npm - @clampd/mcp-proxy - Versions diffs - 0.2.0 - Mend

@clampd/mcp-proxy 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/interceptor.js ADDED Viewed

@@ -0,0 +1,274 @@
+/**
+ * Gateway communication — classifies tool calls, scans input/output,
+ * and validates responses through ag-gateway.
+ *
+ * This is the security boundary: every MCP tool call passes through here
+ * before reaching the upstream server.
+ */
+import { createHmac, createHash } from "node:crypto";
+import { log } from "./logger.js";
+// ── Tool descriptor hashing ──────────────────────────────────────────
+/** Compute SHA-256 hex hash of a tool descriptor for rug-pull detection. */
+export function computeToolDescriptorHash(tool) {
+    const canonical = JSON.stringify({
+        name: tool.name,
+        description: tool.description ?? "",
+        inputSchema: tool.inputSchema ?? {},
+    });
+    return createHash("sha256").update(canonical).digest("hex");
+}
+/** Build a lookup map of tool name → descriptor hash. */
+export function buildDescriptorMap(tools) {
+    const map = new Map();
+    for (const tool of tools) {
+        map.set(tool.name, computeToolDescriptorHash(tool));
+    }
+    return map;
+}
+// ── JWT generation ────────────────────────────────────────────────────
+function makeAgentJwt(agentId, secret) {
+    if (!secret) {
+        throw new Error("No JWT signing secret available. " +
+            "Set JWT_SECRET env var or pass --secret flag.");
+    }
+    // Derive signing key: ags_ prefixed secrets get SHA-256 hashed
+    // to match the credential_hash stored server-side in Redis.
+    const signingKey = secret.startsWith("ags_")
+        ? createHash("sha256").update(secret).digest("hex")
+        : secret;
+    const header = { alg: "HS256", typ: "JWT" };
+    const payload = {
+        sub: agentId,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 300, // 5 minutes
+        iss: "clampd-mcp-proxy",
+    };
+    const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
+    const headerB64 = encode(header);
+    const payloadB64 = encode(payload);
+    const signature = createHmac("sha256", signingKey)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest("base64url");
+    return `${headerB64}.${payloadB64}.${signature}`;
+}
+// ── Shared helpers ───────────────────────────────────────────────────
+function makeHeaders(apiKey, agentId, secret, authorizedTools) {
+    const jwt = makeAgentJwt(agentId, secret);
+    const h = {
+        "Content-Type": "application/json",
+        "X-AG-Key": apiKey,
+        "Authorization": `Bearer ${jwt}`,
+    };
+    if (authorizedTools && authorizedTools.length > 0) {
+        h["X-AG-Authorized-Tools"] = authorizedTools.join(",");
+    }
+    return h;
+}
+function baseUrl(gatewayUrl) {
+    return gatewayUrl.replace(/\/$/, "");
+}
+// ── Gateway classify ─────────────────────────────────────────────────
+export async function classifyToolCall(gatewayUrl, apiKey, secret, agentId, toolName, params, dryRun = false, toolDescriptorHash, authorizedTools, toolDescription, toolParamsSchema) {
+    const endpoint = dryRun ? "/v1/verify" : "/v1/proxy";
+    const url = `${baseUrl(gatewayUrl)}${endpoint}`;
+    // MCP proxy handles upstream forwarding itself — use evaluate-only
+    // mode (empty target_url) so the gateway runs stages 1-6 and returns
+    // the allow/deny verdict without attempting to forward to mcp://.
