sovr-mcp-proxy 6.0.1 → 7.0.0

package/dist/cli.js

@@ -9775,6 +9775,973 @@ Failed: ${this.stats.failedChecks}`
   }
 });
 
+// src/toolReplacement.ts
+var toolReplacement_exports = {};
+__export(toolReplacement_exports, {
+  DEFAULT_TARGET_TOOLS: () => DEFAULT_TARGET_TOOLS,
+  DEFAULT_TOOL_REPLACEMENT_CONFIG: () => DEFAULT_TOOL_REPLACEMENT_CONFIG,
+  describeMode: () => describeMode,
+  parseMode: () => parseMode,
+  shouldIntercept: () => shouldIntercept,
+  transformToolList: () => transformToolList
+});
+function transformToolList(upstreamTools, config) {
+  const removedTools = [];
+  const addedTools = [];
+  const wrappedTools = [];
+  let resultTools = [];
+  switch (config.mode) {
+    case "exclusive": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          removedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "enforce": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          resultTools.push({
+            ...tool,
+            description: `[SOVR-ENFORCED] ${tool.description || ""} \u2014 All calls are policy-checked by SOVR before execution.`
+          });
+          wrappedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "advisory": {
+      resultTools = [...upstreamTools];
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "monitor":
+    default: {
+      resultTools = [...upstreamTools];
+      break;
+    }
+  }
+  if (config.addStatusTool) {
+    resultTools.push(SOVR_STATUS_TOOL);
+    addedTools.push(SOVR_STATUS_TOOL.name);
+  }
+  if (config.addAuditTool) {
+    resultTools.push(SOVR_AUDIT_TOOL);
+    addedTools.push(SOVR_AUDIT_TOOL.name);
+  }
+  return { tools: resultTools, removedTools, addedTools, wrappedTools };
+}
+function isTargetTool(toolName, targets) {
+  const lowerName = toolName.toLowerCase();
+  return targets.some((target) => {
+    const lowerTarget = target.toLowerCase();
+    if (lowerName === lowerTarget) return true;
+    if (lowerTarget.includes("*")) {
+      const regex = new RegExp(
+        "^" + lowerTarget.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+      );
+      return regex.test(lowerName);
+    }
+    return false;
+  });
+}
+function shouldIntercept(toolName, config) {
+  switch (config.mode) {
+    case "exclusive":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "exclusive-mode: all exec calls routed through SOVR" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "exclusive-mode: native tool blocked, use sovr_exec" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "enforce":
+      if (toolName === "sovr_exec" || isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "enforce-mode: policy check required" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "advisory":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "advisory-mode: SOVR exec call" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: false, reason: "advisory-mode: native tool allowed with warning" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "monitor":
+    default:
+      return { intercept: false, reason: "monitor-mode: all tools passthrough" };
+  }
+}
+function describeMode(config) {
+  switch (config.mode) {
+    case "exclusive":
+      return `EXCLUSIVE MODE: Native execution tools (${config.targetTools.join(", ")}) are REMOVED. The LLM can ONLY execute commands through sovr_exec. Bypass is impossible.`;
+    case "enforce":
+      return `ENFORCE MODE: Native execution tools are wrapped with SOVR policy checks. All command executions are evaluated before running. Dangerous commands are blocked.`;
+    case "advisory":
+      return `ADVISORY MODE: Native tools remain available. SOVR tools are added alongside. Warnings are logged for risky commands but execution is not blocked.`;
+    case "monitor":
+      return `MONITOR MODE: All tools pass through unchanged. SOVR only logs activity. No enforcement or blocking.`;
+  }
+}
+function parseMode(input) {
+  const normalized = input.toLowerCase().trim();
+  if (["exclusive", "enforce", "advisory", "monitor"].includes(normalized)) {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid mode: "${input}". Valid modes: exclusive, enforce, advisory, monitor`
+  );
+}
+var DEFAULT_TARGET_TOOLS, SOVR_EXEC_TOOL, SOVR_STATUS_TOOL, SOVR_AUDIT_TOOL, DEFAULT_TOOL_REPLACEMENT_CONFIG;
+var init_toolReplacement = __esm({
+  "src/toolReplacement.ts"() {
+    "use strict";
+    DEFAULT_TARGET_TOOLS = [
+      // Claude Code native tools
+      "Bash",
+      "bash",
+      "shell",
+      "execute_command",
+      "run_command",
+      "terminal",
+      // Cursor / Windsurf / Continue
+      "run_terminal_command",
+      "execute_shell",
+      "shell_exec",
+      // Generic patterns
+      "exec",
+      "system",
+      "subprocess"
+    ];
+    SOVR_EXEC_TOOL = {
+      name: "sovr_exec",
+      description: "Execute a shell command through the SOVR Responsibility Layer. All commands are evaluated against security policies before execution. Dangerous commands (rm -rf, DROP TABLE, etc.) will be blocked. This is the ONLY way to execute commands \u2014 use this for ALL shell operations.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          command: {
+            type: "string",
+            description: "The shell command to execute. Will be policy-checked before running."
+          },
+          workdir: {
+            type: "string",
+            description: "Working directory for the command (optional)."
+          },
+          timeout: {
+            type: "number",
+            description: "Timeout in milliseconds (default: 300000 = 5 min)."
+          }
+        },
+        required: ["command"]
+      }
+    };
+    SOVR_STATUS_TOOL = {
+      name: "sovr_status",
+      description: "Check the current SOVR security status, including active policies, recent decisions, and system health. Use this to understand what commands are allowed or blocked.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          verbose: {
+            type: "boolean",
+            description: "Include detailed policy information (default: false)."
+          }
+        }
+      }
+    };
+    SOVR_AUDIT_TOOL = {
+      name: "sovr_audit",
+      description: "View the SOVR audit log of recent command evaluations. Shows what was allowed, blocked, or escalated.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          limit: {
+            type: "number",
+            description: "Number of recent entries to show (default: 10)."
+          },
+          filter: {
+            type: "string",
+            enum: ["all", "allowed", "blocked", "escalated"],
+            description: "Filter by decision type (default: all)."
+          }
+        }
+      }
+    };
+    DEFAULT_TOOL_REPLACEMENT_CONFIG = {
+      mode: "enforce",
+      targetTools: DEFAULT_TARGET_TOOLS,
+      addStatusTool: true,
+      addAuditTool: true
+    };
+  }
+});
+
+// src/commandNormalizer.ts
+var commandNormalizer_exports = {};
+__export(commandNormalizer_exports, {
+  getBaseCommand: () => getBaseCommand,
+  hasDestructiveEquivalent: () => hasDestructiveEquivalent,
+  hasEncodingTricks: () => hasEncodingTricks,
+  normalize: () => normalize,
+  summarize: () => summarize
+});
+function normalize(command) {
+  const original = command;
+  const segments = [];
+  const suspicion_reasons = [];
+  const trimmed = command.trim();
+  if (!trimmed) {
+    return { segments: [], suspicious: false, suspicion_reasons: [], original };
+  }
+  for (const enc of ENCODING_PATTERNS) {
+    if (enc.pattern.test(trimmed)) {
+      suspicion_reasons.push(`${enc.name}: ${enc.risk}`);
+    }
+  }
+  for (const deq of DESTRUCTIVE_EQUIVALENTS) {
+    if (deq.pattern.test(trimmed)) {
+      suspicion_reasons.push(`Destructive equivalent detected: ${deq.description}`);
+    }
+  }
+  const chainSegments = splitChains(trimmed);
+  for (const chainSeg of chainSegments) {
+    const pipeSegments = splitPipes(chainSeg);
+    for (const pipeSeg of pipeSegments) {
+      const unwrapped = unwrapCommand(pipeSeg.trim());
+      if (unwrapped.unwrapped) {
+        segments.push({
+          raw: pipeSeg.trim(),
+          effective: unwrapped.effective,
+          type: "unwrapped",
+          warnings: unwrapped.warnings
+        });
+        const inner = normalize(unwrapped.effective);
+        for (const innerSeg of inner.segments) {
+          if (innerSeg.effective !== unwrapped.effective) {
+            segments.push(innerSeg);
+          }
+        }
+        suspicion_reasons.push(...inner.suspicion_reasons);
+      } else {
+        const type = pipeSegments.length > 1 ? "pipe-segment" : chainSegments.length > 1 ? "chain-segment" : "direct";
+        segments.push({
+          raw: pipeSeg.trim(),
+          effective: pipeSeg.trim(),
+          type,
+          warnings: []
+        });
+      }
+    }
+  }
+  const subshells = extractSubshells(trimmed);
+  for (const sub of subshells) {
+    segments.push({
+      raw: trimmed,
+      effective: sub,
+      type: "subshell",
+      warnings: ["Subshell command extracted for evaluation"]
+    });
+  }
+  return {
+    segments,
+    suspicious: suspicion_reasons.length > 0,
+    suspicion_reasons,
+    original
+  };
+}
+function splitChains(command) {
+  return splitRespectingQuotes(command, /\s*(?:&&|\|\||;)\s*/);
+}
+function splitPipes(command) {
+  return splitRespectingQuotes(command, /\s*\|(?!\|)\s*/);
+}
+function splitRespectingQuotes(input, delimiter) {
+  const segments = [];
+  let current = "";
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let escaped = false;
+  let i = 0;
+  while (i < input.length) {
+    const char = input[i];
+    if (escaped) {
+      current += char;
+      escaped = false;
+      i++;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      current += char;
