sovr-mcp-proxy 6.0.1 → 7.0.0

package/dist/index.js

@@ -5208,6 +5208,973 @@ var init_engine = __esm({
   }
 });
 
+// src/toolReplacement.ts
+var toolReplacement_exports = {};
+__export(toolReplacement_exports, {
+  DEFAULT_TARGET_TOOLS: () => DEFAULT_TARGET_TOOLS,
+  DEFAULT_TOOL_REPLACEMENT_CONFIG: () => DEFAULT_TOOL_REPLACEMENT_CONFIG,
+  describeMode: () => describeMode,
+  parseMode: () => parseMode,
+  shouldIntercept: () => shouldIntercept,
+  transformToolList: () => transformToolList
+});
+function transformToolList(upstreamTools, config) {
+  const removedTools = [];
+  const addedTools = [];
+  const wrappedTools = [];
+  let resultTools = [];
+  switch (config.mode) {
+    case "exclusive": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          removedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "enforce": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          resultTools.push({
+            ...tool,
+            description: `[SOVR-ENFORCED] ${tool.description || ""} \u2014 All calls are policy-checked by SOVR before execution.`
+          });
+          wrappedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "advisory": {
+      resultTools = [...upstreamTools];
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "monitor":
+    default: {
+      resultTools = [...upstreamTools];
+      break;
+    }
+  }
+  if (config.addStatusTool) {
+    resultTools.push(SOVR_STATUS_TOOL);
+    addedTools.push(SOVR_STATUS_TOOL.name);
+  }
+  if (config.addAuditTool) {
+    resultTools.push(SOVR_AUDIT_TOOL);
+    addedTools.push(SOVR_AUDIT_TOOL.name);
+  }
+  return { tools: resultTools, removedTools, addedTools, wrappedTools };
+}
+function isTargetTool(toolName, targets) {
+  const lowerName = toolName.toLowerCase();
+  return targets.some((target) => {
+    const lowerTarget = target.toLowerCase();
+    if (lowerName === lowerTarget) return true;
+    if (lowerTarget.includes("*")) {
+      const regex = new RegExp(
+        "^" + lowerTarget.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+      );
+      return regex.test(lowerName);
+    }
+    return false;
+  });
+}
+function shouldIntercept(toolName, config) {
+  switch (config.mode) {
+    case "exclusive":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "exclusive-mode: all exec calls routed through SOVR" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "exclusive-mode: native tool blocked, use sovr_exec" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "enforce":
+      if (toolName === "sovr_exec" || isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "enforce-mode: policy check required" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "advisory":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "advisory-mode: SOVR exec call" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: false, reason: "advisory-mode: native tool allowed with warning" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "monitor":
+    default:
+      return { intercept: false, reason: "monitor-mode: all tools passthrough" };
+  }
+}
+function describeMode(config) {
+  switch (config.mode) {
+    case "exclusive":
+      return `EXCLUSIVE MODE: Native execution tools (${config.targetTools.join(", ")}) are REMOVED. The LLM can ONLY execute commands through sovr_exec. Bypass is impossible.`;
+    case "enforce":
+      return `ENFORCE MODE: Native execution tools are wrapped with SOVR policy checks. All command executions are evaluated before running. Dangerous commands are blocked.`;
+    case "advisory":
+      return `ADVISORY MODE: Native tools remain available. SOVR tools are added alongside. Warnings are logged for risky commands but execution is not blocked.`;
+    case "monitor":
+      return `MONITOR MODE: All tools pass through unchanged. SOVR only logs activity. No enforcement or blocking.`;
+  }
+}
+function parseMode(input) {
+  const normalized = input.toLowerCase().trim();
+  if (["exclusive", "enforce", "advisory", "monitor"].includes(normalized)) {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid mode: "${input}". Valid modes: exclusive, enforce, advisory, monitor`
+  );
+}
+var DEFAULT_TARGET_TOOLS, SOVR_EXEC_TOOL, SOVR_STATUS_TOOL, SOVR_AUDIT_TOOL, DEFAULT_TOOL_REPLACEMENT_CONFIG;
+var init_toolReplacement = __esm({
+  "src/toolReplacement.ts"() {
+    "use strict";
+    DEFAULT_TARGET_TOOLS = [
+      // Claude Code native tools
+      "Bash",
+      "bash",
+      "shell",
+      "execute_command",
+      "run_command",
+      "terminal",
+      // Cursor / Windsurf / Continue
+      "run_terminal_command",
+      "execute_shell",
+      "shell_exec",
+      // Generic patterns
+      "exec",
+      "system",
+      "subprocess"
+    ];
+    SOVR_EXEC_TOOL = {
+      name: "sovr_exec",
+      description: "Execute a shell command through the SOVR Responsibility Layer. All commands are evaluated against security policies before execution. Dangerous commands (rm -rf, DROP TABLE, etc.) will be blocked. This is the ONLY way to execute commands \u2014 use this for ALL shell operations.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          command: {
+            type: "string",
+            description: "The shell command to execute. Will be policy-checked before running."
