@tuent/sentinel 0.1.3 → 0.1.5

package/dist/{Sentinel-BVoMEF3F.d.ts → Sentinel-CJJ4iYDh.d.ts}

@@ -16,6 +16,7 @@ interface SkillNode {
     core?: boolean;
     sharable?: boolean;
     files?: string[];
+    eventCount?: number;
 }
 
 interface DataPoint {
@@ -29,6 +30,7 @@ interface DataPoint {
     files?: string[];
     sharable?: boolean;
     core?: boolean;
+    eventCount?: number;
 }
 
 interface StoredProfile {
@@ -89,16 +91,41 @@ declare class ProfileStore {
     private petalCount;
     private engine;
     private profile;
+    /** Snapshot (label → serialized point) of the on-disk-synced dataPoint set,
+     *  refreshed on every load/create/write. The base for save()'s three-way merge
+     *  of concurrent external writes — lets us tell "I deleted this" (in baseline,
+     *  gone from memory) from "another writer added this" (on disk, not in baseline). */
+    private baseline;
     constructor(options: {
         backend: StorageBackend;
         eventBus?: EventBus;
         petalCount?: number;
     });
     load(): Promise<StoredProfile | null>;
+    /** Snapshot the on-disk-synced dataPoint set for save()'s three-way merge. */
+    private captureBaseline;
     create(name: string): Promise<StoredProfile>;
     addPoint(point: DataPoint): Promise<void>;
     addPoints(points: DataPoint[]): void;
     save(): Promise<void>;
+    /**
+     * Three-way merge of a concurrent external write into the in-memory profile,
+     * invoked by save() when the backend reports the file changed since we last
+     * synced. Writers in this app are single-user but multi-process (agent scanner,
+     * diary watcher, dev server, CLI), so concurrent writes are real but rare.
+     *
+     * Model (base = the dataPoint set at our last load/write, see `baseline`):
+     *   - a point present in memory → kept as-is (the SAVING process's adds/edits
+     *     win on a same-point conflict — save() is an explicit "persist my state");
+     *   - a disk point whose label is NEW since baseline → another writer's
+     *     addition → preserved;
+     *   - a point we dropped (in baseline, absent from memory) → our deletion is
+     *     honored, UNLESS the other writer modified it (then their version is kept
+     *     so a concurrent edit is never silently lost).
+     * Net: nothing vanishes except a same-point simultaneous edit, resolved
+     * last-writer (this save) — a deliberate, documented tie-break.
+     */
+    private mergeExternalChanges;
     build(): SkillNode[];
     getProfile(): StoredProfile | null;
 }
@@ -264,8 +291,16 @@ interface SecurityFinding {
      * its dominant real-world cause is a recognized-tool set gone stale after a
      * Claude Code update, not agent misbehavior — counting it would turn every
      * cc update into a restriction ratchet.
-     */
-    type: "scope_violation" | "temporal_anomaly" | "access_pattern" | "volume_spike" | "unauthorized_target" | "role_violation" | "behavioral_absence" | "agent_quarantined" | "agent_restricted" | "intent_drift" | "hook_block" | "bash_analysis" | "workspace_mismatch" | "unknown_tool";
+     *
+     * `enforcement_error` is likewise non-eligible: it records that Sentinel's
+     * OWN enforcement machinery threw an internal error while screening a call
+     * (so the call was decided by posture, not by policy). The cause is a
+     * Sentinel bug or broken config, not agent misbehavior — counting it would
+     * compound a Sentinel-internal failure into an agent lockout. It is HIGH +
+     * actionable so it alerts and demands operator attention, but it never
+     * moves the escalation ladder.
+     */
+    type: "scope_violation" | "temporal_anomaly" | "access_pattern" | "volume_spike" | "unauthorized_target" | "role_violation" | "behavioral_absence" | "agent_quarantined" | "agent_restricted" | "intent_drift" | "hook_block" | "bash_analysis" | "workspace_mismatch" | "unknown_tool" | "enforcement_error";
     agentId: string;
     agentName: string;
     description: string;
@@ -380,7 +415,6 @@ interface SentinelConfig {
         mcpLogDir?: string;
         webhookPort?: number;
         webhookApiKey?: string;
-        roleDefinitionPath?: string;
         readExisting?: boolean;
     }[];
     alerts?: {
@@ -400,9 +434,6 @@ interface SentinelConfig {
             minKind?: "informational" | "actionable";
         }[];
     };
-    alertWebhook?: string;
-    baselineWindowDays?: number;
-    checkIntervalMs?: number;
 }
 /** A declared task/intent for an agent. */
 interface TaskIntent {
@@ -447,13 +478,18 @@ interface IntentAlignmentResult {
     bypassed?: boolean;
     bypassReason?: string | null;
 }
-/** Configuration for intent alignment scoring. */
+/**
+ * Configuration for intent alignment scoring.
+ *
+ * NOTE: the keywordBoost / acceptableActionBoost / baseScore /
+ * missingTaskScore knobs were removed — they were defined, defaulted, and
+ * typed but never read by any scoring path (vestiges of a pre-weighted
+ * scoring model superseded by SimilarityEngine.keywordSimilarity). They
+ * promised tunability that did not exist; the live weights are fixed in
+ * SimilarityEngine. defaultTtlMs is the only consumed numeric knob.
+ */
 interface IntentAlignmentConfig {
     defaultTtlMs: number;
-    keywordBoost: number;
-    acceptableActionBoost: number;
-    baseScore: number;
-    missingTaskScore: number;
     disableDefaultAcceptable?: boolean;
     denyAcceptable?: string[];
     similarityThreshold?: number;
@@ -864,6 +900,20 @@ declare class AuditTrail {
      * the file when an external append actually happened.
      */
     private reanchorFromDiskTail;
+    /**
+     * Scan the on-disk log backward for the last entry carrying a valid (64-hex)
+     * hash, SKIPPING torn/corrupt trailing lines, and return that hash (or null
+     * when no parseable hashed entry exists).
+     *
+     * Shared by open() (chain resume) and reanchorFromDiskTail() (live
+     * re-anchor). The earlier inline versions inspected only the LAST non-empty
+     * line and broke: a torn tail line (a partial write) left the head at genesis
+     * (open) or stale (reanchor), so the next append forked a fresh chain from
+     * genesis — destroying all prior linkage. Walking back leaves the torn line
+     * as a single localized gap that verify() still flags, while the chain head
+     * stays anchored to the last good entry.
+     */
+    private lastHashOnDisk;
     private readAllEntries;
     private loadCumulativeStats;
     /**
@@ -916,6 +966,54 @@ interface AgentClassifierConfig {
     minDurationMs: number;
 }
 