+      i++;
+      continue;
+    }
+    if (char === "'" && !inDoubleQuote) {
+      inSingleQuote = !inSingleQuote;
+      current += char;
+      i++;
+      continue;
+    }
+    if (char === '"' && !inSingleQuote) {
+      inDoubleQuote = !inDoubleQuote;
+      current += char;
+      i++;
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote) {
+      const remaining = input.slice(i);
+      const match = remaining.match(delimiter);
+      if (match && match.index === 0) {
+        if (current.trim()) {
+          segments.push(current.trim());
+        }
+        current = "";
+        i += match[0].length;
+        continue;
+      }
+    }
+    current += char;
+    i++;
+  }
+  if (current.trim()) {
+    segments.push(current.trim());
+  }
+  return segments.length > 0 ? segments : [input];
+}
+function unwrapCommand(command) {
+  for (const wrapper of SHELL_WRAPPERS) {
+    const match = command.match(wrapper.pattern);
+    if (match) {
+      const inner = wrapper.extract(match);
+      if (inner) {
+        return {
+          unwrapped: true,
+          effective: inner.trim(),
+          wrapper: wrapper.name,
+          warnings: [`Unwrapped from ${wrapper.name}: "${command}" \u2192 "${inner.trim()}"`]
+        };
+      }
+    }
+  }
+  return { unwrapped: false, effective: command, warnings: [] };
+}
+function extractSubshells(command) {
+  const subshells = [];
+  const dollarParen = /\$\(([^)]+)\)/g;
+  let match;
+  while ((match = dollarParen.exec(command)) !== null) {
+    if (match[1]) subshells.push(match[1].trim());
+  }
+  const backtick = /`([^`]+)`/g;
+  while ((match = backtick.exec(command)) !== null) {
+    if (match[1]) subshells.push(match[1].trim());
+  }
+  return subshells;
+}
+function getBaseCommand(command) {
+  const trimmed = command.trim();
+  const firstSpace = trimmed.indexOf(" ");
+  return firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);
+}
+function hasDestructiveEquivalent(command) {
+  const matches = [];
+  for (const deq of DESTRUCTIVE_EQUIVALENTS) {
+    if (deq.pattern.test(command)) {
+      matches.push({ equivalent: deq.equivalent, description: deq.description });
+    }
+  }
+  return { found: matches.length > 0, matches };
+}
+function hasEncodingTricks(command) {
+  const tricks = [];
+  for (const enc of ENCODING_PATTERNS) {
+    if (enc.pattern.test(command)) {
+      tricks.push({ name: enc.name, risk: enc.risk });
+    }
+  }
+  return { found: tricks.length > 0, tricks };
+}
+function summarize(result) {
+  const lines = [];
+  lines.push(`Original: ${result.original}`);
+  lines.push(`Segments: ${result.segments.length}`);
+  lines.push(`Suspicious: ${result.suspicious}`);
+  if (result.suspicion_reasons.length > 0) {
+    lines.push(`Suspicion reasons:`);
+    for (const reason of result.suspicion_reasons) {
+      lines.push(`  - ${reason}`);
+    }
+  }
+  lines.push(`Segments:`);
+  for (const seg of result.segments) {
+    lines.push(`  [${seg.type}] ${seg.effective}`);
+    for (const w of seg.warnings) {
+      lines.push(`    \u26A0 ${w}`);
+    }
+  }
+  return lines.join("\n");
+}
+var SHELL_WRAPPERS, ENCODING_PATTERNS, DESTRUCTIVE_EQUIVALENTS;
+var init_commandNormalizer = __esm({
+  "src/commandNormalizer.ts"() {
+    "use strict";
+    SHELL_WRAPPERS = [
+      // bash -c "cmd" / sh -c "cmd"
+      {
+        pattern: /^(?:bash|sh|zsh|dash|ksh)\s+-c\s+(?:"([^"]+)"|'([^']+)'|(\S+))/,
+        extract: (m) => m[1] || m[2] || m[3] || "",
+        name: "shell -c"
+      },
+      // env cmd args...
+      {
+        pattern: /^env\s+(?:-\S+\s+)*(?:\S+=\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "env"
+      },
+      // xargs cmd
+      {
+        pattern: /^xargs\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "xargs"
+      },
+      // sudo cmd
+      {
+        pattern: /^sudo\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "sudo"
+      },
+      // nohup cmd
+      {
+        pattern: /^nohup\s+(.+?)(?:\s*&\s*)?$/,
+        extract: (m) => m[1] || "",
+        name: "nohup"
+      },
+      // timeout N cmd
+      {
+        pattern: /^timeout\s+\d+[smhd]?\s+(.+)/,
+        extract: (m) => m[1] || "",
+        name: "timeout"
+      },
+      // nice -n N cmd
+      {
+        pattern: /^nice\s+(?:-n\s+\d+\s+)?(.+)/,
+        extract: (m) => m[1] || "",
+        name: "nice"
+      },
+      // strace / ltrace cmd
+      {
+        pattern: /^(?:strace|ltrace)\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "trace"
+      },
+      // watch -n N cmd
+      {
+        pattern: /^watch\s+(?:-n\s+\d+\s+)?(.+)/,
+        extract: (m) => m[1] || "",
+        name: "watch"
+      }
+    ];
+    ENCODING_PATTERNS = [
+      // echo "base64" | base64 -d | bash
+      {
+        pattern: /base64\s+(?:-d|--decode)/,
+        name: "base64-decode",
+        risk: "Command may be hidden via base64 encoding"
+      },
+      // printf '\x72\x6d' (hex encoding)
+      {
+        pattern: /printf\s+.*\\x[0-9a-fA-F]{2}/,
+        name: "hex-printf",
+        risk: "Command may be hidden via hex encoding in printf"
+      },
+      // $'\x72\x6d' (ANSI-C quoting)
+      {
+        pattern: /\$'[^']*\\x[0-9a-fA-F]{2}/,
+        name: "ansi-c-quoting",
+        risk: "Command may be hidden via ANSI-C quoting"
+      },
+      // python -c "import os; os.system('rm -rf /')"
+      {
+        pattern: /python[23]?\s+-c\s+/,
+        name: "python-exec",
+        risk: "Arbitrary code execution via Python"
+      },
+      // perl -e "system('rm -rf /')"
+      {
+        pattern: /perl\s+-e\s+/,
+        name: "perl-exec",
+        risk: "Arbitrary code execution via Perl"
+      },
+      // ruby -e "system('rm -rf /')"
+      {
+        pattern: /ruby\s+-e\s+/,
+        name: "ruby-exec",
+        risk: "Arbitrary code execution via Ruby"
+      },
+      // eval "cmd"
+      {
+        pattern: /\beval\s+/,
+        name: "eval",
+        risk: "Dynamic command evaluation"
+      },
+      // curl ... | bash
+      {
+        pattern: /curl\s+.*\|\s*(?:bash|sh|zsh)/,
+        name: "curl-pipe-shell",
+        risk: "Remote code execution via curl | bash"
+      },
+      // wget ... -O - | bash
+      {
+        pattern: /wget\s+.*\|\s*(?:bash|sh|zsh)/,
+        name: "wget-pipe-shell",
+        risk: "Remote code execution via wget | bash"
+      }
+    ];
+    DESTRUCTIVE_EQUIVALENTS = [
+      // find / -delete (equivalent to rm -rf)
+      { pattern: /find\s+.*-delete/, equivalent: "rm -rf", description: "find -delete is equivalent to rm -rf" },
+      // find / -exec rm {} (equivalent to rm -rf)
+      { pattern: /find\s+.*-exec\s+rm/, equivalent: "rm -rf", description: "find -exec rm is equivalent to rm -rf" },
+      // TRUNCATE TABLE (equivalent to DELETE FROM)
+      { pattern: /TRUNCATE\s+TABLE/i, equivalent: "DELETE FROM", description: "TRUNCATE TABLE is equivalent to DELETE FROM" },
+      // dd if=/dev/zero of=/ (disk wipe)
+      { pattern: /dd\s+.*of=\//, equivalent: "disk-wipe", description: "dd writing to root is destructive" },
+      // mkfs (format disk)
+      { pattern: /mkfs/, equivalent: "disk-format", description: "mkfs formats a disk" },
+      // shred (secure delete)
+      { pattern: /shred\s+/, equivalent: "secure-delete", description: "shred securely deletes files" },
+      // chmod 777 / (open permissions)
+      { pattern: /chmod\s+777\s+\//, equivalent: "open-permissions", description: "chmod 777 / opens all permissions" },
+      // chown root (change ownership)
+      { pattern: /chown\s+.*\//, equivalent: "change-ownership", description: "chown on root paths is dangerous" },
+      // iptables -F (flush firewall)
+      { pattern: /iptables\s+-F/, equivalent: "flush-firewall", description: "iptables -F flushes all firewall rules" }
+    ];
+  }
+});
+
+// src/whitelistEngine.ts
+var whitelistEngine_exports = {};
+__export(whitelistEngine_exports, {
+  PRESETS: () => PRESETS,
+  PRESET_DEVELOPER: () => PRESET_DEVELOPER,
+  PRESET_PRODUCTION: () => PRESET_PRODUCTION,
+  PRESET_READONLY: () => PRESET_READONLY,
+  WhitelistEngine: () => WhitelistEngine,
+  autoLoadPolicy: () => autoLoadPolicy,
+  generatePolicyFile: () => generatePolicyFile,
+  loadPolicy: () => loadPolicy
+});
+function matchPattern(command, pattern) {
+  const normalizedCmd = command.trim().replace(/\s+/g, " ");
+  const normalizedPattern = pattern.trim().replace(/\s+/g, " ");
+  const regexStr = "^" + normalizedPattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
+  try {
+    return new RegExp(regexStr).test(normalizedCmd);
+  } catch {
+    return false;
+  }
+}
+function loadPolicy(filePath) {
+  if (!(0, import_node_fs5.existsSync)(filePath)) {
+    throw new Error(`Policy file not found: ${filePath}`);
+  }
+  const raw = (0, import_node_fs5.readFileSync)(filePath, "utf-8");
+  try {
+    return JSON.parse(raw);
+  } catch {
+  }
+  return parseSimpleYaml(raw);
+}
+function autoLoadPolicy(projectDir) {
+  const candidates = [
+    (0, import_node_path5.join)(projectDir, ".sovr", "policy.json"),
+    (0, import_node_path5.join)(projectDir, ".sovr", "policy.yaml"),
+    (0, import_node_path5.join)(projectDir, ".sovr", "policy.yml"),
+    (0, import_node_path5.join)(projectDir, "sovr.policy.json")
+  ];
+  for (const candidate of candidates) {
+    if ((0, import_node_fs5.existsSync)(candidate)) {
+      return loadPolicy(candidate);
+    }
+  }
+  return null;
+}
+function parseSimpleYaml(raw) {
+  const lines = raw.split("\n");
+  const policy = {
+    version: "1.0",
+    mode: "whitelist",
+    rules: []
+  };
+  let currentRule = null;
+  let inRules = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    if (trimmed.startsWith("version:")) {