+          },
+          workdir: {
+            type: "string",
+            description: "Working directory for the command (optional)."
+          },
+          timeout: {
+            type: "number",
+            description: "Timeout in milliseconds (default: 300000 = 5 min)."
+          }
+        },
+        required: ["command"]
+      }
+    };
+    SOVR_STATUS_TOOL = {
+      name: "sovr_status",
+      description: "Check the current SOVR security status, including active policies, recent decisions, and system health. Use this to understand what commands are allowed or blocked.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          verbose: {
+            type: "boolean",
+            description: "Include detailed policy information (default: false)."
+          }
+        }
+      }
+    };
+    SOVR_AUDIT_TOOL = {
+      name: "sovr_audit",
+      description: "View the SOVR audit log of recent command evaluations. Shows what was allowed, blocked, or escalated.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          limit: {
+            type: "number",
+            description: "Number of recent entries to show (default: 10)."
+          },
+          filter: {
+            type: "string",
+            enum: ["all", "allowed", "blocked", "escalated"],
+            description: "Filter by decision type (default: all)."
+          }
+        }
+      }
+    };
+    DEFAULT_TOOL_REPLACEMENT_CONFIG = {
+      mode: "enforce",
+      targetTools: DEFAULT_TARGET_TOOLS,
+      addStatusTool: true,
+      addAuditTool: true
+    };
+  }
+});
+
+// src/commandNormalizer.ts
+var commandNormalizer_exports = {};
+__export(commandNormalizer_exports, {
+  getBaseCommand: () => getBaseCommand,
+  hasDestructiveEquivalent: () => hasDestructiveEquivalent,
+  hasEncodingTricks: () => hasEncodingTricks,
+  normalize: () => normalize,
+  summarize: () => summarize
+});
+function normalize(command) {
+  const original = command;
+  const segments = [];
+  const suspicion_reasons = [];
+  const trimmed = command.trim();
+  if (!trimmed) {
+    return { segments: [], suspicious: false, suspicion_reasons: [], original };
+  }
+  for (const enc of ENCODING_PATTERNS) {
+    if (enc.pattern.test(trimmed)) {
+      suspicion_reasons.push(`${enc.name}: ${enc.risk}`);
+    }
+  }
+  for (const deq of DESTRUCTIVE_EQUIVALENTS) {
+    if (deq.pattern.test(trimmed)) {
+      suspicion_reasons.push(`Destructive equivalent detected: ${deq.description}`);
+    }
+  }
+  const chainSegments = splitChains(trimmed);
+  for (const chainSeg of chainSegments) {
+    const pipeSegments = splitPipes(chainSeg);
+    for (const pipeSeg of pipeSegments) {
+      const unwrapped = unwrapCommand(pipeSeg.trim());
+      if (unwrapped.unwrapped) {
+        segments.push({
+          raw: pipeSeg.trim(),
+          effective: unwrapped.effective,
+          type: "unwrapped",
+          warnings: unwrapped.warnings
+        });
+        const inner = normalize(unwrapped.effective);
+        for (const innerSeg of inner.segments) {
+          if (innerSeg.effective !== unwrapped.effective) {
+            segments.push(innerSeg);
+          }
+        }
+        suspicion_reasons.push(...inner.suspicion_reasons);
+      } else {
+        const type = pipeSegments.length > 1 ? "pipe-segment" : chainSegments.length > 1 ? "chain-segment" : "direct";
+        segments.push({
+          raw: pipeSeg.trim(),
+          effective: pipeSeg.trim(),
+          type,
+          warnings: []
+        });
+      }
+    }
+  }
+  const subshells = extractSubshells(trimmed);
+  for (const sub of subshells) {
+    segments.push({
+      raw: trimmed,
+      effective: sub,
+      type: "subshell",
+      warnings: ["Subshell command extracted for evaluation"]
+    });
+  }
+  return {
+    segments,
+    suspicious: suspicion_reasons.length > 0,
+    suspicion_reasons,
+    original
+  };
+}
+function splitChains(command) {
+  return splitRespectingQuotes(command, /\s*(?:&&|\|\||;)\s*/);
+}