+    const body = {
+        tool: toolName,
+        params,
+        target_url: "",
+    };
+    if (!dryRun) {
+        body.prompt_context = `MCP tool call: ${toolName}`;
+    }
+    if (toolDescriptorHash) {
+        body.tool_descriptor_hash = toolDescriptorHash;
+    }
+    if (toolDescription) {
+        body.tool_description = toolDescription;
+    }
+    if (toolParamsSchema) {
+        body.tool_params_schema = toolParamsSchema;
+    }
+    log("debug", `POST ${url} — tool=${toolName}`);
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: makeHeaders(apiKey, agentId, secret, authorizedTools),
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(5_000),
+    });
+    if (!resp.ok) {
+        const text = await resp.text().catch(() => `HTTP ${resp.status}`);
+        throw new Error(`Gateway returned ${resp.status}: ${text}`);
+    }
+    const json = (await resp.json());
+    return {
+        allowed: json.allowed,
+        risk_score: json.risk_score ?? 0,
+        matched_rules: json.matched_rules ?? [],
+        denial_reason: json.denial_reason,
+        scope_granted: json.scope_granted,
+        request_id: json.request_id,
+        scope_token: json.scope_token,
+        latency_ms: json.latency_ms ?? 0,
+        degraded_stages: json.degraded_stages ?? [],
+        session_flags: json.session_flags ?? [],
+        action: json.action,
+        reasoning: json.reasoning,
+    };
+}
+// ── Input scanning ───────────────────────────────────────────────────
+export async function scanInput(gatewayUrl, apiKey, secret, agentId, text) {
+    const url = `${baseUrl(gatewayUrl)}/v1/scan-input`;
+    log("debug", `POST ${url} — scan-input (${text.length} chars)`);
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: makeHeaders(apiKey, agentId, secret),
+        body: JSON.stringify({ text }),
+        signal: AbortSignal.timeout(5_000),
+    });
+    if (!resp.ok) {
+        const body = await resp.text().catch(() => `HTTP ${resp.status}`);
+        throw new Error(`scan-input returned ${resp.status}: ${body}`);
+    }
+    const json = (await resp.json());
+    return {
+        allowed: json.allowed,
+        risk_score: json.risk_score ?? 0,
+        matched_rules: json.matched_rules ?? [],
+        denial_reason: json.denial_reason,
+        latency_ms: json.latency_ms ?? 0,
+    };
+}
+// ── Output scanning ──────────────────────────────────────────────────
+export async function scanOutput(gatewayUrl, apiKey, secret, agentId, text, requestId) {
+    const url = `${baseUrl(gatewayUrl)}/v1/scan-output`;
+    log("debug", `POST ${url} — scan-output (${text.length} chars)`);
+    const body = { text };
+    if (requestId)
+        body.request_id = requestId;
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: makeHeaders(apiKey, agentId, secret),
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(5_000),
+    });
+    if (!resp.ok) {
+        const respBody = await resp.text().catch(() => `HTTP ${resp.status}`);
+        throw new Error(`scan-output returned ${resp.status}: ${respBody}`);
+    }
+    const json = (await resp.json());
+    return {
+        allowed: json.allowed,
+        risk_score: json.risk_score ?? 0,
+        matched_rules: json.matched_rules ?? [],
+        denial_reason: json.denial_reason,
+        latency_ms: json.latency_ms ?? 0,
+        pii_found: json.pii_found,
+        secrets_found: json.secrets_found,
+    };
+}
+// ── Response inspection ──────────────────────────────────────────────
+export async function inspectResponse(gatewayUrl, apiKey, secret, agentId, toolName, responseData, requestId, scopeToken) {
+    const url = `${baseUrl(gatewayUrl)}/v1/inspect`;
+    log("debug", `POST ${url} — inspect response for ${toolName}`);
+    const body = {
+        tool: toolName,
+        response_data: responseData,
+    };
+    if (requestId)
+        body.request_id = requestId;
+    if (scopeToken)
+        body.scope_token = scopeToken;
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: makeHeaders(apiKey, agentId, secret),
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(5_000),
+    });
+    if (!resp.ok) {
+        const respBody = await resp.text().catch(() => `HTTP ${resp.status}`);
+        throw new Error(`inspect returned ${resp.status}: ${respBody}`);
+    }
+    const json = (await resp.json());
+    return {
+        allowed: json.allowed,
+        risk_score: json.risk_score ?? 0,
+        matched_rules: json.matched_rules ?? [],
+        denial_reason: json.denial_reason,
+        latency_ms: json.latency_ms ?? 0,
+    };
+}
+/**
+ * Register discovered tools with the gateway at startup.
+ *
+ * Sends a lightweight `/v1/proxy` call (evaluate-only, target_url="") for
+ * each tool with benign empty params. This triggers the shadow event pipeline
+ * in ag-gateway, which ag-control picks up to auto-capture tool descriptors
+ * into the `tool_descriptors` table. If the org has `auto_trust` enabled,
+ * tools are auto-approved and their scopes synced to Redis — preventing
+ * `tool_not_registered` (422) errors on subsequent real calls.
+ *
+ * Requests run in parallel with a concurrency cap to avoid overwhelming
+ * the gateway. Registration is idempotent (safe to re-run on restart).