+      policy.version = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed.startsWith("mode:")) {
+      policy.mode = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed === "rules:") {
+      inRules = true;
+    } else if (inRules && trimmed.startsWith("- pattern:")) {
+      if (currentRule?.pattern) {
+        policy.rules.push(currentRule);
+      }
+      currentRule = {
+        pattern: trimmed.replace("- pattern:", "").trim().replace(/['"]/g, ""),
+        allow: true,
+        enabled: true
+      };
+    } else if (inRules && currentRule) {
+      if (trimmed.startsWith("allow:")) {
+        currentRule.allow = trimmed.includes("true");
+      } else if (trimmed.startsWith("description:")) {
+        currentRule.description = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+      } else if (trimmed.startsWith("require_approval:")) {
+        currentRule.require_approval = trimmed.includes("true");
+      } else if (trimmed.startsWith("max_args:")) {
+        currentRule.max_args = parseInt(trimmed.split(":")[1].trim());
+      } else if (trimmed.startsWith("priority:")) {
+        currentRule.priority = parseInt(trimmed.split(":")[1].trim());
+      }
+    }
+  }
+  if (currentRule?.pattern) {
+    policy.rules.push(currentRule);
+  }
+  return policy;
+}
+function generatePolicyFile(preset, format = "yaml") {
+  const policy = PRESETS[preset];
+  if (!policy) {
+    throw new Error(`Unknown preset: ${preset}. Available: ${Object.keys(PRESETS).join(", ")}`);
+  }
+  if (format === "json") {
+    return JSON.stringify(policy, null, 2);
+  }
+  let yaml = `# SOVR Whitelist Policy
+`;
+  yaml += `# Preset: ${preset}
+`;
+  yaml += `# Generated: ${(/* @__PURE__ */ new Date()).toISOString()}
+
+`;
+  yaml += `version: "${policy.version}"
+`;
+  yaml += `mode: ${policy.mode}
+
+`;
+  yaml += `rules:
+`;
+  for (const rule of policy.rules) {
+    yaml += `  - pattern: "${rule.pattern}"
+`;
+    yaml += `    allow: ${rule.allow}
+`;
+    if (rule.description) yaml += `    description: "${rule.description}"
+`;
+    if (rule.require_approval) yaml += `    require_approval: true
+`;
+    if (rule.max_args !== void 0) yaml += `    max_args: ${rule.max_args}
+`;
+    yaml += `
+`;
+  }
+  if (policy.settings) {
+    yaml += `settings:
+`;
+    for (const [key, value] of Object.entries(policy.settings)) {
+      yaml += `  ${key}: ${value}
+`;
+    }
+  }
+  return yaml;
+}
+var import_node_fs5, import_node_path5, PRESET_READONLY, PRESET_DEVELOPER, PRESET_PRODUCTION, PRESETS, WhitelistEngine;
+var init_whitelistEngine = __esm({
+  "src/whitelistEngine.ts"() {
+    "use strict";
+    import_node_fs5 = require("fs");
+    import_node_path5 = require("path");
+    PRESET_READONLY = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        { pattern: "ls *", allow: true, description: "List directory" },
+        { pattern: "cat *", allow: true, description: "Read file" },
+        { pattern: "head *", allow: true, description: "Read file head" },
+        { pattern: "tail *", allow: true, description: "Read file tail" },
+        { pattern: "find *", allow: true, description: "Find files", max_args: 10 },
+        { pattern: "grep *", allow: true, description: "Search in files" },
+        { pattern: "wc *", allow: true, description: "Word count" },
+        { pattern: "file *", allow: true, description: "File type" },
+        { pattern: "pwd", allow: true, description: "Print working directory" },
+        { pattern: "whoami", allow: true, description: "Current user" },
+        { pattern: "date", allow: true, description: "Current date" },
+        { pattern: "echo *", allow: true, description: "Echo text" }
+      ],
+      settings: {
+        max_command_length: 500,
+        allow_env_expansion: false,
+        allow_subshell: false,
+        allow_pipes: true,
+        allow_chains: false,
+        allow_redirects: false
+      }
+    };
+    PRESET_DEVELOPER = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        // Read operations
+        ...PRESET_READONLY.rules,
+        // Git (safe operations)
+        { pattern: "git status", allow: true, description: "Git status" },
+        { pattern: "git diff *", allow: true, description: "Git diff" },
+        { pattern: "git log *", allow: true, description: "Git log" },
+        { pattern: "git branch *", allow: true, description: "Git branch" },
+        { pattern: "git add *", allow: true, description: "Git add" },
+        { pattern: "git commit *", allow: true, description: "Git commit" },
+        { pattern: "git push *", allow: true, require_approval: true, description: "Git push (requires approval)" },
+        { pattern: "git pull *", allow: true, description: "Git pull" },
+        { pattern: "git checkout *", allow: true, description: "Git checkout" },
+        { pattern: "git stash *", allow: true, description: "Git stash" },
+        // Node.js / npm
+        { pattern: "node *", allow: true, description: "Run Node.js" },
+        { pattern: "npm run *", allow: true, description: "Run npm script" },
+        { pattern: "npm test", allow: true, description: "Run tests" },
+        { pattern: "npm install *", allow: true, description: "Install packages" },
+        { pattern: "npx *", allow: true, description: "Run npx" },
+        { pattern: "pnpm *", allow: true, description: "Run pnpm" },
+        { pattern: "yarn *", allow: true, description: "Run yarn" },
+        // Python
+        { pattern: "python3 *", allow: true, description: "Run Python", max_args: 20 },
+        { pattern: "pip install *", allow: true, description: "Install Python packages" },
+        { pattern: "pip3 install *", allow: true, description: "Install Python packages" },
+        // Build tools
+        { pattern: "make *", allow: true, description: "Run make" },
+        { pattern: "cargo *", allow: true, description: "Run cargo" },
+        // File operations (limited)
+        { pattern: "mkdir *", allow: true, description: "Create directory" },
+        { pattern: "cp *", allow: true, description: "Copy files" },
+        { pattern: "mv *", allow: true, description: "Move files" },
+        { pattern: "touch *", allow: true, description: "Create empty file" },
+        // Dangerous operations — require approval
+        { pattern: "rm *", allow: true, require_approval: true, description: "Delete files (requires approval)" },
+        { pattern: "npm publish *", allow: true, require_approval: true, description: "Publish package (requires approval)" },
+        { pattern: "docker *", allow: true, require_approval: true, description: "Docker operations (requires approval)" }
+      ],
+      settings: {
+        max_command_length: 2e3,
+        allow_env_expansion: true,
+        allow_subshell: false,
+        allow_pipes: true,
+        allow_chains: true,
+        allow_redirects: true
+      }
+    };
+    PRESET_PRODUCTION = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        { pattern: "echo *", allow: true, description: "Echo" },
+        { pattern: "date", allow: true, description: "Date" },
+        { pattern: "uptime", allow: true, description: "Uptime" },
+        { pattern: "df *", allow: true, description: "Disk usage" },
+        { pattern: "free *", allow: true, description: "Memory usage" },
+        { pattern: "ps *", allow: true, description: "Process list" },
+        { pattern: "curl *", allow: true, require_approval: true, description: "HTTP request (requires approval)" }
+      ],
+      default_action: "deny",
+      settings: {
+        max_command_length: 500,
+        allow_env_expansion: false,
+        allow_subshell: false,
+        allow_pipes: false,
+        allow_chains: false,
+        allow_redirects: false
+      }
+    };
+    PRESETS = {
+      readonly: PRESET_READONLY,
+      developer: PRESET_DEVELOPER,
+      production: PRESET_PRODUCTION
+    };
+    WhitelistEngine = class {
+      policy;
+      constructor(policy) {
+        this.policy = policy;
+        this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+      }
+      /**
+       * Evaluate a command against the whitelist policy.
+       */
+      evaluate(command) {
+        const violations = [];
+        const structuralCheck = this.checkStructural(command);
+        violations.push(...structuralCheck.violations);
+        if (structuralCheck.blocked) {
+          return {
+            allowed: false,
+            require_approval: false,
+            reason: `Structural violation: ${violations.join(", ")}`,
+            risk: "critical",
+            violations
+          };
+        }
+        const enabledRules = this.policy.rules.filter((r) => r.enabled !== false);
+        for (const rule of enabledRules) {
+          if (matchPattern(command, rule.pattern)) {
+            if (rule.max_args !== void 0) {
+              const argCount = command.split(/\s+/).length - 1;
+              if (argCount > rule.max_args) {
+                violations.push(`Too many arguments: ${argCount} > ${rule.max_args}`);
+                return {
+                  allowed: false,
+                  require_approval: false,
+                  matched_rule: rule,
+                  reason: `Argument limit exceeded for pattern "${rule.pattern}"`,
+                  risk: "high",
+                  violations
+                };
+              }
+            }
+            if (rule.allow) {
+              return {
+                allowed: true,
+                require_approval: rule.require_approval ?? false,
+                matched_rule: rule,
+                reason: rule.description || `Matched whitelist pattern: ${rule.pattern}`,
+                risk: rule.require_approval ? "medium" : "low",
+                violations
