sovr-mcp-proxy 6.0.1 → 7.0.0

package/dist/index.mjs

@@ -5,7 +5,7 @@ import {
 // src/index.ts
 import { spawn } from "child_process";
 import { EventEmitter } from "events";
-var PROXY_VERSION = "5.2.0";
+var PROXY_VERSION = "7.0.0";
 var SOVR_MIN_VERSION_URL = "https://api.sovr.inc/api/sovr/v1/version/check";
 var SOVR_DASHBOARD_URL = "https://sovr.inc/dashboard/api-keys";
 function validateApiKey(key) {
@@ -823,11 +823,15 @@ var McpProxy = class extends EventEmitter {
 };
 async function cli(args) {
   const { PolicyEngine, DEFAULT_RULES } = await import("./engine-DWKHAJGE.mjs");
+  const { transformToolList, shouldIntercept, parseMode } = await import("./toolReplacement.mjs");
+  const { normalize: normalizeCommand, summarize: summarizeNormalization } = await import("./commandNormalizer.mjs");
   let upstreamCmd = "";
   let upstreamArgs = [];
   let rulesFile = null;
   let verbose = false;
   let startupTimeoutMs = 3e4;
+  let mode = "enforce";
+  let whitelistPreset = null;
   for (let i = 0; i < args.length; i++) {
     switch (args[i]) {
       case "--upstream":
@@ -849,14 +853,39 @@ async function cli(args) {
       case "-t":
         startupTimeoutMs = parseInt(args[++i] ?? "30000", 10);
         break;
+      case "--mode":
+      case "-m":
+        mode = args[++i] ?? "enforce";
+        break;
+      case "--whitelist":
+      case "-w":
+        whitelistPreset = args[++i] ?? null;
+        break;
+      default: {
+        const modeMatch = args[i]?.match(/^--mode=(.+)$/);
+        if (modeMatch) {
+          mode = modeMatch[1];
+          break;
+        }
+        const wlMatch = args[i]?.match(/^--whitelist=(.+)$/);
+        if (wlMatch) {
+          whitelistPreset = wlMatch[1];
+          break;
+        }
+      }
     }
   }
   if (!upstreamCmd) {
     process.stderr.write(
-      'Usage: sovr-mcp-proxy --upstream "command args..." [--rules policy.json] [--timeout 30000] [--verbose]\n'
+      'Usage: sovr-mcp-proxy --upstream "command args..." [--mode=exclusive|enforce|advisory|monitor] [--whitelist=preset|path] [--verbose]\n'
     );
     process.exit(1);
   }
+  if (!["exclusive", "enforce", "advisory", "monitor"].includes(mode)) {
+    process.stderr.write(`[SOVR] Invalid mode: ${mode}. Must be: exclusive|enforce|advisory|monitor
+`);
+    process.exit(1);
+  }
   let rules = DEFAULT_RULES;
   if (rulesFile) {
     const fs = await import("fs");
@@ -864,6 +893,26 @@ async function cli(args) {
     const parsed = JSON.parse(content);
     rules = parsed.rules ?? parsed;
   }
+  const { WhitelistEngine, PRESETS: WL_PRESETS } = await import("./whitelistEngine.mjs");
+  let whitelist = null;
+  if (whitelistPreset) {
+    const presetNames = Object.keys(WL_PRESETS);
+    if (presetNames.includes(whitelistPreset)) {
+      whitelist = new WhitelistEngine(WL_PRESETS[whitelistPreset]);
+    } else {
+      try {
+        const fs = await import("fs");
+        const content = fs.readFileSync(whitelistPreset, "utf-8");
+        const parsed = JSON.parse(content);
+        whitelist = new WhitelistEngine(parsed);
+      } catch (err) {
+        process.stderr.write(`[SOVR] Failed to load whitelist from ${whitelistPreset}: ${err.message}
+`);
+        process.exit(1);
+      }
+    }
+  }
+  const validatedMode = parseMode(mode);
   const engine = new PolicyEngine({
     rules,
     audit_log: true,
@@ -876,6 +925,24 @@ async function cli(args) {
       }
     }
   });
+  process.stderr.write(`
+`);
+  process.stderr.write(`  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+`);
+  process.stderr.write(`  \u2551  SOVR MCP Proxy v${PROXY_VERSION}                      \u2551
+`);
+  process.stderr.write(`  \u2551  Mode: ${mode.toUpperCase().padEnd(40)}\u2551
+`);
+  if (whitelist) {
+    process.stderr.write(`  \u2551  Whitelist: ${(whitelistPreset ?? "custom").padEnd(35)}\u2551
+`);
+  }
+  process.stderr.write(`  \u2551  Upstream: ${upstreamCmd.substring(0, 36).padEnd(36)}\u2551
+`);
+  process.stderr.write(`  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+  process.stderr.write(`
+`);
   const proxy = new McpProxy({
     engine,