+ */
+export async function registerTools(gatewayUrl, apiKey, secret, agentId, tools, descriptorMap) {
+    const url = `${baseUrl(gatewayUrl)}/v1/proxy`;
+    const toolNames = tools.map((t) => t.name);
+    const result = { registered: 0, failed: 0, errors: [] };
+    // Process in batches of 5 to avoid overwhelming the gateway
+    const BATCH_SIZE = 5;
+    for (let i = 0; i < tools.length; i += BATCH_SIZE) {
+        const batch = tools.slice(i, i + BATCH_SIZE);
+        const promises = batch.map(async (tool) => {
+            const body = {
+                tool: tool.name,
+                params: {},
+                target_url: "",
+                prompt_context: `MCP startup registration: ${tool.name}`,
+            };
+            const hash = descriptorMap.get(tool.name);
+            if (hash) {
+                body.tool_descriptor_hash = hash;
+            }
+            if (tool.description) {
+                body.tool_description = tool.description;
+            }
+            if (tool.inputSchema) {
+                body.tool_params_schema = JSON.stringify(tool.inputSchema);
+            }
+            try {
+                const resp = await fetch(url, {
+                    method: "POST",
+                    headers: makeHeaders(apiKey, agentId, secret, toolNames),
+                    body: JSON.stringify(body),
+                    signal: AbortSignal.timeout(10_000),
+                });
+                if (!resp.ok) {
+                    const text = await resp.text().catch(() => `HTTP ${resp.status}`);
+                    // 422 tool_not_registered is expected when auto_trust is off —
+                    // the shadow event was still emitted, so discovery still works.
+                    if (resp.status === 422) {
+                        result.registered++;
+                        return;
+                    }
+                    result.failed++;
+                    result.errors.push({ tool: tool.name, error: `${resp.status}: ${text}` });
+                    return;
+                }
+                result.registered++;
+            }
+            catch (err) {
+                result.failed++;
+                result.errors.push({
+                    tool: tool.name,
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
+        });
+        await Promise.all(promises);
+    }
+    return result;
+}
+//# sourceMappingURL=interceptor.js.map

package/dist/interceptor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interceptor.js","sourceRoot":"","sources":["../src/interceptor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAwDlC,wEAAwE;AAExE,4EAA4E;AAC5E,MAAM,UAAU,yBAAyB,CAAC,IAAa;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;QACnC,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;KACpC,CAAC,CAAC;IACH,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,kBAAkB,CAAC,KAAgB;IACjD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yEAAyE;AAEzE,SAAS,YAAY,CAAC,OAAe,EAAE,MAAc;IACnD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,mCAAmC;YACnC,+CAA+C,CAChD,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,4DAA4D;IAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1C,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACnD,CAAC,CAAC,MAAM,CAAC;IAEX,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG;QACd,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAClC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,EAAE,YAAY;QACtD,GAAG,EAAE,kBAAkB;KACxB,CAAC;IAEF,MAAM,MAAM,GAAG,CAAC,GAA4B,EAAE,EAAE,CAC9C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAEzD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;SACpC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvB,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED,wEAAwE;AAExE,SAAS,WAAW,CAAC,MAAc,EAAE,OAAe,EAAE,MAAc,EAAE,eAA0B;IAC9F,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,GAA2B;QAChC,cAAc,EAAE,kBAAkB;QAClC,UAAU,EAAE,MAAM;QAClB,eAAe,EAAE,UAAU,GAAG,EAAE;KACjC,CAAC;IACF,IAAI,eAAe,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,CAAC,CAAC,uBAAuB,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,OAAO,CAAC,UAAkB;IACjC,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAAkB,EAClB,MAAc,EACd,MAAc,EACd,OAAe,EACf,QAAgB,EAChB,MAA+B,EAC/B,MAAM,GAAG,KAAK,EACd,kBAA2B,EAC3B,eAA0B,EAC1B,eAAwB,EACxB,gBAAyB;IAEzB,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC;IACrD,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,QAAQ,EAAE,CAAC;IAEhD,mEAAmE;IACnE,qEAAqE;IACrE,kEAAkE;IAClE,MAAM,IAAI,GAA4B;QACpC,IAAI,EAAE,QAAQ;QACd,MAAM;QACN,UAAU,EAAE,EAAE;KACf,CAAC;IAEF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,cAAc,GAAG,kBAAkB,QAAQ,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