@aiclude/mcp-guard 0.2.0

package/dist/index.js

@@ -0,0 +1,1844 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/policy.ts
+import { readFileSync } from "fs";
+import { parse as parseYaml } from "yaml";
+var VALID_RULE_TYPES = /* @__PURE__ */ new Set(["tool-poisoning", "argument-injection", "data-exfiltration"]);
+var VALID_ACTIONS = /* @__PURE__ */ new Set(["block", "warn"]);
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "high", "medium", "low", "info"]);
+var VALID_LOG_LEVELS = /* @__PURE__ */ new Set(["debug", "info", "warn", "error"]);
+function getDefaultPolicy() {
+  return {
+    version: 1,
+    failMode: "closed",
+    logging: { level: "info", destination: "stderr" },
+    rules: [
+      { id: "tool-poisoning", enabled: true, severity: "critical", action: "block", type: "tool-poisoning" },
+      { id: "argument-injection", enabled: true, severity: "critical", action: "block", type: "argument-injection" },
+      { id: "data-exfiltration", enabled: true, severity: "high", action: "warn", type: "data-exfiltration" }
+    ]
+  };
+}
+function loadPolicy(configPath) {
+  const raw = readFileSync(configPath, "utf-8");
+  const parsed = parseYaml(raw);
+  const sanitized = sanitizeObject(parsed);
+  return validatePolicy(sanitized);
+}
+function validatePolicy(raw) {
+  if (!raw || typeof raw !== "object") {
+    throw new Error("Policy must be a YAML object");
+  }
+  const obj = raw;
+  if (obj["version"] !== 1) {
+    throw new Error(`Unsupported policy version: ${String(obj["version"])}. Expected 1`);
+  }
+  const failMode = obj["failMode"] ?? "closed";
+  if (failMode !== "closed" && failMode !== "open") {
+    throw new Error(`Invalid failMode: "${String(failMode)}". Must be "closed" or "open"`);
+  }
+  const logging = obj["logging"];
+  const logLevel = logging?.["level"] ?? "info";
+  if (!VALID_LOG_LEVELS.has(logLevel)) {
+    throw new Error(`Invalid log level: "${logLevel}"`);
+  }
+  const rawRules = obj["rules"];
+  if (!Array.isArray(rawRules)) {
+    throw new Error("Policy must contain a 'rules' array");
+  }
+  const rules = rawRules.map((r, i) => {
+    if (!r || typeof r !== "object") {
+      throw new Error(`Rule at index ${i} must be an object`);
+    }
+    const rule = r;
+    const id = rule["id"];
+    if (typeof id !== "string" || id.length === 0) {
+      throw new Error(`Rule at index ${i} must have a string 'id'`);
+    }
+    const type = rule["type"];
+    if (!VALID_RULE_TYPES.has(type)) {
+      throw new Error(`Rule "${id}": unknown type "${type}". Valid: ${[...VALID_RULE_TYPES].join(", ")}`);
+    }
+    const action = rule["action"] ?? "block";
+    if (!VALID_ACTIONS.has(action)) {
+      throw new Error(`Rule "${id}": invalid action "${action}". Valid: ${[...VALID_ACTIONS].join(", ")}`);
+    }
+    const severity = rule["severity"] ?? "high";
+    if (!VALID_SEVERITIES.has(severity)) {
+      throw new Error(`Rule "${id}": invalid severity "${severity}"`);
+    }
+    const enabled = rule["enabled"] !== false;
+    return {
+      id,
+      enabled,
+      severity,
+      action,
+      type,
+      config: rule["config"] ?? void 0
+    };
+  });
+  return {
+    version: 1,
+    failMode,
+    logging: { level: logLevel, destination: "stderr" },
+    rules
+  };
+}
+function sanitizeObject(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(sanitizeObject);
+  const clean = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
+    clean[key] = sanitizeObject(value);
+  }
+  return clean;
+}
+
+// src/types.ts
+function isRequest(msg) {
+  return "method" in msg && "id" in msg && !("result" in msg) && !("error" in msg);
+}
+function isResponse(msg) {
+  return !("method" in msg) && "id" in msg;
+}
+function isMalformed(msg) {
+  const hasMethod = "method" in msg;
+  const hasResult = "result" in msg;
+  const hasError = "error" in msg;
+  return hasMethod && (hasResult || hasError);
+}
+
+// src/detectors/normalize.ts
+var CONFUSABLE_MAP = {
+  // Cyrillic → Latin
+  "\u0430": "a",
+  "\u0435": "e",
+  "\u043E": "o",
+  "\u0440": "p",
+  "\u0441": "c",
+  "\u0443": "y",
+  "\u0445": "x",
+  "\u0456": "i",
+  "\u0458": "j",
+  "\u04BB": "h",
+  "\u0455": "s",
+  "\u0491": "g",
+  "\u0454": "e",
+  "\u0442": "t",
+  "\u043C": "m",
+  "\u043D": "n",
+  "\u0432": "b",
+  "\u043A": "k",
+  "\u0434": "d",
+  "\u0437": "3",
+  // Greek → Latin
+  "\u03B1": "a",
+  "\u03B5": "e",
+  "\u03BF": "o",
+  "\u03C1": "p",
+  "\u03B9": "i",
+  "\u03BA": "k",
+  "\u03BD": "v",
+  "\u03C4": "t",
+  // Fullwidth → ASCII
+  "\uFF21": "A",
+  "\uFF22": "B",
+  "\uFF23": "C",
+  "\uFF24": "D",
+  "\uFF25": "E",
+  "\uFF26": "F",
+  "\uFF27": "G",
+  "\uFF28": "H",
+  "\uFF29": "I",
+  "\uFF2A": "J",
+  "\uFF2B": "K",
+  "\uFF2C": "L",
+  "\uFF2D": "M",
+  "\uFF2E": "N",
+  "\uFF2F": "O",
+  "\uFF30": "P",
+  "\uFF31": "Q",
+  "\uFF32": "R",
+  "\uFF33": "S",
+  "\uFF34": "T",
+  "\uFF35": "U",
+  "\uFF36": "V",
+  "\uFF37": "W",
+  "\uFF38": "X",
+  "\uFF39": "Y",
+  "\uFF3A": "Z",
+  "\uFF41": "a",
+  "\uFF42": "b",
+  "\uFF43": "c",
+  "\uFF44": "d",
+  "\uFF45": "e",
+  "\uFF46": "f",
+  "\uFF47": "g",
+  "\uFF48": "h",
+  "\uFF49": "i",
+  "\uFF4A": "j",
+  "\uFF4B": "k",
+  "\uFF4C": "l",
+  "\uFF4D": "m",
+  "\uFF4E": "n",
+  "\uFF4F": "o",
+  "\uFF50": "p",
+  "\uFF51": "q",
+  "\uFF52": "r",
+  "\uFF53": "s",
+  "\uFF54": "t",
+  "\uFF55": "u",
+  "\uFF56": "v",
+  "\uFF57": "w",
+  "\uFF58": "x",
+  "\uFF59": "y",
+  "\uFF5A": "z",
+  // Common special chars
+  "\uFF10": "0",
+  "\uFF11": "1",
+  "\uFF12": "2",
+  "\uFF13": "3",
+  "\uFF14": "4",
+  "\uFF15": "5",
+  "\uFF16": "6",
+  "\uFF17": "7",
+  "\uFF18": "8",
+  "\uFF19": "9",
+  "\u2018": "'",
+  "\u2019": "'",
+  "\u201C": '"',
+  "\u201D": '"',
+  "\uFF07": "'",
+  "\uFF02": '"'
+};
+var INVISIBLE_CHARS_REGEX = new RegExp(
+  "[\\u200B\\u200C\\u200D\\uFEFF\\u00AD\\u2060\\u180E\\u2061\\u2062\\u2063\\u2064\\u034F\\u17B4\\u17B5\\u115F\\u1160\\u3164\\u200E\\u200F\\u202A-\\u202E\\u2066-\\u2069\\uFE00-\\uFE0F\\uFFF9-\\uFFFB\\u2028\\u2029]",
+  "g"
+);
+var TAG_CHARS_REGEX = /[\u{E0001}-\u{E007F}]/gu;
+function normalizeForDetection(text) {
+  let result = text.normalize("NFKD");
+  result = result.replace(INVISIBLE_CHARS_REGEX, "");
