@guardion/guardion 0.2.0 → 0.4.0

package/dist/core/inventory.js

@@ -0,0 +1,69 @@
+// core/inventory — UNIVERSAL tool-inventory types + Guard submission. The
+// connector-specific local discovery (collectInventory) lives in each connector
+// (e.g. connectors/claude-code/src/collect.ts); this module only defines the
+// shared ScannedTool shape, the rug-pull pin, and the /v1/guard submit.
+import os from 'node:os';
+import path from 'node:path';
+import http from 'node:http';
+import https from 'node:https';
+import { createRequire } from 'node:module';
+import { fileURLToPath } from 'node:url';
+/** Attach prev_* fingerprints from the local pin (~/.guardion/fingerprints.json)
+ *  so the server can flag a changed tool as a rug-pull. Best-effort; never throws. */
+export function pinInventory(tools) {
+    try {
+        const requireCjs = createRequire(import.meta.url);
+        // fingerprint.cjs lives beside this module (core/); dist mirrors source.
+        const fpPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), 'fingerprint.cjs');
+        const { pinAndEnrich } = requireCjs(fpPath);
+        return pinAndEnrich(tools, path.join(os.homedir(), '.guardion', 'fingerprints.json'));
+    }
+    catch {
+        return tools;
+    }
+}
+/** POST the inventory to Guard API /v1/guard, tagged snapshot_source=plugin_scan. */
+export function submitInventory(opts) {
+    const { apiUrl, token, policy, application } = opts;
+    const tools = pinInventory(opts.tools); // attach rug-pull prev_* fingerprints
+    const body = JSON.stringify({
+        tools,
+        policy: policy || undefined,
+        application: application || 'claude-code',
+        log: true,
+        snapshot_source: 'plugin_scan',
+    });
+    return new Promise((resolve, reject) => {
+        let url;
+        try {
+            url = new URL('/v1/guard', apiUrl);
+        }
+        catch (e) {
+            return reject(e);
+        }
+        const transport = url.protocol === 'https:' ? https : http;
+        const req = transport.request({
+            hostname: url.hostname,
+            port: url.port,
+            path: url.pathname,
+            method: 'POST',
+            timeout: 8000,
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${token}`,
+                'Content-Length': Buffer.byteLength(body),
+            },
+        }, (res) => {
+            res.resume();
+            res.on('end', () => resolve({ status: res.statusCode ?? 0 }));
+        });
+        req.on('error', reject);
+        req.on('timeout', () => {
+            req.destroy();
+            reject(new Error('timeout'));
+        });
+        req.write(body);
+        req.end();
+    });
+}
+//# sourceMappingURL=inventory.js.map

package/dist/core/inventory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../core/inventory.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,gFAAgF;AAChF,6EAA6E;AAC7E,wEAAwE;AACxE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAqBzC;sFACsF;AACtF,MAAM,UAAU,YAAY,CAAC,KAAoB;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,yEAAyE;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC7F,MAAM,EAAE,YAAY,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAUD,qFAAqF;AACrF,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IACpD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAG,sCAAsC;IAChF,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;QAC1B,KAAK;QACL,MAAM,EAAE,MAAM,IAAI,SAAS;QAC3B,WAAW,EAAE,WAAW,IAAI,aAAa;QACzC,GAAG,EAAE,IAAI;QACT,eAAe,EAAE,aAAa;KAC/B,CAAC,CAAC;IAEH,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,MAAM,CAAC,CAAU,CAAC,CAAC;QAC5B,CAAC;QACD,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3D,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;YACE,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;aAC1C;SACF,EACD,CAAC,GAAG,EAAE,EAAE;YACN,GAAG,CAAC,MAAM,EAAE,CAAC;YACb,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../core/keychain.ts"],"names":[],"mappings":"AAaA,wBAAgB,QAAQ,IAAI,MAAM,CAiCjC;AAID,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAsB5C;AAED,wBAAgB,UAAU,IAAI,IAAI,CAwBjC"}

