@enactprotocol/shared 1.0.12

package/dist/security/verification-enforcer.js

@@ -0,0 +1,181 @@
+// src/security/verification-enforcer.ts - Mandatory signature verification enforcement
+import { verifyTool, VERIFICATION_POLICIES, } from "./sign";
+import logger from "../exec/logger";
+/**
+ * Enforce mandatory signature verification for tool execution
+ * This is the central function that should be called before ANY tool execution
+ */
+export async function enforceSignatureVerification(tool, options = {}) {
+    const toolName = tool.name || "unknown";
+    // Check if verification is explicitly skipped
+    if (options.skipVerification) {
+        logger.warn(`🚨 SECURITY WARNING: Signature verification skipped for tool: ${toolName}`);
+        logger.warn(`   This bypasses security measures and is NOT recommended for production use!`);
+        return {
+            allowed: true,
+            reason: `Verification skipped by request for tool: ${toolName}`,
+            verificationResult: {
+                isValid: false,
+                message: "Verification skipped",
+                validSignatures: 0,
+                totalSignatures: 0,
+                verifiedSigners: [],
+                errors: ["Signature verification was explicitly skipped"],
+            },
+        };
+    }
+    // Check if tool has any signatures
+    const hasSignatures = !!(tool.signatures && Object.keys(tool.signatures).length > 0) ||
+        !!tool.signature;
+    if (!hasSignatures) {
+        logger.warn(`⚠️  Tool has no signatures: ${toolName}`);
+        // Only allow unsigned tools if explicitly permitted (for development/testing)
+        if (options.allowUnsigned) {
+            logger.warn(`   Allowing unsigned tool execution due to allowUnsigned flag (DEV/TEST ONLY)`);
+            return {
+                allowed: true,
+                reason: `Unsigned tool allowed by explicit permission: ${toolName}`,
+                verificationResult: {
+                    isValid: false,
+                    message: "No signatures found, but execution allowed",
+                    validSignatures: 0,
+                    totalSignatures: 0,
+                    verifiedSigners: [],
+                    errors: [
+                        "Tool has no signatures but execution was explicitly allowed",
+                    ],
+                },
+            };
+        }
+        // Reject unsigned tools by default
+        return {
+            allowed: false,
+            reason: `Tool has no signatures and unsigned execution is not permitted: ${toolName}`,
+            error: {
+                message: `Tool "${toolName}" has no cryptographic signatures. For security, only signed tools can be executed.`,
+                code: "NO_SIGNATURES_FOUND",
+                details: {
+                    toolName,
+                    hasSignature: !!tool.signature,
+                    hasSignatures: !!tool.signatures,
+                    signatureCount: tool.signatures
+                        ? Object.keys(tool.signatures).length
+                        : 0,
+                },
+            },
+        };
+    }
+    // Perform signature verification
+    try {
+        logger.info(`🔐 Verifying signatures for tool: ${toolName}`);
+        // Determine verification policy
+        const policyKey = (options.verifyPolicy || "permissive").toUpperCase();
+        const policy = VERIFICATION_POLICIES[policyKey] || VERIFICATION_POLICIES.PERMISSIVE;
+        logger.info(`   Using verification policy: ${policyKey.toLowerCase()}`);
+        if (policy.minimumSignatures) {
+            logger.info(`   Minimum signatures required: ${policy.minimumSignatures}`);
+        }
+        if (policy.requireRoles) {
+            logger.info(`   Required roles: ${policy.requireRoles.join(", ")}`);
+        }
+        // Verify the tool
+        const verificationResult = await verifyTool(tool, policy);
+        if (verificationResult.isValid) {
+            logger.info(`✅ Signature verification passed for tool: ${toolName}`);
+            logger.info(`   Valid signatures: ${verificationResult.validSignatures}/${verificationResult.totalSignatures}`);