     upstream: { command: upstreamCmd, args: upstreamArgs },
@@ -892,8 +959,37 @@ async function cli(args) {
         `[ESCALATED] ${info.toolName}: ${info.decision.reason}
 `
       );
+    },
+    onIntercept: (info) => {
+      if (info.arguments?.command && typeof info.arguments.command === "string") {
+        const normalized = normalizeCommand(info.arguments.command);
+        if (verbose) {
+          process.stderr.write(`[SOVR] Normalized: ${summarizeNormalization(normalized)}
+`);
+          if (normalized.suspicious) {
+            process.stderr.write(`[SOVR] \u26A0 Suspicious: ${normalized.suspicion_reasons.join(", ")}
+`);
+          }
+        }
+      }
+      if (whitelist && info.arguments?.command && typeof info.arguments.command === "string") {
+        const wlResult = whitelist.evaluate(info.arguments.command);
+        if (!wlResult.allowed && (validatedMode === "enforce" || validatedMode === "exclusive")) {
+          if (verbose) {
+            process.stderr.write(`[SOVR] Whitelist DENIED: ${wlResult.reason}
+`);
+          }
+        }
+      }
     }
   });
+  if (validatedMode === "exclusive") {
+    proxy.on("intercept", () => {
+      if (verbose) {
+        process.stderr.write("[SOVR] Exclusive mode: all tool calls routed through SOVR\n");
+      }
+    });
+  }
   await proxy.start();
 }
 var index_default = McpProxy;

package/dist/toolReplacement.d.mts

@@ -0,0 +1,108 @@
+/**
+ * @sovr/proxy-mcp — Tool Replacement Mode (--mode=exclusive)
+ *
+ * Solves the FATAL bypass problem identified in Reddit feedback:
+ *   "The LLM isn't forced to route commands through your MCP server."
+ *
+ * Solution: Instead of adding SOVR as an *additional* MCP tool alongside
+ * the native Bash tool, SOVR *replaces* the native Bash tool entirely.
+ * The LLM has no choice — every command goes through SOVR.
+ *
+ * How it works:
+ *   1. SOVR proxy intercepts the MCP `tools/list` response from upstream
+ *   2. In exclusive mode, it REMOVES dangerous native tools (Bash, shell, etc.)
+ *   3. It INJECTS SOVR-wrapped equivalents that enforce policy checks
+ *   4. When the LLM calls the SOVR tool, the proxy evaluates the command,
+ *      then either forwards to the real tool or blocks it
+ *
+ * Supported modes:
+ *   - "monitor"   (default) — Log all tool calls, allow everything
+ *   - "advisory"  — Log + warn on risky calls, but allow
+ *   - "enforce"   — Block risky calls, allow safe ones
+ *   - "exclusive" — Replace native tools entirely, ALL calls go through SOVR
+ *
+ * @example
+ * ```
+ * # Start proxy in exclusive mode (recommended for production)
+ * npx sovr-mcp-proxy --upstream "..." --mode=exclusive
+ *
+ * # Start proxy in enforce mode (less intrusive)
+ * npx sovr-mcp-proxy --upstream "..." --mode=enforce
+ * ```
+ */
+type ProxyMode = 'monitor' | 'advisory' | 'enforce' | 'exclusive';
+/** Tools that are considered dangerous and should be replaced in exclusive mode */
+interface ToolReplacementConfig {
+    /** Proxy enforcement mode */
+    mode: ProxyMode;
+    /** Tool names to intercept/replace (glob patterns supported) */
+    targetTools: string[];
+    /** Custom tool descriptions for replaced tools */
+    toolDescriptions?: Record<string, string>;
+    /** Whether to add a SOVR status tool */
+    addStatusTool: boolean;
+    /** Whether to add a SOVR audit tool */
+    addAuditTool: boolean;
+}
+/** MCP Tool definition (from MCP spec) */
+interface McpToolDef {
+    name: string;
+    description?: string;
+    inputSchema: {
+        type: 'object';
+        properties?: Record<string, unknown>;
+        required?: string[];
+        [key: string]: unknown;
+    };
+}
+/** Result of tool list transformation */
+interface ToolListTransformResult {
+    /** The transformed tool list */
+    tools: McpToolDef[];
+    /** Tools that were removed */
+    removedTools: string[];
+    /** Tools that were added by SOVR */
+    addedTools: string[];
+    /** Tools that were wrapped (kept but intercepted) */
+    wrappedTools: string[];
+}
+/**
+ * Default dangerous tool patterns that should be replaced in exclusive mode.
