@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/src/core/policy/enforce.ts

@@ -0,0 +1,98 @@
+/**
+ * Policy enforcement layer.
+ *
+ * Bridges the injection scanner with the policy store — only runs the
+ * scanner when the `prompt-injection-defense` policy is active.
+ */
+
+import type { OrgPolicy } from "./store.js";
+import { scanForInjection, sanitizeContent, type InjectionMatch, type ScanResult } from "./injection.js";
+
+const RULE_ID = "prompt-injection-defense";
+
+export type EnforcementResult = {
+  allowed: boolean;
+  ruleId: string;
+  scan: ScanResult;
+  sanitized?: string;
+};
+
+/**
+ * Check whether the prompt-injection-defense policy is active.
+ */
+export function isInjectionDefenseActive(policies: OrgPolicy[]): boolean {
+  return policies.some((p) => p.id === RULE_ID && p.enforce);
+}
+
+/**
+ * Enforce the prompt-injection-defense policy against a piece of text.
+ *
+ * If the policy is not active the text is always allowed.
+ *
+ * @param text     The text to check
+ * @param policies The current merged policy list
+ * @param options  Optional: pass `sanitize: true` to get a sanitised version of the text
+ * @returns        EnforcementResult
+ */
+export function enforceInjectionPolicy(
+  text: string,
+  policies: OrgPolicy[],
+  options?: { sanitize?: boolean },
+): EnforcementResult {
+  if (!isInjectionDefenseActive(policies)) {
+    return {
+      allowed: true,
+      ruleId: RULE_ID,
+      scan: { score: 0, flagged: false, matches: [] },
+    };
+  }
+
+  const scan = scanForInjection(text);
+
+  const result: EnforcementResult = {
+    allowed: !scan.flagged,
+    ruleId: RULE_ID,
+    scan,
+  };
+
+  if (options?.sanitize && scan.flagged) {
+    result.sanitized = sanitizeContent(text);
+  }
+
+  return result;
+}
+
+/**
+ * Build a violation payload compatible with the cortex-web
+ * `POST /api/v1/violations/push` endpoint.
+ */
+export function buildViolationPayload(
+  matches: InjectionMatch[],
+  context: { filePath?: string; query?: string },
+): {
+  rule_id: string;
+  severity: "error" | "warning" | "info";
+  message: string;
+  file_path?: string;
+  metadata?: string;
+  occurred_at: string;
+} {
+  const topMatch = matches[0];
+  const score = matches.reduce((s, m) => s + m.weight, 0).toFixed(2);
+  const message = `Prompt injection detected: ${topMatch.category} (score ${score})`;
+
+  return {
+    rule_id: RULE_ID,
+    severity: "warning",
+    message: message.slice(0, 2000),
+    file_path: context.filePath?.slice(0, 500),
+    metadata: JSON.stringify({
+      query_present: Boolean(context.query),
+      query_length: context.query?.length ?? 0,
+      match_count: matches.length,
+      categories: [...new Set(matches.map((m) => m.category))],
+      patterns: matches.map((m) => m.pattern),
+    }).slice(0, 5000),
+    occurred_at: new Date().toISOString(),
+  };
+}