,kBAAkB,EAAE,CAAC;QACvB,IAAI,CAAC,oBAAoB,GAAG,kBAAkB,CAAC;IACjD,CAAC;IACD,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,CAAC,gBAAgB,GAAG,eAAe,CAAC;IAC1C,CAAC;IACD,IAAI,gBAAgB,EAAE,CAAC;QACrB,IAAI,CAAC,kBAAkB,GAAG,gBAAgB,CAAC;IAC7C,CAAC;IAED,GAAG,CAAC,OAAO,EAAE,QAAQ,GAAG,WAAW,QAAQ,EAAE,CAAC,CAAC;IAE/C,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC;QAC9D,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;IAE5D,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAkB;QAChC,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,aAAa,EAAG,IAAI,CAAC,aAA0B,IAAI,EAAE;QACrD,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,UAAU,EAAE,IAAI,CAAC,UAAgC;QACjD,WAAW,EAAE,IAAI,CAAC,WAAiC;QACnD,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,eAAe,EAAG,IAAI,CAAC,eAA4B,IAAI,EAAE;QACzD,aAAa,EAAG,IAAI,CAAC,aAA0B,IAAI,EAAE;QACrD,MAAM,EAAE,IAAI,CAAC,MAA4B;QACzC,SAAS,EAAE,IAAI,CAAC,SAA+B;KAChD,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,UAAkB,EAClB,MAAc,EACd,MAAc,EACd,OAAe,EACf,IAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC;IAEnD,GAAG,CAAC,OAAO,EAAE,QAAQ,GAAG,kBAAkB,IAAI,CAAC,MAAM,SAAS,CAAC,CAAC;IAEhE,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC7C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;QAC9B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;IAC5D,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAkB;QAChC,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,aAAa,EAAG,IAAI,CAAC,aAA0B,IAAI,EAAE;QACrD,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,MAAc,EACd,MAAc,EACd,OAAe,EACf,IAAY,EACZ,SAAkB;IAElB,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC;IAEpD,GAAG,CAAC,OAAO,EAAE,QAAQ,GAAG,mBAAmB,IAAI,CAAC,MAAM,SAAS,CAAC,CAAC;IAEjE,MAAM,IAAI,GAA4B,EAAE,IAAI,EAAE,CAAC;IAC/C,IAAI,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAE3C,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC7C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;IAC5D,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAkB;QAChC,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,aAAa,EAAG,IAAI,CAAC,aAA0B,IAAI,EAAE;QACrD,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,SAAS,EAAE,IAAI,CAAC,SAAoC;QACpD,aAAa,EAAE,IAAI,CAAC,aAA4C;KACjE,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,UAAkB,EAClB,MAAc,EACd,MAAc,EACd,OAAe,EACf,QAAgB,EAChB,YAAqB,EACrB,SAAkB,EAClB,UAAmB;IAEnB,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC;IAEhD,GAAG,CAAC,OAAO,EAAE,QAAQ,GAAG,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,IAAI,GAA4B;QACpC,IAAI,EAAE,QAAQ;QACd,aAAa,EAAE,YAAY;KAC5B,CAAC;IACF,IAAI,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;IAC3C,IAAI,UAAU;QAAE,IAAI,CAAC,WAAW,GAAG,UAAU,CAAC;IAE9C,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC7C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;IAC5D,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAkB;QAChC,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;QAC5C,aAAa,EAAG,IAAI,CAAC,aAA0B,IAAI,EAAE;QACrD,aAAa,EAAE,IAAI,CAAC,aAAmC;QACvD,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;KAC7C,CAAC;AACJ,CAAC;AAUD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB,EAClB,MAAc,EACd,MAAc,EACd,OAAe,EACf,KAAgB,EAChB,aAAkC;IAElC,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC;IAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAwB,EAAE,UAAU,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAE7E,4DAA4D;IAC5D,MAAM,UAAU,GAAG,CAAC,CAAC;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YACxC,MAAM,IAAI,GAA4B;gBACpC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM,EAAE,EAAE;gBACV,UAAU,EAAE,EAAE;gBACd,cAAc,EAAE,6BAA6B,IAAI,CAAC,IAAI,EAAE;aACzD,CAAC;YAEF,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC;YACnC,CAAC;YACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,WAAW,CAAC;YAC3C,CAAC;YACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC7D,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAC5B,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC;oBACxD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;oBAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;iBACpC,CAAC,CAAC;gBAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;oBACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;oBAClE,+DAA+D;oBAC/D,gEAAgE;oBAChE,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;wBACxB,MAAM,CAAC,UAAU,EAAE,CAAC;wBACpB,OAAO;oBACT,CAAC;oBACD,MAAM,CAAC,MAAM,EAAE,CAAC;oBAChB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,EAAE,CAAC,CAAC;oBAC1E,OAAO;gBACT,CAAC;gBAED,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/logger.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Minimal logger that writes to stderr (to avoid corrupting MCP stdio streams).