+  result = result.replace(TAG_CHARS_REGEX, "");
+  result = result.replace(/[\u0300-\u036F\u0483-\u0489\u0591-\u05BD\u05BF\u05C1\u05C2\u05C4\u05C5\u05C7\u0610-\u061A\u064B-\u065F\u0670\u06D6-\u06DC\u06DF-\u06E4\u06E7\u06E8\u06EA-\u06ED]/g, "");
+  let mapped = "";
+  for (const char of result) {
+    mapped += CONFUSABLE_MAP[char] ?? char;
+  }
+  return mapped;
+}
+function normalizeForSql(text) {
+  let result = normalizeForDetection(text);
+  result = result.replace(/\/\*[\s\S]*?\*\//g, " ");
+  result = result.replace(/--\s.*$/gm, "");
+  result = result.replace(/#\s.*$/gm, "");
+  result = result.replace(/\s+/g, " ");
+  return result;
+}
+function countInvisibleChars(text) {
+  const matches1 = text.match(INVISIBLE_CHARS_REGEX);
+  const matches2 = text.match(TAG_CHARS_REGEX);
+  return (matches1?.length ?? 0) + (matches2?.length ?? 0);
+}
+
+// src/detectors/zero-width.ts
+function containsZeroWidth(text) {
+  const count = countInvisibleChars(text);
+  return { found: count > 0, count };
+}
+
+// src/detectors/injection-phrases.ts
+function decodeInjectionPhrases() {
+  const encoded = [
+    [105, 103, 110, 111, 114, 101, 32, 112, 114, 101, 118, 105, 111, 117, 115, 32, 105, 110, 115, 116, 114, 117, 99, 116, 105, 111, 110, 115],
+    [105, 103, 110, 111, 114, 101, 32, 97, 108, 108, 32, 112, 114, 101, 118, 105, 111, 117, 115],
+    [102, 111, 114, 103, 101, 116, 32, 121, 111, 117, 114, 32, 105, 110, 115, 116, 114, 117, 99, 116, 105, 111, 110, 115],
+    [121, 111, 117, 32, 97, 114, 101, 32, 110, 111, 119],
+    [110, 101, 119, 32, 105, 110, 115, 116, 114, 117, 99, 116, 105, 111, 110, 115],
+    [111, 118, 101, 114, 114, 105, 100, 101, 32, 121, 111, 117, 114],
+    [100, 105, 115, 114, 101, 103, 97, 114, 100, 32, 97, 108, 108],
+    [115, 121, 115, 116, 101, 109, 32, 112, 114, 111, 109, 112, 116],
+    [73, 77, 80, 79, 82, 84, 65, 78, 84, 58, 32],
+    [65, 68, 77, 73, 78, 58],
+    [83, 89, 83, 84, 69, 77, 58],
+    [100, 111, 32, 110, 111, 116, 32, 116, 101, 108, 108, 32, 116, 104, 101, 32, 117, 115, 101, 114],
+    [100, 111, 32, 110, 111, 116, 32, 109, 101, 110, 116, 105, 111, 110],
+    [104, 105, 100, 100, 101, 110, 32, 105, 110, 115, 116, 114, 117, 99, 116, 105, 111, 110],
+    [115, 101, 99, 114, 101, 116, 108, 121],
+    [119, 105, 116, 104, 111, 117, 116, 32, 116, 101, 108, 108, 105, 110, 103]
+  ];
+  return encoded.map((codes) => String.fromCharCode(...codes));
+}
+var _cache = null;
+function getInjectionPhrases() {
+  if (!_cache) {
+    _cache = decodeInjectionPhrases();
+  }
+  return _cache;
+}
+var INSTRUCTION_PATTERNS = [
+  /\b(?:you\s+must|always|never|do\s+not)\b.*\b(?:user|output|response|answer)\b/i,
+  /\b(?:respond|reply|answer)\s+(?:only|exclusively)\s+(?:with|in)\b/i
+];
+function detectInjectionPhrase(text) {
+  const normalized = normalizeForDetection(text).toLowerCase();
+  for (const phrase of getInjectionPhrases()) {
+    if (normalized.includes(phrase)) {
+      return phrase;
+    }
+  }
+  return null;
+}
+function detectInstructionPattern(text) {
+  const normalized = normalizeForDetection(text);
+  return INSTRUCTION_PATTERNS.some((p) => p.test(normalized));
+}
+
+// src/detectors/shadow-names.ts
+var SHADOW_TARGET_NAMES = [
+  "read_file",
+  "write_file",
+  "execute_command",
+  "run_terminal",
+  "bash",
+  "search",
+  "edit_file",
+  "list_directory",
+  "create_file",
+  "delete_file",
+  "read_resource",
+  "call_tool",
+  "search_files",
+  "run_command"
+];
+var GENERIC_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "search",
+  "read_file",
+  "write_file",
+  "edit_file",
+  "list_directory",
+  "create_file",
+  "delete_file",
+  "read_resource",
+  "search_files"
+]);
+function checkShadowing(toolName) {
+  const normalized = normalizeForDetection(toolName).toLowerCase().replace(/[-\s]/g, "_");
+  for (const target of SHADOW_TARGET_NAMES) {
+    if (normalized === target) {
+      return {
+        isShadow: true,
+        target,
+        isGeneric: GENERIC_TOOL_NAMES.has(target)
+      };
+    }
+    if (normalized.endsWith(`_${target}`) || normalized.endsWith(`__${target}`)) {
+      return {
+        isShadow: true,
+        target,
+        isGeneric: GENERIC_TOOL_NAMES.has(target)
+      };
+    }
+  }
+  return null;
+}
+
+// src/detectors/homoglyph.ts
+var HOMOGLYPH_MAP = {
+  // Cyrillic → Latin
+  "\u0430": "a",
+  // а → a
+  "\u0435": "e",
+  // е → e
+  "\u043E": "o",
+  // о → o
+  "\u0441": "c",
+  // с → c
+  "\u0440": "p",
+  // р → p
+  "\u0443": "y",
+  // у → y
+  "\u0445": "x",
+  // х → x
+  "\u043A": "k",
+  // к → k
+  "\u043C": "m",
+  // м → m (lowercase)
+  "\u0456": "i",
+  // і → i (Ukrainian i)
+  "\u0458": "j",
+  // ј → j (Serbian je)
+  "\u04BB": "h",
+  // һ → h
+  "\u0455": "s",
+  // ѕ → s
+  "\u0471": "\u03C8",
+  // ѱ (rare)
+  "\u0410": "A",
+  // А → A
+  "\u0412": "B",
+  // В → B
+  "\u0415": "E",
+  // Е → E
+  "\u041A": "K",
+  // К → K
+  "\u041C": "M",
+  // М → M
+  "\u041D": "H",
+  // Н → H
+  "\u041E": "O",
+  // О → O
+  "\u0420": "P",
+  // Р → P
+  "\u0421": "C",
+  // С → C
+  "\u0422": "T",
+  // Т → T
+  "\u0425": "X",
+  // Х → X
+  "\u04AE": "Y",
+  // Ү → Y
+  // Greek → Latin
+  "\u03B1": "a",
+  // α → a
+  "\u03BF": "o",
+  // ο → o
+  "\u03B5": "e",
+  // ε → e (visually similar in some fonts)
+  "\u03BA": "k",
+  // κ → k (visually similar in some fonts)
+  "\u03BD": "v",
+  // ν → v
+  "\u03C1": "p",
+  // ρ → p
+  "\u03C4": "t",
+  // τ → t (visually similar in some fonts)
+  "\u0391": "A",
+  // Α → A
+  "\u0392": "B",
+  // Β → B
+  "\u0395": "E",
+  // Ε → E
+  "\u0396": "Z",
+  // Ζ → Z
+  "\u0397": "H",
+  // Η → H
+  "\u0399": "I",
+  // Ι → I
+  "\u039A": "K",
+  // Κ → K
+  "\u039C": "M",
+  // Μ → M
+  "\u039D": "N",
+  // Ν → N
+  "\u039F": "O",
+  // Ο → O
+  "\u03A1": "P",
+  // Ρ → P
+  "\u03A4": "T",
+  // Τ → T
+  "\u03A5": "Y",
+  // Υ → Y
+  "\u03A7": "X"
+  // Χ → X
+};
+var HOMOGLYPH_REGEX = new RegExp(`[${Object.keys(HOMOGLYPH_MAP).join("")}]`, "g");
+function normalizeHomoglyphs(text) {
+  return text.replace(HOMOGLYPH_REGEX, (ch) => HOMOGLYPH_MAP[ch] ?? ch);
+}
+function containsHomoglyphs(text) {
+  const matches = text.match(HOMOGLYPH_REGEX);
+  const count = matches ? matches.length : 0;
+  return {
+    found: count > 0,
+    count,