+              };
+            } else {
+              return {
+                allowed: false,
+                require_approval: false,
+                matched_rule: rule,
+                reason: rule.description || `Matched blacklist pattern: ${rule.pattern}`,
+                risk: "high",
+                violations
+              };
+            }
+          }
+        }
+        switch (this.policy.mode) {
+          case "whitelist":
+            return {
+              allowed: false,
+              require_approval: false,
+              reason: `No whitelist rule matches command. In whitelist mode, unlisted commands are DENIED.`,
+              risk: "high",
+              violations
+            };
+          case "blacklist":
+            return {
+              allowed: true,
+              require_approval: false,
+              reason: "No blacklist rule matches. Command allowed by default.",
+              risk: "medium",
+              violations
+            };
+          case "hybrid": {
+            const defaultAction = this.policy.default_action || "deny";
+            return {
+              allowed: defaultAction === "allow",
+              require_approval: defaultAction === "escalate",
+              reason: `No rule matches. Hybrid mode default: ${defaultAction}`,
+              risk: defaultAction === "allow" ? "medium" : "high",
+              violations
+            };
+          }
+        }
+      }
+      /**
+       * Check structural constraints (pipes, chains, subshells, etc.)
+       */
+      checkStructural(command) {
+        const violations = [];
+        const settings = this.policy.settings || {};
+        if (settings.max_command_length && command.length > settings.max_command_length) {
+          violations.push(`Command too long: ${command.length} > ${settings.max_command_length}`);
+        }
+        if (settings.allow_subshell === false) {
+          if (/\$\(/.test(command) || /`[^`]+`/.test(command)) {
+            violations.push("Subshell execution not allowed");
+          }
+        }
+        if (settings.allow_pipes === false) {
+          if (/\|(?!\|)/.test(command)) {
+            violations.push("Pipe chains not allowed");
+          }
+        }
+        if (settings.allow_chains === false) {
+          if (/[;&]|&&|\|\|/.test(command)) {
+            violations.push("Command chaining not allowed");
+          }
+        }
+        if (settings.allow_redirects === false) {
+          if (/[<>]|>>/.test(command)) {
+            violations.push("Output redirection not allowed");
+          }
+        }
+        if (settings.allow_env_expansion === false) {
+          if (/\$[A-Za-z_]/.test(command) || /\$\{/.test(command)) {
+            violations.push("Environment variable expansion not allowed");
+          }
+        }
+        return {
+          blocked: violations.length > 0,
+          violations
+        };
+      }
+      /**
+       * Get the current policy.
+       */
+      getPolicy() {
+        return { ...this.policy };
+      }
+      /**
+       * Add a rule dynamically.
+       */
+      addRule(rule) {
+        this.policy.rules.push(rule);
+        this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+      }
+      /**
+       * Remove a rule by pattern.
+       */
+      removeRule(pattern) {
+        const idx = this.policy.rules.findIndex((r) => r.pattern === pattern);
+        if (idx >= 0) {
+          this.policy.rules.splice(idx, 1);
+          return true;
+        }
+        return false;
+      }
+      /**
+       * List all rules.
+       */
+      listRules() {
+        return [...this.policy.rules];
+      }
+    };
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -9857,11 +10824,15 @@ async function checkVersionGate(packageName, currentVersion, apiKey) {
 }
 async function cli(args) {
   const { PolicyEngine: PolicyEngine2, DEFAULT_RULES: DEFAULT_RULES2 } = await Promise.resolve().then(() => (init_engine(), engine_exports));
+  const { transformToolList: transformToolList2, shouldIntercept: shouldIntercept2, parseMode: parseMode2 } = await Promise.resolve().then(() => (init_toolReplacement(), toolReplacement_exports));
+  const { normalize: normalizeCommand, summarize: summarizeNormalization } = await Promise.resolve().then(() => (init_commandNormalizer(), commandNormalizer_exports));
   let upstreamCmd = "";
   let upstreamArgs = [];
   let rulesFile = null;
   let verbose = false;
   let startupTimeoutMs = 3e4;
+  let mode = "enforce";
+  let whitelistPreset = null;
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
       case "--upstream":
@@ -9883,14 +10854,39 @@ async function cli(args) {
       case "-t":
         startupTimeoutMs = parseInt(args[++i] ?? "30000", 10);
         break;
+      case "--mode":
+      case "-m":
+        mode = args[++i] ?? "enforce";
+        break;
+      case "--whitelist":
+      case "-w":
+        whitelistPreset = args[++i] ?? null;
+        break;
+      default: {
+        const modeMatch = args[i]?.match(/^--mode=(.+)$/);
+        if (modeMatch) {
+          mode = modeMatch[1];
+          break;
+        }
+        const wlMatch = args[i]?.match(/^--whitelist=(.+)$/);
+        if (wlMatch) {
+          whitelistPreset = wlMatch[1];
+          break;
+        }
+      }
     }
   }
   if (!upstreamCmd) {
     process.stderr.write(
-      'Usage: sovr-mcp-proxy --upstream "command args..." [--rules policy.json] [--timeout 30000] [--verbose]\n'
+      'Usage: sovr-mcp-proxy --upstream "command args..." [--mode=exclusive|enforce|advisory|monitor] [--whitelist=preset|path] [--verbose]\n'
     );
     process.exit(1);
   }
+  if (!["exclusive", "enforce", "advisory", "monitor"].includes(mode)) {
+    process.stderr.write(`[SOVR] Invalid mode: ${mode}. Must be: exclusive|enforce|advisory|monitor
+`);
+    process.exit(1);
+  }
   let rules = DEFAULT_RULES2;
   if (rulesFile) {
     const fs = await import("fs");
@@ -9898,6 +10894,26 @@ async function cli(args) {
     const parsed = JSON.parse(content);
     rules = parsed.rules ?? parsed;
   }
+  const { WhitelistEngine: WhitelistEngine2, PRESETS: WL_PRESETS } = await Promise.resolve().then(() => (init_whitelistEngine(), whitelistEngine_exports));
+  let whitelist = null;
+  if (whitelistPreset) {
+    const presetNames = Object.keys(WL_PRESETS);
+    if (presetNames.includes(whitelistPreset)) {
+      whitelist = new WhitelistEngine2(WL_PRESETS[whitelistPreset]);
+    } else {
+      try {
+        const fs = await import("fs");
+        const content = fs.readFileSync(whitelistPreset, "utf-8");
+        const parsed = JSON.parse(content);
+        whitelist = new WhitelistEngine2(parsed);
+      } catch (err) {
+        process.stderr.write(`[SOVR] Failed to load whitelist from ${whitelistPreset}: ${err.message}
+`);
+        process.exit(1);
+      }
+    }
+  }
+  const validatedMode = parseMode2(mode);
   const engine = new PolicyEngine2({
     rules,
     audit_log: true,
@@ -9910,6 +10926,24 @@ async function cli(args) {
       }
     }
   });
+  process.stderr.write(`
+`);
+  process.stderr.write(`  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+`);
+  process.stderr.write(`  \u2551  SOVR MCP Proxy v${PROXY_VERSION}                      \u2551
+`);
+  process.stderr.write(`  \u2551  Mode: ${mode.toUpperCase().padEnd(40)}\u2551
+`);
+  if (whitelist) {
+    process.stderr.write(`  \u2551  Whitelist: ${(whitelistPreset ?? "custom").padEnd(35)}\u2551
+`);
+  }
+  process.stderr.write(`  \u2551  Upstream: ${upstreamCmd.substring(0, 36).padEnd(36)}\u2551
+`);
+  process.stderr.write(`  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+  process.stderr.write(`
+`);
   const proxy = new McpProxy({
     engine,
     upstream: { command: upstreamCmd, args: upstreamArgs },
@@ -9926,8 +10960,37 @@ async function cli(args) {
         `[ESCALATED] ${info.toolName}: ${info.decision.reason}
 `
       );
+    },
+    onIntercept: (info) => {
+      if (info.arguments?.command && typeof info.arguments.command === "string") {
+        const normalized = normalizeCommand(info.arguments.command);
+        if (verbose) {
+          process.stderr.write(`[SOVR] Normalized: ${summarizeNormalization(normalized)}
+`);
+          if (normalized.suspicious) {
+            process.stderr.write(`[SOVR] \u26A0 Suspicious: ${normalized.suspicion_reasons.join(", ")}
+`);
+          }
+        }
+      }
+      if (whitelist && info.arguments?.command && typeof info.arguments.command === "string") {
+        const wlResult = whitelist.evaluate(info.arguments.command);
+        if (!wlResult.allowed && (validatedMode === "enforce" || validatedMode === "exclusive")) {
+          if (verbose) {
+            process.stderr.write(`[SOVR] Whitelist DENIED: ${wlResult.reason}
+`);
+          }
+        }
+      }
     }
   });
+  if (validatedMode === "exclusive") {
+    proxy.on("intercept", () => {
+      if (verbose) {
+        process.stderr.write("[SOVR] Exclusive mode: all tool calls routed through SOVR\n");
+      }
+    });
+  }
   await proxy.start();
 }
 var import_node_child_process2, import_node_events, PROXY_VERSION, SOVR_MIN_VERSION_URL, SOVR_DASHBOARD_URL2, McpProxy, index_default;
@@ -9937,7 +11000,7 @@ var init_index = __esm({
     import_node_child_process2 = require("child_process");
     import_node_events = require("events");
     init_usageTracker();
-    PROXY_VERSION = "5.2.0";
+    PROXY_VERSION = "7.0.0";
     SOVR_MIN_VERSION_URL = "https://api.sovr.inc/api/sovr/v1/version/check";
     SOVR_DASHBOARD_URL2 = "https://sovr.inc/dashboard/api-keys";
     McpProxy = class extends import_node_events.EventEmitter {
@@ -10684,6 +11747,305 @@ var init_index = __esm({
   }
 });
 