+interface SensitivityRule {
+    pattern: string;
+    sensitivity: number;
+    category: string;
+    description: string;
+}
+interface TargetSensitivityResult {
+    sensitivity: number;
+    category: string;
+    description: string;
+    matchedRule: string;
+    actionMultiplier: number;
+    effectiveScore: number;
+    groundedInRepoMap: boolean;
+}
+declare class TargetSensitivityScorer {
+    private rules;
+    private repoMap;
+    private repoRoot;
+    private overlay;
+    constructor(customRules?: SensitivityRule[], repoMap?: RepoSensitivityMap, repoRoot?: string, overlay?: SensitivityOverlay);
+    scoreTarget(target: string, action: string): TargetSensitivityResult;
+    /** Pattern-only scoring (Tier 2). Used directly by reject decisions. */
+    private _scoreByPatterns;
+    /**
+     * URL-aware component scoring (Sprint 6b W1 fix).
+     * Parses the URL, extracts path/query-values/fragment, decodes each once,
+     * scores each against forbidden-pattern rules, takes MAX.
+     */
+    private _scoreUrlTarget;
+    scoreEvent(event: AgentActivityEvent): TargetSensitivityResult;
+    /**
+     * Replaces the active repo sensitivity map. Pass null to clear.
+     * If newRepoRoot is provided, it overrides the map's repoRoot.
+     */
+    updateRepoMap(newMap: RepoSensitivityMap | null, newRepoRoot?: string): void;
+    /**
+     * Replaces the active sensitivity overlay. Pass null to clear.
+     */
+    updateOverlay(newOverlay: SensitivityOverlay | null): void;
+    /**
+     * Returns all pattern-based rules that match the target. Does NOT
+     * consult the repo map. Used by RepoSensitivityScanner during
+     * scan-time enumeration.
+     */
+    getAllMatchingRules(target: string): SensitivityRule[];
+}
+
 /** Lazy-init wrapper passed via RoleValidatorOptions so Sentinel can own the cache. */
 interface ForbiddenInodeCacheRef {
     getOrBuild: () => Set<bigint>;
@@ -1229,6 +1327,7 @@ declare class SentinelRunner {
     private _hookEngine?;
     private _maturityConfig?;
     private _validatorOptions?;
+    private _sensitivityScorer?;
     private intentTracker;
     private similarityEngine;
     private recentAlignmentScores;
@@ -1249,6 +1348,12 @@ declare class SentinelRunner {
     setMaturityConfig(config: Partial<BaselineMaturityConfig>): void;
     /** Set RoleValidator options (exception approval fn, audit callback). */
     setRoleValidatorOptions(options: RoleValidatorOptions): void;
+    /**
+     * Inject the facade's shared sensitivity scorer (overlay + repo map aware)
+     * so processEvent's validator scores identically to the facade's check().
+     * Must be called BEFORE start() builds the validator.
+     */
+    setSensitivityScorer(scorer: TargetSensitivityScorer): void;
     /** Set the behavioral baseline and start periodic gap checking. */
     setBaseline(baseline: AgentBaseline): void;
     /** Declare a new task intent for this agent. */
@@ -1265,6 +1370,12 @@ declare class SentinelRunner {
     getActiveTask(): TaskIntent | null;
     /** Expose the similarity engine for pre-execution intent checks. */
     getSimilarityEngine(): SimilarityEngine;
+    /**
+     * Read-only view of the rolling misaligned-score window, for the
+     * pre-execution gate (Sentinel.check) to apply the SAME sustained-drift
+     * severity upgrade as the recording path — without mutating the window.
+     */
+    getRecentAlignmentScores(): readonly number[];
     /**
      * Side-effect-free pre-execution gate: evaluate an event and fire pre_execution
      * hooks WITHOUT running processEvent's full pipeline.