+            if (verificationResult.verifiedSigners.length > 0) {
+                logger.info(`   Verified signers: ${verificationResult.verifiedSigners
+                    .map((s) => `${s.signer}${s.role ? ` (${s.role})` : ""}`)
+                    .join(", ")}`);
+            }
+            return {
+                allowed: true,
+                reason: `Tool signature verification passed: ${verificationResult.message}`,
+                verificationResult,
+            };
+        }
+        else {
+            logger.error(`❌ Signature verification failed for tool: ${toolName}`);
+            logger.error(`   Policy: ${policyKey.toLowerCase()}`);
+            logger.error(`   Valid signatures: ${verificationResult.validSignatures}/${verificationResult.totalSignatures}`);
+            if (verificationResult.errors.length > 0) {
+                logger.error(`   Errors:`);
+                verificationResult.errors.forEach((error) => logger.error(`     - ${error}`));
+            }
+            return {
+                allowed: false,
+                reason: `Tool signature verification failed: ${verificationResult.message}`,
+                verificationResult,
+                error: {
+                    message: `Tool "${toolName}" failed signature verification. ${verificationResult.message}`,
+                    code: "SIGNATURE_VERIFICATION_FAILED",
+                    details: {
+                        toolName,
+                        policy: policyKey.toLowerCase(),
+                        validSignatures: verificationResult.validSignatures,
+                        totalSignatures: verificationResult.totalSignatures,
+                        errors: verificationResult.errors,
+                        verifiedSigners: verificationResult.verifiedSigners,
+                    },
+                },
+            };
+        }
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : "Unknown verification error";
+        logger.error(`💥 Signature verification error for tool: ${toolName} - ${errorMessage}`);
+        return {
+            allowed: false,
+            reason: `Signature verification error: ${errorMessage}`,
+            error: {
+                message: `Signature verification failed due to error: ${errorMessage}`,
+                code: "VERIFICATION_ERROR",
+                details: { toolName, originalError: error },
+            },
+        };
+    }
+}
+/**
+ * Create an execution result for verification failure
+ */
+export function createVerificationFailureResult(tool, verificationResult, executionId) {
+    return {
+        success: false,
+        error: verificationResult.error || {
+            message: verificationResult.reason,
+            code: "VERIFICATION_FAILED",
+        },
+        metadata: {
+            executionId,
+            toolName: tool.name || "unknown",
+            version: tool.version,
+            executedAt: new Date().toISOString(),
+            environment: "direct",
+            command: tool.command,
+        },
+    };
+}
+/**
+ * Log security audit information for tool execution
+ */
+export function logSecurityAudit(tool, verificationResult, executionAllowed, options) {
+    const auditLog = {
+        timestamp: new Date().toISOString(),
+        tool: tool.name || "unknown",
+        version: tool.version,
+        command: tool.command,
+        executionAllowed,
+        verificationSkipped: options.skipVerification || false,
+        verificationPolicy: options.verifyPolicy || "permissive",
+        verificationResult: verificationResult.verificationResult
+            ? {
+                isValid: verificationResult.verificationResult.isValid,
+                validSignatures: verificationResult.verificationResult.validSignatures,
+                totalSignatures: verificationResult.verificationResult.totalSignatures,
+                verifiedSigners: verificationResult.verificationResult.verifiedSigners,
+            }
+            : null,
+        errors: verificationResult.error ? [verificationResult.error.message] : [],
+    };
+    logger.info(`🔍 Security Audit Log:`, auditLog);
+}