+// src/hooksAdapter.ts
+var hooksAdapter_exports = {};
+__export(hooksAdapter_exports, {
+  detectClaudeCode: () => detectClaudeCode,
+  generateAuditHookScript: () => generateAuditHookScript,
+  generateHookScript: () => generateHookScript,
+  generateHooksConfig: () => generateHooksConfig,
+  installHooks: () => installHooks,
+  uninstallHooks: () => uninstallHooks
+});
+function generateHookScript(config) {
+  const failExit = config.failMode === "closed" ? 2 : 0;
+  const endpoint = config.endpoint || "http://localhost:45557";
+  const apiKeyRef = config.apiKey ? `"${config.apiKey}"` : '"${SOVR_API_KEY:-}"';
+  return `#!/bin/bash
+# SOVR PreToolUse Hook for Claude Code
+# Generated by: npx sovr-mcp-proxy init --claude-code
+# 
+# This hook intercepts ALL tool calls and evaluates them against
+# SOVR security policies BEFORE Claude Code executes them.
+#
+# Exit codes:
+#   0 = ALLOW (proceed with tool call)
+#   2 = BLOCK (reject tool call)
+#
+# Environment:
+#   SOVR_API_KEY     \u2014 API key for SOVR authentication
+#   SOVR_ENDPOINT    \u2014 SOVR daemon endpoint (default: ${endpoint})
+#   SOVR_FAIL_MODE   \u2014 'open' (default) or 'closed'
+#   SOVR_HOOK_DEBUG  \u2014 Set to '1' for debug logging
+
+set -euo pipefail
+
+# Configuration
+SOVR_ENDPOINT="\${SOVR_ENDPOINT:-${endpoint}}"
+SOVR_API_KEY=${apiKeyRef}
+SOVR_FAIL_MODE="\${SOVR_FAIL_MODE:-${config.failMode || "open"}}"
+SOVR_HOOK_DEBUG="\${SOVR_HOOK_DEBUG:-0}"
+FAIL_EXIT=${failExit}
+
+# Debug logging
+debug() {
+  if [ "$SOVR_HOOK_DEBUG" = "1" ]; then
+    echo "[SOVR-HOOK $(date -u +%H:%M:%S)] $*" >&2
+  fi
+}
+
+# Read hook input from stdin
+INPUT=$(cat)
+debug "Input: $INPUT"
+
+# Extract tool name and input from JSON
+TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "unknown")
+TOOL_INPUT=$(echo "$INPUT" | grep -o '"tool_input":{[^}]*}' | head -1 2>/dev/null || echo "{}")
+
+debug "Tool: $TOOL_NAME"
+
+# Skip non-dangerous tools (read-only operations)
+case "$TOOL_NAME" in
+  Read|View|LS|Glob|Grep|TodoRead|WebFetch|WebSearch)
+    debug "SKIP: Read-only tool $TOOL_NAME"
+    exit 0
+    ;;
+esac
+
+# Extract command for Bash tools
+COMMAND=""
+case "$TOOL_NAME" in
+  Bash|bash|shell|execute_command)
+    COMMAND=$(echo "$TOOL_INPUT" | grep -o '"command":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+    ;;
+  Write|Edit|MultiEdit)
+    COMMAND=$(echo "$TOOL_INPUT" | grep -o '"file_path":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+    ;;
+esac
+
+debug "Command: $COMMAND"
+
+# Call SOVR daemon for evaluation
+RESPONSE=$(curl -s -X POST "$SOVR_ENDPOINT/api/hook/evaluate" \\
+  -H "Content-Type: application/json" \\
+  -H "X-SOVR-API-Key: $SOVR_API_KEY" \\
+  -d "{
+    \\"tool_name\\": \\"$TOOL_NAME\\",
+    \\"command\\": $(echo "$COMMAND" | python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' 2>/dev/null || echo '""'),
+    \\"channel\\": \\"hooks\\",
+    \\"context\\": {
+      \\"platform\\": \\"claude-code\\",
+      \\"hook_event\\": \\"PreToolUse\\"
+    }
+  }" \\
+  --connect-timeout 3 --max-time 5 2>/dev/null) || {
+  debug "SOVR daemon unreachable, fail-$SOVR_FAIL_MODE"
+  exit $FAIL_EXIT
+}
+
+debug "Response: $RESPONSE"
+
+# Parse verdict
+VERDICT=$(echo "$RESPONSE" | grep -o '"verdict":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+REASON=$(echo "$RESPONSE" | grep -o '"reason":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "Policy evaluation failed")
+
+case "$VERDICT" in
+  allow)
+    debug "ALLOWED: $TOOL_NAME"
+    exit 0
+    ;;
+  deny)
+    debug "BLOCKED: $TOOL_NAME \u2014 $REASON"
+    # Output block reason as JSON for Claude Code to display
+    echo "{\\"error\\": \\"SOVR Policy Violation: $REASON\\"}"
+    exit 2
+    ;;
+  escalate)
+    debug "ESCALATED: $TOOL_NAME \u2014 requires approval"
+    echo "{\\"error\\": \\"SOVR: This action requires human approval. Reason: $REASON\\"}"
+    exit 2
+    ;;
+  *)
+    debug "UNKNOWN verdict: $VERDICT, fail-$SOVR_FAIL_MODE"
+    exit $FAIL_EXIT
+    ;;
+esac
+`;
+}
+function generateAuditHookScript(config) {
+  const endpoint = config.endpoint || "http://localhost:45557";
+  const apiKeyRef = config.apiKey ? `"${config.apiKey}"` : '"${SOVR_API_KEY:-}"';
+  return `#!/bin/bash
+# SOVR PostToolUse Audit Hook for Claude Code
+# Records tool execution results for audit trail
+set -euo pipefail
+
+SOVR_ENDPOINT="\${SOVR_ENDPOINT:-${endpoint}}"
+SOVR_API_KEY=${apiKeyRef}
+
+INPUT=$(cat)
+TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "unknown")
+
+# Fire-and-forget audit log
+curl -s -X POST "$SOVR_ENDPOINT/api/hook/audit" \\
+  -H "Content-Type: application/json" \\
+  -H "X-SOVR-API-Key: $SOVR_API_KEY" \\
+  -d "{
+    \\"tool_name\\": \\"$TOOL_NAME\\",
+    \\"event\\": \\"PostToolUse\\",
+    \\"timestamp\\": $(date +%s)000
+  }" \\
+  --connect-timeout 2 --max-time 3 2>/dev/null &
+
+# Always allow (audit is non-blocking)
+exit 0
+`;
+}
+function generateHooksConfig(config) {
+  const hookScriptPath = getHookScriptPath();
+  const timeout = config.hookTimeout || DEFAULT_HOOK_TIMEOUT;
+  const hooks = {
+    PreToolUse: []
+  };
+  const patterns = config.toolPatterns || DEFAULT_TOOL_PATTERNS;
+  for (const pattern of patterns) {
+    hooks.PreToolUse.push({
+      matcher: { tool_name: pattern },
+      hooks: [{ command: hookScriptPath, timeout }]
+    });
+  }
+  if (config.addAuditHook) {
+    const auditScriptPath = getAuditHookScriptPath();
+    hooks.PostToolUse = patterns.map((pattern) => ({
+      matcher: { tool_name: pattern },
+      hooks: [{ command: auditScriptPath, timeout: 5 }]
+    }));
+  }
+  return hooks;
+}
+function installHooks(config) {
+  const settingsPath = config.settingsPath || getDefaultSettingsPath();
+  const hookScriptPath = getHookScriptPath();
+  const auditScriptPath = config.addAuditHook ? getAuditHookScriptPath() : void 0;
+  const settingsDir = (0, import_node_path6.dirname)(settingsPath);
+  const hooksDir = (0, import_node_path6.dirname)(hookScriptPath);
+  (0, import_node_fs6.mkdirSync)(settingsDir, { recursive: true });
+  (0, import_node_fs6.mkdirSync)(hooksDir, { recursive: true });
+  (0, import_node_fs6.writeFileSync)(hookScriptPath, generateHookScript(config), "utf-8");
+  (0, import_node_fs6.chmodSync)(hookScriptPath, 493);
+  if (auditScriptPath) {
+    (0, import_node_fs6.writeFileSync)(auditScriptPath, generateAuditHookScript(config), "utf-8");
+    (0, import_node_fs6.chmodSync)(auditScriptPath, 493);
+  }
+  let existingSettings = {};
+  let backup;
+  if ((0, import_node_fs6.existsSync)(settingsPath)) {
+    try {
+      const raw = (0, import_node_fs6.readFileSync)(settingsPath, "utf-8");
+      existingSettings = JSON.parse(raw);
+      backup = `${settingsPath}.sovr-backup.${Date.now()}`;
+      (0, import_node_fs6.writeFileSync)(backup, raw, "utf-8");
+    } catch {
+    }
+  }
+  const sovrHooks = generateHooksConfig(config);
+  const mergedHooks = {};
+  if (existingSettings.hooks) {
+    for (const [event, defs] of Object.entries(existingSettings.hooks)) {
+      mergedHooks[event] = defs.filter(
+        (d) => !d.hooks.some((h) => h.command.includes("sovr"))
+      );
+    }
+  }
+  for (const [event, defs] of Object.entries(sovrHooks)) {
+    if (!mergedHooks[event]) mergedHooks[event] = [];
+    mergedHooks[event].push(...defs);
+  }
+  const updatedSettings = {
+    ...existingSettings,
+    hooks: mergedHooks
+  };
+  (0, import_node_fs6.writeFileSync)(settingsPath, JSON.stringify(updatedSettings, null, 2), "utf-8");
+  return {
+    settingsPath,
+    hookScriptPath,
+    auditScriptPath,
+    installed: true,
+    backup
+  };
+}
+function uninstallHooks(config) {
+  const settingsPath = config?.settingsPath || getDefaultSettingsPath();
+  if (!(0, import_node_fs6.existsSync)(settingsPath)) {
+    return { removed: false, settingsPath };
+  }
+  try {
+    const raw = (0, import_node_fs6.readFileSync)(settingsPath, "utf-8");
+    const settings = JSON.parse(raw);
+    if (settings.hooks) {
+      for (const [event, defs] of Object.entries(settings.hooks)) {
+        settings.hooks[event] = defs.filter(
+          (d) => !d.hooks.some((h) => h.command.includes("sovr"))
+        );
+      }
+    }
+    (0, import_node_fs6.writeFileSync)(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
+    return { removed: true, settingsPath };
+  } catch {
+    return { removed: false, settingsPath };
+  }
+}
+function getDefaultSettingsPath() {
+  return (0, import_node_path6.join)((0, import_node_os5.homedir)(), ".claude", "settings.json");
+}
+function getHookScriptPath() {
+  return (0, import_node_path6.join)((0, import_node_os5.homedir)(), ".sovr", "hooks", "sovr-pretool-hook.sh");