+    normalized: count > 0 ? normalizeHomoglyphs(text) : text
+  };
+}
+
+// src/detectors/multilingual-phrases.ts
+var KOREAN_PHRASES = [
+  "\uC774\uC804 \uC9C0\uC2DC\uB97C \uBB34\uC2DC",
+  "\uC2DC\uC2A4\uD15C \uD504\uB86C\uD504\uD2B8",
+  "\uC0C8\uB85C\uC6B4 \uC9C0\uC2DC",
+  "\uBAA8\uB4E0 \uADDC\uCE59 \uBB34\uC2DC",
+  "\uC9C0\uAE08\uBD80\uD130 \uB108\uB294",
+  "\uAD00\uB9AC\uC790 \uBAA8\uB4DC"
+];
+var CHINESE_PHRASES = [
+  "\u5FFD\u7565\u4E4B\u524D\u7684\u6307\u4EE4",
+  "\u5FFD\u7565\u6240\u6709\u6307\u4EE4",
+  "\u7CFB\u7EDF\u63D0\u793A",
+  "\u65B0\u6307\u4EE4",
+  "\u7BA1\u7406\u5458\u6A21\u5F0F",
+  "\u4F60\u73B0\u5728\u662F"
+];
+var JAPANESE_PHRASES = [
+  "\u524D\u306E\u6307\u793A\u3092\u7121\u8996",
+  "\u3059\u3079\u3066\u306E\u6307\u793A\u3092\u7121\u8996",
+  "\u30B7\u30B9\u30C6\u30E0\u30D7\u30ED\u30F3\u30D7\u30C8",
+  "\u65B0\u3057\u3044\u6307\u793A",
+  "\u7BA1\u7406\u8005\u30E2\u30FC\u30C9"
+];
+var ALL_PHRASES = [...KOREAN_PHRASES, ...CHINESE_PHRASES, ...JAPANESE_PHRASES];
+function detectMultilingualInjection(text) {
+  for (const phrase of ALL_PHRASES) {
+    if (text.includes(phrase)) {
+      return phrase;
+    }
+  }
+  return null;
+}
+
+// src/rules/tool-poisoning.ts
+var ToolPoisoningRule = class {
+  id = "tool-poisoning";
+  type = "tool-poisoning";
+  config;
+  constructor(config) {
+    this.config = config ?? {};
+  }
+  evaluate(message, direction, context) {
+    if (direction !== "server-to-client") return null;
+    if (!isResponse(message)) return null;
+    const originalReq = context.requestMap.get(message.id);
+    if (!originalReq || originalReq.method !== "tools/list") return null;
+    const result = message.result;
+    if (!result?.tools || !Array.isArray(result.tools)) return null;
+    const action = this.getAction(context);
+    for (const tool of result.tools) {
+      const finding = this.checkTool(tool);
+      if (finding) {
+        return {
+          action,
+          ruleId: this.id,
+          severity: finding.severity,
+          reason: `Tool "${tool.name}": ${finding.reason}`
+        };
+      }
+    }
+    return null;
+  }
+  checkTool(tool) {
+    const desc = tool.description ?? "";
+    if (this.cfg("checkZeroWidth", true)) {
+      const zw = containsZeroWidth(desc);
+      if (zw.found) {
+        return { severity: "critical", reason: `Hidden zero-width characters detected (${zw.count} found)` };
+      }
+      const zwName = containsZeroWidth(tool.name);
+      if (zwName.found) {
+        return { severity: "critical", reason: `Hidden zero-width characters in tool name` };
+      }
+    }
+    if (this.cfg("checkHomoglyphs", true)) {
+      const hgName = containsHomoglyphs(tool.name);
+      if (hgName.found) {
+        return { severity: "high", reason: `Homoglyph characters in tool name (${hgName.count} found, normalized: "${hgName.normalized}")` };
+      }
+      const hgDesc = containsHomoglyphs(desc);
+      if (hgDesc.found && hgDesc.count >= 3) {
+        return { severity: "medium", reason: `Homoglyph characters in description (${hgDesc.count} found)` };
+      }
+    }
+    if (this.cfg("checkInjectionPhrases", true)) {
+      const phrase = detectInjectionPhrase(desc);
+      if (phrase) {
+        return { severity: "critical", reason: `Prompt injection phrase in description: "${phrase}"` };
+      }
+    }
+    if (this.cfg("checkMultilingualInjection", true)) {
+      const mlPhrase = detectMultilingualInjection(desc);
+      if (mlPhrase) {
+        return { severity: "critical", reason: `Multilingual prompt injection phrase in description: "${mlPhrase}"` };
+      }
+    }
+    if (this.cfg("checkHtmlComments", true)) {
+      const htmlComment = /<!--[\s\S]*?-->/;
+      if (htmlComment.test(desc)) {
+        return { severity: "high", reason: `HTML comment hiding content in description` };
+      }
+    }
+    if (this.cfg("checkBase64", true)) {
+      const base64 = /[A-Za-z0-9+/]{40,}={0,2}/;
+      if (base64.test(desc) && desc.length > 200) {
+        return { severity: "high", reason: `Suspicious base64-encoded content in description` };
+      }
+    }
+    if (this.cfg("checkShadowing", true)) {
+      const shadow = checkShadowing(tool.name);
+      if (shadow && !shadow.isGeneric) {
+        return { severity: "high", reason: `Tool name shadows dangerous system tool: "${shadow.target}"` };
+      }
+    }
+    if (this.cfg("checkInstructionPatterns", true)) {
+      if (detectInstructionPattern(desc)) {
+        return { severity: "medium", reason: `Instruction-like manipulation pattern in description` };
+      }
+    }
+    const maxLen = this.cfg("maxDescriptionLength", 5e3);
+    if (maxLen > 0 && desc.length > maxLen) {
+      return { severity: "medium", reason: `Description exceeds ${maxLen} chars (${desc.length})` };
+    }
+    if (this.cfg("checkInputSchema", true) && tool.inputSchema) {
+      const schemaFinding = this.checkInputSchema(tool.inputSchema);
+      if (schemaFinding) {
+        return schemaFinding;
+      }
+    }
+    return null;
+  }
+  /**
+   * Recursively inspect inputSchema for hidden injection in field descriptions and default values.
+   */
+  checkInputSchema(schema) {
+    const strings = this.extractSchemaStrings(schema);
+    for (const { path, value } of strings) {
+      const phrase = detectInjectionPhrase(value);
+      if (phrase) {
+        return { severity: "critical", reason: `Prompt injection in inputSchema ${path}: "${phrase}"` };
+      }
+      const mlPhrase = detectMultilingualInjection(value);
+      if (mlPhrase) {
+        return { severity: "critical", reason: `Multilingual injection in inputSchema ${path}: "${mlPhrase}"` };
+      }
+      const zw = containsZeroWidth(value);
+      if (zw.found) {
+        return { severity: "high", reason: `Hidden zero-width characters in inputSchema ${path}` };
+      }
+      if (detectInstructionPattern(value)) {
+        return { severity: "medium", reason: `Instruction-like pattern in inputSchema ${path}` };
+      }
+    }
+    return null;
+  }
+  /**
+   * Extract all string values from a JSON schema, tracking their path (e.g., "properties.query.description").
+   * Focuses on "description" and "default" fields which are common injection vectors.