package/dist/services/McpCoreService.d.ts

@@ -0,0 +1,102 @@
+import type { EnactTool, ExecutionResult } from "../types";
+export declare class McpCoreService {
+    private core;
+    constructor(options?: {
+        apiUrl?: string;
+        supabaseUrl?: string;
+        authToken?: string;
+    });
+    /**
+     * Set authentication token
+     */
+    setAuthToken(token: string): void;
+    /**
+     * Search for tools
+     */
+    searchTools(query: string, options?: {
+        limit?: number;
+        tags?: string[];
+        author?: string;
+    }): Promise<EnactTool[]>;
+    /**
+     * Get a specific tool by name
+     */
+    getToolInfo(name: string): Promise<EnactTool | null>;
+    /**
+     * Execute a tool by name
+     */
+    executeToolByName(name: string, inputs?: Record<string, any>, options?: {
+        timeout?: string;
+        verifyPolicy?: "permissive" | "enterprise" | "paranoid";
+        skipVerification?: boolean;
+        force?: boolean;
+        dryRun?: boolean;
+    }): Promise<ExecutionResult>;
+    /**
+     * Execute a tool from raw YAML definition
+     */
+    executeRawTool(toolYaml: string, inputs?: Record<string, any>, options?: {
+        timeout?: string;
+        skipVerification?: boolean;
+        force?: boolean;
+        dryRun?: boolean;
+    }): Promise<ExecutionResult>;
+    /**
+     * Verify a tool's signature
+     */
+    verifyTool(name: string, policy?: string): Promise<{
+        verified: boolean;
+        signatures: any[];
+        policy: string;
+        errors?: string[];
+    }>;
+    /**
+     * Check if a tool exists
+     */
+    toolExists(name: string): Promise<boolean>;
+    /**
+     * Get tools by tags
+     */
+    getToolsByTags(tags: string[], limit?: number): Promise<EnactTool[]>;
+    /**
+     * Get tools by author
+     */
+    getToolsByAuthor(author: string, limit?: number): Promise<EnactTool[]>;
+    /**
+     * Get all tools with filters
+     */
+    getTools(options?: {
+        limit?: number;
+        offset?: number;
+        tags?: string[];
+        author?: string;
+    }): Promise<EnactTool[]>;
+    /**
+     * Get authentication status
+     */
+    getAuthStatus(): Promise<{
+        authenticated: boolean;
+        user?: string;
+        server?: string;
+    }>;
+    /**
+     * Check if service is available (always true for core service)
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Get service path info (not applicable for core service)
+     */
+    getPathInfo(): Promise<{
+        detectedPath: string | null;
+        isAvailable: boolean;
+        version?: string;
+    }>;
+    /**
+     * Publish a tool (requires authentication)
+     */
+    publishTool(tool: EnactTool): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+}
+export declare const mcpCoreService: McpCoreService;

package/dist/services/McpCoreService.js

@@ -0,0 +1,120 @@
+// src/services/McpCoreService.ts - Direct core integration for MCP server
+import { EnactCore } from "../core/EnactCore";
+export class McpCoreService {
+    constructor(options) {
+        this.core = new EnactCore({
+            apiUrl: options?.apiUrl || "https://enact.tools",
+            supabaseUrl: options?.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co",
+            authToken: options?.authToken,
+        });
+    }
+    /**
+     * Set authentication token
+     */
+    setAuthToken(token) {
+        this.core.setAuthToken(token);
+    }
+    /**
+     * Search for tools
+     */
+    async searchTools(query, options) {
+        const searchOptions = {
+            query,
+            limit: options?.limit,
+            tags: options?.tags,
+            author: options?.author,
+        };
+        return await this.core.searchTools(searchOptions);
+    }
+    /**
+     * Get a specific tool by name
+     */
+    async getToolInfo(name) {
+        return await this.core.getToolByName(name);
+    }
+    /**
+     * Execute a tool by name
+     */
+    async executeToolByName(name, inputs = {}, options) {
+        const executeOptions = {
+            timeout: options?.timeout,
+            verifyPolicy: options?.verifyPolicy,
+            skipVerification: options?.skipVerification,
+            force: options?.force,
+            dryRun: options?.dryRun,
+        };
+        return await this.core.executeToolByName(name, inputs, executeOptions);
+    }
+    /**
+     * Execute a tool from raw YAML definition
+     */
+    async executeRawTool(toolYaml, inputs = {}, options) {
+        const executeOptions = {
+            timeout: options?.timeout,
+            skipVerification: options?.skipVerification,
+            force: options?.force,
+            dryRun: options?.dryRun,
+        };
+        return await this.core.executeRawTool(toolYaml, inputs, executeOptions);
+    }
+    /**
+     * Verify a tool's signature
+     */
+    async verifyTool(name, policy) {
+        return await this.core.verifyTool(name, policy);
+    }
+    /**
+     * Check if a tool exists
+     */
+    async toolExists(name) {
+        return await this.core.toolExists(name);
+    }
+    /**
+     * Get tools by tags
+     */
+    async getToolsByTags(tags, limit = 20) {
+        return await this.core.getToolsByTags(tags, limit);
+    }
+    /**
+     * Get tools by author
+     */
+    async getToolsByAuthor(author, limit = 20) {
+        return await this.core.getToolsByAuthor(author, limit);
+    }
+    /**
+     * Get all tools with filters
+     */
+    async getTools(options) {
+        return await this.core.getTools(options);
+    }
+    /**
+     * Get authentication status
+     */
+    async getAuthStatus() {
+        return await this.core.getAuthStatus();
+    }
+    /**
+     * Check if service is available (always true for core service)
+     */
+    async isAvailable() {
+        return true;
+    }
+    /**
+     * Get service path info (not applicable for core service)
+     */
+    async getPathInfo() {
+        return {
+            detectedPath: "core-library",
+            isAvailable: true,
+            version: "2.0.0-core",
+        };
+    }
+    /**
+     * Publish a tool (requires authentication)
+     */
+    async publishTool(tool) {
+        return await this.core.publishTool(tool);
+    }
+}
+// Create and export singleton instance
+export const mcpCoreService = new McpCoreService();

