@dotsetlabs/tollgate 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +96 -3
- package/dist/analyzers/index.d.ts +1 -0
- package/dist/analyzers/index.d.ts.map +1 -1
- package/dist/analyzers/index.js +3 -0
- package/dist/analyzers/index.js.map +1 -1
- package/dist/analyzers/output-validator.d.ts +77 -0
- package/dist/analyzers/output-validator.d.ts.map +1 -0
- package/dist/analyzers/output-validator.js +463 -0
- package/dist/analyzers/output-validator.js.map +1 -0
- package/dist/approval/webhook.d.ts +74 -0
- package/dist/approval/webhook.d.ts.map +1 -0
- package/dist/approval/webhook.js +160 -0
- package/dist/approval/webhook.js.map +1 -0
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/integration/index.d.ts +12 -0
- package/dist/integration/index.d.ts.map +1 -0
- package/dist/integration/index.js +7 -0
- package/dist/integration/index.js.map +1 -0
- package/dist/intent/index.d.ts +12 -0
- package/dist/intent/index.d.ts.map +1 -0
- package/dist/intent/index.js +12 -0
- package/dist/intent/index.js.map +1 -0
- package/dist/intent/tracker.d.ts +151 -0
- package/dist/intent/tracker.d.ts.map +1 -0
- package/dist/intent/tracker.js +460 -0
- package/dist/intent/tracker.js.map +1 -0
- package/dist/intent/verifier.d.ts +103 -0
- package/dist/intent/verifier.d.ts.map +1 -0
- package/dist/intent/verifier.js +275 -0
- package/dist/intent/verifier.js.map +1 -0
- package/dist/policy/types.d.ts +5 -1
- package/dist/policy/types.d.ts.map +1 -1
- package/dist/policy/validator.d.ts.map +1 -1
- package/dist/policy/validator.js +4 -10
- package/dist/policy/validator.js.map +1 -1
- package/dist/proxy/bridge.d.ts.map +1 -1
- package/dist/proxy/bridge.js +11 -3
- package/dist/proxy/bridge.js.map +1 -1
- package/dist/proxy/server.d.ts.map +1 -1
- package/dist/proxy/server.js +56 -0
- package/dist/proxy/server.js.map +1 -1
- package/package.json +5 -2
package/README.md
CHANGED
|
@@ -60,9 +60,28 @@ Tollgate doesn't just ask "Allow this tool?" — it **understands what the tool
|
|
|
60
60
|
└─────────────────────────────────┴─────────────────────┴─────────────────────┘
|
|
61
61
|
```
|
|
62
62
|
|
|
63
|
-
|
|
63
|
+
Six built-in analyzers parse SQL, shell commands, file paths, HTTP requests, prompt injection attacks, and **tool response validation**.
|
|
64
64
|
|
|
65
|
-
### 3.
|
|
65
|
+
### 3. LLM Output Validation (NEW)
|
|
66
|
+
|
|
67
|
+
Tollgate doesn't just check what you send to tools — it **validates what tools send back**:
|
|
68
|
+
|
|
69
|
+
```
|
|
70
|
+
┌─────────────────────────────────────────────────────────────────────────────┐
|
|
71
|
+
│ Tool Response Contains │ Tollgate Action │
|
|
72
|
+
├───────────────────────────────────────────┼─────────────────────────────────┤
|
|
73
|
+
│ "Ignore previous instructions..." │ BLOCKED - prompt injection │
|
|
74
|
+
│ API keys (sk-*, AKIA*, etc.) │ BLOCKED - credential exposure │
|
|
75
|
+
│ "You are now in developer mode" │ BLOCKED - role manipulation │
|
|
76
|
+
│ Base64-encoded suspicious content │ BLOCKED - obfuscated payload │
|
|
77
|
+
│ Exfiltration markers (webhook.site, etc.) │ BLOCKED - data exfiltration │
|
|
78
|
+
│ Normal query results │ ALLOWED │
|
|
79
|
+
└───────────────────────────────────────────┴─────────────────────────────────┘
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
This protects against **indirect prompt injection** — attacks where malicious content in tool responses tries to hijack the AI's behavior. Other MCP gateways only check inputs; Tollgate checks outputs too.
|
|
83
|
+
|
|
84
|
+
### 4. Session-Based Approval Memory
|
|
66
85
|
|
|
67
86
|
Stop clicking "Allow" for every operation:
|
|
68
87
|
|
|
@@ -276,6 +295,21 @@ tollgate serve --all --no-interactive
|
|
|
276
295
|
```
|
|
277
296
|
|
|
278
297
|
**Interactive Commands:**
|
|
298
|
+
|
|
299
|
+
| Command | Description |
|
|
300
|
+
|:--------|:------------|
|
|
301
|
+
| `status` / `ls` / `list` | Show status of all configured servers |
|
|
302
|
+
| `start <n\|name>` | Start a server by number or name |
|
|
303
|
+
| `stop <n\|name>` | Stop a running server |
|
|
304
|
+
| `restart <n\|name>` | Restart a server |
|
|
305
|
+
| `start-all` | Start all configured servers |
|
|
306
|
+
| `stop-all` | Stop all running servers |
|
|
307
|
+
| `stats` | Show orchestrator statistics |
|
|
308
|
+
| `logs <n\|name>` | Show recent logs for a server |
|
|
309
|
+
| `help` | Show available commands |
|
|
310
|
+
| `quit` / `exit` | Exit the orchestrator |
|
|
311
|
+
|
|
312
|
+
**Example session:**
|
|
279
313
|
```
|
|
280
314
|
tollgate> status
|
|
281
315
|
# Server Status Health Uptime Calls
|
|
@@ -283,6 +317,12 @@ tollgate> status
|
|
|
283
317
|
2 github running healthy 5m 30s 8
|
|
284
318
|
3 filesystem stopped unknown - 0
|
|
285
319
|
|
|
320
|
+
tollgate> logs 1
|
|
321
|
+
Recent logs for postgres:
|
|
322
|
+
[12:05:32] Tool call: query (approved)
|
|
323
|
+
[12:05:45] Tool call: query (approved)
|
|
324
|
+
[12:06:01] Tool call: execute (prompted → approved)
|
|
325
|
+
|
|
286
326
|
tollgate> stop 2
|
|
287
327
|
Stopping github...
|
|
288
328
|
Server "github" stopped successfully
|
|
@@ -418,7 +458,7 @@ export default defineAsyncAnalyzer({
|
|
|
418
458
|
|
|
419
459
|
## Approval Methods
|
|
420
460
|
|
|
421
|
-
Tollgate supports
|
|
461
|
+
Tollgate supports three approval methods:
|
|
422
462
|
|
|
423
463
|
### Terminal (Default)
|
|
424
464
|
|
|
@@ -466,6 +506,49 @@ approval:
|
|
|
466
506
|
timeout: 60000
|
|
467
507
|
```
|
|
468
508
|
|
|
509
|
+
### Webhook
|
|
510
|
+
|
|
511
|
+
For automated workflows, CI/CD pipelines, or custom approval systems, use webhook approvals:
|
|
512
|
+
|
|
513
|
+
```yaml
|
|
514
|
+
approval:
|
|
515
|
+
method: webhook
|
|
516
|
+
webhookUrl: https://your-approval-service.com/api/tollgate/approve
|
|
517
|
+
webhookHeaders:
|
|
518
|
+
Authorization: Bearer your-token
|
|
519
|
+
webhookSecret: optional-hmac-secret
|
|
520
|
+
timeout: 30000
|
|
521
|
+
```
|
|
522
|
+
|
|
523
|
+
When a tool call requires approval, Tollgate sends a POST request to your webhook:
|
|
524
|
+
|
|
525
|
+
```json
|
|
526
|
+
{
|
|
527
|
+
"id": "req_abc123",
|
|
528
|
+
"timestamp": "2025-01-15T12:00:00Z",
|
|
529
|
+
"server": "postgres",
|
|
530
|
+
"tool": "query",
|
|
531
|
+
"args": { "sql": "SELECT * FROM users" },
|
|
532
|
+
"decision": {
|
|
533
|
+
"action": "prompt",
|
|
534
|
+
"reason": "Write operation requires approval",
|
|
535
|
+
"analysis": { "risk": "write" }
|
|
536
|
+
}
|
|
537
|
+
}
|
|
538
|
+
```
|
|
539
|
+
|
|
540
|
+
Your webhook should respond with:
|
|
541
|
+
|
|
542
|
+
```json
|
|
543
|
+
{
|
|
544
|
+
"approved": true,
|
|
545
|
+
"duration": "15min",
|
|
546
|
+
"scope": "tool"
|
|
547
|
+
}
|
|
548
|
+
```
|
|
549
|
+
|
|
550
|
+
The `X-Tollgate-Signature` header contains an HMAC-SHA256 signature if `webhookSecret` is configured.
|
|
551
|
+
|
|
469
552
|
### Persistent Sessions
|
|
470
553
|
|
|
471
554
|
By default, session grants are stored in memory and lost on restart. Enable persistent storage to survive restarts:
|
|
@@ -817,6 +900,16 @@ await bridge.start();
|
|
|
817
900
|
|
|
818
901
|
---
|
|
819
902
|
|
|
903
|
+
## Part of the Dotset Labs Security Stack
|
|
904
|
+
|
|
905
|
+
| Stage | Tool | Focus |
|
|
906
|
+
|-------|------|-------|
|
|
907
|
+
| **Pre-install** | [Hardpoint](https://github.com/dotsetlabs/hardpoint) | Scan dev environment for threats |
|
|
908
|
+
| **At runtime** | **Tollgate** | Control what MCP servers can do |
|
|
909
|
+
| **Continuous** | [Deadfall](https://github.com/dotsetlabs/deadfall) | Monitor activity and detect anomalies |
|
|
910
|
+
|
|
911
|
+
---
|
|
912
|
+
|
|
820
913
|
## Open Source Commitment
|
|
821
914
|
|
|
822
915
|
Tollgate is MIT licensed. The core functionality — MCP policy enforcement, content analysis, and local audit logging — will always be free and open source.
|
|
@@ -4,6 +4,7 @@ export { FilesystemAnalyzer } from './filesystem.js';
|
|
|
4
4
|
export { ShellAnalyzer } from './shell.js';
|
|
5
5
|
export { HttpAnalyzer } from './http.js';
|
|
6
6
|
export { PromptInjectionAnalyzer } from './prompt-injection.js';
|
|
7
|
+
export { OutputValidatorAnalyzer, createOutputValidator } from './output-validator.js';
|
|
7
8
|
export { defineAnalyzer, defineAsyncAnalyzer, createPatternAnalyzer, isCustomAnalyzer, isAsyncAnalyzer, type AnalyzerDefinition, type CustomAnalyzer, } from './sdk.js';
|
|
8
9
|
export { loadAnalyzer, loadAnalyzers, loadAnalyzersFromConfig, initializeAnalyzers, cleanupAnalyzers, unloadAnalyzer, listCustomAnalyzers, resolveAnalyzerPath, type LoadResult, type LoaderOptions, } from './loader.js';
|
|
9
10
|
import type { ContentAnalyzer, AnalysisResult, AnalyzerContext, RiskMapping, RiskLevel } from './types.js';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAGvF,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,KAAK,kBAAkB,EACvB,KAAK,cAAc,GACpB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,uBAAuB,EACvB,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,EACd,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,GACnB,MAAM,aAAa,CAAC;AAErB,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAU3G,mFAAmF;AACnF,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;AAKzD;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,SAAS,CAA2C;IAC5D,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,SAAS,CAAS;gBAEd,SAAS,GAAE,MAAoC;IAW3D;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI;IASzC;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAWjC;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAI9C;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;OAEG;IACH,IAAI,IAAI,MAAM,EAAE;IAIhB;;OAEG;IACH,UAAU,IAAI,MAAM,EAAE;IAItB;;OAEG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAInC;;OAEG;IACH,UAAU,IAAI,MAAM;IAIpB;;OAEG;IACH,OAAO,CACL,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,eAAe,GACxB,cAAc;IAajB;;;;;;;;OAQG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,eAAe,EACzB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,cAAc,CAAC;IA6B1B;;;OAGG;IACG,YAAY,CAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,cAAc,CAAC;IAoB1B;;OAEG;IACG,yBAAyB,IAAI,OAAO,CAAC,IAAI,CAAC;IAMhD;;OAEG;IACG,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;IAM7C;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,SAAS;CAIxH;AAED;;GAEG;AACH,wBAAgB,YAAY
,CAC1B,IAAI,EAAE,SAAS,EACf,OAAO,GAAE,WAAkC,GAC1C,cAAc,CAGhB;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,kBAAyB,CAAC;AAEvD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,MAAM,GAAG,IAAI,CAiEf;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,MAAM,GAAG,IAAI,CA+Ff"}
|
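--- a/package/dist/analyzers/index.js
+++ b/package/dist/analyzers/index.js
@@ -4,6 +4,7 @@ export { FilesystemAnalyzer } from './filesystem.js';
 export { ShellAnalyzer } from './shell.js';
 export { HttpAnalyzer } from './http.js';
 export { PromptInjectionAnalyzer } from './prompt-injection.js';
+export { OutputValidatorAnalyzer, createOutputValidator } from './output-validator.js';
 // SDK exports for custom analyzers
 export { defineAnalyzer, defineAsyncAnalyzer, createPatternAnalyzer, isCustomAnalyzer, isAsyncAnalyzer, } from './sdk.js';
 // Loader exports for dynamic analyzer loading
@@ -14,6 +15,7 @@ import { FilesystemAnalyzer } from './filesystem.js';
 import { ShellAnalyzer } from './shell.js';
 import { HttpAnalyzer } from './http.js';
 import { PromptInjectionAnalyzer } from './prompt-injection.js';
+import { OutputValidatorAnalyzer } from './output-validator.js';
 import { isCustomAnalyzer, isAsyncAnalyzer } from './sdk.js';
 /** Default timeout for analyzer operations (5 seconds) */
 const DEFAULT_ANALYZER_TIMEOUT_MS = 5000;
@@ -32,6 +34,7 @@ export class AnalyzerRegistry {
 this.register(new ShellAnalyzer());
 this.register(new HttpAnalyzer());
 this.register(new PromptInjectionAnalyzer());
+this.register(new OutputValidatorAnalyzer());
 }
 /**
 * Register a new analyzer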
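Review bot: The registration added at new line 37 of the third hunk puts `OutputValidatorAnalyzer`, which its declaration file describes as analyzing tool responses rather than inputs, into the same default registry as the existing input analyzers with nothing in the code marking the distinction. Any caller that runs every registered analyzer over tool-call arguments would presumably now score request content with the output validator as well, and nothing in this file shows which path feeds it response content instead; I would add `// Response-side analyzer: scores tool OUTPUT, not tool-call arguments` above `this.register(new OutputValidatorAnalyzer());`, or keep response analyzers in a separately named set so the two directions cannot be confused. The enclosing `AnalyzerRegistry` constructor begins and ends outside the hunk.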
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAEvF,mCAAmC;AACnC,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,GAGhB,MAAM,UAAU,CAAC;AAElB,8CAA8C;AAC9C,OAAO,EACL,YAAY,EACZ,aAAa,EACb,uBAAuB,EACvB,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,EACd,mBAAmB,EACnB,mBAAmB,GAGpB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAuB,MAAM,UAAU,CAAC;AAKlF,0DAA0D;AAC1D,MAAM,2BAA2B,GAAG,IAAI,CAAC;AAEzC;;GAEG;AACH,MAAM,OAAO,gBAAgB;IACnB,SAAS,GAAiC,IAAI,GAAG,EAAE,CAAC;IACpD,eAAe,GAAgC,IAAI,GAAG,EAAE,CAAC;IACzD,SAAS,CAAS;IAE1B,YAAY,YAAoB,2BAA2B;QACzD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,8BAA8B;QAC9B,IAAI,CAAC,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,IAAI,kBAAkB,EAAE,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,IAAI,aAAa,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,YAAY,EAAE,CAAC,CAAC;QAClC,IAAI,CAAC,QAAQ,CAAC,IAAI,uBAAuB,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,CAAC,IAAI,uBAAuB,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,QAAyB;QAChC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE5C,6DAA6D;QAC7D,IAAI,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,SAAS,CAAC
,MAAM,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAiB;QAC1B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,OAAO,CACL,YAAoB,EACpB,OAAe,EACf,OAAyB;QAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,6DAA6D;YAC7D,4DAA4D;YAC5D,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,qBAAqB,YAAY,EAAE;aAC5C,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,kBAAkB,CACtB,YAAoB,EACpB,OAAe,EACf,OAAyB,EACzB,SAAkB;QAElB,MAAM,OAAO,GAAG,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC;QAE5C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAChC,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,EAAE,OAAO,CAAC;gBACjD,IAAI,OAAO,CAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;oBACxC,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBACnE,CAAC,CAAC;aACH,CAAC,CAAC;YACH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAI,OAAO,KAAK,kBAAkB,EAAE,CAAC;gBACnC,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,aAAa,YAAY,qBAAqB,OAAO,2BAA2B;oBACxF,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE;iBAChD,CAAC;YACJ,CAAC;YACD,gCAAgC;YAChC,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,aAAa,YAAY,YAAY,OAAO,EAAE;gBACtD,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;aAC1B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAChB,YAAoB,EACpB,OAAe,EACf,OAAyB;QAEz
B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,6DAA6D;YAC7D,4DAA4D;YAC5D,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,qBAAqB,YAAY,EAAE;aAC5C,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,QAAQ,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAED,oBAAoB;QACpB,OAAO,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,yBAAyB;QAC7B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC;YACrD,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,sBAAsB;QAC1B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC;YACrD,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,YAAoB;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,OAAO,QAAQ,EAAE,cAAc,CAAC;IAClC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAe,EACf,UAAuB,oBAAoB;IAE3C,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;IAC3D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,gBAAgB,EAAE,CAAC;AAEvD;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAc,EACd,IAAY,EACZ,KAA+B;IAE/B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAErC,mCAAmC;IACnC,IACE,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;QAChC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC7B,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC9B,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;QAChC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAC3B,CAAC;QACD,+BAA+B;QAC/B,IACE,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7B,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EACzB,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IACE,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC;QAClC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5B,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC1B,CAAC;QACD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,2CAA2C;IAC3C,IACE,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC7B,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;QAChC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5B,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QA
C1B,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzB,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAC7B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,oCAAoC;IACpC,IACE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5B,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC7B,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC/B,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC3B,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC3B,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC9B,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;QACjC,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC/B,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC3B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC1B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC9B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAC5B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,YAAoB,EACpB,IAAY,EACZ,IAA6B;IAE7B,mCAAmC;IACnC,MAAM,eAAe,GAAG,gBAAgB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAC3E,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,KAAK;YACR,4BAA4B;YAC5B,OAAO,CACL,IAAI,CAAC,KAAe;gBACpB,IAAI,CAAC,GAAa;gBAClB,IAAI,CAAC,SAAmB;gBACxB,IAAI,CACL,CAAC;QAEJ,KAAK,YAAY;YACf,6BAA6B;YAC7B,OAAO,CACL,IAAI,CAAC,IAAc;gBACnB,IAAI,CAAC,IAAc;gBACnB,IAAI,CAAC,QAAkB;gBACvB,IAAI,CAAC,SAAmB;gBACxB,IAAI,CAAC,QAAkB;gBACvB,IAAI,CACL,CAAC;QAEJ,KAAK,OAAO;YACV,gCAAgC;YAChC,OAAO,CACL,IAAI,CAAC,OAAiB;gBACtB,IAAI,CAAC,GAAa;gBAClB,IAAI,CAAC,MAAgB;gBACrB,IAAI,CAAC,KAAe;gBACpB,IAAI,CACL,CAAC;QAEJ,KAAK,MAAM;YACT,kEAAkE;YAClE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,+DAA+D;gBAC/D,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK;oBAC5B,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC;YACL,CAAC;YACD,OAAO,CACL,IAAI,CAAC,GAAa;gBAClB,IAAI,CAAC,IAAc;gBACnB,IAAI,CAAC,QAAkB;gBACvB,IAAI,CACL,CAAC;QAEJ,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,wDAAwD;YACxD,gEAAgE;YAChE,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC9B,YAAY,CAAC,IAAI,CAA
C,KAAK,CAAC,CAAC;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBACvD,mDAAmD;oBACnD,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,KAAgC,CAAC,EAAE,CAAC;wBAC1E,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;4BACpC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;wBACjC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAClE,CAAC;QAED,OAAO,CAAC,CAAC,CAAC;YACR,qDAAqD;YACrD,2DAA2D;YAC3D,MAAM,WAAW,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YACvF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;gBAC/B,IAAI,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;oBACnC,OAAO,IAAI,CAAC,IAAI,CAAW,CAAC;gBAC9B,CAAC;YACH,CAAC;YAED,+CAA+C;YAC/C,MAAM,UAAU,GAAa,EAAE,CAAC;YAChC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YACD,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Output Validator Analyzer
|
|
3
|
+
*
|
|
4
|
+
* Analyzes tool RESPONSES (not inputs) for security issues:
|
|
5
|
+
* - Prompt injection in responses (tool returns content that tries to hijack the AI)
|
|
6
|
+
* - Exfiltration attempts (sensitive data being exposed)
|
|
7
|
+
* - Malicious content patterns (code injection, encoded payloads)
|
|
8
|
+
*
|
|
9
|
+
* This is the critical missing piece in MCP security - tools can return
|
|
10
|
+
* malicious content that manipulates the AI's behavior after the tool call.
|
|
11
|
+
*
|
|
12
|
+
* @module analyzers/output-validator
|
|
13
|
+
*/
|
|
14
|
+
import type { AnalysisResult, ContentAnalyzer, AnalyzerContext } from './types.js';
|
|
15
|
+
/**
|
|
16
|
+
* Output Validator Analyzer
|
|
17
|
+
*
|
|
18
|
+
* Classifies tool responses by injection/exfiltration risk:
|
|
19
|
+
* - safe: Normal response content
|
|
20
|
+
* - read: Minor suspicious patterns (low confidence)
|
|
21
|
+
* - write: Moderate indicators of manipulation
|
|
22
|
+
* - destructive: High-confidence injection patterns
|
|
23
|
+
* - dangerous: Clear prompt injection or exfiltration attempt
|
|
24
|
+
*/
|
|
25
|
+
export declare class OutputValidatorAnalyzer implements ContentAnalyzer {
|
|
26
|
+
readonly name = "output-validator";
|
|
27
|
+
/**
|
|
28
|
+
* Analyze tool response content for security issues.
|
|
29
|
+
*/
|
|
30
|
+
analyze(content: string, context?: AnalyzerContext): AnalysisResult;
|
|
31
|
+
/**
|
|
32
|
+
* Normalize content for pattern matching.
|
|
33
|
+
*/
|
|
34
|
+
private normalizeContent;
|
|
35
|
+
/**
|
|
36
|
+
* Check for instruction injection patterns in response.
|
|
37
|
+
* These are attempts to manipulate the AI through tool output.
|
|
38
|
+
*/
|
|
39
|
+
private checkInstructionInjection;
|
|
40
|
+
/**
|
|
41
|
+
* Check for role manipulation attempts.
|
|
42
|
+
*/
|
|
43
|
+
private checkRoleManipulation;
|
|
44
|
+
/**
|
|
45
|
+
* Check for data exfiltration markers.
|
|
46
|
+
*/
|
|
47
|
+
private checkExfiltrationMarkers;
|
|
48
|
+
/**
|
|
49
|
+
* Check for encoded payloads that might hide malicious content.
|
|
50
|
+
*/
|
|
51
|
+
private checkEncodedPayloads;
|
|
52
|
+
/**
|
|
53
|
+
* Check for hidden instructions using delimiters or special formatting.
|
|
54
|
+
*/
|
|
55
|
+
private checkHiddenInstructions;
|
|
56
|
+
/**
|
|
57
|
+
* Check for credential/secret exposure in response.
|
|
58
|
+
*/
|
|
59
|
+
private checkSecretExposure;
|
|
60
|
+
/**
|
|
61
|
+
* Check for shell command injection in response.
|
|
62
|
+
*/
|
|
63
|
+
private checkShellInjection;
|
|
64
|
+
/**
|
|
65
|
+
* Check if a risk level is higher than another.
|
|
66
|
+
*/
|
|
67
|
+
private isHigherRisk;
|
|
68
|
+
/**
|
|
69
|
+
* Generate human-readable reason based on risk and triggers.
|
|
70
|
+
*/
|
|
71
|
+
private getRiskReason;
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Create a new output validator instance.
|
|
75
|
+
*/
|
|
76
|
+
export declare function createOutputValidator(): OutputValidatorAnalyzer;
|
|
77
|
+
//# sourceMappingURL=output-validator.d.ts.map
|
|
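Review bot: The risk scale documented on the class (new lines 19–23) reuses the input-side levels `read`/`write`/`destructive`/`dangerous` for response content, so a response with "minor suspicious patterns" is reported as `read`; a policy that auto-allows read-level operations would presumably wave low-confidence injection through, and neither the class doc nor the `analyze` JSDoc at new line 28 says how these levels map to the BLOCKED outcomes the README promises or what `context` contributes. I would extend the `analyze` JSDoc with `* @param context - optional caller context; document which fields (if any) affect scoring` and `* @returns Highest risk level hit by the checks below, on the same scale the input analyzers use (see class doc)`, confirming the latter against the implementation. Since dist/ is compiled output, the wording belongs in src/analyzers/output-validator.ts (the path named in the source map), not in this file.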
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"output-validator.d.ts","sourceRoot":"","sources":["../../src/analyzers/output-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEnF;;;;;;;;;GASG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,QAAQ,CAAC,IAAI,sBAAsB;IAEnC;;OAEG;IACH,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,cAAc;IA4FnE;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAOxB;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAmEjC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiC7B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAyChC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAqD5B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAiD/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAkD3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA+C3B;;OAEG;IACH,OAAO,CAAC,YAAY;IAWpB;;OAEG;IACH,OAAO,CAAC,aAAa;CAetB;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,uBAAuB,CAE/D"}
|