+}
+function getAuditHookScriptPath() {
+  return (0, import_node_path6.join)((0, import_node_os5.homedir)(), ".sovr", "hooks", "sovr-posttool-audit.sh");
+}
+function detectClaudeCode() {
+  const defaultPath = getDefaultSettingsPath();
+  if ((0, import_node_fs6.existsSync)((0, import_node_path6.dirname)(defaultPath))) {
+    return {
+      found: true,
+      settingsPath: defaultPath
+    };
+  }
+  const altPaths = [
+    (0, import_node_path6.join)((0, import_node_os5.homedir)(), ".config", "claude", "settings.json"),
+    (0, import_node_path6.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "Claude", "settings.json")
+  ];
+  for (const p of altPaths) {
+    if ((0, import_node_fs6.existsSync)((0, import_node_path6.dirname)(p))) {
+      return { found: true, settingsPath: p };
+    }
+  }
+  return { found: false };
+}
+var import_node_fs6, import_node_path6, import_node_os5, DEFAULT_TOOL_PATTERNS, DEFAULT_HOOK_TIMEOUT;
+var init_hooksAdapter = __esm({
+  "src/hooksAdapter.ts"() {
+    "use strict";
+    import_node_fs6 = require("fs");
+    import_node_path6 = require("path");
+    import_node_os5 = require("os");
+    DEFAULT_TOOL_PATTERNS = [
+      "Bash",
+      "bash",
+      "shell",
+      "execute_command",
+      "Write",
+      // File write operations
+      "Edit",
+      // File edit operations
+      "MultiEdit"
+      // Multi-file edit operations
+    ];
+    DEFAULT_HOOK_TIMEOUT = 10;
+  }
+});
+
 // src/cli.ts
 var import_meta = {};
 async function main(args) {
@@ -10694,6 +12056,10 @@ async function main(args) {
       await initCli2(args.slice(1));
       return;
     }
+    case "hooks": {
+      await hooksCli(args.slice(1));
+      return;
+    }
     case "keys": {
       const { keysCli: keysCli2 } = await Promise.resolve().then(() => (init_apiKeyManager(), apiKeyManager_exports));
       await keysCli2(args.slice(1));
@@ -10718,11 +12084,11 @@ async function main(args) {
     case "--version":
     case "-V": {
       try {
-        const { readFileSync: readFileSync5 } = await import("fs");
-        const { join: join5, dirname: dirname3 } = await import("path");
+        const { readFileSync: readFileSync7 } = await import("fs");
+        const { join: join7, dirname: dirname4 } = await import("path");
         const { fileURLToPath } = await import("url");
-        const __dirname = dirname3(fileURLToPath(import_meta.url));
-        const pkg = JSON.parse(readFileSync5(join5(__dirname, "..", "package.json"), "utf-8"));
+        const __dirname = dirname4(fileURLToPath(import_meta.url));
+        const pkg = JSON.parse(readFileSync7(join7(__dirname, "..", "package.json"), "utf-8"));
         process.stderr.write(`sovr-mcp-proxy v${pkg.version}
 `);
       } catch {
@@ -10737,15 +12103,151 @@ async function main(args) {
     }
   }
 }
+async function hooksCli(args) {
+  const { installHooks: installHooks2, uninstallHooks: uninstallHooks2, detectClaudeCode: detectClaudeCode2, generateHooksConfig: generateHooksConfig2 } = await Promise.resolve().then(() => (init_hooksAdapter(), hooksAdapter_exports));
+  const subcommand = args[0] || "install";
+  let failMode = "open";
+  let sovrEndpoint = "http://localhost:3271";
+  let projectDir = process.cwd();
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === "--fail-closed") failMode = "closed";
+    if (args[i] === "--fail-open") failMode = "open";
+    if (args[i] === "--endpoint" && args[i + 1]) sovrEndpoint = args[++i];
+    if (args[i] === "--dir" && args[i + 1]) projectDir = args[++i];
+  }
+  const config = {
+    endpoint: sovrEndpoint,
+    failMode,
+    toolPatterns: ["Bash", "Write", "Edit", "MultiEdit", "NotebookEdit"],
+    addAuditHook: true
+  };
+  switch (subcommand) {
+    case "install": {
+      const hooksConfig = generateHooksConfig2(config);
+      const { generateHookScript: generateHookScript2, generateAuditHookScript: generateAuditHookScript2 } = await Promise.resolve().then(() => (init_hooksAdapter(), hooksAdapter_exports));
+      const preToolScript = generateHookScript2(config);
+      const postToolScript = config.addAuditHook ? generateAuditHookScript2(config) : null;
+      const fs = await import("fs");
+      const path = await import("path");
+      const settingsDir = path.join(projectDir, ".claude");
+      const settingsFile = path.join(settingsDir, "settings.json");
+      if (!fs.existsSync(settingsDir)) {
+        fs.mkdirSync(settingsDir, { recursive: true });
+      }
+      let existingSettings = {};
+      if (fs.existsSync(settingsFile)) {
+        try {
+          existingSettings = JSON.parse(fs.readFileSync(settingsFile, "utf-8"));
+        } catch {
+        }
+      }
+      const newSettings = {
+        ...existingSettings,
+        hooks: hooksConfig
+      };
+      fs.writeFileSync(settingsFile, JSON.stringify(newSettings, null, 2));
+      const scriptsDir = path.join(settingsDir, "hooks");
+      if (!fs.existsSync(scriptsDir)) {
+        fs.mkdirSync(scriptsDir, { recursive: true });
+      }
+      fs.writeFileSync(
+        path.join(scriptsDir, "sovr-pre-tool.sh"),
+        preToolScript,
+        { mode: 493 }
+      );
+      if (postToolScript) {
+        fs.writeFileSync(
+          path.join(scriptsDir, "sovr-post-tool.sh"),
+          postToolScript,
+          { mode: 493 }
+        );
+      }
+      process.stderr.write(`
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551          SOVR Claude Code Hooks Installed                    \u2551
+\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563
+\u2551                                                              \u2551
+\u2551  Settings:  ${settingsFile.padEnd(47)}\u2551
+\u2551  Scripts:   ${scriptsDir.padEnd(47)}\u2551
+\u2551  Fail mode: ${failMode.padEnd(47)}\u2551
+\u2551  Endpoint:  ${sovrEndpoint.padEnd(47)}\u2551
+\u2551                                                              \u2551
+\u2551  Every Bash/Write/Edit call will now pass through SOVR.      \u2551
+\u2551  Use 'sovr-mcp-proxy hooks status' to verify.                \u2551
+\u2551                                                              \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+      break;
+    }
+    case "uninstall": {
+      const fs = await import("fs");
+      const path = await import("path");
+      const settingsFile = path.join(projectDir, ".claude", "settings.json");
+      if (fs.existsSync(settingsFile)) {
+        try {
+          const settings = JSON.parse(fs.readFileSync(settingsFile, "utf-8"));
+          delete settings.hooks;
+          fs.writeFileSync(settingsFile, JSON.stringify(settings, null, 2));
+          process.stderr.write("[SOVR] Hooks removed from .claude/settings.json\n");
+        } catch (err) {
+          process.stderr.write(`[SOVR] Error removing hooks: ${err.message}
+`);
+        }
+      }
+      const scriptsDir = path.join(projectDir, ".claude", "hooks");
+      for (const f of ["sovr-pre-tool.sh", "sovr-post-tool.sh"]) {
+        const fp = path.join(scriptsDir, f);
+        if (fs.existsSync(fp)) fs.unlinkSync(fp);
+      }
+      process.stderr.write("[SOVR] Hooks uninstalled successfully.\n");
+      break;
+    }
+    case "status": {
+      const fs = await import("fs");
+      const path = await import("path");
+      const settingsFile = path.join(projectDir, ".claude", "settings.json");
+      if (!fs.existsSync(settingsFile)) {
+        process.stderr.write("[SOVR] No .claude/settings.json found. Hooks not installed.\n");
+        return;
+      }
+      try {
+        const settings = JSON.parse(fs.readFileSync(settingsFile, "utf-8"));
+        if (settings.hooks) {
+          const preHooks = settings.hooks.PreToolUse || [];
+          const postHooks = settings.hooks.PostToolUse || [];
+          process.stderr.write(`[SOVR] Hooks Status:
+`);
+          process.stderr.write(`  PreToolUse hooks:  ${preHooks.length}
+`);
+          process.stderr.write(`  PostToolUse hooks: ${postHooks.length}
+`);
+          process.stderr.write(`  Settings file:     ${settingsFile}
+`);
+        } else {
+          process.stderr.write("[SOVR] No hooks configured in settings.json\n");
+        }
+      } catch (err) {
+        process.stderr.write(`[SOVR] Error reading settings: ${err.message}
+`);
+      }
+      break;
+    }
+    default:
+      process.stderr.write(`Unknown hooks subcommand: ${subcommand}
+Usage: sovr-mcp-proxy hooks [install|uninstall|status]
+`);
+  }
+}
 function printHelp() {
   process.stderr.write(`
-sovr-mcp-proxy \u2014 The Responsibility Layer for AI Agents
+sovr-mcp-proxy v7.0.0 \u2014 The Responsibility Layer for AI Agents
 