+ */
+export declare function setVerbose(v: boolean): void;
+export declare function log(level: "info" | "warn" | "error" | "debug", msg: string): void;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO,GAAG,IAAI,CAE3C;AAED,wBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAMjF"}

package/dist/logger.js ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Minimal logger that writes to stderr (to avoid corrupting MCP stdio streams).
+ */
+let verbose = false;
+export function setVerbose(v) {
+    verbose = v;
+}
+export function log(level, msg) {
+    if (level === "debug" && !verbose)
+        return;
+    const ts = new Date().toISOString();
+    const prefix = `[${ts}] [clampd-mcp-proxy] [${level}]`;
+    process.stderr.write(`${prefix} ${msg}\n`);
+}
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,IAAI,OAAO,GAAG,KAAK,CAAC;AAEpB,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,GAAG,CAAC,CAAC;AACd,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,KAA0C,EAAE,GAAW;IACzE,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,OAAO;QAAE,OAAO;IAE1C,MAAM,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,EAAE,yBAAyB,KAAK,GAAG,CAAC;IACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC;AAC7C,CAAC"}

package/dist/mock-server.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+/**
+ * Mock MCP server with role-specific tool sets.
+ *
+ * Usage:
+ *   node mock-server.js analyst   → data analysis tools
+ *   node mock-server.js devops    → infrastructure tools
+ *   node mock-server.js dbadmin   → database tools
+ *   node mock-server.js all       → every tool (default)
+ *
+ * Runs over stdio so the MCP proxy can spawn it as an upstream.
+ */
+export {};
+//# sourceMappingURL=mock-server.d.ts.map

package/dist/mock-server.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"mock-server.d.ts","sourceRoot":"","sources":["../src/mock-server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;GAUG"}

package/dist/mock-server.js ADDED Viewed

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+/**
+ * Mock MCP server with role-specific tool sets.
+ *
+ * Usage:
+ *   node mock-server.js analyst   → data analysis tools
+ *   node mock-server.js devops    → infrastructure tools
+ *   node mock-server.js dbadmin   → database tools
+ *   node mock-server.js all       → every tool (default)
+ *
+ * Runs over stdio so the MCP proxy can spawn it as an upstream.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+const role = process.argv[2] ?? "all";
+const server = new McpServer({
+    name: `clampd-mock-${role}`,
+    version: "1.0.0",
+});
+// ── Database tools ──────────────────────────────────────────────
+const dbTools = () => {
+    server.tool("database_query", "Execute a SQL query against the database", { query: z.string().describe("SQL query to execute") }, async ({ query }) => ({
+        content: [{ type: "text", text: `[mock] Query result for: ${query}\n\n| id | name | email |\n|----|------|-------|\n| 1 | Alice | alice@example.com |\n| 2 | Bob | bob@example.com |` }],
+    }));
+    server.tool("database_schema", "Get database schema information", { table: z.string().optional().describe("Table name (omit for all tables)") }, async ({ table }) => ({
+        content: [{ type: "text", text: `[mock] Schema for ${table ?? "all tables"}:\n\nusers (id INT PK, name VARCHAR, email VARCHAR, ssn VARCHAR)\norders (id INT PK, user_id INT FK, total DECIMAL)\npayments (id INT PK, card_number VARCHAR, cvv VARCHAR)` }],
+    }));
+    server.tool("database_mutate", "Execute a write/mutation query (INSERT, UPDATE, DELETE)", { query: z.string().describe("SQL mutation to execute") }, async ({ query }) => ({
+        content: [{ type: "text", text: `[mock] Mutation executed: ${query}\nRows affected: 1` }],
+    }));
+};
+// ── Shell / Infrastructure tools ────────────────────────────────
+const shellTools = () => {
+    server.tool("shell_exec", "Execute a shell command on the server", { command: z.string().describe("Shell command to execute") }, async ({ command }) => ({
+        content: [{ type: "text", text: `[mock] $ ${command}\nCommand output simulated. Exit code: 0` }],
+    }));
+    server.tool("process_list", "List running processes", { filter: z.string().optional().describe("Process name filter") }, async ({ filter }) => ({
+        content: [{ type: "text", text: `[mock] PID  CMD\n1    systemd\n142  nginx\n203  postgres\n${filter ? `(filtered by: ${filter})` : ""}` }],
+    }));
+    server.tool("docker_exec", "Execute a command inside a Docker container", {
+        container: z.string().describe("Container name or ID"),
+        command: z.string().describe("Command to execute"),
+    }, async ({ container, command }) => ({
+        content: [{ type: "text", text: `[mock] docker exec ${container} ${command}\nOutput simulated.` }],
+    }));
+    server.tool("kubernetes_apply", "Apply a Kubernetes manifest", { manifest: z.string().describe("YAML manifest content") }, async ({ manifest }) => ({
+        content: [{ type: "text", text: `[mock] kubectl apply -f -\n${manifest.substring(0, 100)}...\nresource/configured` }],
+    }));
+};
+// ── Filesystem tools ────────────────────────────────────────────
+const fsTools = () => {
+    server.tool("filesystem_read", "Read contents of a file", { path: z.string().describe("File path to read") }, async ({ path }) => ({
+        content: [{ type: "text", text: `[mock] Contents of ${path}:\nSample file content here.` }],
+    }));
+    server.tool("filesystem_write", "Write content to a file", {
