@1claw/mcp 0.11.0 → 0.13.0
- package/README.md +25 -0
- package/dist/__tests__/security.test.js +138 -2
- package/dist/__tests__/security.test.js.map +1 -1
- package/dist/index.js +57 -10
- package/dist/index.js.map +1 -1
- package/dist/security/index.d.ts +17 -8
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +132 -51
- package/dist/security/index.js.map +1 -1
- package/package.json +1 -1
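--- a/package/README.md
+++ b/package/README.md
@@ -151,3 +151,28 @@ pnpm inspect
 - **Token scoping.** Use the 1claw dashboard to create agent tokens with the minimum permissions needed. Restrict by vault, path prefix, or action.
 - **No hardcoded credentials.** All auth is via environment variables (stdio) or headers (httpStream).
 - **410/404 handling.** Expired or missing secrets surface clear error messages rather than raw HTTP codes.
+
+### Security inspection pipeline
+
+All tool calls pass through an inspection pipeline before execution and after results are returned. The pipeline runs by default and is configurable via environment variables.
+
+**Input inspection** (before tool execution):
+1. **Unicode normalization** — Strips zero-width characters, replaces Cyrillic/Greek homoglyphs.
+2. **Threat detection** — Command injection, encoding obfuscation, social engineering, network threats.
+3. **PII detection** — Emails, SSNs, credit card numbers, phone numbers, AWS keys, private key headers.
+4. **Exfiltration protection** — Blocks or warns when a previously fetched secret value appears in a non-secret tool's input (e.g., an agent trying to send a secret to an external URL).
+
+**Output inspection** (after tool execution):
+1. **Threat detection** — Same patterns as input.
+2. **PII detection** — Same patterns as input.
+3. **Secret redaction** — Tracks every secret value fetched via `get_secret` or `get_env_bundle`. If a known secret appears in the output of a non-secret tool (e.g., `list_vaults`, `grant_access`), the value is replaced with `[REDACTED:path]` before it reaches the LLM context window.
+
+### Security environment variables
+
+| Variable | Default | Description |
+| ---------------------------------- | -------- | ------------------------------------------------------------------------------------------------ |
+| `ONECLAW_MCP_SECURITY_ENABLED` | `true` | Master switch. Set to `false` to disable all inspection. |
+| `ONECLAW_MCP_SANITIZATION_MODE` | `block` | `block` rejects critical/high threats; `surgical` normalizes Unicode but allows; `log_only` only logs. |
+| `ONECLAW_MCP_REDACT_SECRETS` | `true` | Redact known secret values from non-secret tool outputs. Requires security enabled. |
+| `ONECLAW_MCP_PII_DETECTION` | `true` | Detect PII patterns (emails, SSNs, credit cards, etc.) in inputs and outputs. |
+| `ONECLAW_MCP_EXFIL_PROTECTION` | `warn` | `block` rejects tool inputs containing known secrets; `warn` logs but allows; `off` disables. |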
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { describe, it, expect, beforeEach, afterEach } from "vitest";
|
|
2
|
-
import { inspectInput, inspectOutput, normalizeUnicode, isSecurityEnabled, getSanitizationMode, } from "../security/index.js";
|
|
2
|
+
import { inspectInput, inspectOutput, normalizeUnicode, isSecurityEnabled, getSanitizationMode, isSecretRedactionEnabled, isPiiDetectionEnabled, getExfilProtectionMode, registerSecret, clearSecrets, trackedSecretCount, } from "../security/index.js";
|
|
3
3
|
describe("Security Module", () => {
|
|
4
4
|
let originalEnv;
|
|
5
5
|
beforeEach(() => {
|
|
@@ -193,7 +193,6 @@ describe("Security Module", () => {
|
|
|
193
193
|
describe("inspectOutput", () => {
|
|
194
194
|
it("detects threats in output", () => {
|
|
195
195
|
const result = inspectOutput("test_tool", "Your API key is sk-12345");
|
|
196
|
-
// Output inspection logs but doesn't block
|
|
197
196
|
expect(result.passed).toBe(true);
|
|
198
197
|
});
|
|
199
198
|
it("skips inspection when disabled", () => {
|
|
@@ -202,5 +201,142 @@ describe("Security Module", () => {
|
|
|
202
201
|
expect(result.threats).toHaveLength(0);
|
|
203
202
|
});
|
|
204
203
|
});
|
|
204
|
+
describe("PII detection", () => {
|
|
205
|
+
it("detects email addresses in input", () => {
|
|
206
|
+
const result = inspectInput("test_tool", {
|
|
207
|
+
message: "Contact alice@example.com",
|
|
208
|
+
});
|
|
209
|
+
expect(result.threats.some((t) => t.pattern === "email")).toBe(true);
|
|
210
|
+
});
|
|
211
|
+
it("detects SSN in input", () => {
|
|
212
|
+
const result = inspectInput("test_tool", {
|
|
213
|
+
data: "SSN: 123-45-6789",
|
|
214
|
+
});
|
|
215
|
+
expect(result.threats.some((t) => t.pattern === "ssn")).toBe(true);
|
|
216
|
+
});
|
|
217
|
+
it("detects credit card numbers in input", () => {
|
|
218
|
+
const result = inspectInput("test_tool", {
|
|
219
|
+
card: "4111-1111-1111-1111",
|
|
220
|
+
});
|
|
221
|
+
expect(result.threats.some((t) => t.pattern === "credit_card")).toBe(true);
|
|
222
|
+
});
|
|
223
|
+
it("detects AWS access keys", () => {
|
|
224
|
+
const result = inspectInput("test_tool", {
|
|
225
|
+
key: "AKIAIOSFODNN7EXAMPLE",
|
|
226
|
+
});
|
|
227
|
+
expect(result.threats.some((t) => t.pattern === "aws_key")).toBe(true);
|
|
228
|
+
});
|
|
229
|
+
it("detects private key headers", () => {
|
|
230
|
+
const result = inspectInput("test_tool", {
|
|
231
|
+
key: "-----BEGIN RSA PRIVATE KEY-----",
|
|
232
|
+
});
|
|
233
|
+
expect(result.threats.some((t) => t.pattern === "private_key_header")).toBe(true);
|
|
234
|
+
});
|
|
235
|
+
it("detects PII in output", () => {
|
|
236
|
+
const result = inspectOutput("test_tool", "User email: alice@example.com");
|
|
237
|
+
expect(result.threats.some((t) => t.pattern === "email")).toBe(true);
|
|
238
|
+
});
|
|
239
|
+
it("skips PII detection when disabled", () => {
|
|
240
|
+
process.env.ONECLAW_MCP_PII_DETECTION = "false";
|
|
241
|
+
const result = inspectInput("test_tool", {
|
|
242
|
+
data: "SSN: 123-45-6789",
|
|
243
|
+
});
|
|
244
|
+
expect(result.threats.some((t) => t.type === "pii")).toBe(false);
|
|
245
|
+
});
|
|
246
|
+
});
|
|
247
|
+
describe("secret redaction", () => {
|
|
248
|
+
beforeEach(() => {
|
|
249
|
+
clearSecrets();
|
|
250
|
+
});
|
|
251
|
+
it("registers and counts secrets", () => {
|
|
252
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
253
|
+
expect(trackedSecretCount()).toBe(1);
|
|
254
|
+
});
|
|
255
|
+
it("ignores short values", () => {
|
|
256
|
+
registerSecret("short", "abc");
|
|
257
|
+
expect(trackedSecretCount()).toBe(0);
|
|
258
|
+
});
|
|
259
|
+
it("redacts known secret from non-secret tool output", () => {
|
|
260
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
261
|
+
const result = inspectOutput("list_vaults", "Found key: sk_live_abc123def456");
|
|
262
|
+
expect(result.redacted).toBe("Found key: [REDACTED:api-keys/stripe]");
|
|
263
|
+
expect(result.threats.some((t) => t.type === "secret_leak")).toBe(true);
|
|
264
|
+
});
|
|
265
|
+
it("does not redact get_secret output", () => {
|
|
266
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
267
|
+
const result = inspectOutput("get_secret", '{"value":"sk_live_abc123def456"}');
|
|
268
|
+
expect(result.redacted).toBeUndefined();
|
|
269
|
+
});
|
|
270
|
+
it("does not redact when feature is disabled", () => {
|
|
271
|
+
process.env.ONECLAW_MCP_REDACT_SECRETS = "false";
|
|
272
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
273
|
+
const result = inspectOutput("list_vaults", "Found key: sk_live_abc123def456");
|
|
274
|
+
expect(result.redacted).toBeUndefined();
|
|
275
|
+
});
|
|
276
|
+
it("clears secrets", () => {
|
|
277
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
278
|
+
clearSecrets();
|
|
279
|
+
expect(trackedSecretCount()).toBe(0);
|
|
280
|
+
});
|
|
281
|
+
});
|
|
282
|
+
describe("exfiltration protection", () => {
|
|
283
|
+
beforeEach(() => {
|
|
284
|
+
clearSecrets();
|
|
285
|
+
registerSecret("api-keys/stripe", "sk_live_abc123def456");
|
|
286
|
+
});
|
|
287
|
+
it("warns when secret appears in non-secret tool input (default mode)", () => {
|
|
288
|
+
delete process.env.ONECLAW_MCP_EXFIL_PROTECTION;
|
|
289
|
+
const result = inspectInput("share_secret", {
|
|
290
|
+
message: "Here is the key: sk_live_abc123def456",
|
|
291
|
+
});
|
|
292
|
+
expect(result.threats.some((t) => t.type === "secret_exfiltration")).toBe(true);
|
|
293
|
+
expect(result.passed).toBe(true);
|
|
294
|
+
});
|
|
295
|
+
it("blocks when exfil protection is set to block", () => {
|
|
296
|
+
process.env.ONECLAW_MCP_EXFIL_PROTECTION = "block";
|
|
297
|
+
const result = inspectInput("share_secret", {
|
|
298
|
+
message: "Here is the key: sk_live_abc123def456",
|
|
299
|
+
});
|
|
300
|
+
expect(result.passed).toBe(false);
|
|
301
|
+
expect(result.threats.some((t) => t.type === "secret_exfiltration")).toBe(true);
|
|
302
|
+
});
|
|
303
|
+
it("skips exfil check for secret tools (put_secret)", () => {
|
|
304
|
+
process.env.ONECLAW_MCP_EXFIL_PROTECTION = "block";
|
|
305
|
+
const result = inspectInput("put_secret", {
|
|
306
|
+
path: "api-keys/stripe",
|
|
307
|
+
value: "sk_live_abc123def456",
|
|
308
|
+
});
|
|
309
|
+
expect(result.threats.some((t) => t.type === "secret_exfiltration")).toBe(false);
|
|
310
|
+
});
|
|
311
|
+
it("skips exfil check when off", () => {
|
|
312
|
+
process.env.ONECLAW_MCP_EXFIL_PROTECTION = "off";
|
|
313
|
+
const result = inspectInput("share_secret", {
|
|
314
|
+
message: "Here is the key: sk_live_abc123def456",
|
|
315
|
+
});
|
|
316
|
+
expect(result.threats.some((t) => t.type === "secret_exfiltration")).toBe(false);
|
|
317
|
+
});
|
|
318
|
+
});
|
|
319
|
+
describe("feature flag helpers", () => {
|
|
320
|
+
it("isSecretRedactionEnabled defaults to true", () => {
|
|
321
|
+
delete process.env.ONECLAW_MCP_REDACT_SECRETS;
|
|
322
|
+
expect(isSecretRedactionEnabled()).toBe(true);
|
|
323
|
+
});
|
|
324
|
+
it("isSecretRedactionEnabled false when security disabled", () => {
|
|
325
|
+
process.env.ONECLAW_MCP_SECURITY_ENABLED = "false";
|
|
326
|
+
expect(isSecretRedactionEnabled()).toBe(false);
|
|
327
|
+
});
|
|
328
|
+
it("isPiiDetectionEnabled defaults to true", () => {
|
|
329
|
+
delete process.env.ONECLAW_MCP_PII_DETECTION;
|
|
330
|
+
expect(isPiiDetectionEnabled()).toBe(true);
|
|
331
|
+
});
|
|
332
|
+
it("getExfilProtectionMode defaults to warn", () => {
|
|
333
|
+
delete process.env.ONECLAW_MCP_EXFIL_PROTECTION;
|
|
334
|
+
expect(getExfilProtectionMode()).toBe("warn");
|
|
335
|
+
});
|
|
336
|
+
it("getExfilProtectionMode off when security disabled", () => {
|
|
337
|
+
process.env.ONECLAW_MCP_SECURITY_ENABLED = "false";
|
|
338
|
+
expect(getExfilProtectionMode()).toBe("off");
|
|
339
|
+
});
|
|
340
|
+
});
|
|
205
341
|
});
|
|
206
342
|
//# sourceMappingURL=security.test.js.map
|
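Review bot: No case pins what `getExfilProtectionMode()` returns for an unrecognised `ONECLAW_MCP_EXFIL_PROTECTION` value; the "exfiltration protection" and "feature flag helpers" blocks cover only unset, `block`, `off` and security-disabled. Because the first exfiltration test shows `passed` stays `true` under the `warn` default, a mistyped value silently choosing between blocking and allowing deserves a test, e.g. `process.env.ONECLAW_MCP_EXFIL_PROTECTION = "blok";` followed by an `expect(getExfilProtectionMode())` on the intended fallback. The same gap exists for `ONECLAW_MCP_PII_DETECTION` and `ONECLAW_MCP_REDACT_SECRETS`, which are only exercised with `"false"`. The redaction and exfiltration cases also match only a verbatim copy of the registered value in a top-level string; whether nested arguments are scanned is not visible here, so a case with the value inside a nested object would document the intended coverage. The added `describe` blocks are complete in the hunk, while the outer `describe("Security Module")` body is only partly shown.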
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.test.js","sourceRoot":"","sources":["../../src/__tests__/security.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EACH,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,GACtB,MAAM,sBAAsB,CAAC;AAE9B,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC7B,IAAI,WAA8B,CAAC;IAEnC,UAAU,CAAC,GAAG,EAAE;QACZ,WAAW,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACX,OAAO,CAAC,GAAG,GAAG,WAAW,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YAChD,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAC9C,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;YACzB,OAAO,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;YACjD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,UAAU,CAAC;YACvD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,UAAU,CAAC;YACvD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACpC,MAAM,KAAK,GAAG,6BAA6B,CAAC;YAC5C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,sBAAsB;YAC9C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,
CAAC;YAClC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACnC,MAAM,KAAK,GAAG,aAAa,CAAC;YAC5B,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC1B,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;YAC/B,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;gBACtC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,oCAAoC;iBAC/C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;gBACpC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,oBAAoB;iBAC/B,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;gBAC9B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,0BAA0B;iBACrC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;gBAC1B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,sBAAsB;iBACjC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;gBACnC,8CAA8C;gBAC9C,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,IAAI,EAAE,kDAAkD;iBAC3D,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,
CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;gBAC3B,oDAAoD;gBACpD,yEAAyE;gBACzE,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAA,0BAA0B;iBAC/C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAA,cAAc;iBACnC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;gBACvB,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,8BAA8B;iBACzC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;gBAChC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,wCAAwC;iBACnD,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;gBAChC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,+BAA+B;iBAC1C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,+BAA+B;iBAC1C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,E
AAE,CAAC,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;gBACnC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,uBAAuB;iBAClC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;YAC7B,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;gBAC1B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,8BAA8B;iBACtC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzE,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;gBAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,0BAA0B;iBAClC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,wBAAwB;iBAChC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;gBACjC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,OAAO,EAAE,+BAA+B;iBAC3C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9E,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;YACjC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;gBAC7C,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,QAAQ,EAAE,aAAa;iBAClC,CAAC,CAAC;gBACH,
MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;YAC/B,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;gBACvC,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;gBACnD,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,YAAY;iBACvB,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC;YACtE,2CAA2C;YAC3C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"security.test.js","sourceRoot":"","sources":["../../src/__tests__/security.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EACH,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,wBAAwB,EACxB,qBAAqB,EACrB,sBAAsB,EACtB,cAAc,EACd,YAAY,EACZ,kBAAkB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC7B,IAAI,WAA8B,CAAC;IAEnC,UAAU,CAAC,GAAG,EAAE;QACZ,WAAW,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACX,OAAO,CAAC,GAAG,GAAG,WAAW,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YAChD,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAC9C,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;YACzB,OAAO,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;YACjD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,UAAU,CAAC;YACvD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,UAAU,CAAC;YACvD,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACpC,MAAM,KAAK,GAAG,6BAA6B,CAAC;YAC5C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,sBAAsB;YAC9C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB
,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACnC,MAAM,KAAK,GAAG,aAAa,CAAC;YAC5B,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC1B,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;YAC/B,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;gBACtC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,oCAAoC;iBAC/C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;gBACpC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,oBAAoB;iBAC/B,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;gBAC9B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,0BAA0B;iBACrC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;gBAC1B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,sBAAsB;iBACjC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;gBACnC,8CAA8C;gBAC9C,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,IAAI,EAAE,kDA
AkD;iBAC3D,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;gBAC3B,oDAAoD;gBACpD,yEAAyE;gBACzE,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAA,0BAA0B;iBAC/C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAA,cAAc;iBACnC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;gBACvB,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,8BAA8B;iBACzC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;gBAChC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,wCAAwC;iBACnD,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;gBAChC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,+BAA+B;iBAC1C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,+BAA+B;iBAC1C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,C
AAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;gBACnC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,uBAAuB;iBAClC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;YAC7B,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;gBAC1B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,8BAA8B;iBACtC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzE,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;gBAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,0BAA0B;iBAClC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;gBAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,GAAG,EAAE,wBAAwB;iBAChC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;gBACjC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,OAAO,EAAE,+BAA+B;iBAC3C,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9E,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;YACjC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;gBAC7C,MAAM,MAAM,GAAG,YAA
Y,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,QAAQ,EAAE,aAAa;iBAClC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpF,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;YAC/B,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;gBACvC,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;gBACnD,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;oBACrC,MAAM,EAAE,YAAY;iBACvB,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACjC,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC;YACtE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YACxC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,OAAO,EAAE,2BAA2B;aACvC,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,IAAI,EAAE,kBAAkB;aAC3B,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,IAAI,EAAE,qBAAqB;aAC9B,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,
EAAE;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,GAAG,EAAE,sBAAsB;aAC9B,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACnC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,GAAG,EAAE,iCAAiC;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;YAC7B,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,+BAA+B,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YACzC,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,OAAO,CAAC;YAChD,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE;gBACrC,IAAI,EAAE,kBAAkB;aAC3B,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAC9B,UAAU,CAAC,GAAG,EAAE;YACZ,YAAY,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACpC,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;YAC1D,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;YAC5B,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC/B,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YACxD,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,EAAE,iCAAiC,CAAC,CAAC;YAC/E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YACtE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YACzC,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;YAC1D,MAA
M,MAAM,GAAG,aAAa,CAAC,YAAY,EAAE,kCAAkC,CAAC,CAAC;YAC/E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAChD,OAAO,CAAC,GAAG,CAAC,0BAA0B,GAAG,OAAO,CAAC;YACjD,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,EAAE,iCAAiC,CAAC,CAAC;YAC/E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE;YACtB,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;YAC1D,YAAY,EAAE,CAAC;YACf,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACrC,UAAU,CAAC,GAAG,EAAE;YACZ,YAAY,EAAE,CAAC;YACf,cAAc,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;YACzE,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YAChD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,EAAE;gBACxC,OAAO,EAAE,uCAAuC;aACnD,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACpD,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,EAAE;gBACxC,OAAO,EAAE,uCAAuC;aACnD,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACvD,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,EAAE;gBACtC,IAAI,EAAE,iBAAiB;gBACvB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YAClC,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,KAAK,CAAC;YACjD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,EAAE;gBACxC
,OAAO,EAAE,uCAAuC;aACnD,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACjD,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;YAC9C,MAAM,CAAC,wBAAwB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC7D,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,CAAC,wBAAwB,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAC9C,OAAO,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;YAC7C,MAAM,CAAC,qBAAqB,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YAChD,MAAM,CAAC,sBAAsB,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YACzD,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,OAAO,CAAC;YACnD,MAAM,CAAC,sBAAsB,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}
|
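--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -13,7 +13,7 @@ import { grantAccessTool } from "./tools/grant_access.js";
 import { shareSecretTool } from "./tools/share_secret.js";
 import { simulateTransactionTool } from "./tools/simulate_transaction.js";
 import { submitTransactionTool } from "./tools/submit_transaction.js";
-import { inspectInput, inspectOutput, isSecurityEnabled } from "./security/index.js";
+import { inspectInput, inspectOutput, isSecurityEnabled, registerSecret, isSecretRedactionEnabled } from "./security/index.js";
 const baseUrl = process.env.ONECLAW_BASE_URL ?? "https://api.1claw.xyz";
 const transport = process.env.MCP_TRANSPORT ?? "stdio";
 const port = parseInt(process.env.PORT ?? "8080", 10);
@@ -66,15 +66,35 @@ const serverOpts = {
 health: { enabled: true, path: "/health" },
 };
 if (transport === "httpStream") {
-serverOpts.authenticate = (request) => {
+serverOpts.authenticate = async (request) => {
 const auth = (request.headers["authorization"] ?? "");
 const token = auth.replace(/^Bearer\s+/i, "").trim();
 const vaultId = (request.headers["x-vault-id"] ?? "");
 if (!token)
-
+throw new Error("Missing Authorization header (Bearer <agent-token>)");
 if (!vaultId)
-
-
+throw new Error("Missing X-Vault-ID header");
+// H-9: Validate token against the vault API (not just pass-through).
+// Calls GET /v1/vaults to confirm the token is valid. An invalid or
+// expired token will fail with 401, rejecting the session early.
+const validationRes = await fetch(`${baseUrl}/v1/vaults/${vaultId}`, {
+headers: { Authorization: `Bearer ${token}` },
+});
+if (!validationRes.ok) {
+const status = validationRes.status;
+if (status === 401) {
+throw new Error("Invalid or expired Bearer token");
+}
+if (status === 403) {
+// H-10: The token's vault_ids claim doesn't include this vault
+throw new Error("X-Vault-ID is not accessible with this token (vault binding mismatch)");
+}
+if (status === 404) {
+throw new Error(`Vault ${vaultId} not found`);
+}
+throw new Error(`Token validation failed (HTTP ${status})`);
+}
+return { token, vaultId };
 };
 }
 const server = new FastMCP(serverOpts);
@@ -100,12 +120,37 @@ function registerTool(factory) {
 const client = resolveClient(context.session);
 const tool = factory(client);
 const result = await tool.execute(args, context);
-//
+// Track secret values for redaction and exfiltration protection
+if (isSecretRedactionEnabled()) {
+if (proto.name === "get_secret") {
+try {
+const parsed = JSON.parse(result);
+if (parsed.value && parsed.path)
+registerSecret(parsed.path, parsed.value);
+}
+catch { /* not JSON — skip */ }
+}
+if (proto.name === "get_env_bundle") {
+try {
+const env = JSON.parse(result);
+for (const [key, val] of Object.entries(env)) {
+if (typeof val === "string")
+registerSecret(`env:${key}`, val);
+}
+}
+catch { /* not JSON — skip */ }
+}
+}
+// Security inspection of output (redacts secrets, detects PII, logs threats)
 if (isSecurityEnabled()) {
 const outputCheck = inspectOutput(proto.name, result);
 if (outputCheck.threats.length > 0) {
 context.log.info(`[SECURITY] Output warnings for ${proto.name}: ${outputCheck.threats.map(t => t.pattern).join(", ")}`);
 }
+if (outputCheck.redacted) {
+context.log.info(`[SECURITY] Redacted secret values from ${proto.name} output`);
+return outputCheck.redacted;
+}
 }
 return result;
 },
@@ -123,7 +168,8 @@ registerTool(shareSecretTool);
 registerTool(simulateTransactionTool);
 registerTool(submitTransactionTool);
 // ── Stretch: rotate_and_store ────────────────────────
-
+// Registered via registerTool so input/output go through security inspection.
+const rotateAndStoreTool = (client) => ({
 name: "rotate_and_store",
 description: "Store a new value for an existing secret (creating a new version) and return the version number. Useful when an agent has regenerated an API key and needs to persist it.",
 parameters: z.object({
@@ -131,7 +177,6 @@ server.addTool({
 value: z.string().min(1).describe("The new secret value"),
 }),
 execute: async (args, context) => {
-const client = resolveClient(context.session);
 const result = await client.putSecret(args.path, {
 value: args.value,
 type: "api_key",
@@ -140,15 +185,16 @@ server.addTool({
 return `Rotated secret at '${args.path}'. New version: ${result.version}.`;
 },
 });
+registerTool(rotateAndStoreTool);
 // ── Stretch: get_env_bundle ──────────────────────────
-
+// Registered via registerTool so input/output go through security inspection.
+const getEnvBundleTool = (client) => ({
 name: "get_env_bundle",
 description: "Fetch a secret of type env_bundle, parse its KEY=VALUE lines, and return a structured JSON object. Useful for injecting environment variables into subprocesses.",
 parameters: z.object({
 path: z.string().min(1).describe("Path to an env_bundle secret"),
 }),
 execute: async (args, context) => {
-const client = resolveClient(context.session);
 try {
 const secret = await client.getSecret(args.path);
 context.log.info(`env_bundle accessed: ${args.path}`);
@@ -180,6 +226,7 @@ server.addTool({
 }
 },
 });
+registerTool(getEnvBundleTool);
 // ── Resource: browsable secret listing ───────────────
 server.addResource({
 uri: "vault://secrets",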
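Review bot: In the `authenticate` hunk the `X-Vault-ID` header is interpolated into the validation URL as-is, so a value containing path or query delimiters makes the check hit a different `baseUrl` endpoint than the vault it claims to verify, and any 2xx from that endpoint is then accepted and the raw header stored as `vaultId` for the session. I would reject anything that is not a well-formed vault ID before the request and build the path with `encodeURIComponent(vaultId)`. The same unvalidated value is echoed in the 404 message (`Vault ${vaultId} not found`). The `fetch` also has no timeout or `try`/`catch`, so a slow or unreachable API stalls authentication or surfaces a raw network error; passing `signal: AbortSignal.timeout(...)` would bound it. The H-9 comment says `GET /v1/vaults` while the code requests `/v1/vaults/${vaultId}`; the comment should name the actual endpoint.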
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAI/H,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,uBAAuB,CAAC;AACxE,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC;AACvD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;AAEtD,uDAAuD;AAEvD,IAAI,YAAuC,CAAC;AAE5C,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAE9C,IAAI,WAAW,EAAE,CAAC;QACd,mFAAmF;QACnF,YAAY,GAAG,IAAI,aAAa,CAAC;YAC7B,OAAO;YACP,OAAO,EAAE,OAAO,IAAI,SAAS;YAC7B,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,OAAO,IAAI,SAAS;SAChC,CAAC,CAAC;IACP,CAAC;SAAM,IAAI,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CACT,2EAA2E,CAC9E,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,YAAY,GAAG,IAAI,aAAa,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;SAAM,CAAC;QACJ,OAAO,CAAC,KAAK,CACT,wCAAwC;YACpC,8FAA8F;YAC9F,oEAAoE;YACpE,oEAAoE,CAC3E,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,OAAqB;IACxC,IAAI,OAAO,EAAE,CAAC;QACV,OAAO,IAAI,aAAa,CAAC;YACrB,OAAO;YACP,KAAK,EAAE,OAAO,CAAC,KAAK;
YACpB,OAAO,EAAE,OAAO,CAAC,OAAO;SAC3B,CAAC,CAAC;IACP,CAAC;IACD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,IAAI,SAAS,CACf,kEAAkE,CACrE,CAAC;AACN,CAAC;AAMD,MAAM,UAAU,GAAe;IAC3B,IAAI,EAAE,OAAO;IACb,OAAO,EAAE,OAAO;IAChB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;CAC7C,CAAC;AAEF,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;IAC7B,UAAU,CAAC,YAAY,GAAG,KAAK,EAC3B,OAA6B,EACT,EAAE;QACtB,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,CAAW,CAAC;QAChE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAW,CAAC;QAEhE,IAAI,CAAC,KAAK;YACN,MAAM,IAAI,KAAK,CACX,qDAAqD,CACxD,CAAC;QACN,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAE3D,qEAAqE;QACrE,oEAAoE;QACpE,iEAAiE;QACjE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,cAAc,OAAO,EAAE,EAAE;YACjE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;SAChD,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;YACpC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACvD,CAAC;YACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;gBACjB,+DAA+D;gBAC/D,MAAM,IAAI,KAAK,CACX,uEAAuE,CAC1E,CAAC;YACN,CAAC;YACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,SAAS,OAAO,YAAY,CAAC,CAAC;YAClD,CAAC;YACD,MAAM,IAAI,KAAK,CACX,iCAAiC,MAAM,GAAG,CAC7C,CAAC;QACN,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC,CAAC;AACN,CAAC;AAED,MAAM,MAAM,GAAG,IAAI,OAAO,CAAc,UAAU,CAAC,CAAC;AAapD,SAAS,YAAY,CAAC,OAAuB;IACzC,MAAM,KAAK,GAAG,OAAO,CACjB,YAAY,IAAI,IAAI,aAAa,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CACzE,CAAC;IACF,MAAM,CAAC,OAAO,CAAC;QACX,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,EACV,IAA6B,EAC7B,OAGC,EACH,EAAE;YACA,+BAA+B;YAC/B,IAAI,iBAAiB,EAAE,EAAE,CAAC;gBACtB,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBAClD,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;oBACrB,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACrC,OAAO,C
AAC,GAAG,CAAC,IAAI,CAAC,sBAAsB,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,IAAI,KAAK,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC;oBAC3F,MAAM,IAAI,SAAS,CAAC,0BAA0B,MAAM,EAAE,IAAI,WAAW,CAAC,CAAC;gBAC3E,CAAC;gBACD,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAChC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,2BAA2B,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACpH,CAAC;YACL,CAAC;YAED,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,MACX,IAAI,CAAC,OACR,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAEjB,gEAAgE;YAChE,IAAI,wBAAwB,EAAE,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC9B,IAAI,CAAC;wBACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;wBAClC,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI;4BAAE,cAAc,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;oBAC/E,CAAC;oBAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;gBACrC,CAAC;gBACD,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBAClC,IAAI,CAAC;wBACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;wBAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;4BAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ;gCAAE,cAAc,CAAC,OAAO,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;wBACnE,CAAC;oBACL,CAAC;oBAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;gBACrC,CAAC;YACL,CAAC;YAED,6EAA6E;YAC7E,IAAI,iBAAiB,EAAE,EAAE,CAAC;gBACtB,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBACtD,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,kCAAkC,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC5H,CAAC;gBACD,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,0CAA0C,KAAK,CAAC,IAAI,SAAS,CAAC,CAAC;oBAChF,OAAO,WAAW,CAAC,QAAQ,CAAC;gBAChC,CAAC;YACL,CAAC;YAED,OAAO,MAAM,CAAC;QAClB,CAAC;KACJ,CAAC,CAAC;AACP,CAAC;AAED,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,aAA+B,CAAC,CAAC;AAC9C,YAAY,CAAC,aAA+B,CAAC,CAAC;AAC9C,YAAY,CAAC,gBA
AkC,CAAC,CAAC;AACjD,YAAY,CAAC,kBAAoC,CAAC,CAAC;AACnD,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,cAAgC,CAAC,CAAC;AAC/C,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,uBAAyC,CAAC,CAAC;AACxD,YAAY,CAAC,qBAAuC,CAAC,CAAC;AAEtD,wDAAwD;AACxD,8EAA8E;AAE9E,MAAM,kBAAkB,GAAG,CAAC,MAAqB,EAAE,EAAE,CAAC,CAAC;IACnD,IAAI,EAAE,kBAAkB;IACxB,WAAW,EACP,2KAA2K;IAC/K,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QACzD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;KAC5D,CAAC;IACF,OAAO,EAAE,KAAK,EACV,IAAqC,EACrC,OAAiD,EACnD,EAAE;QACA,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE;YAC7C,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,SAAS;SAClB,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,OAAO,sBAAsB,IAAI,CAAC,IAAI,mBAAmB,MAAM,CAAC,OAAO,GAAG,CAAC;IAC/E,CAAC;CACJ,CAAC,CAAC;AACH,YAAY,CAAC,kBAAoC,CAAC,CAAC;AAEnD,wDAAwD;AACxD,8EAA8E;AAE9E,MAAM,gBAAgB,GAAG,CAAC,MAAqB,EAAE,EAAE,CAAC,CAAC;IACjD,IAAI,EAAE,gBAAgB;IACtB,WAAW,EACP,kKAAkK;IACtK,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,8BAA8B,CAAC;KACnE,CAAC;IACF,OAAO,EAAE,KAAK,EACV,IAAsB,EACtB,OAAiD,EACnD,EAAE;QACA,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,wBAAwB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC/B,MAAM,IAAI,SAAS,CACf,cAAc,IAAI,CAAC,IAAI,cAAc,MAAM,CAAC,IAAI,sBAAsB,CACzE,CAAC;YACN,CAAC;YAED,MAAM,GAAG,GAA2B,EAAE,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACnC,IAAI,KAAK,KAAK,CAAC,CAAC;oBAAE,SAAS;gBAC3B,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,
GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,IAAI,GAAG,YAAY,eAAe,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACrB,MAAM,IAAI,SAAS,CACf,mBAAmB,IAAI,CAAC,IAAI,wDAAwD,CACvF,CAAC;gBACN,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACrB,MAAM,IAAI,SAAS,CACf,4BAA4B,IAAI,CAAC,IAAI,IAAI,CAC5C,CAAC;gBACN,CAAC;YACL,CAAC;YACD,MAAM,GAAG,CAAC;QACd,CAAC;IACL,CAAC;CACJ,CAAC,CAAC;AACH,YAAY,CAAC,gBAAkC,CAAC,CAAC;AAEjD,wDAAwD;AAExD,MAAM,CAAC,WAAW,CAAC;IACf,GAAG,EAAE,iBAAiB;IACtB,IAAI,EAAE,eAAe;IACrB,WAAW,EACP,2FAA2F;IAC/F,QAAQ,EAAE,kBAAkB;IAC5B,KAAK,CAAC,IAAI,CAAC,IAAkB;QACzB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QACxC,OAAO;YACH,IAAI,EAAE,IAAI,CAAC,SAAS,CAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACrB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,UAAU,EAAE,CAAC,CAAC,UAAU;aAC3B,CAAC,CAAC,EACH,IAAI,EACJ,CAAC,CACJ;SACJ,CAAC;IACN,CAAC;CACJ,CAAC,CAAC;AAEH,wDAAwD;AAExD,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;IAC7B,MAAM,CAAC,KAAK,CAAC;QACT,aAAa,EAAE,YAAY;QAC3B,UAAU,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;KACxC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,sCAAsC,IAAI,mBAAmB,CAAC,CAAC;AAC/E,CAAC;KAAM,CAAC;IACJ,MAAM,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;AAC7C,CAAC"}
|
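--- a/package/dist/security/index.d.ts
+++ b/package/dist/security/index.d.ts
@@ -1,6 +1,7 @@
 /**
 * Security inspection module for MCP tools.
-* Detects command injection, encoding obfuscation, and other threats.
+* Detects command injection, encoding obfuscation, PII, and other threats.
+* Tracks fetched secret values for redaction and exfiltration protection.
 */
 export interface ThreatDetection {
 type: string;
@@ -12,28 +13,36 @@ export interface InspectionResult {
 passed: boolean;
 threats: ThreatDetection[];
 sanitized?: string;
+redacted?: string;
 }
 /**
-*
+* Register a secret value for redaction and exfiltration protection.
+* Called after get_secret / get_env_bundle returns a value.
 */
-export declare function
+export declare function registerSecret(path: string, value: string): void;
 /**
-*
+* Clear all tracked secrets (e.g. on session teardown).
 */
-export declare function
+export declare function clearSecrets(): void;
 /**
-*
+* Return the number of tracked secret values.
 */
+export declare function trackedSecretCount(): number;
+export declare function isSecurityEnabled(): boolean;
+export declare function isSecretRedactionEnabled(): boolean;
+export declare function isPiiDetectionEnabled(): boolean;
+export declare function getExfilProtectionMode(): "block" | "warn" | "off";
+export declare function getSanitizationMode(): "block" | "surgical" | "log_only";
 export declare function normalizeUnicode(text: string): {
 normalized: string;
 modified: boolean;
 };
 /**
-* Inspect tool input arguments for threats.
+* Inspect tool input arguments for threats, PII, and secret exfiltration.
 */
 export declare function inspectInput(toolName: string, args: unknown): InspectionResult;
 /**
-* Inspect tool output for threats
+* Inspect tool output for threats, PII, and optionally redact known secrets.
 */
 export declare function inspectOutput(toolName: string, result: string): InspectionResult;
 //# sourceMappingURL=index.d.ts.map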
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,eAAe;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CACpD;AAED,MAAM,WAAW,gBAAgB;IAC7B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB;AAsED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAIhE;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAEnC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAID,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED,wBAAgB,wBAAwB,IAAI,OAAO,CAGlD;AAED,wBAAgB,qBAAqB,IAAI,OAAO,CAG/C;AAED,wBAAgB,sBAAsB,IAAI,OAAO,GAAG,MAAM,GAAG,KAAK,CAKjE;AAED,wBAAgB,mBAAmB,IAAI,OAAO,GAAG,UAAU,GAAG,UAAU,CAMvE;AAID,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAcxF;AAoFD;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,gBAAgB,CA0C9E;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAuBhF"}
|
package/dist/security/index.js
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Security inspection module for MCP tools.
|
|
3
|
-
* Detects command injection, encoding obfuscation, and other threats.
|
|
3
|
+
* Detects command injection, encoding obfuscation, PII, and other threats.
|
|
4
|
+
* Tracks fetched secret values for redaction and exfiltration protection.
|
|
4
5
|
*/
|
|
6
|
+
// ── Threat patterns ──────────────────────────────────
|
|
5
7
|
const COMMAND_INJECTION_PATTERNS = [
|
|
6
8
|
{ name: "shell_chain", pattern: /(?:;|\||&&|\|\|)\s*(?:curl|wget|bash|sh|nc|python|perl|ruby|php|node)\b/i, severity: "critical" },
|
|
7
9
|
{ name: "command_substitution", pattern: /\$\([^)]+\)|`[^`]+`/, severity: "critical" },
|
|
@@ -28,6 +30,14 @@ const NETWORK_PATTERNS = [
|
|
|
28
30
|
{ name: "ip_url", pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/, severity: "medium" },
|
|
29
31
|
{ name: "data_exfil", pattern: /(?:curl|wget|nc)\s+(?:-[a-zA-Z]*\s+)*https?:\/\//i, severity: "critical" },
|
|
30
32
|
];
|
|
33
|
+
const PII_PATTERNS = [
|
|
34
|
+
{ name: "email", pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, severity: "medium" },
|
|
35
|
+
{ name: "ssn", pattern: /\b\d{3}-\d{2}-\d{4}\b/, severity: "critical" },
|
|
36
|
+
{ name: "credit_card", pattern: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{1,4}\b/, severity: "critical" },
|
|
37
|
+
{ name: "phone_us", pattern: /\b(?:\+1[- ]?)?\(?\d{3}\)?[- ]?\d{3}[- ]?\d{4}\b/, severity: "low" },
|
|
38
|
+
{ name: "aws_key", pattern: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/, severity: "critical" },
|
|
39
|
+
{ name: "private_key_header", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, severity: "critical" },
|
|
40
|
+
];
|
|
31
41
|
// Zero-width and invisible characters
|
|
32
42
|
const ZERO_WIDTH_CHARS = /[\u200B\u200C\u200D\u200E\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/g;
|
|
33
43
|
// Cyrillic/Greek confusables
|
|
@@ -39,15 +49,59 @@ const CONFUSABLES = {
|
|
|
39
49
|
'Ο': 'O', 'Ρ': 'P', 'Τ': 'T', 'Υ': 'Y', 'Χ': 'X', 'Ζ': 'Z',
|
|
40
50
|
};
|
|
41
51
|
const CONFUSABLE_REGEX = new RegExp(`[${Object.keys(CONFUSABLES).join('')}]`, 'g');
|
|
52
|
+
// ── Secret value registry (vault-manifest-aware redaction) ───
|
|
53
|
+
const MIN_SECRET_LENGTH = 6;
|
|
54
|
+
const secretValues = new Map();
|
|
55
|
+
/** Tools that legitimately return or accept secret values. */
|
|
56
|
+
const SECRET_TOOLS = new Set([
|
|
57
|
+
"get_secret",
|
|
58
|
+
"get_env_bundle",
|
|
59
|
+
"put_secret",
|
|
60
|
+
"rotate_and_store",
|
|
61
|
+
]);
|
|
42
62
|
/**
|
|
43
|
-
*
|
|
63
|
+
* Register a secret value for redaction and exfiltration protection.
|
|
64
|
+
* Called after get_secret / get_env_bundle returns a value.
|
|
44
65
|
*/
|
|
45
|
-
export function
|
|
46
|
-
|
|
66
|
+
export function registerSecret(path, value) {
|
|
67
|
+
if (value.length >= MIN_SECRET_LENGTH) {
|
|
68
|
+
secretValues.set(value, path);
|
|
69
|
+
}
|
|
47
70
|
}
|
|
48
71
|
/**
|
|
49
|
-
*
|
|
72
|
+
* Clear all tracked secrets (e.g. on session teardown).
|
|
50
73
|
*/
|
|
74
|
+
export function clearSecrets() {
|
|
75
|
+
secretValues.clear();
|
|
76
|
+
}
|
|
77
|
+
/**
|
|
78
|
+
* Return the number of tracked secret values.
|
|
79
|
+
*/
|
|
80
|
+
export function trackedSecretCount() {
|
|
81
|
+
return secretValues.size;
|
|
82
|
+
}
|
|
83
|
+
// ── Feature flags ────────────────────────────────────
|
|
84
|
+
export function isSecurityEnabled() {
|
|
85
|
+
return process.env.ONECLAW_MCP_SECURITY_ENABLED !== "false";
|
|
86
|
+
}
|
|
87
|
+
export function isSecretRedactionEnabled() {
|
|
88
|
+
if (!isSecurityEnabled())
|
|
89
|
+
return false;
|
|
90
|
+
return process.env.ONECLAW_MCP_REDACT_SECRETS !== "false";
|
|
91
|
+
}
|
|
92
|
+
export function isPiiDetectionEnabled() {
|
|
93
|
+
if (!isSecurityEnabled())
|
|
94
|
+
return false;
|
|
95
|
+
return process.env.ONECLAW_MCP_PII_DETECTION !== "false";
|
|
96
|
+
}
|
|
97
|
+
export function getExfilProtectionMode() {
|
|
98
|
+
if (!isSecurityEnabled())
|
|
99
|
+
return "off";
|
|
100
|
+
const mode = process.env.ONECLAW_MCP_EXFIL_PROTECTION;
|
|
101
|
+
if (mode === "block" || mode === "off")
|
|
102
|
+
return mode;
|
|
103
|
+
return "warn";
|
|
104
|
+
}
|
|
51
105
|
export function getSanitizationMode() {
|
|
52
106
|
const mode = process.env.ONECLAW_MCP_SANITIZATION_MODE;
|
|
53
107
|
if (mode === "surgical" || mode === "log_only") {
|
|
@@ -55,100 +109,114 @@ export function getSanitizationMode() {
|
|
|
55
109
|
}
|
|
56
110
|
return "block";
|
|
57
111
|
}
|
|
58
|
-
|
|
59
|
-
* Normalize text by replacing confusables and stripping zero-width characters.
|
|
60
|
-
*/
|
|
112
|
+
// ── Unicode normalization ────────────────────────────
|
|
61
113
|
export function normalizeUnicode(text) {
|
|
62
114
|
let modified = false;
|
|
63
|
-
// Strip zero-width chars
|
|
64
115
|
let normalized = text.replace(ZERO_WIDTH_CHARS, () => {
|
|
65
116
|
modified = true;
|
|
66
117
|
return '';
|
|
67
118
|
});
|
|
68
|
-
// Replace confusables
|
|
69
119
|
normalized = normalized.replace(CONFUSABLE_REGEX, (char) => {
|
|
70
120
|
modified = true;
|
|
71
121
|
return CONFUSABLES[char] || char;
|
|
72
122
|
});
|
|
73
123
|
return { normalized, modified };
|
|
74
124
|
}
|
|
75
|
-
|
|
76
|
-
* Detect threats in a string.
|
|
77
|
-
*/
|
|
125
|
+
// ── Threat detection ─────────────────────────────────
|
|
78
126
|
function detectThreats(text) {
|
|
79
127
|
const threats = [];
|
|
80
|
-
// Command injection
|
|
81
128
|
for (const { name, pattern, severity } of COMMAND_INJECTION_PATTERNS) {
|
|
82
129
|
const match = text.match(pattern);
|
|
83
130
|
if (match) {
|
|
84
|
-
threats.push({
|
|
85
|
-
type: "command_injection",
|
|
86
|
-
pattern: name,
|
|
87
|
-
location: match[0],
|
|
88
|
-
severity,
|
|
89
|
-
});
|
|
131
|
+
threats.push({ type: "command_injection", pattern: name, location: match[0], severity });
|
|
90
132
|
}
|
|
91
133
|
}
|
|
92
|
-
// Encoding obfuscation
|
|
93
134
|
for (const { name, pattern, severity } of ENCODING_PATTERNS) {
|
|
94
135
|
const match = text.match(pattern);
|
|
95
136
|
if (match) {
|
|
96
|
-
threats.push({
|
|
97
|
-
type: "encoding_obfuscation",
|
|
98
|
-
pattern: name,
|
|
99
|
-
location: match[0].slice(0, 50),
|
|
100
|
-
severity,
|
|
101
|
-
});
|
|
137
|
+
threats.push({ type: "encoding_obfuscation", pattern: name, location: match[0].slice(0, 50), severity });
|
|
102
138
|
}
|
|
103
139
|
}
|
|
104
|
-
// Social engineering
|
|
105
140
|
for (const { name, pattern, severity } of SOCIAL_ENGINEERING_PATTERNS) {
|
|
106
141
|
const match = text.match(pattern);
|
|
107
142
|
if (match) {
|
|
108
|
-
threats.push({
|
|
109
|
-
type: "social_engineering",
|
|
110
|
-
pattern: name,
|
|
111
|
-
location: match[0],
|
|
112
|
-
severity,
|
|
113
|
-
});
|
|
143
|
+
threats.push({ type: "social_engineering", pattern: name, location: match[0], severity });
|
|
114
144
|
}
|
|
115
145
|
}
|
|
116
|
-
// Network threats
|
|
117
146
|
for (const { name, pattern, severity } of NETWORK_PATTERNS) {
|
|
118
147
|
const match = text.match(pattern);
|
|
119
148
|
if (match) {
|
|
149
|
+
threats.push({ type: "network_threat", pattern: name, location: match[0], severity });
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
return threats;
|
|
153
|
+
}
|
|
154
|
+
function detectPii(text) {
|
|
155
|
+
if (!isPiiDetectionEnabled())
|
|
156
|
+
return [];
|
|
157
|
+
const threats = [];
|
|
158
|
+
for (const { name, pattern, severity } of PII_PATTERNS) {
|
|
159
|
+
const match = text.match(pattern);
|
|
160
|
+
if (match) {
|
|
161
|
+
threats.push({ type: "pii", pattern: name, location: match[0].slice(0, 30), severity });
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
return threats;
|
|
165
|
+
}
|
|
166
|
+
// ── Secret redaction ─────────────────────────────────
|
|
167
|
+
function redactSecrets(text) {
|
|
168
|
+
const matches = [];
|
|
169
|
+
let redacted = text;
|
|
170
|
+
for (const [value, path] of secretValues) {
|
|
171
|
+
if (redacted.includes(value)) {
|
|
172
|
+
redacted = redacted.split(value).join(`[REDACTED:${path}]`);
|
|
173
|
+
matches.push({ path });
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
return { redacted, matches };
|
|
177
|
+
}
|
|
178
|
+
// ── Exfiltration detection (secrets in tool inputs) ──
|
|
179
|
+
function detectExfiltration(text) {
|
|
180
|
+
const mode = getExfilProtectionMode();
|
|
181
|
+
if (mode === "off")
|
|
182
|
+
return [];
|
|
183
|
+
const threats = [];
|
|
184
|
+
for (const [value, path] of secretValues) {
|
|
185
|
+
if (text.includes(value)) {
|
|
120
186
|
threats.push({
|
|
121
|
-
type: "
|
|
122
|
-
pattern:
|
|
123
|
-
|
|
124
|
-
severity,
|
|
187
|
+
type: "secret_exfiltration",
|
|
188
|
+
pattern: `known_secret:${path}`,
|
|
189
|
+
severity: "critical",
|
|
125
190
|
});
|
|
126
191
|
}
|
|
127
192
|
}
|
|
128
193
|
return threats;
|
|
129
194
|
}
|
|
195
|
+
// ── Public API ───────────────────────────────────────
|
|
130
196
|
/**
|
|
131
|
-
* Inspect tool input arguments for threats.
|
|
197
|
+
* Inspect tool input arguments for threats, PII, and secret exfiltration.
|
|
132
198
|
*/
|
|
133
199
|
export function inspectInput(toolName, args) {
|
|
134
200
|
if (!isSecurityEnabled()) {
|
|
135
201
|
return { passed: true, threats: [] };
|
|
136
202
|
}
|
|
137
203
|
const text = JSON.stringify(args);
|
|
138
|
-
// Normalize Unicode first
|
|
139
204
|
const { normalized, modified } = normalizeUnicode(text);
|
|
140
|
-
// Detect threats
|
|
141
205
|
const threats = detectThreats(normalized);
|
|
142
|
-
// Add Unicode warnings if modified
|
|
143
206
|
if (modified) {
|
|
144
|
-
threats.push({
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
207
|
+
threats.push({ type: "unicode_obfuscation", pattern: "confusables_or_zero_width", severity: "medium" });
|
|
208
|
+
}
|
|
209
|
+
threats.push(...detectPii(normalized));
|
|
210
|
+
if (!SECRET_TOOLS.has(toolName)) {
|
|
211
|
+
const exfil = detectExfiltration(normalized);
|
|
212
|
+
threats.push(...exfil);
|
|
213
|
+
const exfilMode = getExfilProtectionMode();
|
|
214
|
+
if (exfil.length > 0 && exfilMode === "block") {
|
|
215
|
+
return { passed: false, threats };
|
|
216
|
+
}
|
|
149
217
|
}
|
|
150
218
|
const mode = getSanitizationMode();
|
|
151
|
-
const hasCritical = threats.some((t) => t.severity === "critical");
|
|
219
|
+
const hasCritical = threats.some((t) => t.severity === "critical" && t.type !== "secret_exfiltration");
|
|
152
220
|
const hasHigh = threats.some((t) => t.severity === "high");
|
|
153
221
|
if (mode === "block" && (hasCritical || hasHigh)) {
|
|
154
222
|
return { passed: false, threats };
|
|
@@ -165,14 +233,27 @@ export function inspectInput(toolName, args) {
|
|
|
165
233
|
return { passed: true, threats };
|
|
166
234
|
}
|
|
167
235
|
/**
|
|
168
|
-
* Inspect tool output for threats
|
|
236
|
+
* Inspect tool output for threats, PII, and optionally redact known secrets.
|
|
169
237
|
*/
|
|
170
238
|
export function inspectOutput(toolName, result) {
|
|
171
239
|
if (!isSecurityEnabled()) {
|
|
172
240
|
return { passed: true, threats: [] };
|
|
173
241
|
}
|
|
174
242
|
const threats = detectThreats(result);
|
|
175
|
-
|
|
243
|
+
threats.push(...detectPii(result));
|
|
244
|
+
if (!SECRET_TOOLS.has(toolName) && isSecretRedactionEnabled()) {
|
|
245
|
+
const { redacted, matches } = redactSecrets(result);
|
|
246
|
+
if (matches.length > 0) {
|
|
247
|
+
for (const m of matches) {
|
|
248
|
+
threats.push({
|
|
249
|
+
type: "secret_leak",
|
|
250
|
+
pattern: `redacted:${m.path}`,
|
|
251
|
+
severity: "critical",
|
|
252
|
+
});
|
|
253
|
+
}
|
|
254
|
+
return { passed: true, threats, redacted };
|
|
255
|
+
}
|
|
256
|
+
}
|
|
176
257
|
return { passed: true, threats };
|
|
177
258
|
}
|
|
178
259
|
//# sourceMappingURL=index.js.map
|
|
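Review bot: Every return in inspectOutput reports `passed: true`, including the new branch that records `severity: "critical"` `secret_leak` entries, so the redaction only protects anything if the caller replaces the tool result with `redacted`. The caller lives in another file and is not visible in this hunk, so this may already be handled. Either way, the one-line doc comment should state the contract, for example ` * When "redacted" is present the caller must return it instead of "result"; "passed" stays true on this path.` Separately, inspectInput runs normalizeUnicode before matching, while the added `detectPii(result)` and `redactSecrets(result)` calls work on the raw output. If that asymmetry is intentional it deserves a why-comment; otherwise consider running detection on `normalizeUnicode(result).normalized`.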
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgBH,wDAAwD;AAExD,MAAM,0BAA0B,GAAG;IAC/B,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,0EAA0E,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAC3I,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAC/F,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,qEAAqE,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACxI,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAChF,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,sEAAsE,EAAE,QAAQ,EAAE,MAAe,EAAE;CAC1I,CAAC;AAEF,MAAM,iBAAiB,GAAG;IACtB,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,mEAAmE,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAClI,uFAAuF;IACvF,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC3F,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,QAAiB,EAAE;CAClG,CAAC;AAEF,MAAM,2BAA2B,GAAG;IAChC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,+DAA+D,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC1H,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,2EAA2E,EAAE,QAAQ,EAAE,MAAe,EAAE;IACtI,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,sEAAsE,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC/H,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,4GAA4G,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACxK,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,8GAA8G,EAAE,QAAQ,EAAE,UAAmB,EAAE;CACzL,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACrB,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,MAAe,EAAE;IAClF,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC1E,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,+CAA+C,EAAE,QAAQ,EAAE,QAAiB,EAAE;IACzG,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,mDAAmD,EAAE,QAAQ,EAAE,UAAmB,EAAE;CACtH,CAAC;AAEF,MAAM,YAAY,GAAG;IACjB,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,gDAAgD,EAAE,QAAQ,EAAE,QAAiB,EAAE;IACzG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAChF,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,uFAAuF,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACxJ,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,kDAAkD,EAAE,QAAQ,EAAE,KAAc,EAAE;IAC3G,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAC5F,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,wDAAwD,EAAE,QAAQ,EAAE,
UAAmB,EAAE;CACnI,CAAC;AAEF,sCAAsC;AACtC,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,6BAA6B;AAC7B,MAAM,WAAW,GAA2B;IACxC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;IAC1D,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;IAC1D,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;IAC1D,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;IAC1D,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;CAC7D,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAEnF,gEAAgE;AAEhE,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAC5B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE/C,8DAA8D;AAC9D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IACzB,YAAY;IACZ,gBAAgB;IAChB,YAAY;IACZ,kBAAkB;CACrB,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY,EAAE,KAAa;IACtD,IAAI,KAAK,CAAC,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACpC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAClC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IACxB,YAAY,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC;AAC7B,CAAC;AAED,wDAAwD;AAExD,MAAM,UAAU,iBAAiB;IAC7B,OAAO,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,OAAO,CAAC;AAChE,CAAC;AAED,MAAM,UAAU,wBAAwB;IACpC,IAAI,CAAC,iBAAiB,EAAE;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,OAAO,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,qBAAqB;IACjC,IAAI,CAAC,iBAAiB,EAAE;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,OAAO,CAAC,GAAG,CAAC,yBAAyB,KAAK,OAAO,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,sBAAsB;IAClC,IAAI,CAAC,iBAAiB,EAAE;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACtD,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,mBAAmB;IAC/B,MAAM,IAAI,GAAG,OAAO,CAA
C,GAAG,CAAC,6BAA6B,CAAC;IACvD,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,wDAAwD;AAExD,MAAM,UAAU,gBAAgB,CAAC,IAAY;IACzC,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,EAAE;QACjD,QAAQ,GAAG,IAAI,CAAC;QAChB,OAAO,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,IAAI,EAAE,EAAE;QACvD,QAAQ,GAAG,IAAI,CAAC;QAChB,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AACpC,CAAC;AAED,wDAAwD;AAExD,SAAS,aAAa,CAAC,IAAY;IAC/B,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,0BAA0B,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7F,CAAC;IACL,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;QAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7G,CAAC;IACL,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,2BAA2B,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9F,CAAC;IACL,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,gBAAgB,EAAE,CAAC;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC1F,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,IAAY;IAC3B,IAAI,CAAC,qBAAqB,EAAE;QAAE,OAAO,EAAE,CAAC;IACxC,MAAM,OAAO,GAAsB,
EAAE,CAAC;IACtC,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,YAAY,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC5F,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,wDAAwD;AAExD,SAAS,aAAa,CAAC,IAAY;IAC/B,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,IAAI,QAAQ,GAAG,IAAI,CAAC;IACpB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,aAAa,IAAI,GAAG,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3B,CAAC;IACL,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AACjC,CAAC;AAED,wDAAwD;AAExD,SAAS,kBAAkB,CAAC,IAAY;IACpC,MAAM,IAAI,GAAG,sBAAsB,EAAE,CAAC;IACtC,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAsB,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC;gBACT,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gBAAgB,IAAI,EAAE;gBAC/B,QAAQ,EAAE,UAAU;aACvB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,wDAAwD;AAExD;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,IAAa;IACxD,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAE1C,IAAI,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,2BAA2B,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5G,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IAEvC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QACvB,MAAM,SAAS,GAAG,sBAAsB,EAAE,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,GAAG
,CAAC,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC5C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACtC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,mBAAmB,EAAE,CAAC;IACnC,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC;IACvG,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IAE3D,IAAI,IAAI,KAAK,OAAO,IAAI,CAAC,WAAW,IAAI,OAAO,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IACtC,CAAC;IAED,IAAI,IAAI,KAAK,UAAU,IAAI,QAAQ,EAAE,CAAC;QAClC,IAAI,CAAC;YACD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC7C,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACrC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB,EAAE,MAAc;IAC1D,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,OAAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAEnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,wBAAwB,EAAE,EAAE,CAAC;QAC5D,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QACpD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACtB,OAAO,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE;oBAC7B,QAAQ,EAAE,UAAU;iBACvB,CAAC,CAAC;YACP,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAC/C,CAAC;IACL,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACrC,CAAC"}
|