package/dist/services/index.d.ts

@@ -0,0 +1 @@
+export * from './McpCoreService';

package/dist/services/index.js

@@ -0,0 +1 @@
+export * from './McpCoreService';

package/dist/types.d.ts

@@ -0,0 +1,130 @@
+export interface EnactTool {
+    name: string;
+    description: string;
+    command: string;
+    timeout?: string;
+    tags?: string[];
+    license?: string;
+    outputSchema?: JSONSchemaDefinition;
+    enact?: string;
+    version?: string;
+    namespace?: string;
+    resources?: {
+        memory?: string;
+        gpu?: string;
+        disk?: string;
+    };
+    env?: Record<string, {
+        description: string;
+        source: string;
+        required: boolean;
+        default?: string;
+    }>;
+    inputSchema?: JSONSchemaDefinition;
+    doc?: string;
+    authors?: Array<{
+        name: string;
+        email?: string;
+        url?: string;
+    }>;
+    examples?: Array<{
+        input: Record<string, any>;
+        output?: any;
+        description?: string;
+    }>;
+    annotations?: {
+        title?: string;
+        readOnlyHint?: boolean;
+        destructiveHint?: boolean;
+        idempotentHint?: boolean;
+        openWorldHint?: boolean;
+    };
+    signature?: {
+        algorithm: string;
+        type: string;
+        signer: string;
+        created: string;
+        value: string;
+        role?: string;
+    };
+    signatures?: Record<string, {
+        algorithm: string;
+        type: string;
+        signer: string;
+        created: string;
+        value: string;
+        role?: string;
+    }>;
+    [key: string]: any;
+}
+export interface JSONSchemaDefinition {
+    type?: string | string[];
+    description?: string;
+    format?: string;
+    default?: any;
+    enum?: any[];
+    const?: any;
+    pattern?: string;
+    minLength?: number;
+    maxLength?: number;
+    minimum?: number;
+    maximum?: number;
+    exclusiveMinimum?: number;
+    exclusiveMaximum?: number;
+    multipleOf?: number;
+    items?: JSONSchemaDefinition | JSONSchemaDefinition[];
+    minItems?: number;
+    maxItems?: number;
+    uniqueItems?: boolean;
+    properties?: Record<string, JSONSchemaDefinition>;
+    required?: string[];
+    additionalProperties?: JSONSchemaDefinition | boolean;
+    allOf?: JSONSchemaDefinition[];
+    anyOf?: JSONSchemaDefinition[];
+    oneOf?: JSONSchemaDefinition[];
+    not?: JSONSchemaDefinition;
+    definitions?: Record<string, JSONSchemaDefinition>;
+    $ref?: string;
+    $id?: string;
+    $schema?: string;
+    [key: string]: any;
+}
+export interface ExecutionResult {
+    success: boolean;
+    output?: any;
+    error?: {
+        message: string;
+        code?: string;
+        details?: any;
+    };
+    metadata: {
+        executionId: string;
+        toolName: string;
+        version?: string;
+        executedAt: string;
+        environment: string;
+        timeout?: string;
+        command?: string;
+    };
+}
+export interface ExecutionEnvironment {
+    vars: Record<string, any>;
+    resources?: {
+        memory?: string;
+        gpu?: string;
+        disk?: string;
+        timeout?: string;
+    };
+    namespace?: string;
+}
+export declare abstract class ExecutionProvider {
+    abstract setup(tool: EnactTool): Promise<boolean>;
+    abstract execute(tool: EnactTool, inputs: Record<string, any>, environment: ExecutionEnvironment): Promise<ExecutionResult>;
+    abstract cleanup(): Promise<boolean>;
+    abstract resolveEnvironmentVariables(envConfig: Record<string, any>, namespace?: string): Promise<Record<string, any>>;
+    abstract executeCommand(command: string, inputs: Record<string, any>, environment: ExecutionEnvironment, timeout?: string): Promise<{
+        stdout: string;
+        stderr: string;
+        exitCode: number;
+    }>;
+}