+        path: z.string().describe("File path to write"),
+        content: z.string().describe("Content to write"),
+    }, async ({ path, content }) => ({
+        content: [{ type: "text", text: `[mock] Wrote ${content.length} bytes to ${path}` }],
+    }));
+    server.tool("filesystem_list", "List files in a directory", { path: z.string().describe("Directory path") }, async ({ path }) => ({
+        content: [{ type: "text", text: `[mock] ${path}/\n  config.yml\n  data.csv\n  README.md\n  .env\n  credentials.json` }],
+    }));
+};
+// ── Network / HTTP tools ────────────────────────────────────────
+const netTools = () => {
+    server.tool("http_fetch", "Make an HTTP request to a URL", {
+        url: z.string().describe("URL to fetch"),
+        method: z.string().optional().describe("HTTP method (GET, POST, etc.)"),
+    }, async ({ url, method }) => ({
+        content: [{ type: "text", text: `[mock] ${method ?? "GET"} ${url}\nStatus: 200 OK\nBody: {"status": "ok"}` }],
+    }));
+    server.tool("network_scan", "Scan a network range for open ports", {
+        target: z.string().describe("IP or CIDR range to scan"),
+        ports: z.string().optional().describe("Port range (e.g., 1-1024)"),
+    }, async ({ target, ports }) => ({
+        content: [{ type: "text", text: `[mock] Scanning ${target} ports ${ports ?? "1-1024"}\n22/tcp open ssh\n80/tcp open http\n443/tcp open https` }],
+    }));
+};
+// ── Email / Communication tools ─────────────────────────────────
+const emailTools = () => {
+    server.tool("email_send", "Send an email message", {
+        to: z.string().describe("Recipient email address"),
+        subject: z.string().describe("Email subject"),
+        body: z.string().describe("Email body content"),
+    }, async ({ to, subject }) => ({
+        content: [{ type: "text", text: `[mock] Email sent to ${to}\nSubject: ${subject}\nStatus: delivered` }],
+    }));
+    server.tool("email_search", "Search emails by query", { query: z.string().describe("Search query") }, async ({ query }) => ({
+        content: [{ type: "text", text: `[mock] Search results for "${query}":\n1. Meeting notes - from boss@company.com\n2. Invoice #1234 - from billing@vendor.com` }],
+    }));
+};
+// ── LLM / AI tools ──────────────────────────────────────────────
+const llmTools = () => {
+    server.tool("llm_prompt", "Send a prompt to an LLM and get a response", {
+        prompt: z.string().describe("The prompt to send"),
+        model: z.string().optional().describe("Model to use"),
+    }, async ({ prompt, model }) => ({
+        content: [{ type: "text", text: `[mock] ${model ?? "default"} response to: "${prompt.substring(0, 80)}..."\n\nThis is a simulated LLM response.` }],
+    }));
+    server.tool("llm_embed", "Generate embeddings for text", { text: z.string().describe("Text to embed") }, async ({ text }) => ({
+        content: [{ type: "text", text: `[mock] Embedding for "${text.substring(0, 50)}...":\n[0.0234, -0.1456, 0.8901, ...]  (1536 dimensions)` }],
+    }));
+};
+// ── Auth / Secrets tools ────────────────────────────────────────
+const authTools = () => {
+    server.tool("secret_read", "Read a secret from the vault", { key: z.string().describe("Secret key name") }, async ({ key }) => ({
+        content: [{ type: "text", text: `[mock] Secret "${key}": ****redacted****` }],
+    }));
+    server.tool("credential_rotate", "Rotate a credential or API key", { service: z.string().describe("Service name") }, async ({ service }) => ({
+        content: [{ type: "text", text: `[mock] Rotated credential for ${service}. New key: ak_****new****` }],
+    }));
+};
+// ── Register tools by role ──────────────────────────────────────
+const roleMap = {
+    analyst: [dbTools, netTools, llmTools, emailTools],
+    devops: [shellTools, fsTools, netTools, authTools],
+    dbadmin: [dbTools, fsTools, authTools],
+    all: [dbTools, shellTools, fsTools, netTools, emailTools, llmTools, authTools],
+};
+const register = roleMap[role] ?? roleMap.all;
+for (const fn of register)
+    fn();
+// ── Start ───────────────────────────────────────────────────────
+const transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=mock-server.js.map

package/dist/mock-server.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mock-server.js","sourceRoot":"","sources":["../src/mock-server.ts"],"names":[],"mappings":";AACA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;AAEtC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,eAAe,IAAI,EAAE;IAC3B,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,mEAAmE;AACnE,MAAM,OAAO,GAAG,GAAG,EAAE;IACnB,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,0CAA0C,EAC1C,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,EACtD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACpB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,4BAA4B,KAAK,oHAAoH,EAAE,CAAC;KACzL,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,iCAAiC,EACjC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kCAAkC,CAAC,EAAE,EAC7E,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACpB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,qBAAqB,KAAK,IAAI,YAAY,6KAA6K,EAAE,CAAC;KAC3P,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,yDAAyD,EACzD,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC,EAAE,EACzD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACpB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,6BAA6B,KAAK,oBAAoB,EAAE,CAAC;KAC1F,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