 USAGE:
   sovr-mcp-proxy [COMMAND] [OPTIONS]
 
 COMMANDS:
   init              One-command setup for AI coding platforms
+  hooks             Install/manage Claude Code Hooks (PreToolUse)
   keys              Manage SOVR API keys
   usage             View usage statistics
   daemon            Manage persistent background daemon
@@ -10753,10 +12255,25 @@ COMMANDS:
 
 PROXY OPTIONS (default mode):
   --upstream, -u    Downstream MCP server command to wrap
+  --mode, -m        Security mode: exclusive|enforce|advisory|monitor
+                      exclusive  \u2014 Replace all native tools (strongest)
+                      enforce    \u2014 Intercept + block violations (default)
+                      advisory   \u2014 Warn but don't block
+                      monitor    \u2014 Silent audit only
+  --whitelist, -w   Whitelist preset or path: readonly|developer|production|<file>
   --rules, -r       Path to custom policy rules file
   --timeout, -t     Startup timeout in ms (default: 30000)
   --verbose, -v     Verbose output
 
+HOOKS OPTIONS:
+  install           Install Claude Code PreToolUse hooks (default)
+  uninstall         Remove SOVR hooks from .claude/settings.json
+  status            Show current hooks configuration
+  --fail-closed     Block on SOVR unreachable (default: fail-open)
+  --fail-open       Allow on SOVR unreachable
+  --endpoint URL    SOVR daemon endpoint (default: http://localhost:3271)
+  --dir PATH        Project directory (default: cwd)
+
 INIT OPTIONS:
   --claude-code     Configure Claude Code
   --claude-desktop  Configure Claude Desktop
@@ -10785,31 +12302,43 @@ DAEMON OPTIONS:
   --foreground      Run in foreground (for debugging)
   --verbose         Verbose logging
 