package/scaffold/mcp/src/core/policy/injection.ts

@@ -0,0 +1,229 @@
+/**
+ * Prompt injection scanner.
+ *
+ * Detects common prompt injection patterns in text and returns a risk
+ * score with categorised matches.  Designed to run on every piece of
+ * content that flows between the file system and an LLM.
+ */
+
+// ── Types ──────────────────────────────────────────────────────────
+
+export type InjectionCategory =
+  | "instruction_override"
+  | "role_play"
+  | "delimiter_escape"
+  | "instruction_marker"
+  | "encoded_payload";
+
+export type InjectionMatch = {
+  pattern: string;
+  category: InjectionCategory;
+  matched: string;
+  position: number;
+  weight: number;
+};
+
+export type ScanResult = {
+  score: number;
+  flagged: boolean;
+  matches: InjectionMatch[];
+};
+
+// ── Pattern definitions ────────────────────────────────────────────
+
+type PatternDef = {
+  regex: RegExp;
+  category: InjectionCategory;
+  pattern: string;
+  weight: number;
+};
+
+const PATTERNS: PatternDef[] = [
+  // ── Instruction overrides ──
+  {
+    regex: /ignore\s+(all\s+)?previous\s+instructions/gi,
+    category: "instruction_override",
+    pattern: "ignore_previous_instructions",
+    weight: 0.5,
+  },
+  {
+    regex: /disregard\s+(all\s+)?(above|previous|prior|earlier)/gi,
+    category: "instruction_override",
+    pattern: "disregard_previous",
+    weight: 0.5,
+  },
+  {
+    regex: /forget\s+(all\s+)?(above|previous|prior|earlier)\s+(instructions|context|rules)/gi,
+    category: "instruction_override",
+    pattern: "forget_previous",
+    weight: 0.5,
+  },
+  {
+    regex: /new\s+instructions?\s*:/gi,
+    category: "instruction_override",
+    pattern: "new_instructions",
+    weight: 0.4,
+  },
+  {
+    regex: /you\s+are\s+now\s+/gi,
+    category: "instruction_override",
+    pattern: "you_are_now",
+    weight: 0.4,
+  },
+  {
+    regex: /from\s+now\s+on\s*,?\s+(you|ignore|do\s+not)/gi,
+    category: "instruction_override",
+    pattern: "from_now_on",
+    weight: 0.4,
+  },
+  {
+    regex: /override\s+(all\s+)?(system|safety|previous)\s+(prompt|instructions|rules)/gi,
+    category: "instruction_override",
+    pattern: "override_system",
+    weight: 0.5,
+  },
+
+  // ── Role-play / persona attacks ──
+  {
+    regex: /act\s+as\s+(an?\s+)?(unrestricted|unfiltered|evil|malicious|jailbroken)/gi,
+    category: "role_play",
+    pattern: "act_as_unrestricted",
+    weight: 0.5,
+  },
+  {
+    regex: /pretend\s+you\s+are\s+(an?\s+)?(different|new|unrestricted)/gi,
+    category: "role_play",
+    pattern: "pretend_you_are",
+    weight: 0.4,
+  },
+  {
+    regex: /enter\s+(DAN|developer|god|sudo|admin)\s+mode/gi,
+    category: "role_play",
+    pattern: "special_mode",
+    weight: 0.5,
+  },
+  {
+    regex: /jailbreak/gi,
+    category: "role_play",
+    pattern: "jailbreak_keyword",
+    weight: 0.4,
+  },
+
+  // ── Delimiter escapes ──
+  {
+    regex: /<\/?(system|assistant|user|tool_result|human|function_call|antml:)[\s>]/gi,
+    category: "delimiter_escape",
+    pattern: "xml_tag_escape",
+    weight: 0.5,
+  },
+  {
+    regex: /\[INST\]|\[\/INST\]|\[SYS\]|\[\/SYS\]/gi,
+    category: "delimiter_escape",
+    pattern: "inst_tag_escape",
+    weight: 0.5,
+  },
+  {
+    regex: /```\s*(system|prompt|instructions)/gi,
+    category: "delimiter_escape",
+    pattern: "code_block_escape",
+    weight: 0.3,
+  },
+
+  // ── Instruction markers ──
+  {
+    regex: /^\s*(IMPORTANT|SYSTEM|ADMIN|OVERRIDE|INSTRUCTION)\s*:/gim,
+    category: "instruction_marker",
+    pattern: "authority_marker",
+    weight: 0.3,
+  },
+  {
+    regex: /\bdo\s+not\s+follow\s+(any\s+)?(previous|prior|above)\s+(rules|instructions|guidelines)/gi,
+    category: "instruction_marker",
+    pattern: "do_not_follow",
+    weight: 0.5,
+  },
+
+  // ── Encoded payloads ──
+  {
+    regex: /(?:eval|atob|Buffer\.from)\s*\(\s*["'`][A-Za-z0-9+/=]{20,}["'`]\s*\)/g,
+    category: "encoded_payload",
+    pattern: "encoded_eval",
+    weight: 0.4,
+  },
+  {
+    regex: /&#x[0-9a-f]{2,4};/gi,
+    category: "encoded_payload",
+    pattern: "html_entity_encode",
+    weight: 0.2,
+  },
+];
+
+// ── Public API ─────────────────────────────────────────────────────
+
+const DEFAULT_THRESHOLD = 0.3;
+
+/**
+ * Scan a text string for prompt injection patterns.
+ *
+ * @param text      The text to scan
+ * @param threshold Risk score threshold (0–1) above which `flagged` is true
+ * @returns         ScanResult with score, flagged boolean, and matches
+ */
+export function scanForInjection(
+  text: string,
+  threshold: number = DEFAULT_THRESHOLD,
+): ScanResult {
+  if (!text) {
+    return { score: 0, flagged: false, matches: [] };
+  }
+
+  const matches: InjectionMatch[] = [];
+
+  for (const def of PATTERNS) {
+    // Reset lastIndex for global regexes
+    def.regex.lastIndex = 0;
+
+    let m: RegExpExecArray | null;
+    while ((m = def.regex.exec(text)) !== null) {
+      matches.push({
+        pattern: def.pattern,
+        category: def.category,
+        matched: m[0],
+        position: m.index,
+        weight: def.weight,
+      });
+    }
+  }
+
+  const score = Math.min(
+    1,
+    matches.reduce((sum, m) => sum + m.weight, 0),
+  );
+
+  return {
+    score,
+    flagged: score >= threshold,
+    matches,
+  };
+}
+
+/**
+ * Sanitize text by wrapping it in safe delimiters and neutralising
+ * known injection patterns.  Use this on content returned to the LLM
+ * when you want to keep the content but reduce injection risk.
+ */
+export function sanitizeContent(text: string): string {
+  if (!text) return text;
+
+  let out = text;
+
+  // Neutralise XML-like tags that mimic system boundaries
+  out = out.replace(/<\/?(system|assistant|user|tool_result|human|function_call|antml:)/gi, (m) =>
+    m.replace(/</g, "&lt;").replace(/>/g, "&gt;"),
+  );
+
+  // Neutralise [INST] / [SYS] tags
+  out = out.replace(/\[(\/?)(?:INST|SYS)\]/gi, "[$1_$&_]");
+
+  return out;
+}