package/dist/Sentinel-XP6NFG6Z.js

@@ -0,0 +1,10 @@
+import {
+  Sentinel
+} from "./chunk-7R6EA7JG.js";
+import "./chunk-M5EEVMLU.js";
+import "./chunk-SKE74CYZ.js";
+import "./chunk-NUXSUSYY.js";
+export {
+  Sentinel
+};
+//# sourceMappingURL=Sentinel-XP6NFG6Z.js.map

package/dist/{chunk-PDWWRZXF.js → chunk-2IPSTUNH.js}

@@ -16,6 +16,9 @@ var LogAdapter = class {
   pendingFragment = "";
   running = false;
   polling = false;
+  /** The in-flight poll (if any), so stop() can let it finish emitting its
+   *  already-read batch before persisting the cursor. */
+  pollInFlight = null;
   pollTimer = null;
   onEvent = null;
   readExisting;
@@ -33,6 +36,7 @@ var LogAdapter = class {
     if (this.running) return;
     this.onEvent = onEvent;
     this.running = true;
+    this.pendingFragment = "";
     const savedPosition = await this.loadCursor();
     if (savedPosition !== null) {
       this.lastReadPosition = savedPosition;
@@ -47,7 +51,9 @@ var LogAdapter = class {
     } else {
       this.lastReadPosition = 0;
     }
-    this.pollTimer = setInterval(() => this.poll(), this.pollIntervalMs);
+    this.pollTimer = setInterval(() => {
+      this.pollInFlight = this.poll();
+    }, this.pollIntervalMs);
     console.log(`LogAdapter watching ${this.logPath} for agent ${this.agentId}`);
   }
   async stop() {
@@ -55,6 +61,13 @@ var LogAdapter = class {
       clearInterval(this.pollTimer);
       this.pollTimer = null;
     }
+    if (this.pollInFlight) {
+      try {
+        await this.pollInFlight;
+      } catch {
+      }
+      this.pollInFlight = null;
+    }
     await this.saveCursor();
     this.running = false;
     this.onEvent = null;
@@ -66,7 +79,6 @@ var LogAdapter = class {
     try {
       const lines = await this.readNewLines();
       for (const line of lines) {
-        if (!this.running) break;
         const event = this.parseLine(line);
         if (event) {
           try {
@@ -194,10 +206,9 @@ var LogAdapter = class {
     try {
       const { writeFile, mkdir } = await import("fs/promises");
       await mkdir(this.stateDir, { recursive: true });
-      await writeFile(
-        path,
-        JSON.stringify({ position: this.lastReadPosition, logPath: this.logPath }) + "\n"
-      );
+      const fragmentBytes = Buffer.byteLength(this.pendingFragment, "utf-8");
+      const position = Math.max(0, this.lastReadPosition - fragmentBytes);
+      await writeFile(path, JSON.stringify({ position, logPath: this.logPath }) + "\n");
     } catch (err) {
       console.warn(`Failed to save log cursor: ${err}`);
     }
@@ -235,4 +246,4 @@ var LogAdapter = class {
 export {
   LogAdapter
 };
-//# sourceMappingURL=chunk-PDWWRZXF.js.map
+//# sourceMappingURL=chunk-2IPSTUNH.js.map