+function splitPipes(command) {
+  return splitRespectingQuotes(command, /\s*\|(?!\|)\s*/);
+}
+function splitRespectingQuotes(input, delimiter) {
+  const segments = [];
+  let current = "";
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let escaped = false;
+  let i = 0;
+  while (i < input.length) {
+    const char = input[i];
+    if (escaped) {
+      current += char;
+      escaped = false;
+      i++;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      current += char;
+      i++;
+      continue;
+    }
+    if (char === "'" && !inDoubleQuote) {
+      inSingleQuote = !inSingleQuote;
+      current += char;
+      i++;
+      continue;
+    }
+    if (char === '"' && !inSingleQuote) {
+      inDoubleQuote = !inDoubleQuote;
+      current += char;
+      i++;
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote) {
+      const remaining = input.slice(i);
+      const match = remaining.match(delimiter);
+      if (match && match.index === 0) {
+        if (current.trim()) {
+          segments.push(current.trim());
+        }
+        current = "";
+        i += match[0].length;
+        continue;
+      }
+    }
+    current += char;
+    i++;
+  }
+  if (current.trim()) {
+    segments.push(current.trim());
+  }
+  return segments.length > 0 ? segments : [input];
+}
+function unwrapCommand(command) {
+  for (const wrapper of SHELL_WRAPPERS) {
+    const match = command.match(wrapper.pattern);
+    if (match) {
+      const inner = wrapper.extract(match);
+      if (inner) {
+        return {
+          unwrapped: true,
+          effective: inner.trim(),
+          wrapper: wrapper.name,
+          warnings: [`Unwrapped from ${wrapper.name}: "${command}" \u2192 "${inner.trim()}"`]
+        };
+      }
+    }
+  }
+  return { unwrapped: false, effective: command, warnings: [] };
+}
+function extractSubshells(command) {
+  const subshells = [];
+  const dollarParen = /\$\(([^)]+)\)/g;
+  let match;
+  while ((match = dollarParen.exec(command)) !== null) {
+    if (match[1]) subshells.push(match[1].trim());
+  }
+  const backtick = /`([^`]+)`/g;
+  while ((match = backtick.exec(command)) !== null) {
+    if (match[1]) subshells.push(match[1].trim());
+  }
+  return subshells;
+}
+function getBaseCommand(command) {
+  const trimmed = command.trim();
+  const firstSpace = trimmed.indexOf(" ");
+  return firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);
+}
+function hasDestructiveEquivalent(command) {
+  const matches = [];
+  for (const deq of DESTRUCTIVE_EQUIVALENTS) {
+    if (deq.pattern.test(command)) {
+      matches.push({ equivalent: deq.equivalent, description: deq.description });
+    }
+  }
+  return { found: matches.length > 0, matches };
+}
+function hasEncodingTricks(command) {
+  const tricks = [];
+  for (const enc of ENCODING_PATTERNS) {
+    if (enc.pattern.test(command)) {
+      tricks.push({ name: enc.name, risk: enc.risk });
+    }
+  }
+  return { found: tricks.length > 0, tricks };
+}
+function summarize(result) {
+  const lines = [];
+  lines.push(`Original: ${result.original}`);
+  lines.push(`Segments: ${result.segments.length}`);
+  lines.push(`Suspicious: ${result.suspicious}`);
+  if (result.suspicion_reasons.length > 0) {
+    lines.push(`Suspicion reasons:`);
+    for (const reason of result.suspicion_reasons) {
+      lines.push(`  - ${reason}`);
+    }
+  }
+  lines.push(`Segments:`);
+  for (const seg of result.segments) {
+    lines.push(`  [${seg.type}] ${seg.effective}`);
+    for (const w of seg.warnings) {
+      lines.push(`    \u26A0 ${w}`);
+    }
+  }
+  return lines.join("\n");
+}
+var SHELL_WRAPPERS, ENCODING_PATTERNS, DESTRUCTIVE_EQUIVALENTS;
+var init_commandNormalizer = __esm({
+  "src/commandNormalizer.ts"() {
+    "use strict";
+    SHELL_WRAPPERS = [
+      // bash -c "cmd" / sh -c "cmd"
+      {
+        pattern: /^(?:bash|sh|zsh|dash|ksh)\s+-c\s+(?:"([^"]+)"|'([^']+)'|(\S+))/,
+        extract: (m) => m[1] || m[2] || m[3] || "",
+        name: "shell -c"
+      },
+      // env cmd args...