package/scaffold/mcp/src/core/policy/store.ts

@@ -0,0 +1,197 @@
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+
+export type OrgPolicy = {
+  id: string;
+  title?: string | null;
+  kind?: "predefined" | "custom" | null;
+  status?: "draft" | "active" | "disabled" | "archived" | null;
+  severity?: "info" | "warning" | "error" | "block" | null;
+  description: string;
+  priority: number;
+  scope: string;
+  enforce: boolean;
+  source: "org" | "local";
+  // Execution hints for generic evaluators (M2). Null for predefined
+  // rules that dispatch via the name-based validator registry.
+  type?: string | null;
+  config?: Record<string, unknown> | null;
+};
+
+/**
+ * Parse the simple YAML rules format used by Cortex:
+ *
+ * rules:
+ *   - id: rule.foo
+ *     description: "..."
+ *     priority: 100
+ *     enforce: true
+ */
+function parseRulesYaml(text: string, source: "org" | "local"): OrgPolicy[] {
+  const policies: OrgPolicy[] = [];
+  let current: Partial<OrgPolicy> | null = null;
+
+  for (const line of text.split("\n")) {
+    const trimmed = line.trim();
+
+    // New rule entry
+    if (trimmed.startsWith("- id:")) {
+      if (current?.id) {
+        policies.push(finalize(current, source));
+      }
+      current = { id: trimmed.slice(5).trim() };
+      continue;
+    }
+
+    if (!current) continue;
+
+    if (trimmed.startsWith("title:")) {
+      current.title = trimmed.slice(6).trim().replace(/^["']|["']$/g, "");
+    } else if (trimmed.startsWith("kind:")) {
+      const kind = trimmed.slice(5).trim();
+      if (kind === "predefined" || kind === "custom") current.kind = kind;
+    } else if (trimmed.startsWith("status:")) {
+      const status = trimmed.slice(7).trim();
+      if (status === "draft" || status === "active" || status === "disabled" || status === "archived") {
+        current.status = status;
+      }
+    } else if (trimmed.startsWith("severity:")) {
+      const severity = trimmed.slice(9).trim();
+      if (severity === "info" || severity === "warning" || severity === "error" || severity === "block") {
+        current.severity = severity;
+      }
+    } else if (trimmed.startsWith("description:")) {
+      current.description = trimmed.slice(12).trim().replace(/^["']|["']$/g, "");
+    } else if (trimmed.startsWith("priority:")) {
+      current.priority = parseInt(trimmed.slice(9).trim(), 10) || 50;
+    } else if (trimmed.startsWith("scope:")) {
+      current.scope = trimmed.slice(6).trim();
+    } else if (trimmed.startsWith("enforce:")) {
+      current.enforce = trimmed.slice(8).trim() === "true";
+    } else if (trimmed.startsWith("type:")) {
+      const raw = trimmed.slice(5).trim();
+      current.type = raw === "null" || raw === "" ? null : raw;
+    } else if (trimmed.startsWith("config:")) {
+      // Config is JSON-encoded on a single line so the line-based parser
+      // doesn't need to understand nested YAML. `config: null` or an
+      // unparseable value leaves it null.
+      const raw = trimmed.slice(7).trim();
+      if (raw && raw !== "null") {
+        try {
+          const parsed = JSON.parse(raw);
+          if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            current.config = parsed as Record<string, unknown>;
+          }
+        } catch {
+          // ignore malformed config; evaluator will see null and fail
+          // gracefully with its own validation message.
+        }
+      }
+    }
+  }
+
+  if (current?.id) {
+    policies.push(finalize(current, source));
+  }
+
+  return policies;
+}
+
+function finalize(partial: Partial<OrgPolicy>, source: "org" | "local"): OrgPolicy {
+  return {
+    id: partial.id ?? "",
+    title: partial.title ?? partial.id ?? "",
+    kind: partial.kind ?? null,
+    status: partial.status ?? "active",
+    severity: partial.severity ?? "block",
+    description: partial.description ?? "",
+    priority: partial.priority ?? 50,
+    scope: partial.scope ?? "global",
+    enforce: partial.enforce ?? true,
+    source,
+    type: partial.type ?? null,
+    config: partial.config ?? null,
+  };
+}
+
+function policiesToYaml(policies: OrgPolicy[]): string {
+  const lines = ["rules:"];
+  for (const p of policies) {
+    lines.push(`  - id: ${p.id}`);
+    if (p.title) lines.push(`    title: "${p.title.replace(/"/g, '\\"')}"`);
+    if (p.kind) lines.push(`    kind: ${p.kind}`);
+    if (p.status) lines.push(`    status: ${p.status}`);
+    if (p.severity) lines.push(`    severity: ${p.severity}`);
+    lines.push(`    description: "${p.description.replace(/"/g, '\\"')}"`);
+    lines.push(`    priority: ${p.priority}`);
+    lines.push(`    scope: ${p.scope}`);
+    lines.push(`    enforce: ${p.enforce}`);
+    if (p.type) {
+      lines.push(`    type: ${p.type}`);
+    }
+    if (p.config) {
+      lines.push(`    config: ${JSON.stringify(p.config)}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
+export class PolicyStore {
+  private readonly contextDir: string;
+  private readonly orgRulesPath: string;
+  private readonly localRulesPath: string;
+
+  constructor(contextDir: string) {
+    this.contextDir = contextDir;
+    this.orgRulesPath = join(contextDir, "policies", "org-rules.yaml");
+    this.localRulesPath = join(contextDir, "rules.yaml");
+  }
+
+  loadOrgPolicies(): OrgPolicy[] {
+    try {
+      const raw = readFileSync(this.orgRulesPath, "utf8");
+      return parseRulesYaml(raw, "org");
+    } catch {
+      return [];
+    }
+  }
+
+  loadLocalPolicies(): OrgPolicy[] {
+    try {
+      const raw = readFileSync(this.localRulesPath, "utf8");
+      return parseRulesYaml(raw, "local");
+    } catch {
+      return [];
+    }
+  }
+
+  /**
+   * Merge org + local policies. Org rules override local rules with same ID.
+   * Result is sorted by priority (highest first).
+   */
+  getMergedPolicies(): OrgPolicy[] {
+    const orgPolicies = this.loadOrgPolicies();
+    const localPolicies = this.loadLocalPolicies();
+
+    const merged = new Map<string, OrgPolicy>();
+
+    // Local first
+    for (const p of localPolicies) {
+      merged.set(p.id, p);
+    }
+
+    // Org overrides
+    for (const p of orgPolicies) {
+      merged.set(p.id, p);
+    }
+
+    return [...merged.values()].sort((a, b) => b.priority - a.priority);
+  }
+
+  writeOrgPolicies(policies: OrgPolicy[]): void {
+    const dir = join(this.contextDir, "policies");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(this.orgRulesPath, policiesToYaml(policies));
+  }
+}

