palaryn 0.5.7 → 0.6.0

package/src/dlp/nemo-backend.ts

@@ -1,6 +1,7 @@
 import { execFileSync } from 'child_process';
 import { DLPBackend, DLPDetection } from './interfaces';
 import { DLPSeverity } from '../types/tool-result';
+import { CircuitBreaker } from './circuit-breaker';
 
 export interface NemoGuardrailsConfig {
   /** NeMo Guardrails API URL (e.g. 'http://nemo:8000'). */
@@ -25,15 +26,22 @@ export class NemoGuardrailsBackend implements DLPBackend {
 
   private readonly apiUrl: string;
   private readonly timeoutMs: number;
+  readonly circuitBreaker: CircuitBreaker;
 
   constructor(config: NemoGuardrailsConfig) {
     this.apiUrl = config.api_url.replace(/\/+$/, '');
     this.timeoutMs = config.timeout_ms ?? 5000;
+    this.circuitBreaker = new CircuitBreaker({ name: 'nemo', failureThreshold: 5, resetTimeoutMs: 30_000 });
   }
 
   scanString(value: string): DLPDetection[] {
     if (!value || value.length < 5) return [];
 
+    if (!this.circuitBreaker.allowRequest()) {
+      console.warn(`[NemoGuardrailsBackend] circuit OPEN — skipping external call`);
+      return [];
+    }
+
     try {
       const payload = JSON.stringify({
         messages: [{ role: 'user', content: value }],
@@ -53,8 +61,10 @@ export class NemoGuardrailsBackend implements DLPBackend {
         stdio: ['pipe', 'pipe', 'pipe'],
       });
 
+      this.circuitBreaker.recordSuccess();
       return this.parseResponse(stdout, value);
     } catch (err: unknown) {
+      this.circuitBreaker.recordFailure();
       const message = err instanceof Error ? err.message : String(err);
       console.warn(`[NemoGuardrailsBackend] scan failed: ${message}`);
       return [];

package/src/dlp/prompt-injection-patterns.ts

@@ -401,6 +401,43 @@ export const PROMPT_INJECTION_PATTERNS: DLPPattern[] = [
     pattern: /(?:you\s+have\s+)?no\s+(?:rules|limits|limitations|boundaries|restrictions|ethical\s+guidelines|safety\s+(?:measures|protocols|guidelines))/gi,
     severity: 'medium',
   },
+
+  // -----------------------------------------------------------------------
+  // Category 18: Policy/config self-modification (high)
+  // Detects instructions to modify the agent's own policy, config, or
+  // governance files — the most dangerous form of prompt injection as it
+  // can disable all security controls.
+  // -----------------------------------------------------------------------
+  {
+    name: 'prompt_injection_modify_policy',
+    pattern: /(?:modify|change|update|edit|overwrite|replace|rewrite|alter)\s+(?:the\s+|your\s+)?(?:policy|policies|policy[\s_-]*(?:pack|file|yaml|config|rules?))/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_write_policy_file',
+    pattern: /(?:write|save|create|output|put|dump)\s+(?:this\s+|the\s+following\s+)?(?:to|into|in)\s+(?:the\s+)?(?:policy|config|yaml|yml|configuration)\s*(?:file|pack)?/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_disable_security',
+    pattern: /(?:disable|turn\s+off|deactivate|remove|bypass|skip)\s+(?:all\s+)?(?:the\s+)?(?:security|DLP|firewall|policy|protection|enforcement|validation|rate[\s_-]*limit|budget[\s_-]*check|approval)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_allow_all_policy',
+    pattern: /(?:set|change|make|switch)\s+(?:the\s+)?(?:default\s+)?(?:policy|effect|rule)\s+(?:to\s+)?(?:allow[\s_-]*all|permissive|allow\s+everything)/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_policy_pack_path',
+    pattern: /policy[\s_-]*packs?\/[^\s"']+\.ya?ml/gi,
+    severity: 'high',
+  },
+  {
+    name: 'prompt_injection_remove_rules',
+    pattern: /(?:remove|delete|clear|empty|wipe)\s+(?:all\s+)?(?:the\s+)?(?:policy\s+)?(?:rules?|restrictions?|blocklist|denylist|deny\s+rules?)/gi,
+    severity: 'high',
+  },
 ];
 
