@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/src/core/audit/writer.ts

@@ -0,0 +1,68 @@
+import { appendFile, mkdir } from "node:fs/promises";
+import { join } from "node:path";
+
+export type AuditEvidenceLevel = "required" | "diagnostic";
+export type AuditEventType =
+  | "tool_call"
+  | "workflow_transition"
+  | "review_result"
+  | "policy_sync"
+  | "approval"
+  | "session"
+  | "security_scan";
+
+export type AuditEntry = {
+  timestamp: string;
+  tool: string;
+  input: Record<string, unknown>;
+  result_count: number;
+  entities_returned: string[];
+  rules_applied: string[];
+  duration_ms: number;
+  status?: "success" | "error";
+  error?: string;
+  event_type?: AuditEventType;
+  evidence_level?: AuditEvidenceLevel;
+  resource_type?: string;
+  resource_id?: string;
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+  metadata?: Record<string, unknown>;
+};
+
+type AuditWriterOptions = {
+  onEntry?: (entry: AuditEntry) => void;
+};
+
+export class AuditWriter {
+  private readonly auditDir: string;
+  private readonly onEntry: ((entry: AuditEntry) => void) | null;
+  private initialized = false;
+
+  constructor(contextDir: string, options: AuditWriterOptions = {}) {
+    this.auditDir = join(contextDir, "audit");
+    this.onEntry = options.onEntry ?? null;
+  }
+
+  log(entry: AuditEntry): void {
+    const date = entry.timestamp.slice(0, 10); // YYYY-MM-DD
+    const filePath = join(this.auditDir, `${date}.jsonl`);
+    const line = JSON.stringify(entry) + "\n";
+
+    this.onEntry?.(entry);
+
+    // Fire-and-forget async write — don't block the tool handler
+    this.writeAsync(filePath, line).catch(() => {
+      process.stderr.write("[cortex-enterprise] Failed to write audit entry\n");
+    });
+  }
+
+  private async writeAsync(filePath: string, line: string): Promise<void> {
+    if (!this.initialized) {
+      await mkdir(this.auditDir, { recursive: true });
+      this.initialized = true;
+    }
+    await appendFile(filePath, line);
+  }
+}

package/scaffold/mcp/src/core/config.ts

@@ -0,0 +1,329 @@
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import type { Role, RBACConfig } from "./rbac/check.js";
+import { parseValidatorsConfig, type ValidatorsConfig } from "./validators/config.js";
+
+export type TelemetryConfig = {
+  enabled: boolean;
+  endpoint: string;
+  api_key: string;
+  interval_minutes: number;
+};
+
+export type EnterpriseServiceConfig = {
+  endpoint: string;
+  api_key: string;
+  base_url: string;
+};
+
+export type EnterpriseActivation =
+  | { active: true; reason: "active"; endpoint: string; api_key: string }
+  | {
+      active: false;
+      reason:
+        | "missing_api_key"
+        | "missing_endpoint"
+        | "invalid_api_key_format"
+        | "invalid_endpoint_format";
+      endpoint: string | null;
+      api_key: string | null;
+    };
+
+export type AuditConfig = {
+  enabled: boolean;
+  retention_days: number;
+};
+
+export type PolicyConfig = {
+  enabled: boolean;
+  endpoint: string;
+  api_key: string;
+  sync_interval_minutes: number;
+};
+
+export type ComplianceFramework =
+  | "iso27001"
+  | "iso42001"
+  | "soc2"
+  | "gdpr"
+  | "ai_act"
+  | "nis2";
+
+export type ComplianceConfig = {
+  frameworks: ComplianceFramework[];
+  eu_addons: boolean;
+};
+
+export type GovernMode = "off" | "advisory" | "enforced";
+export type GovernTier = "prevent" | "wrap" | "detect" | "off";
+
+export type GovernConfig = {
+  mode: GovernMode;
+  sync_on_startup: boolean;
+  sync_interval_minutes: number;
+  tier_claude: GovernTier;
+  tier_codex: GovernTier;
+  tier_copilot: GovernTier;
+  detect_ungoverned: boolean;
+  govern_endpoint: string;
+};
+
+export type EnterpriseConfig = {
+  enterprise: EnterpriseServiceConfig;
+  telemetry: TelemetryConfig;
+  audit: AuditConfig;
+  policy: PolicyConfig;
+  rbac: RBACConfig;
