchema, permissions = ["READ"]) {
+    return this.client.request("POST", "/tools", {
+      name,
+      description,
+      input_schema: inputSchema,
+      permissions
+    });
+  }
+  async update(name, data) {
+    return this.client.request("PUT", `/tools/${name}`, data);
+  }
+  async delete(name) {
+    return this.client.request("DELETE", `/tools/${name}`);
+  }
+};
+var SolonGateAPI = class {
+  apiKey;
+  apiUrl;
+  timeout;
+  maxRetries;
+  policies;
+  tokens;
+  tools;
+  constructor(config) {
+    if (typeof config === "string") {
+      config = { apiKey: config };
+    }
+    this.apiKey = config.apiKey || (typeof process !== "undefined" ? process.env.SOLONGATE_API_KEY : "") || "";
+    if (!this.apiKey) {
+      throw new AuthenticationError(
+        "API key is required. Provide apiKey in config or set SOLONGATE_API_KEY environment variable."
+      );
+    }
+    if (!this.apiKey.startsWith("sg_live_") && !this.apiKey.startsWith("sg_test_")) {
+      throw new AuthenticationError(
+        "Invalid API key format. Keys should start with 'sg_live_' or 'sg_test_'"
+      );
+    }
+    this.apiUrl = config.apiUrl || DEFAULT_API_URL;
+    this.timeout = config.timeout || 3e4;
+    this.maxRetries = config.maxRetries || 3;
+    this.policies = new PoliciesResource(this);
+    this.tokens = new TokensResource(this);
+    this.tools = new ToolsResource(this);
+  }
+  /**
+   * Make an API request.
+   * @internal
+   */
+  async request(method, path, body) {
+    const url = `${this.apiUrl}/api/${API_VERSION}${path}`;
+    let lastError;
+    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(url, {
+          method,
+          headers: {
+            "X-API-Key": this.apiKey,
+            "Authorization": `Bearer ${this.apiKey}`,
+            "Content-Type": "application/json",
+            "User-Agent": `solongate-js/${SDK_VERSION}`
+          },
+          body: body ? JSON.stringify(body) : void 0,
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (response.status === 429) {
+          const retryAfter = parseInt(response.headers.get("Retry-After") || "1");
+          await new Promise((resolve) => setTimeout(resolve, retryAfter * 1e3));
+          continue;
+        }
+        if (response.status === 401) {
+          throw new AuthenticationError("Invalid API key");
+        }
+        if (!response.ok) {
+          const errorData = await response.json().catch(() => ({}));
+          throw new APIError(
+            errorData.error?.message || "Unknown error",
+            response.status,
+            response.headers.get("X-Request-Id") || void 0
+          );
+        }
+        return await response.json();
+      } catch (error) {
+        if (error instanceof APIError || error instanceof AuthenticationError) {
+          throw error;
+        }
+        lastError = error;
+      }
+    }
+    throw new APIError(lastError?.message || "Request failed");
+  }
+  /**
+   * Validate a tool call against policies.
+   *
+   * @example
+   * ```typescript
+   * const result = await api.validate('file.read', { path: '/home/user/doc.txt' });
+   * if (result.allowed) {
+   *   // Proceed with the tool call
+   * }
+   * ```
+   */
+  async validate(tool, args, options = {}) {
+    const startTime = performance.now();
+    const response = await this.request("POST", "/validate", {
+      tool,
+      arguments: args,
+      trust_level: options.trustLevel || TrustLevel.VERIFIED,
+      include_token: options.includeToken !== false
+    });
+    const latencyMs = performance.now() - startTime;
+    return {
+      allowed: response.allowed,
+      tool,
+      decision: response.decision ? {
+        effect: response.decision.effect,
+        matchedRule: response.decision.matched_rule,
+        reason: response.decision.reason,
+        timestamp: response.decision.evaluated_at,
+        evaluationTimeMs: 0
+      } : void 0,
+      token: response.token,
+      tokenExpiresAt: response.token_expires_at,
+      requestId: response.request_id,
+      latencyMs
+    };
+  }
+  /**
+   * Check if using live (production) API key.
+   */
+  isLiveMode() {
+    return this.apiKey.startsWith("sg_live_");
+  }
+  /**
+   * Check if using test (development) API key.
+   */
+  isTestMode() {
+    return this.apiKey.startsWith("sg_test_");
+  }
+};
+
+export { APIError, AuthenticationError, DEFAULT_CONFIG, LicenseError, RateLimitError2 as RateLimitError, RateLimiter, SecureMcpServer, SecurityLogger, ServerVerifier, SolonGate, SolonGateAPI, TokenIssuer, interceptToolCall, resolveConfig };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map