+ * These are the native tools that AI coding agents typically have access to.
+ */
+declare const DEFAULT_TARGET_TOOLS: string[];
+declare const DEFAULT_TOOL_REPLACEMENT_CONFIG: ToolReplacementConfig;
+/**
+ * Transform the upstream MCP server's tool list based on the proxy mode.
+ *
+ * In exclusive mode:
+ *   - Removes ALL native execution tools (Bash, shell, etc.)
+ *   - Injects SOVR-wrapped equivalents
+ *   - The LLM literally cannot bypass SOVR because the native tools don't exist
+ *
+ * In enforce mode:
+ *   - Keeps native tools but wraps them with SOVR interception
+ *   - Adds SOVR tools alongside native ones
+ *
+ * In advisory/monitor mode:
+ *   - Keeps all native tools unchanged
+ *   - Adds SOVR tools for optional use
+ */
+declare function transformToolList(upstreamTools: McpToolDef[], config: ToolReplacementConfig): ToolListTransformResult;
+/**
+ * Determine if a tool call should be intercepted based on the proxy mode.
+ */
+declare function shouldIntercept(toolName: string, config: ToolReplacementConfig): {
+    intercept: boolean;
+    reason: string;
+};
+/**
+ * Generate a human-readable summary of the tool replacement configuration.
+ */
+declare function describeMode(config: ToolReplacementConfig): string;
+/**
+ * Parse mode from CLI argument string.
+ */
+declare function parseMode(input: string): ProxyMode;
+
+export { DEFAULT_TARGET_TOOLS, DEFAULT_TOOL_REPLACEMENT_CONFIG, type McpToolDef, type ProxyMode, type ToolListTransformResult, type ToolReplacementConfig, describeMode, parseMode, shouldIntercept, transformToolList };

package/dist/toolReplacement.d.ts

@@ -0,0 +1,108 @@
+/**
+ * @sovr/proxy-mcp — Tool Replacement Mode (--mode=exclusive)
+ *
+ * Solves the FATAL bypass problem identified in Reddit feedback:
+ *   "The LLM isn't forced to route commands through your MCP server."
+ *
+ * Solution: Instead of adding SOVR as an *additional* MCP tool alongside
+ * the native Bash tool, SOVR *replaces* the native Bash tool entirely.
+ * The LLM has no choice — every command goes through SOVR.
+ *
+ * How it works:
+ *   1. SOVR proxy intercepts the MCP `tools/list` response from upstream
+ *   2. In exclusive mode, it REMOVES dangerous native tools (Bash, shell, etc.)
+ *   3. It INJECTS SOVR-wrapped equivalents that enforce policy checks
+ *   4. When the LLM calls the SOVR tool, the proxy evaluates the command,
+ *      then either forwards to the real tool or blocks it
+ *
+ * Supported modes:
+ *   - "monitor"   (default) — Log all tool calls, allow everything
+ *   - "advisory"  — Log + warn on risky calls, but allow
+ *   - "enforce"   — Block risky calls, allow safe ones
+ *   - "exclusive" — Replace native tools entirely, ALL calls go through SOVR
+ *
+ * @example
+ * ```
+ * # Start proxy in exclusive mode (recommended for production)
+ * npx sovr-mcp-proxy --upstream "..." --mode=exclusive
+ *
+ * # Start proxy in enforce mode (less intrusive)
+ * npx sovr-mcp-proxy --upstream "..." --mode=enforce
+ * ```
+ */
+type ProxyMode = 'monitor' | 'advisory' | 'enforce' | 'exclusive';
+/** Tools that are considered dangerous and should be replaced in exclusive mode */
+interface ToolReplacementConfig {
+    /** Proxy enforcement mode */
+    mode: ProxyMode;
+    /** Tool names to intercept/replace (glob patterns supported) */
+    targetTools: string[];
+    /** Custom tool descriptions for replaced tools */
+    toolDescriptions?: Record<string, string>;
+    /** Whether to add a SOVR status tool */
+    addStatusTool: boolean;
+    /** Whether to add a SOVR audit tool */
+    addAuditTool: boolean;
+}
+/** MCP Tool definition (from MCP spec) */
+interface McpToolDef {
+    name: string;
+    description?: string;
+    inputSchema: {
+        type: 'object';
+        properties?: Record<string, unknown>;
+        required?: string[];
+        [key: string]: unknown;
+    };
+}
+/** Result of tool list transformation */
+interface ToolListTransformResult {
+    /** The transformed tool list */
+    tools: McpToolDef[];
+    /** Tools that were removed */
+    removedTools: string[];
+    /** Tools that were added by SOVR */
+    addedTools: string[];
+    /** Tools that were wrapped (kept but intercepted) */
+    wrappedTools: string[];
+}
+/**
+ * Default dangerous tool patterns that should be replaced in exclusive mode.