package/scaffold/mcp/src/core/rbac/check.ts

@@ -0,0 +1,40 @@
+export type Role = "admin" | "developer" | "readonly";
+
+export type RBACConfig = {
+  enabled: boolean;
+  default_role: Role;
+};
+
+const PERMISSIONS: Record<string, Role[]> = {
+  // Admin-only actions
+  "policy.write":          ["admin"],
+  "policy.sync":           ["admin"],
+  "telemetry.configure":   ["admin"],
+
+  // Admin + developer
+  "audit.query":           ["admin", "developer"],
+  "policy.list":           ["admin", "developer"],
+  "telemetry.status":      ["admin", "developer"],
+  "context.review":        ["admin", "developer"],
+  "workflow.plan":         ["admin", "developer"],
+  "workflow.review_plan":  ["admin", "developer"],
+  "workflow.start":        ["admin", "developer"],
+  "workflow.update":       ["admin", "developer"],
+  "workflow.note":         ["admin", "developer"],
+  "workflow.todo":         ["admin", "developer"],
+  "workflow.approve":      ["admin", "developer"],
+
+  // All roles
+  "enterprise.status":     ["admin", "developer", "readonly"],
+  "workflow.status":       ["admin", "developer", "readonly"],
+};
+
+export function checkAccess(role: Role, action: string): boolean {
+  const allowed = PERMISSIONS[action];
+  if (!allowed) return false; // deny unknown actions by default
+  return allowed.includes(role);
+}
+
+export function getAccessDeniedMessage(role: Role, action: string): string {
+  return `Access denied: role '${role}' cannot perform '${action}'`;
+}