+  validators: ValidatorsConfig;
+  compliance: ComplianceConfig;
+  govern: GovernConfig;
+};
+
+const DEFAULT_FRAMEWORKS: ComplianceFramework[] = ["iso27001", "iso42001", "soc2"];
+const EU_ADDON_FRAMEWORKS: ComplianceFramework[] = ["gdpr", "ai_act", "nis2"];
+const VALID_FRAMEWORKS = new Set<ComplianceFramework>([
+  ...DEFAULT_FRAMEWORKS,
+  ...EU_ADDON_FRAMEWORKS,
+]);
+const VALID_MODES = new Set<GovernMode>(["off", "advisory", "enforced"]);
+const VALID_TIERS = new Set<GovernTier>(["prevent", "wrap", "detect", "off"]);
+
+const DEFAULTS: EnterpriseConfig = {
+  enterprise: {
+    endpoint: "",
+    api_key: "",
+    base_url: "",
+  },
+  telemetry: {
+    enabled: false,
+    endpoint: "",
+    api_key: "",
+    interval_minutes: 10,
+  },
+  audit: {
+    enabled: true,
+    retention_days: 90,
+  },
+  policy: {
+    enabled: true,
+    endpoint: "",
+    api_key: "",
+    sync_interval_minutes: 240,
+  },
+  rbac: {
+    enabled: false,
+    default_role: "developer",
+  },
+  validators: {},
+  compliance: {
+    frameworks: [],
+    eu_addons: false,
+  },
+  govern: {
+    mode: "off",
+    sync_on_startup: true,
+    sync_interval_minutes: 60,
+    tier_claude: "prevent",
+    tier_codex: "prevent",
+    tier_copilot: "wrap",
+    detect_ungoverned: true,
+    govern_endpoint: "",
+  },
+};
+
+const VALID_ROLES: Role[] = ["admin", "developer", "readonly"];
+
+function isValidRole(value: string | undefined): value is Role {
+  return VALID_ROLES.includes(value as Role);
+}
+
+function stripInlineComment(value: string): string {
+  // Strip # comments that aren't inside quotes
+  const singleMatch = value.match(/^'([^']*)'(\s*#.*)?$/);
+  if (singleMatch) return singleMatch[1];
+  const doubleMatch = value.match(/^"([^"]*)"(\s*#.*)?$/);
+  if (doubleMatch) return doubleMatch[1];
+  // Unquoted: strip from first # preceded by whitespace
+  const commentIdx = value.search(/\s+#/);
+  return commentIdx >= 0 ? value.slice(0, commentIdx).trimEnd() : value;
+}
+
+function parseInlineList(value: string): string[] | null {
+  const trimmed = value.trim();
+  if (!trimmed.startsWith("[") || !trimmed.endsWith("]")) return null;
+  const inner = trimmed.slice(1, -1).trim();
+  if (!inner) return [];
+  return inner
+    .split(",")
+    .map((part) => part.trim().replace(/^["']|["']$/g, ""))
+    .filter(Boolean);
+}
+
+function parseSimpleYaml(text: string): Record<string, string> {
+  const result: Record<string, string> = {};
+  let section = "";
+  for (const line of text.split("\n")) {
+    const trimmed = line.trimEnd();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+
+    const sectionMatch = trimmed.match(/^(\w+):\s*$/);
+    if (sectionMatch) {
+      section = sectionMatch[1];
+      continue;
+    }
+
+    const kvMatch = trimmed.match(/^\s+(\w+):\s*(.+?)\s*$/);
+    if (kvMatch && section) {
+      result[`${section}.${kvMatch[1]}`] = stripInlineComment(kvMatch[2]);
+      continue;
+    }
+
+    const topMatch = trimmed.match(/^(\w+):\s*(.+?)\s*$/);
+    if (topMatch) {
+      result[topMatch[1]] = stripInlineComment(topMatch[2]);
+    }
+  }
+  return result;
+}
+
+function isLikelyApiKey(value: string): boolean {
+  return /^(?:ctx|ent)_[A-Za-z0-9._-]{8,}$/.test(value);
+}
+
+function isLikelyHttpUrl(value: string): boolean {
+  try {
+    const parsed = new URL(value);
+    return parsed.protocol === "http:" || parsed.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+
+export function resolveEnterpriseActivation(config: EnterpriseConfig): EnterpriseActivation {
+  const apiKey = config.enterprise.api_key.trim();
+  const endpoint = config.enterprise.endpoint.trim();
+
+  if (!apiKey) {
+    return { active: false, reason: "missing_api_key", api_key: null, endpoint: endpoint || null };
+  }
+
+  if (!endpoint) {
+    return { active: false, reason: "missing_endpoint", api_key: apiKey, endpoint: null };