 // ---------------------------------------------------------------------------

package/src/dlp/text-normalizer.ts

@@ -6,6 +6,9 @@
  * into canonical ASCII text before pattern matching.
  */
 
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const punycode = require('punycode/');
+
 // ---------------------------------------------------------------------------
 // Zero-width character stripping
 // ---------------------------------------------------------------------------
@@ -13,9 +16,10 @@
 /** Regex matching zero-width and invisible Unicode characters.
  *  Comprehensive list covering: zero-width spaces/joiners, soft hyphen, BOM,
  *  directional marks/isolates, word joiners, invisible operators,
- *  combining grapheme joiner, Arabic letter mark, and deprecated formatting chars.
+ *  combining grapheme joiner, Arabic letter mark, deprecated formatting chars,
+ *  and Unicode Tags block (U+E0001-U+E007F, deprecated language tags).
  */
-export const ZERO_WIDTH_REGEX = /[\u200B\u200C\u200D\u00AD\uFEFF\u200E\u200F\u034F\u061C\u180E\u2060\u2061\u2062\u2063\u2064\u2066\u2067\u2068\u2069\u206A\u206B\u206C\u206D\u206E\u206F]/g;
+export const ZERO_WIDTH_REGEX = /[\u200B\u200C\u200D\u00AD\uFEFF\u200E\u200F\u034F\u061C\u180E\u2060\u2061\u2062\u2063\u2064\u2066\u2067\u2068\u2069\u206A\u206B\u206C\u206D\u206E\u206F\u{E0001}-\u{E007F}]/gu;
 
 // ---------------------------------------------------------------------------
 // Homoglyph map (visually similar characters -> ASCII equivalents)
@@ -263,23 +267,39 @@ function stripEmojisBetweenLetters(input: string): string {
  * Normalize text for bypass-resistant pattern matching.
  *
  * Applies transformations in order:
- * 1. Strip zero-width / invisible Unicode characters
+ * 1. Strip zero-width / invisible Unicode characters (incl. Unicode Tags block)
  * 2. Unicode NFKC normalization (collapses fullwidth, ligatures, etc.)
  * 3. Decode HTML entities (named + numeric)
- * 4. Decode URL percent-encoding
+ * 4. Decode URL percent-encoding (multi-pass, up to 3 iterations)
+ * 4.5. Decode Punycode domains (xn-- labels -> Unicode -> homoglyph collapse)
  * 5. Collapse homoglyphs (Cyrillic/Greek lookalikes -> ASCII)
  * 6. Collapse repeated whitespace to single space
  *
  * @param input - The raw text to normalize.
  * @returns The normalized text suitable for pattern matching.
  */
+/**
+ * Decode Punycode (xn--) domain labels to Unicode.
+ * Enables homoglyph normalization to collapse Punycode-encoded lookalike domains.
+ */
+function decodePunycodeDomains(input: string): string {
+  // Match xn-- labels in domain-like contexts (dot-separated labels)
+  return input.replace(/\bxn--[a-z0-9-]+(?:\.[a-z0-9-]+)*/gi, (domain) => {
+    try {
+      return punycode.toUnicode(domain);
+    } catch {
+      return domain; // Leave as-is if decode fails
+    }
+  });
+}
+
 export function normalizeText(input: string): string {
   // Early exit for very short strings
   if (input.length === 0) return input;
 
   let text = input;
 
-  // 1. Strip zero-width characters
+  // 1. Strip zero-width characters (including Unicode Tags block U+E0001-E007F)
   text = text.replace(ZERO_WIDTH_REGEX, '');
 