+ * These are the native tools that AI coding agents typically have access to.
+ */
+declare const DEFAULT_TARGET_TOOLS: string[];
+declare const DEFAULT_TOOL_REPLACEMENT_CONFIG: ToolReplacementConfig;
+/**
+ * Transform the upstream MCP server's tool list based on the proxy mode.
+ *
+ * In exclusive mode:
+ *   - Removes ALL native execution tools (Bash, shell, etc.)
+ *   - Injects SOVR-wrapped equivalents
+ *   - The LLM literally cannot bypass SOVR because the native tools don't exist
+ *
+ * In enforce mode:
+ *   - Keeps native tools but wraps them with SOVR interception
+ *   - Adds SOVR tools alongside native ones
+ *
+ * In advisory/monitor mode:
+ *   - Keeps all native tools unchanged
+ *   - Adds SOVR tools for optional use
+ */
+declare function transformToolList(upstreamTools: McpToolDef[], config: ToolReplacementConfig): ToolListTransformResult;
+/**
+ * Determine if a tool call should be intercepted based on the proxy mode.
+ */
+declare function shouldIntercept(toolName: string, config: ToolReplacementConfig): {
+    intercept: boolean;
+    reason: string;
+};
+/**
+ * Generate a human-readable summary of the tool replacement configuration.
+ */
+declare function describeMode(config: ToolReplacementConfig): string;
+/**
+ * Parse mode from CLI argument string.
+ */
+declare function parseMode(input: string): ProxyMode;
+
+export { DEFAULT_TARGET_TOOLS, DEFAULT_TOOL_REPLACEMENT_CONFIG, type McpToolDef, type ProxyMode, type ToolListTransformResult, type ToolReplacementConfig, describeMode, parseMode, shouldIntercept, transformToolList };

package/dist/toolReplacement.js

@@ -0,0 +1,234 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/toolReplacement.ts
+var toolReplacement_exports = {};
+__export(toolReplacement_exports, {
+  DEFAULT_TARGET_TOOLS: () => DEFAULT_TARGET_TOOLS,
+  DEFAULT_TOOL_REPLACEMENT_CONFIG: () => DEFAULT_TOOL_REPLACEMENT_CONFIG,
+  describeMode: () => describeMode,
+  parseMode: () => parseMode,
+  shouldIntercept: () => shouldIntercept,
+  transformToolList: () => transformToolList
+});
+module.exports = __toCommonJS(toolReplacement_exports);
+var DEFAULT_TARGET_TOOLS = [
+  // Claude Code native tools
+  "Bash",
+  "bash",
+  "shell",
+  "execute_command",
+  "run_command",
+  "terminal",
+  // Cursor / Windsurf / Continue
+  "run_terminal_command",
+  "execute_shell",
+  "shell_exec",
+  // Generic patterns
+  "exec",
+  "system",
+  "subprocess"
+];
+var SOVR_EXEC_TOOL = {
+  name: "sovr_exec",
+  description: "Execute a shell command through the SOVR Responsibility Layer. All commands are evaluated against security policies before execution. Dangerous commands (rm -rf, DROP TABLE, etc.) will be blocked. This is the ONLY way to execute commands \u2014 use this for ALL shell operations.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      command: {
+        type: "string",
+        description: "The shell command to execute. Will be policy-checked before running."
+      },
+      workdir: {
+        type: "string",
+        description: "Working directory for the command (optional)."
+      },
+      timeout: {
+        type: "number",
+        description: "Timeout in milliseconds (default: 300000 = 5 min)."
+      }
+    },
+    required: ["command"]
+  }
+};
+var SOVR_STATUS_TOOL = {
+  name: "sovr_status",
+  description: "Check the current SOVR security status, including active policies, recent decisions, and system health. Use this to understand what commands are allowed or blocked.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      verbose: {
+        type: "boolean",
+        description: "Include detailed policy information (default: false)."
+      }
+    }
+  }
+};
+var SOVR_AUDIT_TOOL = {
+  name: "sovr_audit",
+  description: "View the SOVR audit log of recent command evaluations. Shows what was allowed, blocked, or escalated.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      limit: {
+        type: "number",
+        description: "Number of recent entries to show (default: 10)."