+  }
+
+  if (!isLikelyApiKey(apiKey)) {
+    return { active: false, reason: "invalid_api_key_format", api_key: apiKey, endpoint };
+  }
+
+  if (!isLikelyHttpUrl(endpoint)) {
+    return { active: false, reason: "invalid_endpoint_format", api_key: apiKey, endpoint };
+  }
+
+  return { active: true, reason: "active", api_key: apiKey, endpoint };
+}
+
+function deriveEndpoint(baseUrl: string, suffix: string): string {
+  if (!baseUrl) return "";
+  return baseUrl.replace(/\/$/, "") + suffix;
+}
+
+function isValidTier(value: string | undefined): value is GovernTier {
+  return value !== undefined && VALID_TIERS.has(value as GovernTier);
+}
+
+function isValidMode(value: string | undefined): value is GovernMode {
+  return value !== undefined && VALID_MODES.has(value as GovernMode);
+}
+
+function resolveFrameworks(rawList: string | undefined, euAddons: boolean): ComplianceFramework[] {
+  const parsed = rawList ? parseInlineList(rawList) : null;
+  const base = parsed && parsed.length > 0
+    ? parsed.filter((f): f is ComplianceFramework => VALID_FRAMEWORKS.has(f as ComplianceFramework))
+    : DEFAULT_FRAMEWORKS.slice();
+  if (!euAddons) return base;
+  const merged = new Set<ComplianceFramework>(base);
+  for (const f of EU_ADDON_FRAMEWORKS) merged.add(f);
+  return Array.from(merged);
+}
+
+export function loadEnterpriseConfig(contextDir: string): EnterpriseConfig {
+  let raw: string;
+  try {
+    raw = readFileSync(join(contextDir, "enterprise.yml"), "utf8");
+  } catch {
+    try {
+      raw = readFileSync(join(contextDir, "enterprise.yaml"), "utf8");
+    } catch {
+      return DEFAULTS;
+    }
+  }
+
+  const fields = parseSimpleYaml(raw);
+  const enterpriseApiKey = fields["enterprise.api_key"] ?? DEFAULTS.enterprise.api_key;
+  const baseUrl = (fields["enterprise.base_url"] ?? fields["enterprise.endpoint"] ?? "").replace(/\/$/, "");
+  const enterpriseEndpoint = fields["enterprise.endpoint"] ?? baseUrl;
+
+  const telemetryEndpoint =
+    fields["enterprise.endpoint_telemetry"] ??
+    fields["telemetry.endpoint"] ??
+    deriveEndpoint(baseUrl, "/api/v1/telemetry/push");
+  const telemetryApiKey = fields["telemetry.api_key"] ?? enterpriseApiKey;
+  const policyEndpoint =
+    fields["enterprise.endpoint_policy"] ??
+    fields["policy.endpoint"] ??
+    deriveEndpoint(baseUrl, "/api/v1/policies/sync");
+  const policyApiKey = fields["policy.api_key"] ?? enterpriseApiKey;
+  const governEndpoint =
+    fields["enterprise.endpoint_govern"] ??
+    deriveEndpoint(baseUrl, "/api/v1/govern");
+
+  const euAddons = fields["compliance.eu_addons"] === "true";
+  const frameworks = resolveFrameworks(fields["compliance.frameworks"], euAddons);
+
+  const governMode = isValidMode(fields["govern.mode"]) ? fields["govern.mode"] : DEFAULTS.govern.mode;
+
+  return {
+    enterprise: {
+      endpoint: enterpriseEndpoint,
+      api_key: enterpriseApiKey,
+      base_url: baseUrl,
+    },
+    telemetry: {
+      endpoint: telemetryEndpoint,
+      api_key: telemetryApiKey,
+      enabled: fields["telemetry.enabled"] !== undefined
+        ? fields["telemetry.enabled"] === "true"
+        : !!(telemetryEndpoint && telemetryApiKey),
+      interval_minutes: parseInt(fields["telemetry.interval_minutes"] ?? "", 10) || DEFAULTS.telemetry.interval_minutes,
+    },
+    audit: {
+      enabled: fields["audit.enabled"] !== "false",
+      retention_days: parseInt(fields["audit.retention_days"] ?? "", 10) || DEFAULTS.audit.retention_days,
+    },
+    policy: {
+      enabled: fields["policy.enabled"] !== "false",
+      endpoint: policyEndpoint,
+      api_key: policyApiKey,
+      sync_interval_minutes: parseInt(fields["policy.sync_interval_minutes"] ?? "", 10) || DEFAULTS.policy.sync_interval_minutes,
+    },
+    rbac: {
+      enabled: fields["rbac.enabled"] === "true",