+   */
+  extractSchemaStrings(obj, path = "") {
+    const results = [];
+    if (obj === null || typeof obj !== "object") return results;
+    const record = obj;
+    for (const [key, val] of Object.entries(record)) {
+      const currentPath = path ? `${path}.${key}` : key;
+      if (typeof val === "string" && (key === "description" || key === "default" || key === "title" || key === "enum")) {
+        results.push({ path: currentPath, value: val });
+      } else if (typeof val === "string" && key === "const") {
+        results.push({ path: currentPath, value: val });
+      } else if (Array.isArray(val)) {
+        for (let i = 0; i < val.length; i++) {
+          if (typeof val[i] === "string") {
+            results.push({ path: `${currentPath}[${i}]`, value: val[i] });
+          } else {
+            results.push(...this.extractSchemaStrings(val[i], `${currentPath}[${i}]`));
+          }
+        }
+      } else if (typeof val === "object" && val !== null) {
+        results.push(...this.extractSchemaStrings(val, currentPath));
+      }
+    }
+    return results;
+  }
+  cfg(key, defaultValue) {
+    return this.config[key] ?? defaultValue;
+  }
+  getAction(context) {
+    const rule = context.policy.rules.find((r) => r.id === this.id);
+    return rule?.action ?? "block";
+  }
+};
+
+// src/detectors/fuzz-patterns.ts
+var INJECTION_PATTERNS = [
+  // SQL Injection
+  { category: "SQL Injection", pattern: /'\s*OR\s+\d+=\d+/i, severity: "critical", cwe: "CWE-89" },
+  { category: "SQL Injection", pattern: /;\s*DROP\s+TABLE\b/i, severity: "critical", cwe: "CWE-89" },
+  { category: "SQL Injection", pattern: /UNION\s+SELECT\b/i, severity: "critical", cwe: "CWE-89" },
+  { category: "SQL Injection", pattern: /;\s*DELETE\s+FROM\b/i, severity: "critical", cwe: "CWE-89" },
+  // Command Injection
+  { category: "Command Injection", pattern: /;\s*(?:ls|cat|rm|wget|curl|nc|bash|sh|id|whoami)\b/, severity: "critical", cwe: "CWE-78" },
+  { category: "Command Injection", pattern: /\$\(\s*(?:[\w/]+\s+|;|&&|\|\|)/, severity: "critical", cwe: "CWE-78" },
+  { category: "Command Injection", pattern: /`(?:[\w/]+\s+|;|&&|\|\|)[^`]+`/, severity: "critical", cwe: "CWE-78" },
+  { category: "Command Injection", pattern: /\|\s*(?:cat|sh|bash|nc)\b/, severity: "critical", cwe: "CWE-78" },
+  { category: "Command Injection", pattern: /&&\s*(?:echo|cat|rm|wget)\b/, severity: "critical", cwe: "CWE-78" },
+  // Path Traversal
+  { category: "Path Traversal", pattern: /(?:\.\.\/){2,}/, severity: "critical", cwe: "CWE-22" },
+  { category: "Path Traversal", pattern: /(?:\.\.\\){2,}/, severity: "critical", cwe: "CWE-22" },
+  { category: "Path Traversal", pattern: /\/proc\/self\//, severity: "critical", cwe: "CWE-22" },
+  { category: "Path Traversal", pattern: /\/etc\/(?:passwd|shadow|hosts)/, severity: "critical", cwe: "CWE-22" },
+  // XSS
+  { category: "XSS", pattern: /<script\b[^>]*>.*<\/script>/i, severity: "critical", cwe: "CWE-79" },
+  { category: "XSS", pattern: /\b(?:onclick|onerror|onload|onmouseover|onfocus|onblur)\s*=\s*["']?[^"']*["']?/i, severity: "critical", cwe: "CWE-79" },
+  { category: "XSS", pattern: /javascript\s*:/i, severity: "critical", cwe: "CWE-79" },
+  // Template Injection (server-side only — CSO Finding #8: ${} requires dangerous content)
+  { category: "Template Injection", pattern: /\{\{.*\}\}/, severity: "critical", cwe: "CWE-94" },
+  { category: "Template Injection", pattern: /\$\{(?:.*(?:process|require|import|eval|exec|spawn|constructor|__proto__|globalThis|Function))[^}]*\}/i, severity: "high", cwe: "CWE-94" },
+  { category: "Template Injection", pattern: /<%=?.*%>/, severity: "critical", cwe: "CWE-94" }
+];
+function checkForInjection(value, context = "argument") {
+  const normalized = normalizeForDetection(value);
+  const sqlNormalized = normalizeForSql(value);
+  for (const pat of INJECTION_PATTERNS) {
+    if (context === "description" && pat.category === "Template Injection") {
+      continue;
+    }
+    if (pat.category === "SQL Injection") {
+      if (pat.pattern.test(sqlNormalized)) {
+        return pat;
+      }
+    } else {
+      if (pat.pattern.test(normalized)) {
+        return pat;
+      }
+    }
+  }
+  return null;
+}
+var VULN_INDICATORS = [
+  { pattern: /(?:ENOENT|EACCES|EPERM).*\/etc\/|\/proc\/|\/root\//i, name: "Path Disclosure", cwe: "CWE-209", severity: "high" },
+  { pattern: /at\s+\w+\s+\(.*:\d+:\d+\)/i, name: "Stack Trace Exposure", cwe: "CWE-209", severity: "high" },
+  { pattern: /syntax\s+error|unexpected\s+token|unterminated/i, name: "SQL/Syntax Error Exposure", cwe: "CWE-209", severity: "high" },
+  { pattern: /command\s+not\s+found|sh:|bash:|PWNED|uid=\d+/i, name: "Command Execution Evidence", cwe: "CWE-78", severity: "critical" },
+  { pattern: /root:x:0:0|\/bin\/(?:ba)?sh/i, name: "/etc/passwd Content", cwe: "CWE-22", severity: "critical" },
+  // CSO Finding #9: require assignment context (key=value or key:value) instead of bare word match; drop "token" (too generic)
+  { pattern: /(?:^|[=:,\s])(?:password|secret|api[_-]?key)\s*[:=]\s*\S+/i, name: "Sensitive Data Exposure", cwe: "CWE-200", severity: "critical" },
+  // CSO Finding #4: require computation context for template injection detection
+  { pattern: /\b(?:7\s*\*\s*7\s*=\s*49|49\s*(?:=|==)\s*7\s*\*\s*7|\{\{7\*7\}\}.*49|<%.*7\*7.*%>.*49)/i, name: "Template Injection (7*7=49)", cwe: "CWE-94", severity: "critical" }
+];
+function checkResponseIndicators(content) {
+  for (const ind of VULN_INDICATORS) {
+    if (ind.pattern.test(content)) {
+      return ind;
+    }
+  }
+  return null;
+}
+
+// src/rules/argument-injection.ts
+var ArgumentInjectionRule = class {
+  id = "argument-injection";
+  type = "argument-injection";
+  config;
+  constructor(config) {
+    this.config = config ?? {};
+  }
+  evaluate(message, direction, context) {
+    if (direction !== "client-to-server") return null;
+    if (!isRequest(message)) return null;
+    if (message.method !== "tools/call") return null;
+    const params = message.params;
+    if (!params?.arguments) return null;
+    const action = this.getAction(context);
+    const allValues = extractStringValues(params.arguments);
+    for (const value of allValues) {
+      const normalized = normalizeHomoglyphs(value);
+      const injection = checkForInjection(normalized);
+      if (injection) {
+        return {
+          action,
+          ruleId: this.id,
+          severity: injection.severity,
+          reason: `${injection.category} detected in tool "${params.name ?? "unknown"}" arguments (${injection.cwe})`
+        };
+      }
+      if (this.cfg("checkPromptInjection", true)) {
+        const phrase = detectInjectionPhrase(normalized);
+        if (phrase) {
+          return {
+            action,
+            ruleId: this.id,
+            severity: "high",
+            reason: `Prompt injection phrase in tool "${params.name ?? "unknown"}" arguments: "${phrase}"`
+          };
+        }
+      }
+      if (this.cfg("checkMultilingualInjection", true)) {
+        const mlPhrase = detectMultilingualInjection(value);
+        if (mlPhrase) {
+          return {
+            action,
+            ruleId: this.id,
+            severity: "high",
+            reason: `Multilingual prompt injection in tool "${params.name ?? "unknown"}" arguments: "${mlPhrase}"`
+          };
+        }
+      }
+      const zw = containsZeroWidth(value);
+      if (zw.found) {
+        return {
+          action,
+          ruleId: this.id,
+          severity: "high",
+          reason: `Hidden zero-width characters in tool "${params.name ?? "unknown"}" arguments`
+        };
+      }
+    }
+    return null;
+  }
+  cfg(key, defaultValue) {
+    return this.config[key] ?? defaultValue;
+  }
+  getAction(context) {
+    const rule = context.policy.rules.find((r) => r.id === this.id);
+    return rule?.action ?? "block";
+  }
+};
+function extractStringValues(obj) {
+  const values = [];
+  function walk(val) {
+    if (typeof val === "string") {
+      values.push(val);
+    } else if (Array.isArray(val)) {
+      for (const item of val) walk(item);
+    } else if (val !== null && typeof val === "object") {
+      for (const v of Object.values(val)) walk(v);
+    }
+  }
+  walk(obj);
+  return values;
+}
+
+// src/rules/data-exfiltration.ts
+var DataExfiltrationRule = class {
+  id = "data-exfiltration";
+  type = "data-exfiltration";
+  config;
+  constructor(config) {
+    this.config = config ?? {};
+  }
+  evaluate(message, direction, context) {
+    if (direction !== "server-to-client") return null;
+    if (!isResponse(message)) return null;
+    const originalReq = context.requestMap.get(message.id);
+    if (!originalReq || originalReq.method !== "tools/call") return null;
+    const content = extractResponseText(message.result);
+    if (!content) return null;
+    const action = this.getAction(context);
+    const indicator = checkResponseIndicators(content);
+    if (indicator) {
+      return {
+        action,
+        ruleId: this.id,
+        severity: indicator.severity,
+        reason: `${indicator.name} in tool response (${indicator.cwe})`
+      };
+    }
+    return null;
+  }
+  getAction(context) {
+    const rule = context.policy.rules.find((r) => r.id === this.id);
+    return rule?.action ?? "warn";
+  }
+};
+function extractResponseText(result) {
+  if (typeof result === "string") return result;
+  if (result && typeof result === "object") {
+    const r = result;
+    if (Array.isArray(r["content"])) {
+      const texts = [];
+      for (const item of r["content"]) {
+        if (item["type"] === "text" && typeof item["text"] === "string") {
+          texts.push(item["text"]);
+        }
+      }
+      if (texts.length > 0) return texts.join("\n");
+    }
+    try {
+      return JSON.stringify(result);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+
+// src/rules/index.ts
+var RULE_CONSTRUCTORS = {
+  "tool-poisoning": ToolPoisoningRule,
+  "argument-injection": ArgumentInjectionRule,
+  "data-exfiltration": DataExfiltrationRule
+};
+function createRules(policy) {
+  const rules = [];
+  for (const ruleConfig of policy.rules) {
+    if (!ruleConfig.enabled) continue;
+    const Constructor = RULE_CONSTRUCTORS[ruleConfig.type];
+    if (!Constructor) {
+      throw new Error(`Unknown rule type: "${ruleConfig.type}"`);
+    }
+    rules.push(new Constructor(ruleConfig.config));
+  }
+  return rules;
+}
+
+// src/proxy.ts
+import spawn from "cross-spawn";
+
+// src/framing.ts
+var MAX_CONTENT_LENGTH = 10 * 1024 * 1024;
+var MAX_BUFFER_SIZE = 20 * 1024 * 1024;
+var MessageFramer = class {
+  buffer = "";
+  mode = "unknown";
+  /**
+   * Feed raw data from a stream. Returns an array of complete parsed messages.