+      {
+        pattern: /^env\s+(?:-\S+\s+)*(?:\S+=\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "env"
+      },
+      // xargs cmd
+      {
+        pattern: /^xargs\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "xargs"
+      },
+      // sudo cmd
+      {
+        pattern: /^sudo\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "sudo"
+      },
+      // nohup cmd
+      {
+        pattern: /^nohup\s+(.+?)(?:\s*&\s*)?$/,
+        extract: (m) => m[1] || "",
+        name: "nohup"
+      },
+      // timeout N cmd
+      {
+        pattern: /^timeout\s+\d+[smhd]?\s+(.+)/,
+        extract: (m) => m[1] || "",
+        name: "timeout"
+      },
+      // nice -n N cmd
+      {
+        pattern: /^nice\s+(?:-n\s+\d+\s+)?(.+)/,
+        extract: (m) => m[1] || "",
+        name: "nice"
+      },
+      // strace / ltrace cmd
+      {
+        pattern: /^(?:strace|ltrace)\s+(?:-\S+\s+)*(.+)/,
+        extract: (m) => m[1] || "",
+        name: "trace"
+      },
+      // watch -n N cmd
+      {
+        pattern: /^watch\s+(?:-n\s+\d+\s+)?(.+)/,
+        extract: (m) => m[1] || "",
+        name: "watch"
+      }
+    ];
+    ENCODING_PATTERNS = [
+      // echo "base64" | base64 -d | bash
+      {
+        pattern: /base64\s+(?:-d|--decode)/,
+        name: "base64-decode",
+        risk: "Command may be hidden via base64 encoding"
+      },
+      // printf '\x72\x6d' (hex encoding)
+      {
+        pattern: /printf\s+.*\\x[0-9a-fA-F]{2}/,
+        name: "hex-printf",
+        risk: "Command may be hidden via hex encoding in printf"
+      },
+      // $'\x72\x6d' (ANSI-C quoting)
+      {
+        pattern: /\$'[^']*\\x[0-9a-fA-F]{2}/,
+        name: "ansi-c-quoting",
+        risk: "Command may be hidden via ANSI-C quoting"
+      },
+      // python -c "import os; os.system('rm -rf /')"
+      {
+        pattern: /python[23]?\s+-c\s+/,
+        name: "python-exec",
+        risk: "Arbitrary code execution via Python"
+      },
+      // perl -e "system('rm -rf /')"
+      {
+        pattern: /perl\s+-e\s+/,
+        name: "perl-exec",
+        risk: "Arbitrary code execution via Perl"
+      },
+      // ruby -e "system('rm -rf /')"
+      {
+        pattern: /ruby\s+-e\s+/,
+        name: "ruby-exec",
+        risk: "Arbitrary code execution via Ruby"
+      },
+      // eval "cmd"
+      {
+        pattern: /\beval\s+/,
+        name: "eval",
+        risk: "Dynamic command evaluation"
+      },
+      // curl ... | bash
+      {
+        pattern: /curl\s+.*\|\s*(?:bash|sh|zsh)/,
+        name: "curl-pipe-shell",
+        risk: "Remote code execution via curl | bash"
+      },
+      // wget ... -O - | bash
+      {
+        pattern: /wget\s+.*\|\s*(?:bash|sh|zsh)/,
+        name: "wget-pipe-shell",
+        risk: "Remote code execution via wget | bash"
+      }
+    ];
+    DESTRUCTIVE_EQUIVALENTS = [
+      // find / -delete (equivalent to rm -rf)
+      { pattern: /find\s+.*-delete/, equivalent: "rm -rf", description: "find -delete is equivalent to rm -rf" },
+      // find / -exec rm {} (equivalent to rm -rf)
+      { pattern: /find\s+.*-exec\s+rm/, equivalent: "rm -rf", description: "find -exec rm is equivalent to rm -rf" },
+      // TRUNCATE TABLE (equivalent to DELETE FROM)
+      { pattern: /TRUNCATE\s+TABLE/i, equivalent: "DELETE FROM", description: "TRUNCATE TABLE is equivalent to DELETE FROM" },
+      // dd if=/dev/zero of=/ (disk wipe)
+      { pattern: /dd\s+.*of=\//, equivalent: "disk-wipe", description: "dd writing to root is destructive" },
+      // mkfs (format disk)
+      { pattern: /mkfs/, equivalent: "disk-format", description: "mkfs formats a disk" },
+      // shred (secure delete)
+      { pattern: /shred\s+/, equivalent: "secure-delete", description: "shred securely deletes files" },
+      // chmod 777 / (open permissions)
+      { pattern: /chmod\s+777\s+\//, equivalent: "open-permissions", description: "chmod 777 / opens all permissions" },
+      // chown root (change ownership)
+      { pattern: /chown\s+.*\//, equivalent: "change-ownership", description: "chown on root paths is dangerous" },
+      // iptables -F (flush firewall)
+      { pattern: /iptables\s+-F/, equivalent: "flush-firewall", description: "iptables -F flushes all firewall rules" }
+    ];
+  }
+});
+
+// src/whitelistEngine.ts
+var whitelistEngine_exports = {};
+__export(whitelistEngine_exports, {
+  PRESETS: () => PRESETS,
+  PRESET_DEVELOPER: () => PRESET_DEVELOPER,
+  PRESET_PRODUCTION: () => PRESET_PRODUCTION,
+  PRESET_READONLY: () => PRESET_READONLY,
+  WhitelistEngine: () => WhitelistEngine,
+  autoLoadPolicy: () => autoLoadPolicy,
+  generatePolicyFile: () => generatePolicyFile,
+  loadPolicy: () => loadPolicy
+});
+function matchPattern(command, pattern) {