   // 2. NFKC normalization (fullwidth -> ASCII, ligatures -> components, etc.)
@@ -296,8 +316,17 @@ export function normalizeText(input: string): string {
   // 3. Decode HTML entities
   text = decodeHTMLEntities(text);
 
-  // 4. Decode URL percent-encoding
-  text = decodeURLEncoding(text);
+  // 4. Decode URL percent-encoding (multi-pass for layered encoding like %2569 -> %69 -> i)
+  let prevText: string;
+  let passes = 0;
+  do {
+    prevText = text;
+    text = decodeURLEncoding(text);
+    passes++;
+  } while (text !== prevText && passes < 3);
+
+  // 4.5 Decode Punycode domains (xn-- labels -> Unicode for homoglyph matching)
+  text = decodePunycodeDomains(text);
 
   // 5. Collapse homoglyphs
   text = text.replace(homoglyphRegex, (ch) => HOMOGLYPH_MAP[ch] || ch);

package/src/dlp/tool-patterns.ts

@@ -1,4 +1,39 @@
 import { DLPPattern } from './patterns';
+import { DLPBackend, DLPDetection } from './interfaces';
+import { DLPSeverity } from '../types/tool-result';
+
+/**
+ * DLP backend that scans for sensitive file paths in tool arguments.
+ * Detects references to policy packs, .env files, and governance config
+ * that could indicate a policy self-modification attack.
+ */
+export class SensitiveFileBackend implements DLPBackend {
+  readonly name = 'sensitive_file';
+
+  scanString(value: string): DLPDetection[] {
+    const detections: DLPDetection[] = [];
+    if (value.length < 4) return detections;
+
+    for (const pat of SENSITIVE_FILE_PATTERNS) {
+      pat.pattern.lastIndex = 0;
+      let m: RegExpExecArray | null;
+      while ((m = pat.pattern.exec(value)) !== null) {
+        detections.push({
+          pattern_name: pat.name,
+          severity: pat.severity as DLPSeverity,
+          match: m[0],
+          start: m.index,
+          end: m.index + m[0].length,
+        });
+        if (m[0].length === 0) {
+          pat.pattern.lastIndex++;
+        }
+      }
+      pat.pattern.lastIndex = 0;
+    }
+    return detections;
+  }
+}
 
 // Shell injection patterns
 export const SHELL_INJECTION_PATTERNS: DLPPattern[] = [
@@ -13,9 +48,30 @@ export const SHELL_INJECTION_PATTERNS: DLPPattern[] = [
 // Path traversal patterns
 export const PATH_TRAVERSAL_PATTERNS: DLPPattern[] = [
   { name: 'path_traversal', pattern: /\.\.\//g, severity: 'high' },
+  { name: 'path_traversal_backslash', pattern: /\.\.\\/g, severity: 'high' },
   { name: 'path_traversal_encoded', pattern: /%2e%2e%2f/gi, severity: 'high' },
+  { name: 'path_traversal_double_encoded', pattern: /%252e%252e/gi, severity: 'high' },
   { name: 'path_null_byte', pattern: /%00/g, severity: 'high' },
   { name: 'path_absolute_unix', pattern: /^\/(?:etc|proc|sys|dev|root|var\/log)\//g, severity: 'high' },
+  { name: 'path_home_sensitive', pattern: /~\/\./g, severity: 'high' },
+];
+
+// Sensitive file access patterns
+export const SENSITIVE_FILE_PATTERNS: DLPPattern[] = [
+  { name: 'sensitive_file_ssh', pattern: /\.ssh\/(?:id_rsa|id_ed25519|authorized_keys|known_hosts|config)/gi, severity: 'high' },
+  { name: 'sensitive_file_aws', pattern: /\.aws\/(?:credentials|config)/gi, severity: 'high' },
+  { name: 'sensitive_file_kube', pattern: /\.kube\/config/gi, severity: 'high' },
+  { name: 'sensitive_file_terraform', pattern: /\.terraform\//gi, severity: 'high' },
+  { name: 'sensitive_file_docker', pattern: /\.docker\/config\.json/gi, severity: 'high' },
+  { name: 'sensitive_file_npmrc', pattern: /\.npmrc/gi, severity: 'medium' },
+  { name: 'sensitive_file_gitconfig', pattern: /\.gitconfig/gi, severity: 'low' },
+  { name: 'sensitive_file_shadow', pattern: /\/etc\/shadow/gi, severity: 'high' },
+  { name: 'sensitive_file_shell_rc', pattern: /\.(?:bashrc|zshrc|profile|bash_history|zsh_history)/gi, severity: 'medium' },
+  // Palaryn governance / policy files — modification disables security controls
+  { name: 'sensitive_file_policy_pack', pattern: /policy[\s_-]*packs?\/[^\s"']*\.ya?ml/gi, severity: 'high' },
+  { name: 'sensitive_file_policy_yaml', pattern: /(?:^|[\\/])(?:policy|policies|rules)\.ya?ml/gi, severity: 'high' },
+  { name: 'sensitive_file_env', pattern: /(?:^|[\\/\s"'])\.env(?:\.\w+)?(?=$|[\s"'\\/])/gi, severity: 'high' },
+  { name: 'sensitive_file_palaryn_config', pattern: /palaryn[\s_-]*(?:config|settings)\.(?:ya?ml|json|toml)/gi, severity: 'high' },
 ];
 