package/dist/{chunk-G74MMDKA.js → chunk-3WT3K5TH.js}

@@ -3,9 +3,8 @@ import {
 } from "./chunk-B5QKJHSV.js";
 import {
   discoverPolicy
-} from "./chunk-FMZWHT4M.js";
+} from "./chunk-B6S2PBS4.js";
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   FORBIDDEN_BASENAMES,
   classifyDeny,
   isPositionallySafeMention,
@@ -14,16 +13,18 @@ import {
   scanBashCommand,
   scanContentForForbiddenBasenames,
   scanGlobPattern,
-  tokenizePaths
-} from "./chunk-JTR2E7RD.js";
+  tokenizePaths,
+  unionWithDefaultForbiddenPatterns
+} from "./chunk-M5EEVMLU.js";
 import {
+  DEFAULT_FORBIDDEN_PATTERNS,
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-WLIDSTS4.js";
+} from "./chunk-SKE74CYZ.js";
 
 // src/gateway/workspaceRouter.ts
-import { resolve, dirname } from "path";
+import { resolve, dirname, sep } from "path";
 
 // src/mergeRoles.ts
 function isWithinActiveHours(hour, range) {
@@ -251,15 +252,43 @@ async function resolveWorkspace(cwd, home) {
   const policyPath = discoverPolicy(start, home);
   let root = start;
   let workspaceRole = null;
+  const warnings = [];
   if (policyPath) {
-    const policy = await loadPolicy(policyPath);
+    let policy;
+    try {
+      policy = await loadPolicy(policyPath);
+    } catch (err) {
+      return {
+        ok: false,
+        reason: `the workspace's policy file failed to load (${err instanceof Error ? err.message : String(err)}) \u2014 refusing to serve the workspace without its policy`
+      };
+    }
+    const policyDir = dirname(resolve(policyPath));
+    root = policyDir;
     const repoRoot = policyToConfig(policy).repo?.root;
-    root = repoRoot ? resolve(repoRoot) : dirname(resolve(policyPath));
+    if (repoRoot) {
+      const declared = resolve(policyDir, repoRoot);
+      const homeAbs = resolve(home);
+      const declaredPrefix = declared.endsWith(sep) ? declared : declared + sep;
+      const containsPolicy = policyDir === declared || policyDir.startsWith(declaredPrefix);
+      const aboveHome = declared !== homeAbs && homeAbs.startsWith(declaredPrefix);
+      if (!containsPolicy) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") does not contain the policy file "${policyPath}" \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else if (aboveHome) {
+        warnings.push(
+          `repo.root "${repoRoot}" (resolves to "${declared}") reaches above the home directory \u2014 anchoring to the policy's own directory "${policyDir}" instead`
+        );
+      } else {
+        root = declared;
+      }
+    }
     workspaceRole = policyToRole(policy);
   }
   return {
     ok: true,
-    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole }
+    resolution: { root, agentId: deriveAgentId(root), policyPath, workspaceRole, warnings }
   };
 }
 function effectiveRole(ceiling, workspaceRole) {
@@ -347,11 +376,11 @@ var TranslatorRegistry = class {
 