+  const normalizedCmd = command.trim().replace(/\s+/g, " ");
+  const normalizedPattern = pattern.trim().replace(/\s+/g, " ");
+  const regexStr = "^" + normalizedPattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
+  try {
+    return new RegExp(regexStr).test(normalizedCmd);
+  } catch {
+    return false;
+  }
+}
+function loadPolicy(filePath) {
+  if (!(0, import_node_fs2.existsSync)(filePath)) {
+    throw new Error(`Policy file not found: ${filePath}`);
+  }
+  const raw = (0, import_node_fs2.readFileSync)(filePath, "utf-8");
+  try {
+    return JSON.parse(raw);
+  } catch {
+  }
+  return parseSimpleYaml(raw);
+}
+function autoLoadPolicy(projectDir) {
+  const candidates = [
+    (0, import_node_path2.join)(projectDir, ".sovr", "policy.json"),
+    (0, import_node_path2.join)(projectDir, ".sovr", "policy.yaml"),
+    (0, import_node_path2.join)(projectDir, ".sovr", "policy.yml"),
+    (0, import_node_path2.join)(projectDir, "sovr.policy.json")
+  ];
+  for (const candidate of candidates) {
+    if ((0, import_node_fs2.existsSync)(candidate)) {
+      return loadPolicy(candidate);
+    }
+  }
+  return null;
+}
+function parseSimpleYaml(raw) {
+  const lines = raw.split("\n");
+  const policy = {
+    version: "1.0",
+    mode: "whitelist",
+    rules: []
+  };
+  let currentRule = null;
+  let inRules = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    if (trimmed.startsWith("version:")) {
+      policy.version = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed.startsWith("mode:")) {
+      policy.mode = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed === "rules:") {
+      inRules = true;
+    } else if (inRules && trimmed.startsWith("- pattern:")) {
+      if (currentRule?.pattern) {
+        policy.rules.push(currentRule);
+      }
+      currentRule = {
+        pattern: trimmed.replace("- pattern:", "").trim().replace(/['"]/g, ""),
+        allow: true,
+        enabled: true
+      };
+    } else if (inRules && currentRule) {
+      if (trimmed.startsWith("allow:")) {
+        currentRule.allow = trimmed.includes("true");
+      } else if (trimmed.startsWith("description:")) {
+        currentRule.description = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+      } else if (trimmed.startsWith("require_approval:")) {
+        currentRule.require_approval = trimmed.includes("true");
+      } else if (trimmed.startsWith("max_args:")) {
+        currentRule.max_args = parseInt(trimmed.split(":")[1].trim());
+      } else if (trimmed.startsWith("priority:")) {
+        currentRule.priority = parseInt(trimmed.split(":")[1].trim());
+      }
+    }
+  }
+  if (currentRule?.pattern) {
+    policy.rules.push(currentRule);
+  }
+  return policy;
+}
+function generatePolicyFile(preset, format = "yaml") {
+  const policy = PRESETS[preset];
+  if (!policy) {
+    throw new Error(`Unknown preset: ${preset}. Available: ${Object.keys(PRESETS).join(", ")}`);
+  }
+  if (format === "json") {
+    return JSON.stringify(policy, null, 2);
+  }
+  let yaml = `# SOVR Whitelist Policy
+`;
+  yaml += `# Preset: ${preset}
+`;
+  yaml += `# Generated: ${(/* @__PURE__ */ new Date()).toISOString()}
+
+`;
+  yaml += `version: "${policy.version}"
+`;
+  yaml += `mode: ${policy.mode}
+
+`;
+  yaml += `rules:
+`;
+  for (const rule of policy.rules) {
+    yaml += `  - pattern: "${rule.pattern}"
+`;
+    yaml += `    allow: ${rule.allow}
+`;
+    if (rule.description) yaml += `    description: "${rule.description}"
+`;
+    if (rule.require_approval) yaml += `    require_approval: true
+`;
+    if (rule.max_args !== void 0) yaml += `    max_args: ${rule.max_args}
+`;
+    yaml += `
+`;
+  }
+  if (policy.settings) {
+    yaml += `settings:
+`;
+    for (const [key, value] of Object.entries(policy.settings)) {
+      yaml += `  ${key}: ${value}
+`;
+    }
+  }
+  return yaml;
+}
+var import_node_fs2, import_node_path2, PRESET_READONLY, PRESET_DEVELOPER, PRESET_PRODUCTION, PRESETS, WhitelistEngine;
+var init_whitelistEngine = __esm({
+  "src/whitelistEngine.ts"() {
+    "use strict";
+    import_node_fs2 = require("fs");
+    import_node_path2 = require("path");
+    PRESET_READONLY = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        { pattern: "ls *", allow: true, description: "List directory" },
+        { pattern: "cat *", allow: true, description: "Read file" },
+        { pattern: "head *", allow: true, description: "Read file head" },
+        { pattern: "tail *", allow: true, description: "Read file tail" },
+        { pattern: "find *", allow: true, description: "Find files", max_args: 10 },
+        { pattern: "grep *", allow: true, description: "Search in files" },
+        { pattern: "wc *", allow: true, description: "Word count" },
+        { pattern: "file *", allow: true, description: "File type" },