 // SQL injection patterns
@@ -27,9 +83,16 @@ export const SQL_INJECTION_PATTERNS: DLPPattern[] = [
   { name: 'sql_info_schema', pattern: /INFORMATION_SCHEMA/gi, severity: 'high' },
 ];
 
+// Data exfiltration size check (body > 5KB with external URL)
+export const DATA_EXFIL_PATTERNS: DLPPattern[] = [
+  { name: 'shell_curl_wget', pattern: /\b(?:curl|wget)\s+https?:\/\//gi, severity: 'high' },
+];
+
 /** All tool-specific DLP patterns combined */
 export const TOOL_DLP_PATTERNS: DLPPattern[] = [
   ...SHELL_INJECTION_PATTERNS,
   ...PATH_TRAVERSAL_PATTERNS,
+  ...SENSITIVE_FILE_PATTERNS,
   ...SQL_INJECTION_PATTERNS,
+  ...DATA_EXFIL_PATTERNS,
 ];

package/src/executor/filesystem-executor.ts

@@ -10,6 +10,24 @@ import { FilesystemExecutorConfig } from '../types/config';
  * Handles tool calls with tool name `file.*` (e.g., file.read, file.write).
  * All paths are resolved relative to and contained within base_dir.
  */
+/**
+ * Hardcoded protected path patterns that CANNOT be written to or deleted.
+ * This is a defense-in-depth measure against policy self-modification attacks
+ * where a prompt injection instructs the agent to overwrite governance files.
+ * These paths are blocked regardless of config, allowlist, or policy settings.
+ */
+const PROTECTED_PATH_PATTERNS = [
+  /policy[\s_-]*packs?\//i,
+  /\.env(?:\.\w+)?$/i,
+  /palaryn[\s_-]*config\./i,
+];
+
+const PROTECTED_FILENAMES = [
+  'policy.yaml', 'policy.yml', 'policies.yaml', 'policies.yml',
+  'rules.yaml', 'rules.yml',
+  '.env', '.env.local', '.env.production', '.env.development',
+];
+
 export class FilesystemExecutor implements ToolExecutor {
   private config: FilesystemExecutorConfig;
   private resolvedBaseDir: string;
@@ -19,6 +37,29 @@ export class FilesystemExecutor implements ToolExecutor {
     this.resolvedBaseDir = path.resolve(config.base_dir);
   }
 