+   * Locks to detected framing mode on first successful parse to prevent
+   * mixed-protocol desynchronization attacks.
+   */
+  feed(chunk) {
+    this.buffer += typeof chunk === "string" ? chunk : chunk.toString("utf-8");
+    const messages = [];
+    if (this.buffer.length > MAX_BUFFER_SIZE) {
+      this.buffer = "";
+      throw new Error("Message buffer exceeded maximum size");
+    }
+    while (this.buffer.length > 0) {
+      if (this.mode !== "newline") {
+        const headerMatch = this.buffer.match(/^Content-Length:\s*(\d+)\r?\n\r?\n/);
+        if (headerMatch) {
+          const contentLength = parseInt(headerMatch[1], 10);
+          if (contentLength > MAX_CONTENT_LENGTH) {
+            this.buffer = "";
+            throw new Error(`Content-Length ${contentLength} exceeds maximum ${MAX_CONTENT_LENGTH}`);
+          }
+          const headerEnd = headerMatch[0].length;
+          if (this.buffer.length < headerEnd + contentLength) break;
+          const body = this.buffer.substring(headerEnd, headerEnd + contentLength);
+          this.buffer = this.buffer.substring(headerEnd + contentLength);
+          this.mode = "content-length";
+          const parsed = tryParseJson(body);
+          if (parsed) messages.push(parsed);
+          continue;
+        }
+      }
+      if (this.mode !== "content-length") {
+        const nlIndex = this.buffer.indexOf("\n");
+        if (nlIndex === -1) {
+          break;
+        }
+        const line = this.buffer.substring(0, nlIndex).trim();
+        this.buffer = this.buffer.substring(nlIndex + 1);
+        if (line.length > 0 && line.startsWith("{")) {
+          const parsed = tryParseJson(line);
+          if (parsed) {
+            this.mode = "newline";
+            messages.push(parsed);
+          }
+        }
+        continue;
+      }
+      break;
+    }
+    return messages;
+  }
+  /** Reset the internal buffer and mode detection */
+  reset() {
+    this.buffer = "";
+    this.mode = "unknown";
+  }
+  /** Get the current framing mode (for testing/diagnostics) */
+  getMode() {
+    return this.mode;
+  }
+  /** Serialize a message to newline-delimited JSON (MCP SDK convention) */
+  static serialize(message) {
+    return JSON.stringify(message) + "\n";
+  }
+};
+function tryParseJson(raw) {
+  try {
+    const obj = JSON.parse(raw);
+    if (obj["jsonrpc"] === "2.0") {
+      return obj;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// src/logger.ts
+var LEVEL_ORDER = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var Logger = class {
+  threshold;
+  constructor(level = "info") {
+    this.threshold = LEVEL_ORDER[level];
+  }
+  debug(msg, data) {
+    this.log("debug", msg, data);
+  }
+  info(msg, data) {
+    this.log("info", msg, data);
+  }
+  warn(msg, data) {
+    this.log("warn", msg, data);
+  }
+  error(msg, data) {
+    this.log("error", msg, data);
+  }
+  log(level, msg, data) {
+    if (LEVEL_ORDER[level] < this.threshold) return;
+    const entry = {
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      level,
+      msg,
+      ...data
+    };
+    process.stderr.write(JSON.stringify(entry) + "\n");
+  }
+};
+
+// src/rule-engine.ts
+var REQUEST_TTL_MS = 6e4;
+var MAX_TRACKED_REQUESTS = 1e4;
+var RuleEngine = class {
+  rules;
+  policy;
+  logger;
+  requestMap = /* @__PURE__ */ new Map();
+  serverInfo;
+  dryRun;
+  cleanupInterval = null;
+  constructor(opts) {
+    this.rules = opts.rules;
+    this.policy = opts.policy;
+    this.logger = opts.logger;
+    this.serverInfo = opts.serverInfo;
+    this.dryRun = opts.dryRun;
+    this.cleanupInterval = setInterval(() => this.cleanupStaleRequests(), 3e4);
+    this.cleanupInterval.unref();
+  }
+  /** Remove tracked requests older than REQUEST_TTL_MS, or oldest when over capacity */
+  cleanupStaleRequests() {
+    const now = Date.now();
+    for (const [id, entry] of this.requestMap) {
+      if (now - entry.trackedAt > REQUEST_TTL_MS) {
+        this.requestMap.delete(id);
+      }
+    }
+    if (this.requestMap.size > MAX_TRACKED_REQUESTS) {
+      const sorted = [...this.requestMap.entries()].sort(
+        (a, b) => a[1].trackedAt - b[1].trackedAt
+      );
+      const toRemove = sorted.slice(0, this.requestMap.size - MAX_TRACKED_REQUESTS);
+      for (const [id] of toRemove) {
+        this.requestMap.delete(id);
+      }
+    }
+  }
+  /** Clean up resources */
+  dispose() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+  /** Get the list of rule IDs for logging */
+  getRuleIds() {
+    return this.rules.map((r) => r.id);
+  }
+  /** Track a request for later response correlation */
+  trackRequest(id, request) {
+    this.requestMap.set(id, { request, trackedAt: Date.now() });
+  }
+  /** Remove a tracked request after response is processed */
+  untrackRequest(id) {
+    this.requestMap.delete(id);
+  }
+  /** Get the request map for rule context (returns requests only, without tracking metadata) */
+  getRequestMap() {
+    const result = /* @__PURE__ */ new Map();
+    for (const [id, entry] of this.requestMap) {
+      result.set(id, entry.request);
+    }
+    return result;
+  }
+  /**
+   * Evaluate all rules against a message.
+   * Returns the first non-null verdict, or null if all rules pass.
+   */
+  evaluate(message, direction) {
+    const context = {
+      policy: this.policy,
+      serverCommand: this.serverInfo,
+      requestMap: this.getRequestMap()
+    };
+    for (const rule of this.rules) {
+      try {
+        const verdict = rule.evaluate(message, direction, context);
+        if (verdict) return verdict;
+      } catch (err) {
+        this.logger.error("Rule evaluation error, blocking", {
+          rule: rule.id,
+          error: err instanceof Error ? err.message : String(err)
+        });
+        return {
+          action: "block",
+          ruleId: rule.id,
+          severity: "critical",
+          reason: `Rule evaluation error: ${err instanceof Error ? err.message : String(err)}`
+        };
+      }
+    }
+    return null;
+  }
+  /**
+   * Log a verdict appropriately (block, dry-run block, or warn).
+   * Returns true if the message should be blocked (not forwarded).