 // src/gateway/runtimeConstructionResolvers.ts
 var MAX_RECURSION_DEPTH = 3;
-var INTERPRETER_RE = /\b(?:python[23]?|node|ruby|perl|php)\s+(?:-[cer])\s+(.+)/s;
+var INTERPRETER_RE = /\b(?:python|node|ruby|perl|php)[0-9.]*\s+(?:\S+\s+)*?-[cer]/;
 var NESTED_ENCODING_RE = /chr\(\d+\)|String\.fromCharCode|\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|printf\s/;
 var PRINTF_HEX_RE = /printf\s+['"]?[^'"]*\\x[0-9a-fA-F]{2}/;
 var PRINTF_OCT_RE = /printf\s+['"]?[^'"]*\\[0-7]{1,3}/;
-var B1_CONTEXT_RE = /(?:\bbase64\s+(?:-d|--decode)\b|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
+var B1_CONTEXT_RE = /(?:\bbase64\s+(?:--decode\b|-[a-zA-Z]*[dD][a-zA-Z]*\b)|\bopenssl\s+(?:enc\s+)?(?:-?base64\s+(?:-\w+\s+)*-d|-d\s+(?:-\w+\s+)*-?base64)\b)/;
 var ECHO_E_HEX_RE = /\becho\s+(?:-\w+\s+)*-\w*e\w*\b[^|;&\n]*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_HEX_RE = /\$'[^']*\\x[0-9a-fA-F]{2}/;
 var ANSI_C_QUOTE_OCT_RE = /\$'[^']*\\[0-7]{1,3}/;
@@ -1032,17 +1061,25 @@ var ClaudeCodeTranslator = class {
 };
 