+  /**
+   * Check if a file path targets a protected governance/config file.
+   * This is a hardcoded safeguard that cannot be disabled by configuration.
+   */
+  private isProtectedPath(filePath: string): boolean {
+    const normalized = filePath.replace(/\\/g, '/');
+    const basename = path.basename(normalized).toLowerCase();
+
+    // Check against protected filenames
+    if (PROTECTED_FILENAMES.includes(basename)) {
+      return true;
+    }
+
+    // Check against protected path patterns
+    for (const pattern of PROTECTED_PATH_PATTERNS) {
+      if (pattern.test(normalized)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
   async execute(toolCall: ToolCall): Promise<ToolOutput> {
     const action = this.resolveAction(toolCall);
 
@@ -102,6 +143,11 @@ export class FilesystemExecutor implements ToolExecutor {
     if (!filePath || typeof filePath !== 'string') {
       throw new Error('Missing or invalid "path" argument for file.write');
     }
+
+    // Hardcoded protection: block writes to governance/policy/config files
+    if (this.isProtectedPath(filePath)) {
+      throw new Error(`Write denied: "${filePath}" is a protected governance/config file and cannot be modified by agent tool calls`);
+    }
     if (content === undefined || content === null) {
       throw new Error('Missing "content" argument for file.write');
     }
@@ -138,6 +184,11 @@ export class FilesystemExecutor implements ToolExecutor {
       throw new Error('Missing or invalid "path" argument for file.delete');
     }
 
+    // Hardcoded protection: block deleting governance/policy/config files
+    if (this.isProtectedPath(filePath)) {
+      throw new Error(`Delete denied: "${filePath}" is a protected governance/config file and cannot be deleted by agent tool calls`);
+    }
+
     const resolved = this.resolveSafePath(filePath);
 
     const stat = await fs.stat(resolved);

package/src/metrics/collector.ts

@@ -31,6 +31,7 @@ export class GatewayMetrics {
   // Histograms
   private requestDuration: promClient.Histogram;
   private costPerRequest: promClient.Histogram;
+  private policyEvaluationSeconds: promClient.Histogram;
 
   // Gauge
   private activeApprovals: promClient.Gauge;
@@ -69,6 +70,15 @@ export class GatewayMetrics {
       registers: [this.registry],
     });
 
+    // palaryn_policy_evaluation_seconds
+    this.policyEvaluationSeconds = new promClient.Histogram({
+      name: 'palaryn_policy_evaluation_seconds',
+      help: 'Time spent evaluating policy rules',
+      labelNames: ['engine'],
+      buckets: [0.001, 0.005, 0.01, 0.05, 0.1, 0.5, 1.0],
+      registers: [this.registry],
+    });
+
     // palaryn_dlp_detections_total
     this.dlpDetectionsTotal = new promClient.Counter({
       name: 'palaryn_dlp_detections_total',
@@ -220,6 +230,13 @@ export class GatewayMetrics {
     this.policyDecisionsTotal.inc({ decision, rule_id: ruleId });
   }
 
+  /**
+   * Record policy evaluation duration.
+   */
+  recordPolicyEvaluation(engine: string, durationSeconds: number): void {
+    this.policyEvaluationSeconds.observe({ engine }, durationSeconds);
+  }
+
   /**
    * Record a DLP detection event.
    */