+        { pattern: "pwd", allow: true, description: "Print working directory" },
+        { pattern: "whoami", allow: true, description: "Current user" },
+        { pattern: "date", allow: true, description: "Current date" },
+        { pattern: "echo *", allow: true, description: "Echo text" }
+      ],
+      settings: {
+        max_command_length: 500,
+        allow_env_expansion: false,
+        allow_subshell: false,
+        allow_pipes: true,
+        allow_chains: false,
+        allow_redirects: false
+      }
+    };
+    PRESET_DEVELOPER = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        // Read operations
+        ...PRESET_READONLY.rules,
+        // Git (safe operations)
+        { pattern: "git status", allow: true, description: "Git status" },
+        { pattern: "git diff *", allow: true, description: "Git diff" },
+        { pattern: "git log *", allow: true, description: "Git log" },
+        { pattern: "git branch *", allow: true, description: "Git branch" },
+        { pattern: "git add *", allow: true, description: "Git add" },
+        { pattern: "git commit *", allow: true, description: "Git commit" },
+        { pattern: "git push *", allow: true, require_approval: true, description: "Git push (requires approval)" },
+        { pattern: "git pull *", allow: true, description: "Git pull" },
+        { pattern: "git checkout *", allow: true, description: "Git checkout" },
+        { pattern: "git stash *", allow: true, description: "Git stash" },
+        // Node.js / npm
+        { pattern: "node *", allow: true, description: "Run Node.js" },
+        { pattern: "npm run *", allow: true, description: "Run npm script" },
+        { pattern: "npm test", allow: true, description: "Run tests" },
+        { pattern: "npm install *", allow: true, description: "Install packages" },
+        { pattern: "npx *", allow: true, description: "Run npx" },
+        { pattern: "pnpm *", allow: true, description: "Run pnpm" },
+        { pattern: "yarn *", allow: true, description: "Run yarn" },
+        // Python
+        { pattern: "python3 *", allow: true, description: "Run Python", max_args: 20 },
+        { pattern: "pip install *", allow: true, description: "Install Python packages" },
+        { pattern: "pip3 install *", allow: true, description: "Install Python packages" },
+        // Build tools
+        { pattern: "make *", allow: true, description: "Run make" },
+        { pattern: "cargo *", allow: true, description: "Run cargo" },
+        // File operations (limited)
+        { pattern: "mkdir *", allow: true, description: "Create directory" },
+        { pattern: "cp *", allow: true, description: "Copy files" },
+        { pattern: "mv *", allow: true, description: "Move files" },
+        { pattern: "touch *", allow: true, description: "Create empty file" },
+        // Dangerous operations — require approval
+        { pattern: "rm *", allow: true, require_approval: true, description: "Delete files (requires approval)" },
+        { pattern: "npm publish *", allow: true, require_approval: true, description: "Publish package (requires approval)" },
+        { pattern: "docker *", allow: true, require_approval: true, description: "Docker operations (requires approval)" }
+      ],
+      settings: {
+        max_command_length: 2e3,
+        allow_env_expansion: true,
+        allow_subshell: false,
+        allow_pipes: true,
+        allow_chains: true,
+        allow_redirects: true
+      }
+    };
+    PRESET_PRODUCTION = {
+      version: "1.0",
+      mode: "whitelist",
+      rules: [
+        { pattern: "echo *", allow: true, description: "Echo" },
+        { pattern: "date", allow: true, description: "Date" },
+        { pattern: "uptime", allow: true, description: "Uptime" },
+        { pattern: "df *", allow: true, description: "Disk usage" },
+        { pattern: "free *", allow: true, description: "Memory usage" },
+        { pattern: "ps *", allow: true, description: "Process list" },
+        { pattern: "curl *", allow: true, require_approval: true, description: "HTTP request (requires approval)" }
+      ],
+      default_action: "deny",
+      settings: {
+        max_command_length: 500,
+        allow_env_expansion: false,
+        allow_subshell: false,
+        allow_pipes: false,
+        allow_chains: false,
+        allow_redirects: false
+      }
+    };
+    PRESETS = {
+      readonly: PRESET_READONLY,
+      developer: PRESET_DEVELOPER,
+      production: PRESET_PRODUCTION
+    };
+    WhitelistEngine = class {
+      policy;
+      constructor(policy) {
+        this.policy = policy;
+        this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+      }
+      /**
+       * Evaluate a command against the whitelist policy.