 // src/gateway/grepRewriter.ts
+function toRelativeExclusionGlob(pattern) {
+  return pattern.startsWith("/") ? "**" + pattern : pattern;
+}
 function buildGrepExclusions(forbiddenPatterns) {
   const flags = [];
   for (const pattern of forbiddenPatterns) {
-    flags.push("--glob", `!${pattern}`);
+    flags.push("--glob", `!${toRelativeExclusionGlob(pattern)}`);
   }
   return flags;
 }
 function isPathItselfForbidden(searchPath, forbiddenPatterns) {
   const matched = [];
   for (const pattern of forbiddenPatterns) {
-    if (matchGlobInsensitive(pattern, searchPath)) {
+    if (matchGlobInsensitive(pattern, searchPath) || // A directory-glob (`…/**`, e.g. `**/.ssh/**` or `/etc/**`) does NOT match
+    // the bare directory itself — the trailing `/.*` requires a char after the
+    // slash, so `matchGlob('**/.ssh/**', '/home/u/.ssh')` is false. When the
+    // SEARCH PATH *is* the forbidden directory, treat it as forbidden so it
+    // routes to DENY (no rewrite), not MODIFY.
+    pattern.endsWith("/**") && matchGlobInsensitive(pattern.slice(0, -3), searchPath)) {
       matched.push(pattern);
     }
   }
@@ -1116,6 +1153,8 @@ var SentinelGateway = class {
   releaseToken;
   /** Item D (F-8): disposition for unknown (non-MCP, unrecognized) tool names. */
   unknownTools;
+  /** Posture for an internal wrap() error: allow (fail-open, default) or block. */
+  onInternalError;
   /** Daemon-staleness build identity (content hash of the launched-from entry),
    *  reported via /health. "unknown" when not supplied by the launcher. */
   buildId;
@@ -1134,6 +1173,7 @@ var SentinelGateway = class {
     this.home = options.home ?? "";
     this.releaseToken = options.releaseToken ?? null;
     this.unknownTools = options.unknownTools ?? "warn";
+    this.onInternalError = options.onInternalError ?? "fail-open";
     this.buildId = options.buildId ?? "unknown";
     const internal = options;
     if (internal.registry) {
@@ -1424,6 +1464,9 @@ var SentinelGateway = class {
       return { ok: false, finding };
     }
     const { root, agentId, workspaceRole } = resolved.resolution;
+    for (const w of resolved.resolution.warnings) {
+      console.warn(`[SENTINEL GATEWAY] workspace-resolution warning (${agentId}): ${w}`);
+    }
     const ceiling = this.operatorCeiling;
     if (!ceiling) {
       const check = {
@@ -1450,7 +1493,24 @@ var SentinelGateway = class {
       name: agentId
     });
     this.sentinel.touchAgent(agentId);
-    return { ok: true, agentId };
+    return { ok: true, agentId, effectiveRole: merged.role };
+  }
+  /**
+   * Forbidden-pattern list for ONE request: the gateway's construction-time
+   * list unioned with the request's merged-role patterns (operator-ceiling ∩
+   * workspace yaml). Without this, a workspace's custom forbid targets were
+   * enforced by the role validator inside wrap() but never reached the
+   * gateway's own bash-L1 / Grep layers, which checked only the static list.
+   * Normalization is idempotent (the chokepoint globstar-prepend).
+   */
+  patternsForRequest(effectiveRole2) {
+    if (!effectiveRole2?.forbiddenTargetPatterns?.length) return this.forbiddenPatterns;
+    return [
+      .../* @__PURE__ */ new Set([
+        ...this.forbiddenPatterns,
+        ...effectiveRole2.forbiddenTargetPatterns.map(normalizeForbiddenPattern)
+      ])
+    ];
   }
   async handlePreToolUse(body, res, translator) {
     let payload;
@@ -1460,12 +1520,43 @@ var SentinelGateway = class {
       this.sendJson(res, 400, { error: "invalid JSON" });
       return;
     }
-    const event = translator.translatePreToolUse(payload);
+    let event;
+    try {
+      event = translator.translatePreToolUse(payload);
+    } catch (err) {
+      console.error("[SENTINEL GATEWAY] translator error (pre-tool-use):", err);
+      const ts = (/* @__PURE__ */ new Date()).toISOString();
+      const finding = {
+        severity: "HIGH",
+        kind: "actionable",
+        type: "enforcement_error",
+        agentId: this.agentId,
+        agentName: this.agentId,
+        description: `Enforcement error \u2014 the ${translator.agentType} translator threw while parsing a pre-tool-use payload: ${err instanceof Error ? err.message : String(err)}. The request was answered with an error (HTTP 500), not an allow.`,
+        evidence: {
+          action: "tool_invocation",
+          target: "(untranslatable pre-tool-use payload)",
+          timestamp: ts,
+          baselineComparison: "enforcement_internal_error"
+        },
+        recommendation: "Investigate the gateway daemon log for the underlying translator exception \u2014 the payload could not be screened.",
+        timestamp: ts,
+        decision: "deny"
+      };
+      try {
+        await this.sentinel.logFinding(this.agentId, finding);
+      } catch (logErr) {
+        console.error("[SENTINEL GATEWAY] failed to persist enforcement_error finding:", logErr);
+      }
+      this.sendJson(res, 500, { error: "translator error" });
+      return;
+    }
     if (!event) {
       this.sendJson(res, 400, { error: "unable to translate payload" });
       return;
     }
     let routingId = this.agentId;
+    let requestForbiddenPatterns = this.forbiddenPatterns;
     if (this.workspaceIsolation) {
       const routed = await this.resolveBPathRouting(
         event.metadata?.cwd,
@@ -1483,6 +1574,7 @@ var SentinelGateway = class {
       }
       routingId = routed.agentId;
       event.agentId = routingId;
+      requestForbiddenPatterns = this.patternsForRequest(routed.effectiveRole);
     }
     if (event.metadata?._unknownTool === "true") {
       const unknownName = event.metadata.ccToolName ?? event.primaryTarget;
@@ -1555,7 +1647,7 @@ var SentinelGateway = class {