,UAAU,GAAG,GAAG,EAAE;IACtB,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,uCAAuC,EACvC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,EAC5D,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,OAAO,0CAA0C,EAAE,CAAC;KACjG,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,wBAAwB,EACxB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,EACjE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACrB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,6DAA6D,MAAM,CAAC,CAAC,CAAC,iBAAiB,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC;KAC3I,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,aAAa,EACb,6CAA6C,EAC7C;QACE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACtD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;KACnD,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QACjC,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,sBAAsB,SAAS,IAAI,OAAO,qBAAqB,EAAE,CAAC;KACnG,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB,6BAA6B,EAC7B,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,EAC1D,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;QACvB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,8BAA8B,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,0BAA0B,EAAE,CAAC;KACtH,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,OAAO,GAAG,GAAG,EAAE;IACnB,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,yBAAyB,EACzB,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,EAClD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,sBAAsB,IAAI,8BAA8B,EAAE,CAAC;KAC5F,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB,yBAAyB,EACzB;QACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QAC/C,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;KACjD,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,OAAO,CAAC,MAAM,aAAa,IAAI,EAAE,EAAE,CAAC;KACrF,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,2BAA2B,EAC3B,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,EAC/C,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,IAAI,sEAAsE,EAAE,CAAC;KACxH,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,QAAQ,GAAG,GAAG,EAAE;IACpB,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,+BAA+B,EAC/B;QACE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC;QACxC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+BAA+B,CAAC;KACxE,EACD,KAAK,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,MAAM,IAAI,KAAK,IAAI,GAAG,0CAA0C,EAAE,CAAC;KAC9G,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,qCAAqC,EACrC;QACE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC;QACvD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;KACnE,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,MAAM,UAAU,KAAK,IAAI,QAAQ,yDAAyD,EAAE,CAAC;KACjJ,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,UAAU,GAAG,GAAG,EAAE;IACtB,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,uBAAuB,EACvB;QACE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAClD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,CAAC;QAC7C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;KAChD,EACD,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,EAAE,cAAc,OAAO,qBAAqB,EAAE,CAAC;KACxG,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,wBAAwB,EACxB,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,EAC9C,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACpB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,8BAA8B,KAAK,0FAA0F,EAAE,CAAC;KACjK,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,QAAQ,GAAG,GAAG,EAAE;IACpB,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,4CAA4C,EAC5C;QACE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QACjD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC;KACtD,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,KAAK,IAAI,SAAS,kBAAkB,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,2CAA2C,EAAE,CAAC;KACpJ,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,WAAW,EACX,8BAA8B,EAC9B,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,EAC9C,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACnB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,yBAAyB,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,0DAA0D,EAAE,CAAC;KAC5I,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,SAAS,GAAG,GAAG,EAAE;IACrB,MAAM,CAAC,IAAI,CACT,aAAa,EACb,8BAA8B,EAC9B,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,EAC/C,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;QAClB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,qBAAqB,EAAE,CAAC;KAC9E,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,gCAAgC,EAChC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,EAChD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iCAAiC,OAAO,2BAA2B,EAAE,CAAC;KACvG,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,mEAAmE;AACnE,MAAM,OAAO,GAAmC;IAC9C,OAAO,EAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,CAAC;IACnD,MAAM,EAAI,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;IACpD,OAAO,EAAG,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC;IACvC,GAAG,EAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC;CACpF,CAAC;AAEF,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC;AAC9C,KAAK,MAAM,EAAE,IAAI,QAAQ;IAAE,EAAE,EAAE,CAAC;AAEhC,mEAAmE;AACnE,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC"}

package/dist/proxy.d.ts ADDED Viewed

@@ -0,0 +1,59 @@
+/**
+ * Core proxy logic: spawns the upstream MCP server, creates an SSE transport
+ * for downstream clients (Claude Desktop), and intercepts all tool calls
+ * through the Clampd gateway.