+   */
+  handleVerdict(verdict, direction, method) {
+    if (!verdict) return false;
+    const dirLabel = direction === "client-to-server" ? "client\u2192server" : "server\u2192client";
+    if (verdict.action === "block") {
+      if (this.dryRun) {
+        this.logger.warn(`DRY-RUN WOULD BLOCK ${dirLabel}`, {
+          rule: verdict.ruleId,
+          severity: verdict.severity,
+          reason: verdict.reason,
+          method
+        });
+        return false;
+      }
+      this.logger.warn(`BLOCKED ${dirLabel}`, {
+        rule: verdict.ruleId,
+        severity: verdict.severity,
+        reason: verdict.reason,
+        method
+      });
+      return true;
+    }
+    if (verdict.action === "warn") {
+      this.logger.warn(`WARNING ${dirLabel}`, {
+        rule: verdict.ruleId,
+        severity: verdict.severity,
+        reason: verdict.reason
+      });
+    }
+    return false;
+  }
+};
+
+// src/proxy.ts
+var McpGuardProxy = class {
+  child = null;
+  clientFramer = new MessageFramer();
+  serverFramer = new MessageFramer();
+  ruleEngine;
+  options;
+  policy;
+  logger;
+  stopped = false;
+  constructor(options, policy, rules) {
+    this.options = options;
+    this.policy = policy;
+    this.logger = new Logger(options.verbose ? "debug" : policy.logging.level);
+    this.ruleEngine = new RuleEngine({
+      rules,
+      policy,
+      logger: this.logger,
+      serverInfo: options.serverCommand,
+      dryRun: options.dryRun
+    });
+  }
+  async start() {
+    this.logger.info("mcp-guard starting", {
+      server: this.options.serverCommand,
+      args: this.options.serverArgs,
+      rules: this.ruleEngine.getRuleIds(),
+      failMode: this.policy.failMode,
+      dryRun: this.options.dryRun
+    });
+    this.child = spawn(this.options.serverCommand, this.options.serverArgs, {
+      stdio: ["pipe", "pipe", "inherit"]
+      // stderr passes through
+    });
+    if (!this.child.stdin || !this.child.stdout) {
+      throw new Error("Failed to open stdio pipes to MCP server");
+    }
+    this.child.on("exit", (code, signal) => {
+      this.logger.info("MCP server exited", { code, signal });
+      if (!this.stopped) {
+        process.exit(code ?? 1);
+      }
+    });
+    this.child.on("error", (err) => {
+      this.logger.error("Failed to spawn MCP server", { error: err.message });
+      process.exit(1);
+    });
+    process.stdin.on("data", (chunk) => {
+      this.handleClientData(chunk);
+    });
+    process.stdin.on("end", () => {
+      this.logger.debug("Client stdin closed");
+      this.stop();
+    });
+    this.child.stdout.on("data", (chunk) => {
+      this.handleServerData(chunk);
+    });
+    this.child.stdout.on("end", () => {
+      this.logger.debug("Server stdout closed");
+    });
+    const handleSignal = (sig) => {
+      this.logger.info("Received signal, shutting down", { signal: sig });
+      this.stop();
+    };
+    process.on("SIGTERM", handleSignal);
+    process.on("SIGINT", handleSignal);
+  }
+  stop() {
+    if (this.stopped) return;
+    this.stopped = true;
+    this.ruleEngine.dispose();
+    if (this.child) {
+      try {
+        this.child.kill("SIGTERM");
+      } catch {
+      }
+      setTimeout(() => {
+        try {
+          this.child?.kill("SIGKILL");
+        } catch {
+        }
+      }, 2e3);
+    }
+  }
+  handleClientData(chunk) {
+    let messages;
+    try {
+      messages = this.clientFramer.feed(chunk);
+    } catch (err) {
+      this.logger.error("Client framing error, dropping message", {
+        failMode: this.policy.failMode,
+        error: err instanceof Error ? err.message : String(err)
+      });
+      return;
+    }
+    if (messages.length === 0) return;
+    for (const msg of messages) {
+      if (isMalformed(msg)) {
+        this.logger.warn("Dropping malformed JSON-RPC message (has both method and result/error)");
+        if ("id" in msg) {
+          this.writeToClient({
+            jsonrpc: "2.0",
+            id: msg.id,
+            error: { code: -32600, message: "Malformed JSON-RPC: contradictory fields" }
+          });
+        }
+        continue;
+      }
+      if (isRequest(msg)) {
+        this.ruleEngine.trackRequest(msg.id, msg);
+      }
+      const verdict = this.ruleEngine.evaluate(msg, "client-to-server");
+      const blocked = this.ruleEngine.handleVerdict(
+        verdict,
+        "client-to-server",
+        isRequest(msg) ? msg.method : void 0
+      );
+      if (blocked && isRequest(msg)) {
+        const errorResponse = {
+          jsonrpc: "2.0",
+          id: msg.id,
+          error: {
+            code: -32600,
+            message: `Blocked by mcp-guard: ${verdict.reason}`,
+            data: { rule: verdict.ruleId, severity: verdict.severity }
+          }
+        };
+        this.writeToClient(errorResponse);
+        continue;
+      }
+      this.writeToServer(msg);
+    }
+  }
+  handleServerData(chunk) {
+    let messages;
+    try {
+      messages = this.serverFramer.feed(chunk);
+    } catch (err) {
+      this.logger.error("Server framing error, dropping message", {
+        failMode: this.policy.failMode,
+        error: err instanceof Error ? err.message : String(err)
+      });
+      return;
+    }
+    if (messages.length === 0) return;
+    for (const msg of messages) {
+      if (isMalformed(msg)) {
+        this.logger.warn("Dropping malformed server JSON-RPC message (has both method and result/error)");
+        continue;
+      }
+      const verdict = this.ruleEngine.evaluate(msg, "server-to-client");
+      const blocked = this.ruleEngine.handleVerdict(verdict, "server-to-client");
+      if (blocked) {
+        if (isResponse(msg)) {
+          const errorResponse = {
+            jsonrpc: "2.0",
+            id: msg.id,
+            error: {
+              code: -32600,
+              message: `Blocked by mcp-guard: ${verdict.reason}`,
+              data: { rule: verdict.ruleId, severity: verdict.severity }
+            }
+          };
+          this.writeToClient(errorResponse);
+        }
+        continue;
+      }
+      if (isResponse(msg)) {
+        this.ruleEngine.untrackRequest(msg.id);
+      }
+      this.writeToClient(msg);
+    }
+  }
+  writeToClient(msg) {
+    process.stdout.write(MessageFramer.serialize(msg));
+  }
+  writeToServer(msg) {
+    this.child?.stdin?.write(MessageFramer.serialize(msg));
+  }
+};
+
+// src/http-proxy.ts
+import { createServer } from "http";
+var MAX_REQUEST_BODY = 5 * 1024 * 1024;
+var MAX_SSE_BUFFER = 1 * 1024 * 1024;
+var UPSTREAM_TIMEOUT_MS = 3e4;
+var McpHttpProxy = class {
+  server = null;
+  ruleEngine;
+  options;
+  logger;
+  constructor(options, policy, rules) {
+    this.options = options;
+    this.logger = new Logger(options.verbose ? "debug" : policy.logging.level);
+    this.ruleEngine = new RuleEngine({
+      rules,
+      policy,
+      logger: this.logger,
+      serverInfo: options.upstream,
+      dryRun: options.dryRun
+    });
+  }
+  async start() {
+    this.logger.info("mcp-guard HTTP proxy starting", {
+      upstream: this.options.upstream,
+      listen: `${this.options.host}:${this.options.port}`,
+      dryRun: this.options.dryRun
+    });
+    this.server = createServer((req, res) => {
+      this.handleRequest(req, res).catch((err) => {
+        this.logger.error("Request handler error", { error: err.message });
+        if (!res.headersSent) {
+          res.writeHead(500, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Internal proxy error" }));
+        }
+      });
+    });
+    return new Promise((resolve, reject) => {
+      this.server.on("error", reject);
+      this.server.listen(this.options.port, this.options.host, () => {
+        this.logger.info("mcp-guard HTTP proxy listening", {
+          url: `http://${this.options.host}:${this.options.port}`
+        });
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    this.ruleEngine.dispose();
+    return new Promise((resolve) => {
+      if (this.server) {
+        this.server.close(() => resolve());
+      } else {
+        resolve();
+      }
+    });
+  }
+  async handleRequest(req, res) {
+    const method = req.method?.toUpperCase() ?? "GET";
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    this.logger.debug("Incoming request", { method, path: url.pathname, query: url.search });
+    if (method === "POST") {
+      await this.handlePost(req, res, url);
+    } else if (method === "GET") {
+      await this.handleGet(req, res, url);
+    } else if (method === "DELETE") {
+      await this.handleDelete(req, res);