+      default_role: isValidRole(fields["rbac.default_role"]) ? fields["rbac.default_role"] : DEFAULTS.rbac.default_role,
+    },
+    validators: parseValidatorsConfig(fields),
+    compliance: {
+      frameworks,
+      eu_addons: euAddons,
+    },
+    govern: {
+      mode: governMode,
+      sync_on_startup: fields["govern.sync_on_startup"] !== "false",
+      sync_interval_minutes: parseInt(fields["govern.sync_interval_minutes"] ?? "", 10) || DEFAULTS.govern.sync_interval_minutes,
+      tier_claude: isValidTier(fields["govern.tier_claude"]) ? fields["govern.tier_claude"] : DEFAULTS.govern.tier_claude,
+      tier_codex: isValidTier(fields["govern.tier_codex"]) ? fields["govern.tier_codex"] : DEFAULTS.govern.tier_codex,
+      tier_copilot: isValidTier(fields["govern.tier_copilot"]) ? fields["govern.tier_copilot"] : DEFAULTS.govern.tier_copilot,
+      detect_ungoverned: fields["govern.detect_ungoverned"] !== "false",
+      govern_endpoint: governEndpoint,
+    },
+  };
+}

package/scaffold/mcp/src/core/index.ts

@@ -0,0 +1,34 @@
+// Config
+export { loadEnterpriseConfig, resolveEnterpriseActivation } from "./config.js";
+export type {
+  TelemetryConfig,
+  AuditConfig,
+  PolicyConfig,
+  EnterpriseConfig,
+  EnterpriseServiceConfig,
+  EnterpriseActivation
+} from "./config.js";
+
+// Telemetry
+export { TelemetryCollector } from "./telemetry/collector.js";
+export type { TelemetryMetrics } from "./telemetry/collector.js";
+
+// Audit
+export { AuditWriter } from "./audit/writer.js";
+export type { AuditEntry } from "./audit/writer.js";
+export { queryAuditLog } from "./audit/query.js";
+export type { AuditQuery } from "./audit/query.js";
+
+// RBAC
+export { checkAccess, getAccessDeniedMessage } from "./rbac/check.js";
+export type { Role, RBACConfig } from "./rbac/check.js";
+
+// Policy
+export { PolicyStore } from "./policy/store.js";
+export type { OrgPolicy } from "./policy/store.js";
+
+// Prompt injection
+export { scanForInjection, sanitizeContent } from "./policy/injection.js";
+export type { ScanResult, InjectionMatch, InjectionCategory } from "./policy/injection.js";
+export { enforceInjectionPolicy, isInjectionDefenseActive, buildViolationPayload } from "./policy/enforce.js";
+export type { EnforcementResult } from "./policy/enforce.js";

package/scaffold/mcp/src/core/license.ts

@@ -0,0 +1,202 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+
+export type LicenseVerification =
+  | {
+      valid: true;
+      edition: string;
+      features: string[];
+      expires_at: string;
+      max_repos: number;
+      verified_at: string;
+      source: "remote" | "cache";
+    }
+  | {
+      valid: false;
+      reason: string;
+      verified_at: string;
+      source: "remote" | "cache" | "grace_expired";
+    };
+
+type CacheEntry = {
+  result: LicenseVerification;
+  // ISO timestamp for cache freshness window
+  cached_at: string;
+};
+
+const CACHE_FILE = "license_cache.json";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24h fresh
+const GRACE_PERIOD_MS = 7 * 24 * 60 * 60 * 1000; // 7d grace if endpoint unreachable
+const REQUEST_TIMEOUT_MS = 5000;
+
+function cachePath(contextDir: string): string {
+  return join(contextDir, "telemetry", CACHE_FILE);
+}
+
+function readCache(contextDir: string): CacheEntry | null {
+  const path = cachePath(contextDir);
+  if (!existsSync(path)) return null;
+  try {
+    const raw = readFileSync(path, "utf8");
+    return JSON.parse(raw) as CacheEntry;
+  } catch {
+    return null;
+  }
+}
+
+function writeCache(contextDir: string, entry: CacheEntry): void {
+  const path = cachePath(contextDir);
+  try {
+    mkdirSync(join(contextDir, "telemetry"), { recursive: true });
+    writeFileSync(path, JSON.stringify(entry, null, 2), "utf8");
+  } catch {
+    // Cache failures are non-fatal — license check just won't be cached.