+       */
+      evaluate(command) {
+        const violations = [];
+        const structuralCheck = this.checkStructural(command);
+        violations.push(...structuralCheck.violations);
+        if (structuralCheck.blocked) {
+          return {
+            allowed: false,
+            require_approval: false,
+            reason: `Structural violation: ${violations.join(", ")}`,
+            risk: "critical",
+            violations
+          };
+        }
+        const enabledRules = this.policy.rules.filter((r) => r.enabled !== false);
+        for (const rule of enabledRules) {
+          if (matchPattern(command, rule.pattern)) {
+            if (rule.max_args !== void 0) {
+              const argCount = command.split(/\s+/).length - 1;
+              if (argCount > rule.max_args) {
+                violations.push(`Too many arguments: ${argCount} > ${rule.max_args}`);
+                return {
+                  allowed: false,
+                  require_approval: false,
+                  matched_rule: rule,
+                  reason: `Argument limit exceeded for pattern "${rule.pattern}"`,
+                  risk: "high",
+                  violations
+                };
+              }
+            }
+            if (rule.allow) {
+              return {
+                allowed: true,
+                require_approval: rule.require_approval ?? false,
+                matched_rule: rule,
+                reason: rule.description || `Matched whitelist pattern: ${rule.pattern}`,
+                risk: rule.require_approval ? "medium" : "low",
+                violations
+              };
+            } else {
+              return {
+                allowed: false,
+                require_approval: false,
+                matched_rule: rule,
+                reason: rule.description || `Matched blacklist pattern: ${rule.pattern}`,
+                risk: "high",
+                violations
+              };
+            }
+          }
+        }
+        switch (this.policy.mode) {
+          case "whitelist":
+            return {
+              allowed: false,
+              require_approval: false,
+              reason: `No whitelist rule matches command. In whitelist mode, unlisted commands are DENIED.`,
+              risk: "high",
+              violations
+            };
+          case "blacklist":
+            return {
+              allowed: true,
+              require_approval: false,
+              reason: "No blacklist rule matches. Command allowed by default.",
+              risk: "medium",
+              violations
+            };
+          case "hybrid": {
+            const defaultAction = this.policy.default_action || "deny";
+            return {
+              allowed: defaultAction === "allow",
+              require_approval: defaultAction === "escalate",
+              reason: `No rule matches. Hybrid mode default: ${defaultAction}`,
+              risk: defaultAction === "allow" ? "medium" : "high",
+              violations
+            };
+          }
+        }
+      }
+      /**
+       * Check structural constraints (pipes, chains, subshells, etc.)
+       */
+      checkStructural(command) {
+        const violations = [];
+        const settings = this.policy.settings || {};
+        if (settings.max_command_length && command.length > settings.max_command_length) {
+          violations.push(`Command too long: ${command.length} > ${settings.max_command_length}`);
+        }
+        if (settings.allow_subshell === false) {
+          if (/\$\(/.test(command) || /`[^`]+`/.test(command)) {
+            violations.push("Subshell execution not allowed");
+          }
+        }
+        if (settings.allow_pipes === false) {
+          if (/\|(?!\|)/.test(command)) {
+            violations.push("Pipe chains not allowed");
+          }
+        }
+        if (settings.allow_chains === false) {
+          if (/[;&]|&&|\|\|/.test(command)) {
+            violations.push("Command chaining not allowed");
+          }
+        }
+        if (settings.allow_redirects === false) {
+          if (/[<>]|>>/.test(command)) {
+            violations.push("Output redirection not allowed");
+          }
+        }
+        if (settings.allow_env_expansion === false) {
+          if (/\$[A-Za-z_]/.test(command) || /\$\{/.test(command)) {
+            violations.push("Environment variable expansion not allowed");
+          }
+        }
+        return {
+          blocked: violations.length > 0,
+          violations
+        };
+      }
+      /**
+       * Get the current policy.
+       */
+      getPolicy() {
+        return { ...this.policy };
+      }
+      /**
+       * Add a rule dynamically.
+       */
+      addRule(rule) {
+        this.policy.rules.push(rule);
+        this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+      }
+      /**
+       * Remove a rule by pattern.
+       */
+      removeRule(pattern) {
+        const idx = this.policy.rules.findIndex((r) => r.pattern === pattern);
+        if (idx >= 0) {
+          this.policy.rules.splice(idx, 1);
+          return true;
+        }
+        return false;
+      }
+      /**
+       * List all rules.
+       */
+      listRules() {
+        return [...this.policy.rules];
+      }
+    };
+  }
+});
+
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
@@ -5529,7 +6496,7 @@ var UsageTracker = class {
 };
 
 // src/index.ts
-var PROXY_VERSION = "5.2.0";
+var PROXY_VERSION = "7.0.0";