package/src/policy/engine.ts

@@ -1,6 +1,9 @@
 import * as fs from 'fs';
 import * as net from 'net';
 import * as yaml from 'js-yaml';
+import { logger } from '../server/logger';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const punycode = require('punycode/');
 import { ToolCall } from '../types/tool-call';
 import {
   PolicyDecision,
@@ -353,13 +356,13 @@ export class PolicyEngine {
     }
     // ReDoS protection: block patterns with nested quantifiers or excessive length
     if (!PolicyEngine.isSafeRegex(pattern)) {
-      console.warn(`PolicyEngine: rejecting potentially unsafe regex pattern (ReDoS risk): "${pattern.slice(0, 100)}..."`);
+      logger.warn('Rejecting potentially unsafe regex pattern (ReDoS risk)', { component: 'policy-engine', pattern: pattern.slice(0, 100) });
       return null;
     }
     try {
       re = new RegExp(pattern);
     } catch (err) {
-      console.warn(`PolicyEngine: invalid regex pattern "${pattern}": ${err instanceof Error ? err.message : String(err)}`);
+      logger.warn('Invalid regex pattern', { component: 'policy-engine', pattern, error: err instanceof Error ? err.message : String(err) });
       return null;
     }
     // Evict oldest entry if at capacity
@@ -775,6 +778,36 @@ export class PolicyEngine {
       if (!conditions.provider_tool_types.includes(toolType as string)) return false;
     }
 
+    // --- Referrer/provenance conditions ---
+    if (conditions.has_referrer !== undefined) {
+      const hasReferrer = !!toolCall.context?.referrer_url;
+      if (conditions.has_referrer !== hasReferrer) {
+        return false;
+      }
+    }
+
+    if (conditions.referrer_domains && conditions.referrer_domains.length > 0) {
+      const referrerUrl = toolCall.context?.referrer_url;
+      if (!referrerUrl) {
+        // Rule requires specific referrer domain but no referrer is present — no match.
+        return false;
+      }
+      const referrerDomain = this.extractDomain(referrerUrl);
+      if (!referrerDomain || !this.isDomainInList(referrerDomain, conditions.referrer_domains)) {
+        return false;
+      }
+    }
+
+    if (conditions.referrer_domains_blocklist && conditions.referrer_domains_blocklist.length > 0) {
+      const referrerUrl = toolCall.context?.referrer_url;
+      if (referrerUrl) {
+        const referrerDomain = this.extractDomain(referrerUrl);
+        if (referrerDomain && this.isDomainInList(referrerDomain, conditions.referrer_domains_blocklist)) {
+          return false;
+        }
+      }
+    }
+
     // --- DLP conditions (only evaluated when dlpContext is provided) ---
     if (conditions.dlp_detected !== undefined) {
       if (!dlpContext) return false; // DLP conditions require DLP context
@@ -812,7 +845,10 @@ export class PolicyEngine {
   private extractDomain(url: string): string | null {
     try {
       const parsed = new URL(url);
-      return parsed.hostname.toLowerCase();
+      let hostname = parsed.hostname.toLowerCase();
+      // Decode Punycode (xn--) domains to Unicode for consistent matching
+      try { hostname = punycode.toUnicode(hostname); } catch { /* leave as-is */ }
+      return hostname;
     } catch {
       return null;
     }

package/src/policy/opa-engine.ts

@@ -3,6 +3,7 @@ import * as https from 'https';
 import { URL } from 'url';
 import { ToolCall } from '../types/tool-call';
 import { PolicyDecision, PolicyEvalResult, PolicyTransformation } from '../types/policy';
+import { logger } from '../server/logger';
 import { OPAConfig } from '../types/config';
 
 /**
@@ -79,7 +80,7 @@ export class OPAEngine {
             throw new Error(`OPA server URL must not use private/reserved IP address in production: "${hostname}"`);
           }
           // In development, allow but warn
-          console.warn(`[OPAEngine] WARNING: OPA server URL points to private address "${hostname}". This would be blocked in production.`);
+          logger.warn('OPA server URL points to private address — blocked in production', { component: 'opa-engine', hostname });
         }
 
         // Normalize: remove trailing slashes for consistency

package/src/server/app.ts

@@ -43,7 +43,7 @@ import { StripeClient, WebhookHandler, createWebhookRouter, createBillingRouter,
 import { createPlanEnforcerMiddleware } from '../billing/plan-enforcer';
 import { FilePersistedStores } from '../storage/file-persistence';
 import { hashPassword } from '../auth/password';
-import { log as devLog } from './logger';
+import { log as devLog, logger } from './logger';
 
 const MAX_TRACKED_IPS = 10000;
 