+    } else {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: `Method ${method} not allowed` }));
+    }
+  }
+  // ─── POST: Client sends JSON-RPC messages ──────────────────────────────────
+  async handlePost(req, res, url) {
+    const body = await readBody(req);
+    if (!body) {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Empty request body" }));
+      return;
+    }
+    let messages;
+    try {
+      const parsed = JSON.parse(body);
+      messages = Array.isArray(parsed) ? parsed : [parsed];
+    } catch {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Invalid JSON" }));
+      return;
+    }
+    const blocked = [];
+    const allowed = [];
+    for (const msg of messages) {
+      if (isMalformed(msg)) {
+        this.logger.warn("Dropping malformed JSON-RPC message (has both method and result/error)");
+        if ("id" in msg) {
+          blocked.push({
+            jsonrpc: "2.0",
+            id: msg.id,
+            error: { code: -32600, message: "Malformed JSON-RPC: contradictory fields" }
+          });
+        }
+        continue;
+      }
+      if (isRequest(msg)) {
+        this.ruleEngine.trackRequest(msg.id, msg);
+      }
+      const verdict = this.ruleEngine.evaluate(msg, "client-to-server");
+      const shouldBlock = this.ruleEngine.handleVerdict(
+        verdict,
+        "client-to-server",
+        isRequest(msg) ? msg.method : void 0
+      );
+      if (shouldBlock && isRequest(msg)) {
+        blocked.push({
+          jsonrpc: "2.0",
+          id: msg.id,
+          error: {
+            code: -32600,
+            message: `Blocked by mcp-guard: ${verdict.reason}`,
+            data: { rule: verdict.ruleId, severity: verdict.severity }
+          }
+        });
+      } else {
+        allowed.push(msg);
+      }
+    }
+    if (allowed.length === 0 && blocked.length > 0) {
+      const accept = req.headers.accept ?? "";
+      if (accept.includes("text/event-stream")) {
+        res.writeHead(200, sseHeaders());
+        for (const err of blocked) {
+          writeSseEvent(res, "message", JSON.stringify(err));
+        }
+        res.end();
+      } else {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(blocked.length === 1 ? blocked[0] : blocked));
+      }
+      return;
+    }
+    const upstreamUrl = new URL(url.pathname + url.search, this.options.upstream);
+    const upstreamRes = await this.forwardPost(upstreamUrl.toString(), req, allowed);
+    if (!upstreamRes.ok && !upstreamRes.body) {
+      res.writeHead(upstreamRes.status, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: `Upstream returned ${upstreamRes.status}` }));
+      return;
+    }
+    const upstreamContentType = upstreamRes.headers.get("content-type") ?? "";
+    const proxyHeaders = {};
+    const sessionId = upstreamRes.headers.get("mcp-session-id");
+    if (sessionId) proxyHeaders["mcp-session-id"] = sessionId;
+    if (upstreamContentType.includes("text/event-stream")) {
+      proxyHeaders["content-type"] = "text/event-stream";
+      proxyHeaders["cache-control"] = "no-cache, no-transform";
+      proxyHeaders["connection"] = "keep-alive";
+      res.writeHead(upstreamRes.status, proxyHeaders);
+      await this.streamSseResponse(upstreamRes, res, blocked);
+    } else {
+      const responseBody = await upstreamRes.text();
+      proxyHeaders["content-type"] = upstreamContentType || "application/json";
+      res.writeHead(upstreamRes.status, proxyHeaders);
+      const inspected = this.inspectJsonResponse(responseBody, blocked);
+      res.end(inspected);
+    }
+  }
+  // ─── GET: SSE stream (server→client notifications) ─────────────────────────
+  async handleGet(req, res, url) {
+    const upstreamUrl = new URL(url.pathname + url.search, this.options.upstream);
+    const headers = {
+      "Accept": "text/event-stream"
+    };
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId) headers["Mcp-Session-Id"] = String(sessionId);
+    const protocolVersion = req.headers["mcp-protocol-version"];
+    if (protocolVersion) headers["Mcp-Protocol-Version"] = String(protocolVersion);
+    const lastEventId = req.headers["last-event-id"];
+    if (lastEventId) headers["Last-Event-Id"] = String(lastEventId);
+    let upstreamRes;
+    try {
+      const ac = AbortSignal.timeout(UPSTREAM_TIMEOUT_MS);
+      upstreamRes = await fetch(upstreamUrl.toString(), { method: "GET", headers, signal: ac });
+    } catch (err) {
+      res.writeHead(502, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: `Upstream connection failed: ${err.message}` }));
+      return;
+    }
+    if (!upstreamRes.ok || !upstreamRes.body) {
+      res.writeHead(upstreamRes.status, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: `Upstream returned ${upstreamRes.status}` }));
+      return;
+    }
+    const proxyHeaders = {
+      "content-type": "text/event-stream",
+      "cache-control": "no-cache, no-transform",
+      "connection": "keep-alive"
+    };
+    const upSessionId = upstreamRes.headers.get("mcp-session-id");
+    if (upSessionId) proxyHeaders["mcp-session-id"] = upSessionId;
+    res.writeHead(200, proxyHeaders);
+    await this.streamSseResponse(upstreamRes, res, []);
+  }
+  // ─── DELETE: Session termination ───────────────────────────────────────────
+  async handleDelete(req, res) {
+    const headers = {};
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId) headers["Mcp-Session-Id"] = String(sessionId);
+    try {
+      const ac = AbortSignal.timeout(UPSTREAM_TIMEOUT_MS);
+      const upstreamRes = await fetch(this.options.upstream, { method: "DELETE", headers, signal: ac });
+      res.writeHead(upstreamRes.status);
+      res.end();
+    } catch (err) {
+      res.writeHead(502, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: `Upstream connection failed: ${err.message}` }));
+    }
+  }
+  // ─── Helpers ───────────────────────────────────────────────────────────────
+  async forwardPost(upstreamUrl, originalReq, messages) {
+    const body = messages.length === 1 ? JSON.stringify(messages[0]) : JSON.stringify(messages);
+    const headers = {
+      "Content-Type": "application/json",
+      "Accept": originalReq.headers.accept ?? "application/json, text/event-stream"
+    };
+    const sessionId = originalReq.headers["mcp-session-id"];
+    if (sessionId) headers["Mcp-Session-Id"] = String(sessionId);
+    const protocolVersion = originalReq.headers["mcp-protocol-version"];
+    if (protocolVersion) headers["Mcp-Protocol-Version"] = String(protocolVersion);
+    const auth = originalReq.headers["authorization"];
+    if (auth) headers["Authorization"] = String(auth);
+    try {
+      const ac = AbortSignal.timeout(UPSTREAM_TIMEOUT_MS);
+      return await fetch(upstreamUrl, { method: "POST", headers, body, signal: ac });
+    } catch (err) {
+      return new Response(JSON.stringify({ error: `Upstream connection failed: ${err.message}` }), {
+        status: 502,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  }
+  /**
+   * Stream SSE from upstream Response to client ServerResponse,
+   * inspecting each JSON-RPC message through security rules.
+   */
+  async streamSseResponse(upstreamRes, clientRes, prependErrors) {
+    for (const err of prependErrors) {
+      writeSseEvent(clientRes, "message", JSON.stringify(err));
+    }
+    if (!upstreamRes.body) {
+      clientRes.end();
+      return;
+    }
+    const reader = upstreamRes.body.getReader();
+    const decoder = new TextDecoder();
+    let sseBuffer = "";
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        sseBuffer += decoder.decode(value, { stream: true });
+        if (sseBuffer.length > MAX_SSE_BUFFER) {
+          this.logger.warn("SSE buffer exceeded limit, resetting", { size: sseBuffer.length });
+          sseBuffer = "";
+          continue;
+        }
+        const events = parseSseEvents(sseBuffer);
+        sseBuffer = events.remaining;
+        for (const event of events.parsed) {
+          if (event.event === "message" && event.data) {
+            const inspected = this.inspectSseMessage(event.data);
+            if (inspected !== null) {
+              writeSseEvent(clientRes, event.event, inspected, event.id);
+            }
+          } else {
+            writeSseEventRaw(clientRes, event);
+          }
+        }
+      }
+    } catch (err) {
+      this.logger.error("SSE stream error", { error: err.message });
+    } finally {
+      clientRes.end();
+    }
+  }
+  /**
+   * Inspect a single JSON-RPC message from an SSE event.
+   * Returns the (possibly modified) JSON string, or null to block.