-EXAMPLES:
-  # One-command setup (auto-detect platforms)
-  npx sovr-mcp-proxy init
+SECURITY MODES:
+  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+  \u2502 exclusive   \u2502 SOVR replaces native Bash/Shell tools.           \u2502
+  \u2502             \u2502 LLM can ONLY execute through sovr_exec.          \u2502
+  \u2502             \u2502 Bypass is architecturally impossible.             \u2502
+  \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+  \u2502 enforce     \u2502 Native tools preserved but all calls intercepted.\u2502
+  \u2502             \u2502 Violations are blocked with error response.       \u2502
+  \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+  \u2502 advisory    \u2502 Violations trigger warnings in stderr.            \u2502
+  \u2502             \u2502 Calls are still forwarded to upstream.            \u2502
+  \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+  \u2502 monitor     \u2502 Silent audit logging only.                        \u2502
+  \u2502             \u2502 No warnings, no blocking.                         \u2502
+  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
 
-  # Setup for Cursor with API key
-  npx sovr-mcp-proxy init --cursor --api-key sovr_sk_abc123
+WHITELIST PRESETS:
+  readonly    \u2014 git status/log/diff, ls, cat, find, grep (read-only ops)
+  developer   \u2014 readonly + git add/commit/push, npm/pnpm, tsc, eslint
+  production  \u2014 developer + docker, kubectl, terraform (with restrictions)
 
-  # Start proxy wrapping another MCP server
-  npx sovr-mcp-proxy --upstream "npx -y @modelcontextprotocol/server-filesystem /tmp"
+EXAMPLES:
+  # Maximum security: exclusive mode + readonly whitelist
+  npx sovr-mcp-proxy --upstream "npx @mcp/server-fs /tmp" --mode=exclusive --whitelist=readonly
 
-  # Check usage
-  npx sovr-mcp-proxy usage
+  # Developer workflow: enforce mode + developer whitelist
+  npx sovr-mcp-proxy --upstream "npx @mcp/server-fs ." --mode=enforce --whitelist=developer
 
-  # Manage keys
-  npx sovr-mcp-proxy keys add sovr_sk_abc123
+  # Install Claude Code hooks (no upstream needed)
+  npx sovr-mcp-proxy hooks install --fail-closed
 
-  # Start daemon (eliminates cold-start overhead)
-  npx sovr-mcp-proxy daemon start
+  # One-command setup (auto-detect platforms)
+  npx sovr-mcp-proxy init
 
-  # Start daemon with fail-closed mode
+  # Start daemon with fail-closed
   npx sovr-mcp-proxy daemon start --fail-closed
 
-  # Check daemon status
-  npx sovr-mcp-proxy daemon status
-
 ENVIRONMENT:
   SOVR_API_KEY      API key for authentication
   SOVR_ENDPOINT     Custom SOVR endpoint URL