@blacksandscyber/mcp-server-bursar 0.5.0
- package/README.md +230 -0
- package/build/config.d.ts +45 -0
- package/build/config.js +177 -0
- package/build/http-transport.d.ts +16 -0
- package/build/http-transport.js +191 -0
- package/build/index.d.ts +16 -0
- package/build/index.js +31 -0
- package/build/server.d.ts +41 -0
- package/build/server.js +902 -0
- package/build/shared/errors.d.ts +50 -0
- package/build/shared/errors.js +69 -0
- package/build/shared/linkBuilder.d.ts +93 -0
- package/build/shared/linkBuilder.js +148 -0
- package/build/shared/logger.d.ts +10 -0
- package/build/shared/logger.js +28 -0
- package/build/shield/bootRole.d.ts +60 -0
- package/build/shield/bootRole.js +145 -0
- package/build/shield/client.d.ts +265 -0
- package/build/shield/client.js +656 -0
- package/build/shield/deploy/index.d.ts +69 -0
- package/build/shield/deploy/index.js +569 -0
- package/build/shield/discovery/dataStoreDetector.d.ts +3 -0
- package/build/shield/discovery/dataStoreDetector.js +125 -0
- package/build/shield/discovery/dockerScanner.d.ts +34 -0
- package/build/shield/discovery/dockerScanner.js +543 -0
- package/build/shield/discovery/endpointScanner.d.ts +3 -0
- package/build/shield/discovery/endpointScanner.js +306 -0
- package/build/shield/discovery/environmentScanner.d.ts +86 -0
- package/build/shield/discovery/environmentScanner.js +545 -0
- package/build/shield/discovery/externalServiceDetector.d.ts +3 -0
- package/build/shield/discovery/externalServiceDetector.js +98 -0
- package/build/shield/discovery/frameworkDetector.d.ts +3 -0
- package/build/shield/discovery/frameworkDetector.js +114 -0
- package/build/shield/discovery/manifestGenerator.d.ts +12 -0
- package/build/shield/discovery/manifestGenerator.js +124 -0
- package/build/shield/discovery/piiDetector.d.ts +5 -0
- package/build/shield/discovery/piiDetector.js +203 -0
- package/build/shield/discovery/severity.d.ts +47 -0
- package/build/shield/discovery/severity.js +138 -0
- package/build/shield/discovery/topologyNormalizer.d.ts +109 -0
- package/build/shield/discovery/topologyNormalizer.js +416 -0
- package/build/shield/identity.d.ts +53 -0
- package/build/shield/identity.js +70 -0
- package/build/shield/install/configMerge.d.ts +91 -0
- package/build/shield/install/configMerge.js +324 -0
- package/build/shield/install/keystore.d.ts +25 -0
- package/build/shield/install/keystore.js +156 -0
- package/build/shield/install/orchestrator.d.ts +33 -0
- package/build/shield/install/orchestrator.js +404 -0
- package/build/shield/install/transports/awsSsm.d.ts +43 -0
- package/build/shield/install/transports/awsSsm.js +378 -0
- package/build/shield/install/transports/bootstrapToken.d.ts +39 -0
- package/build/shield/install/transports/bootstrapToken.js +117 -0
- package/build/shield/install/transports/ssh.d.ts +50 -0
- package/build/shield/install/transports/ssh.js +569 -0
- package/build/shield/install/types.d.ts +139 -0
- package/build/shield/install/types.js +10 -0
- package/build/shield/protocol-walkthrough.d.ts +65 -0
- package/build/shield/protocol-walkthrough.js +392 -0
- package/build/shield/provision/appProvisioner.d.ts +15 -0
- package/build/shield/provision/appProvisioner.js +25 -0
- package/build/shield/types.d.ts +261 -0
- package/build/shield/types.js +4 -0
- package/build/shield/verify/postureReporter.d.ts +4 -0
- package/build/shield/verify/postureReporter.js +31 -0
- package/dxt/blacksands-ca.crt +67 -0
- package/dxt/scripts/setup.js +520 -0
- package/package.json +76 -0
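--- a/package/build/shield/discovery/dataStoreDetector.js
+++ b/package/build/shield/discovery/dataStoreDetector.js
@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectDataStores = detectDataStores;
+/** Detect database and data store connections. */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const DB_PACKAGES = {
+pg: { type: "postgresql", defaultPort: 5432 },
+mysql2: { type: "mysql", defaultPort: 3306 },
+mongoose: { type: "mongodb", defaultPort: 27017 },
+mongodb: { type: "mongodb", defaultPort: 27017 },
+sequelize: { type: "sql_orm", defaultPort: null },
+prisma: { type: "sql_orm", defaultPort: null },
+"@prisma/client": { type: "sql_orm", defaultPort: null },
+typeorm: { type: "sql_orm", defaultPort: null },
+knex: { type: "sql_orm", defaultPort: null },
+redis: { type: "redis", defaultPort: 6379 },
+ioredis: { type: "redis", defaultPort: 6379 },
+psycopg2: { type: "postgresql", defaultPort: 5432 },
+asyncpg: { type: "postgresql", defaultPort: 5432 },
+sqlalchemy: { type: "sql_orm", defaultPort: null },
+pymongo: { type: "mongodb", defaultPort: 27017 },
+};
+const ENV_PATTERNS = [
+{ pattern: /DATABASE_URL/i, type: "sql" },
+{ pattern: /POSTGRES_(?:HOST|URL|URI)/i, type: "postgresql" },
+{ pattern: /MYSQL_(?:HOST|URL|URI)/i, type: "mysql" },
+{ pattern: /MONGO(?:DB)?_(?:HOST|URL|URI)/i, type: "mongodb" },
+{ pattern: /REDIS_(?:HOST|URL|URI)/i, type: "redis" },
+];
+async function detectDataStores(projectPath) {
+const stores = [];
+const seen = new Set();
+// package.json
+const pkgPath = path.join(projectPath, "package.json");
+if (fs.existsSync(pkgPath)) {
+try {
+const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+for (const [dep, meta] of Object.entries(DB_PACKAGES)) {
+if (allDeps[dep] && !seen.has(meta.type)) {
+seen.add(meta.type);
+stores.push({ type: meta.type, host: "detected", port: meta.defaultPort, encrypted: null, contains_pii: null, detectedFrom: "package.json" });
+}
+}
+}
+catch { /* ignore */ }
+}
+// requirements.txt
+const reqPath = path.join(projectPath, "requirements.txt");
+if (fs.existsSync(reqPath)) {
+const content = fs.readFileSync(reqPath, "utf8").toLowerCase();
+for (const [dep, meta] of Object.entries(DB_PACKAGES)) {
+if (content.includes(dep.toLowerCase()) && !seen.has(meta.type)) {
+seen.add(meta.type);
+stores.push({ type: meta.type, host: "detected", port: meta.defaultPort, encrypted: null, contains_pii: null, detectedFrom: "requirements.txt" });
+}
+}
+}
+// .env files
+for (const envFile of [".env", ".env.local", ".env.example"]) {
+const envPath = path.join(projectPath, envFile);
+if (fs.existsSync(envPath)) {
+const content = fs.readFileSync(envPath, "utf8");
+for (const { pattern, type } of ENV_PATTERNS) {
+if (pattern.test(content) && !seen.has(type)) {
+seen.add(type);
+stores.push({ type, host: "from_env", port: null, encrypted: null, contains_pii: null, detectedFrom: envFile });
+}
+}
+}
+}
+// docker-compose
+for (const composeFile of ["docker-compose.yml", "docker-compose.yaml", "compose.yml"]) {
+const composePath = path.join(projectPath, composeFile);
+if (fs.existsSync(composePath)) {
+const content = fs.readFileSync(composePath, "utf8");
+const check = (re, type, port, pii) => {
+if (re.test(content) && !seen.has(type)) {
+seen.add(type);
+stores.push({ type, host: "docker", port, encrypted: false, contains_pii: pii ? null : false, detectedFrom: composeFile });
+}
+};
+check(/postgres/i, "postgresql", 5432, true);
+check(/mysql|mariadb/i, "mysql", 3306, true);
+check(/mongo/i, "mongodb", 27017, true);
+check(/redis/i, "redis", 6379, false);
+}
+}
+return stores;
+}
+//# sourceMappingURL=dataStoreDetector.js.map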
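Review bot: The docker-compose branch of `detectDataStores` reports `encrypted: false` for every match and `contains_pii: false` for Redis, although nothing in the function inspects TLS settings or stored data; the package.json, requirements.txt and .env branches all use `null` for these fields. Any posture report built on this output would present a definite finding derived from a bare `/postgres/i` or `/redis/i` text match, and the Redis value is a false negative whenever session or token data is kept there. I would have `check` push `encrypted: null, contains_pii: null` until the compose service definition is actually parsed. Separately, only the package.json read sits inside `try`; the `readFileSync` calls for requirements.txt, the .env files and the compose files can throw (unreadable file, or a directory with that name) and reject the whole scan, so they should get the same guard.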
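--- a/package/build/shield/discovery/dockerScanner.d.ts
+++ b/package/build/shield/discovery/dockerScanner.d.ts
@@ -0,0 +1,34 @@
+/**
+* Docker environment scanner — Phase 2, READ-ONLY Docker daemon inspection.
+*
+* Maps a local Docker environment into the SAME normalized {@link RawEnvironment}
+* shape the macOS scanner produces, so {@link topologyNormalizer.buildInfraPlane}
+* folds it into the frozen topology envelope through the identical code path.
+* Docker supplies the INFRA plane only; the ZT plane is still built solely from
+* the Shield Broker.
+*
+* SECURITY MODEL (hard requirements — mirrors environmentScanner.ts):
+* - Only the `docker` binary is ever executed, and only with READ-ONLY
+* subcommands (version/info/ps/inspect/network ls|inspect/volume ls|inspect/
+* stats). No run/stop/rm/exec/build — enforced at type + runtime.
+* - Every spawn uses execFile with an ARGUMENT ARRAY — never a shell string,
+* never string-interpolation. Container/network/volume ids come from CLI
+* output; any id beginning with "-" is rejected and option parsing is
+* terminated with `--` so an id can never be read as a flag.
+* - Every spawn has a timeout + maxBuffer. A missing binary, a failed
+* `docker info` (daemon down), malformed output, or a timeout DEGRADES
+* GRACEFULLY: we return whatever we have plus a human-readable note. The
+* scan must never throw.
+*/
+import type { RawEnvironment } from "./environmentScanner";
+/**
+* Inspect the local Docker environment READ-ONLY and return the raw environment
+* in the SAME shape as {@link scanMacEnvironment}. Never throws: any failure is
+* captured in `notes` and the corresponding section is returned empty/partial.
+*
+* `listeningPorts` is left empty for the Docker provider — published container
+* ports are already surfaced per-container; host-level TCP LISTEN inspection is
+* the macOS scanner's concern.
+*/
+export declare function scanDockerEnvironment(): Promise<RawEnvironment>;
+//# sourceMappingURL=dockerScanner.d.ts.map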
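Review bot: The SECURITY MODEL header covers how `docker` is invoked but says nothing about the sensitivity of what the read-only subcommands return. `docker inspect` output normally includes each container's environment variables, labels and mount paths, which often hold credentials. The header should state whether those values are dropped or redacted before they reach `RawEnvironment`, for example with a bullet such as `* - Container env values and other secret-bearing inspect fields are never copied into the result; only names/ids/ports are kept.`, provided that matches the implementation. That implementation (dockerScanner.js) is not shown in this section, so the existing "enforced at type + runtime" claim and any redaction need to be confirmed there.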