@@ -262,6 +262,12 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
     gateway.setStores({ policyStore: saasStores.policyStore });
   }
 
+  // Inject workspace store for plan enforcement inside the gateway pipeline
+  // (covers MCP bridge and proxy entry points, not just Express middleware)
+  if (saasStores.workspaceStore) {
+    gateway.setStores({ workspaceStore: saasStores.workspaceStore });
+  }
+
   // Register noop executors for non-HTTP tools (e.g. pre-flight validation from Android)
   gateway.registerExecutor('web_search', new NoopExecutor({ body: { validated: true, tool: 'web_search' } }));
   gateway.registerExecutor('chat.completion', new NoopExecutor({ body: { validated: true, tool: 'chat.completion' } }));
@@ -500,10 +506,13 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
   const rbacPolicyWrite = createRBACMiddleware(config.auth, 'policy:write');
 
   // Admin routes (require auth + admin:full permission)
-  // Auth + RBAC middleware mounted directly with the router to prevent route decoupling
-  const adminRouter = createAdminRouter(gateway, config);
+  // Deprecated: use React SPA frontend instead (FRONTEND_ENABLED=true).
+  // Server-rendered admin is kept as fallback when frontend is disabled.
   const rbacAdmin = createRBACMiddleware(config.auth, 'admin:full');
-  app.use('/admin', authMiddleware, rbacAdmin, adminRouter);
+  if (!config.frontend?.enabled) {
+    const adminRouter = createAdminRouter(gateway, config);
+    app.use('/admin', authMiddleware, rbacAdmin, adminRouter);
+  }
 
   // Plan enforcer middleware — blocks calls when workspace exceeds plan limits
   const planEnforcerMiddleware = createPlanEnforcerMiddleware({
@@ -568,13 +577,13 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
       }
       // S3: Never leak raw error messages to clients (may contain internal paths, IPs, secrets)
       if (result.error) {
-        console.error('[tool-execute] Gateway error:', result.error);
+        logger.error('Gateway error', { component: 'tool-execute', error: result.error });
         result.error = 'Tool execution failed';
       }
       res.status(httpStatus).json(result);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-      console.error('[tool-execute] Execution error:', errorMessage);
+      logger.error('Execution error', { component: 'tool-execute', error: errorMessage });
       sendError(res, 500, ErrorCode.TOOL_EXECUTION_ERROR, 'Tool execution failed');
     }
   });
@@ -635,13 +644,13 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
             headers: proxyResult.headers,
           }, pre);
         } catch (postErr) {
-          console.error('[post-execute] Failed:', postErr instanceof Error ? postErr.message : postErr);
+          logger.error('Post-execute failed', { component: 'stream-proxy', error: postErr instanceof Error ? postErr.message : postErr });
           // Don't fail the response — it's already sent for streaming
         }
 
       } catch (err) {
         const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-        console.error('[stream-proxy] Execution error:', errorMessage);
+        logger.error('Execution error', { component: 'stream-proxy', error: errorMessage });
         if (!res.headersSent) {
           sendError(res, 502, ErrorCode.TOOL_EXECUTION_ERROR, 'Stream proxy failed');
         } else {
@@ -684,7 +693,7 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
       }
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-      console.error('[tool-approve] Error:', errorMessage);
+      logger.error('Approval error', { component: 'tool-approve', error: errorMessage });
       sendError(res, 500, ErrorCode.INTERNAL_ERROR, 'Approval processing failed');
     }
   });
@@ -751,7 +760,7 @@ export function createApp(config: GatewayConfig, externalSaaSStores?: Partial<Sa
       res.json({ status: 'ok' });
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : 'Unknown error';
-      console.error('[usage-report] Error:', errorMessage);
+      logger.error('Usage report error', { component: 'usage-report', error: errorMessage });
       sendError(res, 500, ErrorCode.INTERNAL_ERROR, 'Usage reporting failed');
     }
   });