+      },
+      filter: {
+        type: "string",
+        enum: ["all", "allowed", "blocked", "escalated"],
+        description: "Filter by decision type (default: all)."
+      }
+    }
+  }
+};
+var DEFAULT_TOOL_REPLACEMENT_CONFIG = {
+  mode: "enforce",
+  targetTools: DEFAULT_TARGET_TOOLS,
+  addStatusTool: true,
+  addAuditTool: true
+};
+function transformToolList(upstreamTools, config) {
+  const removedTools = [];
+  const addedTools = [];
+  const wrappedTools = [];
+  let resultTools = [];
+  switch (config.mode) {
+    case "exclusive": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          removedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "enforce": {
+      for (const tool of upstreamTools) {
+        if (isTargetTool(tool.name, config.targetTools)) {
+          resultTools.push({
+            ...tool,
+            description: `[SOVR-ENFORCED] ${tool.description || ""} \u2014 All calls are policy-checked by SOVR before execution.`
+          });
+          wrappedTools.push(tool.name);
+        } else {
+          resultTools.push(tool);
+        }
+      }
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "advisory": {
+      resultTools = [...upstreamTools];
+      resultTools.push(SOVR_EXEC_TOOL);
+      addedTools.push(SOVR_EXEC_TOOL.name);
+      break;
+    }
+    case "monitor":
+    default: {
+      resultTools = [...upstreamTools];
+      break;
+    }
+  }
+  if (config.addStatusTool) {
+    resultTools.push(SOVR_STATUS_TOOL);
+    addedTools.push(SOVR_STATUS_TOOL.name);
+  }
+  if (config.addAuditTool) {
+    resultTools.push(SOVR_AUDIT_TOOL);
+    addedTools.push(SOVR_AUDIT_TOOL.name);
+  }
+  return { tools: resultTools, removedTools, addedTools, wrappedTools };
+}
+function isTargetTool(toolName, targets) {
+  const lowerName = toolName.toLowerCase();
+  return targets.some((target) => {
+    const lowerTarget = target.toLowerCase();
+    if (lowerName === lowerTarget) return true;
+    if (lowerTarget.includes("*")) {
+      const regex = new RegExp(
+        "^" + lowerTarget.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+      );
+      return regex.test(lowerName);
+    }
+    return false;
+  });
+}
+function shouldIntercept(toolName, config) {
+  switch (config.mode) {
+    case "exclusive":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "exclusive-mode: all exec calls routed through SOVR" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "exclusive-mode: native tool blocked, use sovr_exec" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "enforce":
+      if (toolName === "sovr_exec" || isTargetTool(toolName, config.targetTools)) {
+        return { intercept: true, reason: "enforce-mode: policy check required" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "advisory":
+      if (toolName === "sovr_exec") {
+        return { intercept: true, reason: "advisory-mode: SOVR exec call" };
+      }
+      if (isTargetTool(toolName, config.targetTools)) {
+        return { intercept: false, reason: "advisory-mode: native tool allowed with warning" };
+      }
+      return { intercept: false, reason: "non-exec tool, passthrough" };
+    case "monitor":
+    default:
+      return { intercept: false, reason: "monitor-mode: all tools passthrough" };
+  }
+}
+function describeMode(config) {
+  switch (config.mode) {
+    case "exclusive":
+      return `EXCLUSIVE MODE: Native execution tools (${config.targetTools.join(", ")}) are REMOVED. The LLM can ONLY execute commands through sovr_exec. Bypass is impossible.`;
+    case "enforce":
+      return `ENFORCE MODE: Native execution tools are wrapped with SOVR policy checks. All command executions are evaluated before running. Dangerous commands are blocked.`;
+    case "advisory":
+      return `ADVISORY MODE: Native tools remain available. SOVR tools are added alongside. Warnings are logged for risky commands but execution is not blocked.`;
+    case "monitor":
+      return `MONITOR MODE: All tools pass through unchanged. SOVR only logs activity. No enforcement or blocking.`;
+  }
+}
+function parseMode(input) {
+  const normalized = input.toLowerCase().trim();
+  if (["exclusive", "enforce", "advisory", "monitor"].includes(normalized)) {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid mode: "${input}". Valid modes: exclusive, enforce, advisory, monitor`
+  );
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_TARGET_TOOLS,
+  DEFAULT_TOOL_REPLACEMENT_CONFIG,
+  describeMode,
+  parseMode,
+  shouldIntercept,
+  transformToolList
+});