       let matchedPath = null;
       let matchedPattern = null;
       for (const tokenPath of allTokenPaths) {
-        for (const pattern of this.forbiddenPatterns) {
+        for (const pattern of requestForbiddenPatterns) {
           if (matchGlobInsensitive(pattern, tokenPath)) {
             matchedPath = tokenPath;
             matchedPattern = pattern;
@@ -1737,7 +1829,7 @@ var SentinelGateway = class {
     if (ccToolName === "Grep") {
       const toolInput = parsedPayload.tool_input ?? {};
       const searchPath = typeof toolInput.path === "string" && toolInput.path.length > 0 ? toolInput.path : parsedPayload.cwd ?? ".";
-      const pathCheck = isPathItselfForbidden(searchPath, this.forbiddenPatterns);
+      const pathCheck = isPathItselfForbidden(searchPath, requestForbiddenPatterns);
       if (pathCheck.forbidden) {
         const finding2 = {
           severity: "HIGH",
@@ -1762,7 +1854,7 @@ var SentinelGateway = class {
         this.sendJson(res, 200, response);
         return;
       }
-      const exclusions = buildGrepExclusions(this.forbiddenPatterns);
+      const exclusions = buildGrepExclusions(requestForbiddenPatterns);
       const updatedInput = buildModifiedGrepInput(toolInput, exclusions);
       const finding = {
         severity: "MEDIUM",
@@ -1785,7 +1877,7 @@ var SentinelGateway = class {
       await this.sentinel.logFinding(routingId, finding);
       this.telemetry.recordToolCall(event.action, "pre", "allowed", 0);
       const ccTranslator = translator;
-      const excludedPatterns = this.forbiddenPatterns.join(", ");
+      const excludedPatterns = requestForbiddenPatterns.join(", ");
       const additionalContext = `Sentinel: this Grep search was modified to exclude forbidden paths. Excluded patterns: ${excludedPatterns}. To search specific forbidden files, use Read with explicit approval.`;
       if (typeof ccTranslator.formatPreToolUseModifyResponse === "function") {
         const response = ccTranslator.formatPreToolUseModifyResponse({
@@ -1883,7 +1975,37 @@ var SentinelGateway = class {
       this.sendJson(res, 200, response);
     } catch (err) {
       console.error("[SENTINEL GATEWAY] wrap() error:", err);
-      const response = translator.formatPreToolUseResponse({ blocked: false });
+      const failClosed = this.onInternalError === "fail-closed";
+      const errMessage = err instanceof Error ? err.message : String(err);
+      const finding = {
+        severity: "HIGH",
+        kind: "actionable",
+        type: "enforcement_error",
+        agentId: routingId,
+        agentName: event.agentName,
+        description: `Enforcement error \u2014 sentinel.wrap() threw while screening "${event.action}": ${errMessage}. The call was ${failClosed ? "BLOCKED" : "ALLOWED WITHOUT SCREENING"} (enforcement.onInternalError: ${this.onInternalError}).`,
+        evidence: {
+          action: event.action,
+          target: event.primaryTarget,
+          timestamp: event.timestamp,
+          baselineComparison: "enforcement_internal_error"
+        },
+        recommendation: `Investigate the gateway daemon log for the underlying exception \u2014 Sentinel's own enforcement failed, so this call was decided by posture, not policy. Set enforcement.onInternalError: "fail-closed" to block instead of allow while the cause is open.`,
+        timestamp: event.timestamp,
+        decision: failClosed ? "deny" : "allow"
+      };
+      try {
+        await this.sentinel.logFinding(routingId, finding);
+      } catch (logErr) {
+        console.error("[SENTINEL GATEWAY] failed to persist enforcement_error finding:", logErr);
+      }
+      this.telemetry.recordToolCall(
+        event.action,
+        "pre",
+        failClosed ? "blocked" : "allowed",
+        Date.now() - start
+      );
+      const response = failClosed ? translator.formatPreToolUseResponse({ blocked: true, finding }) : translator.formatPreToolUseResponse({ blocked: false });
       this.sendJson(res, 200, response);
     }
   }
@@ -2052,11 +2174,11 @@ async function runGatewayDaemon({
   port = DEFAULT_PORT,
   buildId
 }) {
-  const { Sentinel: SentinelClass } = await import("./Sentinel-5CQ6HKXS.js");
+  const { Sentinel: SentinelClass } = await import("./Sentinel-XP6NFG6Z.js");
   const { writePidFile, writeReleaseToken } = await import("./pidManager-DOGVN6ZT.js");
   const { homedir } = await import("os");
   const { randomBytes } = await import("crypto");
-  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-KZL2U4M2.js");
+  const { loadPolicy: loadPolicy2, policyToRole: policyToRole2, policyToConfig: policyToConfig2 } = await import("./policyLoader-NUPBBRKH.js");
   const sentinel = await SentinelClass.fromPolicy(policyPath);
   const baseline = await sentinel.computeBaseline("claude-code");
   sentinel.setBaseline("claude-code", baseline);
@@ -2075,7 +2197,12 @@ async function runGatewayDaemon({
     releaseToken,
     unknownTools: operatorConfig.enforcement?.unknownTools,
     allowUnknownTools: operatorConfig.enforcement?.allowUnknownTools,
-    buildId
+    onInternalError: operatorConfig.enforcement?.onInternalError,
+    buildId,
+    // The operator policy's custom forbid targets must reach the gateway's own
+    // bash-L1/Grep layers (defaults-as-floor union, same chokepoint as role
+    // construction) — previously the gateway saw only the built-in defaults.
+    forbiddenPatterns: unionWithDefaultForbiddenPatterns(operatorCeiling.forbiddenTargetPatterns)
   });
   await gateway.start();
   const home = homedir();
@@ -2088,4 +2215,4 @@ export {
   SentinelGateway,
   runGatewayDaemon
 };
-//# sourceMappingURL=chunk-G74MMDKA.js.map
+//# sourceMappingURL=chunk-3WT3K5TH.js.map