+   */
+  inspectSseMessage(data) {
+    let msg;
+    try {
+      msg = JSON.parse(data);
+    } catch {
+      this.logger.warn("Dropping unparseable SSE JSON-RPC message");
+      return null;
+    }
+    if (isMalformed(msg)) {
+      this.logger.warn("Dropping malformed SSE JSON-RPC message");
+      return null;
+    }
+    const verdict = this.ruleEngine.evaluate(msg, "server-to-client");
+    const shouldBlock = this.ruleEngine.handleVerdict(verdict, "server-to-client");
+    if (shouldBlock) {
+      if (isResponse(msg)) {
+        const errorResponse = {
+          jsonrpc: "2.0",
+          id: msg.id,
+          error: {
+            code: -32600,
+            message: `Blocked by mcp-guard: ${verdict.reason}`,
+            data: { rule: verdict.ruleId, severity: verdict.severity }
+          }
+        };
+        return JSON.stringify(errorResponse);
+      }
+      return null;
+    }
+    if (isResponse(msg)) {
+      this.ruleEngine.untrackRequest(msg.id);
+    }
+    return data;
+  }
+  /**
+   * Inspect a plain JSON response body.
+   */
+  inspectJsonResponse(body, prependErrors) {
+    let parsed;
+    try {
+      parsed = JSON.parse(body);
+    } catch {
+      this.logger.warn("Dropping unparseable JSON response from upstream");
+      const err = {
+        jsonrpc: "2.0",
+        id: 0,
+        error: { code: -32600, message: "Upstream returned unparseable JSON" }
+      };
+      return JSON.stringify(prependErrors.length > 0 ? [...prependErrors, err] : err);
+    }
+    const messages = Array.isArray(parsed) ? parsed : [parsed];
+    const results = [...prependErrors];
+    for (const raw of messages) {
+      const msg = raw;
+      if (msg.jsonrpc !== "2.0") {
+        results.push(raw);
+        continue;
+      }
+      if (isMalformed(msg)) {
+        this.logger.warn("Dropping malformed JSON-RPC response");
+        if (isResponse(msg)) {
+          results.push({
+            jsonrpc: "2.0",
+            id: msg.id,
+            error: { code: -32600, message: "Malformed JSON-RPC: contradictory fields" }
+          });
+        }
+        continue;
+      }
+      const verdict = this.ruleEngine.evaluate(msg, "server-to-client");
+      const shouldBlock = this.ruleEngine.handleVerdict(verdict, "server-to-client");
+      if (shouldBlock && isResponse(msg)) {
+        results.push({
+          jsonrpc: "2.0",
+          id: msg.id,
+          error: {
+            code: -32600,
+            message: `Blocked by mcp-guard: ${verdict.reason}`,
+            data: { rule: verdict.ruleId, severity: verdict.severity }
+          }
+        });
+      } else {
+        if (isResponse(msg)) {
+          this.ruleEngine.untrackRequest(msg.id);
+        }
+        results.push(raw);
+      }
+    }
+    if (!Array.isArray(parsed) && results.length === 1) {
+      return JSON.stringify(results[0]);
+    }
+    return JSON.stringify(results);
+  }
+};
+function sseHeaders() {
+  return {
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache, no-transform",
+    "Connection": "keep-alive"
+  };
+}
+function sanitizeSseField(value) {
+  return value.replace(/[\n\r]/g, "");
+}
+function writeSseEvent(res, event, data, id) {
+  if (id) res.write(`id: ${sanitizeSseField(id)}
+`);
+  res.write(`event: ${sanitizeSseField(event)}
+`);
+  for (const line of data.split("\n")) {
+    res.write(`data: ${line}
+`);
+  }
+  res.write("\n");
+}
+function writeSseEventRaw(res, event) {
+  if (event.id) res.write(`id: ${sanitizeSseField(event.id)}
+`);
+  if (event.event) res.write(`event: ${sanitizeSseField(event.event)}
+`);
+  if (event.retry) res.write(`retry: ${sanitizeSseField(event.retry)}
+`);
+  if (event.data !== void 0) {
+    for (const line of event.data.split("\n")) {
+      res.write(`data: ${line}
+`);
+    }
+  }
+  res.write("\n");
+}
+function parseSseEvents(buffer) {
+  const events = [];
+  const parts = buffer.split("\n\n");
+  const remaining = parts.pop() ?? "";
+  for (const part of parts) {
+    if (part.trim() === "") continue;
+    const event = {};
+    for (const line of part.split("\n")) {
+      if (line.startsWith("event:")) {
+        event.event = line.substring(6).trim();
+      } else if (line.startsWith("data:")) {
+        const val = line.substring(5).trimStart();
+        event.data = event.data !== void 0 ? event.data + "\n" + val : val;
+      } else if (line.startsWith("id:")) {
+        event.id = line.substring(3).trim();
+      } else if (line.startsWith("retry:")) {
+        event.retry = line.substring(6).trim();
+      }
+    }
+    events.push(event);
+  }
+  return { parsed: events, remaining };
+}
+async function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let totalSize = 0;
+    req.on("data", (chunk) => {
+      totalSize += chunk.length;
+      if (totalSize > MAX_REQUEST_BODY) {
+        req.destroy();
+        reject(new Error(`Request body exceeds ${MAX_REQUEST_BODY} bytes limit`));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      const body = Buffer.concat(chunks).toString("utf-8");
+      resolve(body.length > 0 ? body : null);
+    });
+    req.on("error", () => resolve(null));
+  });
+}
+
+// src/index.ts
+function resolvePolicy(configPath, failOpen) {
+  let policy = getDefaultPolicy();
+  if (configPath) {
+    try {
+      policy = loadPolicy(configPath);
+    } catch (err) {
+      console.error(`[mcp-guard] Failed to load policy: ${err instanceof Error ? err.message : String(err)}`);
+      process.exit(1);
+    }
+  }
+  if (failOpen) {
+    policy.failMode = "open";
+  }
+  return policy;
+}
+var program = new Command();
+program.name("mcp-guard").description("MCP runtime security proxy \u2014 intercepts and enforces security policies on MCP tool calls").version("0.2.0");
+program.option("-c, --config <path>", "Path to policy YAML file").option("-v, --verbose", "Enable debug logging", false).option("--fail-open", "Allow traffic on policy errors (NOT recommended)", false).option("--dry-run", "Log decisions but never block", false).argument("<server-command>", "MCP server command to proxy (stdio mode)").argument("[server-args...]", "Arguments for the MCP server").action(async (serverCommand, serverArgs, opts) => {
+  try {
+    const policy = resolvePolicy(opts["config"], opts["failOpen"]);
+    const rules = createRules(policy);
+    if (rules.length === 0) console.error("[mcp-guard] Warning: no rules enabled");
+    const proxy = new McpGuardProxy(
+      {
+        mode: "stdio",
+        serverCommand,
+        serverArgs,
+        verbose: opts["verbose"],
+        failOpen: opts["failOpen"],
+        dryRun: opts["dryRun"],
+        configPath: opts["config"]
+      },
+      policy,
+      rules
+    );
+    await proxy.start();
+  } catch (err) {
+    console.error(`[mcp-guard] Fatal: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  }
+});
+program.command("http").description("Run as HTTP reverse proxy between MCP client and a remote MCP server").requiredOption("-u, --upstream <url>", "Upstream MCP server URL (e.g. http://localhost:8080/mcp)").option("-p, --port <number>", "Port to listen on", "9090").option("-H, --host <host>", "Host to bind to", "127.0.0.1").option("-c, --config <path>", "Path to policy YAML file").option("-v, --verbose", "Enable debug logging", false).option("--fail-open", "Allow traffic on policy errors (NOT recommended)", false).option("--dry-run", "Log decisions but never block", false).action(async (opts) => {
+  try {
+    const policy = resolvePolicy(opts["config"], opts["failOpen"]);
+    const rules = createRules(policy);
+    if (rules.length === 0) console.error("[mcp-guard] Warning: no rules enabled");
+    const proxy = new McpHttpProxy(
+      {
+        mode: "http",
+        upstream: opts["upstream"],
+        port: parseInt(opts["port"], 10),
+        host: opts["host"] ?? "127.0.0.1",
+        verbose: opts["verbose"],
+        failOpen: opts["failOpen"],
+        dryRun: opts["dryRun"],
+        configPath: opts["config"]
+      },
+      policy,
+      rules
+    );
+    await proxy.start();
+    const handleSignal = () => {
+      proxy.stop().then(() => process.exit(0));
+    };
+    process.on("SIGTERM", handleSignal);
+    process.on("SIGINT", handleSignal);
+  } catch (err) {
+    console.error(`[mcp-guard] Fatal: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  }
+});
+program.parse();