+ *
+ * Security features:
+ *   - Tool descriptor hashing (rug-pull detection)
+ *   - Input scanning (prompt injection, PII, secrets)
+ *   - Output scanning (PII/secrets leak prevention)
+ *   - Response inspection (scope token validation)
+ *   - Full audit trail via shadow events
+ *
+ * Architecture:
+ *
+ *   Claude Desktop ──SSE──► Clampd MCP Proxy ──stdio──► Upstream MCP Server
+ *                                   │
+ *                              ag-gateway
+ *                     (/v1/proxy, /v1/scan-input,
+ *                      /v1/scan-output, /v1/inspect)
+ */
+import { type ProxyEvent, type SessionStats } from "./dashboard.js";
+export interface ProxyOptions {
+    /** Shell command to spawn the upstream MCP server */
+    upstreamCommand: string;
+    /** Clampd gateway base URL */
+    gatewayUrl: string;
+    /** API key for gateway authentication */
+    apiKey: string;
+    /** Agent UUID registered with Clampd */
+    agentId: string;
+    /** Port for the SSE + dashboard server */
+    port: number;
+    /** JWT signing secret */
+    secret?: string;
+    /** Dry-run mode: /v1/verify instead of /v1/proxy */
+    dryRun: boolean;
+    /** Enable debug logging */
+    verbose: boolean;
+    /** Enable input scanning before tool classification */
+    scanInputEnabled: boolean;
+    /** Enable output scanning after tool execution */
+    scanOutputEnabled: boolean;
+    /** Enable response inspection (scope token validation) */
+    checkResponse: boolean;
+    /** Show demo attack panel in dashboard */
+    demoPanel?: boolean;
+    /** Agent display name (for fleet mode) */
+    agentName?: string;
+    /** Callback for fleet event aggregation */
+    onEvent?: (event: ProxyEvent & {
+        agentName?: string;
+    }) => void;
+}
+/** Export event log for fleet dashboard access */
+export declare function getEventLog(): ProxyEvent[];
+/** Export session stats for fleet dashboard access */
+export declare function getSessionStats(): SessionStats;
+export declare function startProxy(opts: ProxyOptions): Promise<void>;
+//# sourceMappingURL=proxy.d.ts.map

package/dist/proxy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../src/proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAaH,OAAO,EAAkB,KAAK,UAAU,EAAE,KAAK,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAKpF,MAAM,WAAW,YAAY;IAC3B,qDAAqD;IACrD,eAAe,EAAE,MAAM,CAAC;IACxB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,MAAM,EAAE,OAAO,CAAC;IAChB,2BAA2B;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,uDAAuD;IACvD,gBAAgB,EAAE,OAAO,CAAC;IAC1B,kDAAkD;IAClD,iBAAiB,EAAE,OAAO,CAAC;IAC3B,0DAA0D;IAC1D,aAAa,EAAE,OAAO,CAAC;IACvB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,UAAU,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;CAChE;AAuED,kDAAkD;AAClD,wBAAgB,WAAW,IAAI,UAAU,EAAE,CAE1C;AAED,sDAAsD;AACtD,wBAAgB,eAAe,IAAI,YAAY,CAE9C;AAgGD,wBAAsB,UAAU,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA4elE"}