+  }
+}
+
+function deleteCache(contextDir: string): void {
+  const path = cachePath(contextDir);
+  if (!existsSync(path)) return;
+  try {
+    unlinkSync(path);
+  } catch {
+    // ignore — best-effort
+  }
+}
+
+function ageMs(isoTimestamp: string): number {
+  return Date.now() - new Date(isoTimestamp).getTime();
+}
+
+async function fetchLicense(
+  endpoint: string,
+  apiKey: string,
+  instanceId: string | undefined,
+  clientVersion: string | undefined,
+): Promise<LicenseVerification | null> {
+  const url = `${endpoint.replace(/\/$/, "")}/api/v1/license/verify`;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+  try {
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify({
+        instance_id: instanceId,
+        client_version: clientVersion,
+      }),
+      signal: controller.signal,
+    });
+
+    if (!res.ok) {
+      // 401/429/5xx — treat as transient, surface null so caller can fall back.
+      return null;
+    }
+
+    const json = (await res.json()) as Record<string, unknown>;
+    const verifiedAt = new Date().toISOString();
+
+    if (json.valid === true) {
+      return {
+        valid: true,
+        edition: String(json.edition ?? "unknown"),
+        features: Array.isArray(json.features) ? json.features.map(String) : [],
+        expires_at: String(json.expires_at ?? ""),
+        max_repos: typeof json.max_repos === "number" ? json.max_repos : 0,
+        verified_at: verifiedAt,
+        source: "remote",
+      };
+    }
+
+    return {
+      valid: false,
+      reason: String(json.reason ?? "unknown"),
+      verified_at: verifiedAt,
+      source: "remote",
+    };
+  } catch {
+    // Network error, timeout, JSON parse error — treat as transient.
+    return null;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+/**
+ * Verify the license for the given api_key. Layered fallback:
+ *   1. If a positive cache (valid:true) is fresh (<24h) → use cache
+ *      Negative cache entries are never trusted; if one is encountered
+ *      it's deleted on the spot so a since-fixed remote can heal.
+ *   2. Otherwise try remote endpoint
+ *      - On valid:true → write positive cache, return result
+ *      - On valid:false (authoritative fail) → DELETE any positive
+ *        cache (so a revoked/expired key doesn't keep masquerading as
+ *        valid past its remote-side fail), return result, do NOT
+ *        cache the negative.
+ *      - On transient failure → fall back to positive cache if within
+ *        grace period (7d). If only a negative cache exists, ignore it.
+ *   3. If no usable cache and endpoint unreachable → return invalid
+ *      (grace_expired).
+ *
+ * The caller decides what to do based on the result. Typically:
+ *   - valid:true  → activate enterprise hooks
+ *   - valid:false → community mode (no enterprise)
+ */
+export async function verifyLicense(
+  contextDir: string,
+  endpoint: string,
+  apiKey: string,
+  options: { instance_id?: string; client_version?: string } = {},
+): Promise<LicenseVerification> {
+  let cached = readCache(contextDir);
+
+  // Defensive: a previous version of this code wrote negative results
+  // into the cache. Refuse to honour them and clean them up so a
+  // since-deployed fix on the remote can be observed.
+  if (cached && cached.result.valid === false) {
+    deleteCache(contextDir);
+    cached = null;
+  }
+
+  // Fresh positive cache: skip remote.
+  if (cached && cached.result.valid === true && ageMs(cached.cached_at) < CACHE_TTL_MS) {
+    return { ...cached.result, source: "cache" };
+  }
+
+  const remote = await fetchLicense(
+    endpoint,
+    apiKey,
+    options.instance_id,
+    options.client_version,
+  );
+
+  if (remote) {
+    if (remote.valid) {
+      writeCache(contextDir, {
+        result: remote,
+        cached_at: new Date().toISOString(),
+      });
+    } else {
+      // Authoritative fail from remote — drop any stale positive cache
+      // so we don't bounce back to "valid" on the next call.
+      deleteCache(contextDir);
+    }
+    return remote;
+  }
+
+  // Remote unreachable. Fall back to positive cache if within grace.
+  if (cached && cached.result.valid === true && ageMs(cached.cached_at) < GRACE_PERIOD_MS) {
+    return { ...cached.result, source: "cache" };
+  }
+
+  return {
+    valid: false,
+    reason: "endpoint_unreachable_grace_expired",
+    verified_at: new Date().toISOString(),
+    source: "grace_expired",
+  };
+}