 var SOVR_MIN_VERSION_URL = "https://api.sovr.inc/api/sovr/v1/version/check";
 var SOVR_DASHBOARD_URL = "https://sovr.inc/dashboard/api-keys";
 function validateApiKey(key) {
@@ -6347,11 +7314,15 @@ var McpProxy = class extends import_node_events.EventEmitter {
 };
 async function cli(args) {
   const { PolicyEngine: PolicyEngine2, DEFAULT_RULES: DEFAULT_RULES2 } = await Promise.resolve().then(() => (init_engine(), engine_exports));
+  const { transformToolList: transformToolList2, shouldIntercept: shouldIntercept2, parseMode: parseMode2 } = await Promise.resolve().then(() => (init_toolReplacement(), toolReplacement_exports));
+  const { normalize: normalizeCommand, summarize: summarizeNormalization } = await Promise.resolve().then(() => (init_commandNormalizer(), commandNormalizer_exports));
   let upstreamCmd = "";
   let upstreamArgs = [];
   let rulesFile = null;
   let verbose = false;
   let startupTimeoutMs = 3e4;
+  let mode = "enforce";
+  let whitelistPreset = null;
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
       case "--upstream":
@@ -6373,14 +7344,39 @@ async function cli(args) {
       case "-t":
         startupTimeoutMs = parseInt(args[++i] ?? "30000", 10);
         break;
+      case "--mode":
+      case "-m":
+        mode = args[++i] ?? "enforce";
+        break;
+      case "--whitelist":
+      case "-w":
+        whitelistPreset = args[++i] ?? null;
+        break;
+      default: {
+        const modeMatch = args[i]?.match(/^--mode=(.+)$/);
+        if (modeMatch) {
+          mode = modeMatch[1];
+          break;
+        }
+        const wlMatch = args[i]?.match(/^--whitelist=(.+)$/);
+        if (wlMatch) {
+          whitelistPreset = wlMatch[1];
+          break;
+        }
+      }
     }
   }
   if (!upstreamCmd) {
     process.stderr.write(
-      'Usage: sovr-mcp-proxy --upstream "command args..." [--rules policy.json] [--timeout 30000] [--verbose]\n'
+      'Usage: sovr-mcp-proxy --upstream "command args..." [--mode=exclusive|enforce|advisory|monitor] [--whitelist=preset|path] [--verbose]\n'
     );
     process.exit(1);
   }
+  if (!["exclusive", "enforce", "advisory", "monitor"].includes(mode)) {
+    process.stderr.write(`[SOVR] Invalid mode: ${mode}. Must be: exclusive|enforce|advisory|monitor
+`);
+    process.exit(1);
+  }
   let rules = DEFAULT_RULES2;
   if (rulesFile) {
     const fs = await import("fs");
@@ -6388,6 +7384,26 @@ async function cli(args) {
     const parsed = JSON.parse(content);
     rules = parsed.rules ?? parsed;
   }
+  const { WhitelistEngine: WhitelistEngine2, PRESETS: WL_PRESETS } = await Promise.resolve().then(() => (init_whitelistEngine(), whitelistEngine_exports));
+  let whitelist = null;
+  if (whitelistPreset) {
+    const presetNames = Object.keys(WL_PRESETS);
+    if (presetNames.includes(whitelistPreset)) {
+      whitelist = new WhitelistEngine2(WL_PRESETS[whitelistPreset]);
+    } else {
+      try {
+        const fs = await import("fs");
+        const content = fs.readFileSync(whitelistPreset, "utf-8");
+        const parsed = JSON.parse(content);
+        whitelist = new WhitelistEngine2(parsed);
+      } catch (err) {
+        process.stderr.write(`[SOVR] Failed to load whitelist from ${whitelistPreset}: ${err.message}
+`);
+        process.exit(1);
+      }
+    }
+  }
+  const validatedMode = parseMode2(mode);
   const engine = new PolicyEngine2({
     rules,
     audit_log: true,
@@ -6400,6 +7416,24 @@ async function cli(args) {
       }
     }
   });
+  process.stderr.write(`
+`);
+  process.stderr.write(`  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+`);
+  process.stderr.write(`  \u2551  SOVR MCP Proxy v${PROXY_VERSION}                      \u2551
+`);
+  process.stderr.write(`  \u2551  Mode: ${mode.toUpperCase().padEnd(40)}\u2551
+`);
+  if (whitelist) {
+    process.stderr.write(`  \u2551  Whitelist: ${(whitelistPreset ?? "custom").padEnd(35)}\u2551
+`);
+  }
+  process.stderr.write(`  \u2551  Upstream: ${upstreamCmd.substring(0, 36).padEnd(36)}\u2551
+`);
+  process.stderr.write(`  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+  process.stderr.write(`
+`);
   const proxy = new McpProxy({
     engine,
     upstream: { command: upstreamCmd, args: upstreamArgs },
@@ -6416,8 +7450,37 @@ async function cli(args) {
         `[ESCALATED] ${info.toolName}: ${info.decision.reason}
 `
       );
+    },
+    onIntercept: (info) => {
+      if (info.arguments?.command && typeof info.arguments.command === "string") {
+        const normalized = normalizeCommand(info.arguments.command);
+        if (verbose) {
+          process.stderr.write(`[SOVR] Normalized: ${summarizeNormalization(normalized)}
+`);
+          if (normalized.suspicious) {
+            process.stderr.write(`[SOVR] \u26A0 Suspicious: ${normalized.suspicion_reasons.join(", ")}
+`);
+          }
+        }
+      }
+      if (whitelist && info.arguments?.command && typeof info.arguments.command === "string") {
+        const wlResult = whitelist.evaluate(info.arguments.command);
+        if (!wlResult.allowed && (validatedMode === "enforce" || validatedMode === "exclusive")) {
+          if (verbose) {
+            process.stderr.write(`[SOVR] Whitelist DENIED: ${wlResult.reason}
+`);
+          }
+        }
+      }
     }
   });
+  if (validatedMode === "exclusive") {
+    proxy.on("intercept", () => {
+      if (verbose) {
+        process.stderr.write("[SOVR] Exclusive mode: all tool calls routed through SOVR\n");
+      }
+    });
+  }
   await proxy.start();
 }
 var index_default = McpProxy;