package/dist/types.js

@@ -0,0 +1,3 @@
+// Updated execution provider interface
+export class ExecutionProvider {
+}

package/dist/utils/config.d.ts

@@ -0,0 +1,32 @@
+export interface EnactConfig {
+    defaultUrl?: string;
+    history?: string[];
+}
+/**
+ * Ensure config directory and file exist
+ */
+export declare function ensureConfig(): Promise<void>;
+/**
+ * Read the config file
+ */
+export declare function readConfig(): Promise<EnactConfig>;
+/**
+ * Write to the config file
+ */
+export declare function writeConfig(config: EnactConfig): Promise<void>;
+/**
+ * Add a file to the publish history
+ */
+export declare function addToHistory(filePath: string): Promise<void>;
+/**
+ * Get the publish history
+ */
+export declare function getHistory(): Promise<string[]>;
+/**
+ * Set the default publish URL
+ */
+export declare function setDefaultUrl(url: string): Promise<void>;
+/**
+ * Get the default publish URL
+ */
+export declare function getDefaultUrl(): Promise<string | undefined>;

package/dist/utils/config.js

@@ -0,0 +1,78 @@
+// src/utils/config.ts
+import { homedir } from "os";
+import { join } from "path";
+import { existsSync } from "fs";
+import { mkdir, readFile, writeFile } from "fs/promises";
+// Define config paths
+const CONFIG_DIR = join(homedir(), ".enact");
+const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+/**
+ * Ensure config directory and file exist
+ */
+export async function ensureConfig() {
+    if (!existsSync(CONFIG_DIR)) {
+        await mkdir(CONFIG_DIR, { recursive: true });
+    }
+    if (!existsSync(CONFIG_FILE)) {
+        await writeConfig({ history: [] });
+    }
+}
+/**
+ * Read the config file
+ */
+export async function readConfig() {
+    await ensureConfig();
+    try {
+        const data = await readFile(CONFIG_FILE, "utf8");
+        return JSON.parse(data);
+    }
+    catch (error) {
+        console.error("Failed to read config:", error.message);
+        return { history: [] };
+    }
+}
+/**
+ * Write to the config file
+ */
+export async function writeConfig(config) {
+    await ensureConfig();
+    await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+/**
+ * Add a file to the publish history
+ */
+export async function addToHistory(filePath) {
+    const config = await readConfig();
+    if (!config.history) {
+        config.history = [];
+    }
+    // Add to history if not already there
+    if (!config.history.includes(filePath)) {
+        config.history.unshift(filePath);
+        // Keep history to a reasonable size
+        config.history = config.history.slice(0, 10);
+        await writeConfig(config);
+    }
+}
+/**
+ * Get the publish history
+ */
+export async function getHistory() {
+    const config = await readConfig();
+    return config.history || [];
+}
+/**
+ * Set the default publish URL
+ */
+export async function setDefaultUrl(url) {
+    const config = await readConfig();
+    config.defaultUrl = url;
+    await writeConfig(config);
+}
+/**
+ * Get the default publish URL
+ */
+export async function getDefaultUrl() {
+    const config = await readConfig();
+    return config.defaultUrl;
+}