package/dist/{keychain.js → core/keychain.js}

@@ -1,6 +1,6 @@
 import { execFileSync } from 'node:child_process';
 import fs from 'node:fs';
-import { KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, TOKEN_FILE_PATH, SYSTEM_TOKEN_PATH } from './constants.js';
+import { KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, TOKEN_FILE_PATH, SYSTEM_TOKEN_PATH, } from './constants.js';
 const KEYCHAIN_TIMEOUT = 2000;
 // ── Get ───────────────────────────────────────────────────────────────────────
 export function getToken() {
@@ -25,14 +25,18 @@ export function getToken() {
         if (t)
             return t;
     }
-    catch { /* absent */ }
+    catch {
+        /* absent */
+    }
     // 5. User file fallback
     try {
         const t = fs.readFileSync(TOKEN_FILE_PATH, 'utf-8').trim();
         if (t)
             return t;
     }
-    catch { /* absent */ }
+    catch {
+        /* absent */
+    }
     return '';
 }
 // ── Set ───────────────────────────────────────────────────────────────────────
@@ -51,7 +55,10 @@ export function setToken(token) {
             import('node:path').then(({ default: p }) => {
                 const dir = p.join(o.homedir(), '.guardion');
                 f.mkdirSync(dir, { recursive: true });
-                f.writeFileSync(TOKEN_FILE_PATH, token, { encoding: 'utf-8', mode: 0o600 });
+                f.writeFileSync(TOKEN_FILE_PATH, token, {
+                    encoding: 'utf-8',
+                    mode: 0o600,
+                });
             });
         });
     });
@@ -60,21 +67,40 @@ export function clearToken() {
     if (process.platform === 'darwin') {
         try {
             execFileSync('security', [
-                'delete-generic-password', '-s', KEYCHAIN_SERVICE, '-a', KEYCHAIN_ACCOUNT,
+                'delete-generic-password',
+                '-s',
+                KEYCHAIN_SERVICE,
+                '-a',
+                KEYCHAIN_ACCOUNT,
             ], { timeout: KEYCHAIN_TIMEOUT, stdio: 'pipe' });
         }
-        catch { /* not found */ }
+        catch {
+            /* not found */
+        }
         return;
     }
     try {
         fs.unlinkSync(TOKEN_FILE_PATH);
     }
-    catch { /* absent */ }
+    catch {
+        /* absent */
+    }
 }
 // ── macOS Keychain ────────────────────────────────────────────────────────────
 function keychainGet() {
     try {
-        return execFileSync('security', ['find-generic-password', '-s', KEYCHAIN_SERVICE, '-a', KEYCHAIN_ACCOUNT, '-w'], { timeout: KEYCHAIN_TIMEOUT, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+        return execFileSync('security', [
+            'find-generic-password',
+            '-s',
+            KEYCHAIN_SERVICE,
+            '-a',
+            KEYCHAIN_ACCOUNT,
+            '-w',
+        ], {
+            timeout: KEYCHAIN_TIMEOUT,
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
     }
     catch {
         return '';
@@ -84,22 +110,33 @@ function keychainSet(token) {
     // Delete existing entry first (add fails if it already exists)
     try {
         execFileSync('security', [
-            'delete-generic-password', '-s', KEYCHAIN_SERVICE, '-a', KEYCHAIN_ACCOUNT,
+            'delete-generic-password',
+            '-s',
+            KEYCHAIN_SERVICE,
+            '-a',
+            KEYCHAIN_ACCOUNT,
         ], { timeout: KEYCHAIN_TIMEOUT, stdio: 'pipe' });
     }
-    catch { /* not found — ok */ }
+    catch {
+        /* not found — ok */
+    }
     execFileSync('security', [
         'add-generic-password',
-        '-s', KEYCHAIN_SERVICE,
-        '-a', KEYCHAIN_ACCOUNT,
-        '-w', token,
+        '-s',
+        KEYCHAIN_SERVICE,
+        '-a',
+        KEYCHAIN_ACCOUNT,
+        '-w',
+        token,
     ], { timeout: KEYCHAIN_TIMEOUT, stdio: 'pipe' });
 }
 // ── Windows Credential Manager ────────────────────────────────────────────────
 function windowsCredGet() {
     try {
         const out = execFileSync('cmdkey', ['/list:guardion'], {
-            timeout: KEYCHAIN_TIMEOUT, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+            timeout: KEYCHAIN_TIMEOUT,
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
         });
         // Parse token from output (stored in generic credential)
         const match = out.match(/Password:\s*(.+)/);
@@ -111,7 +148,8 @@ function windowsCredGet() {
 }
 function windowsCredSet(token) {
     execFileSync('cmdkey', [`/add:guardion`, `/user:token`, `/pass:${token}`], {
-        timeout: KEYCHAIN_TIMEOUT, stdio: 'pipe',
+        timeout: KEYCHAIN_TIMEOUT,
+        stdio: 'pipe',
     });
 }
 //# sourceMappingURL=keychain.js.map

package/dist/core/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../core/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAExB,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAE9B,iFAAiF;AAEjF,MAAM,UAAU,QAAQ;IACtB,4BAA4B;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAEzE,oBAAoB;IACpB,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,yCAAyC;IACzC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,cAAc,EAAE,CAAC;QAC3B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,0DAA0D;IAC1D,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,iFAAiF;AAEjF,MAAM,UAAU,QAAQ,CAAC,KAAa;IACpC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,WAAW,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO;IACT,CAAC;IACD,oCAAoC;IACpC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;QACxC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;YACxC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;gBAC1C,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;gBAC7C,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBACtC,CAAC,CAAC,aAAa,CAAC,eAAe,EAAE,KAAK,EAAE;oBACtC,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,KAAK;iBACZ,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,YAAY,CACV,UAAU,EACV;gBACE,yBAAyB;gBACzB,IAAI;gBACJ,gBAAgB;gBAChB,IAAI;gBACJ,gBAAgB;aACjB,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,OAAO,YAAY,CACjB,UAAU,EACV;YACE,uBAAuB;YACvB,IAAI;YACJ,gBAAgB;YAChB,IAAI;YACJ,gBAAgB;YAChB,IAAI;SACL,EACD;YACE,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CACF,CAAC,IAAI,EAAE,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,+DAA+D;IAC/D,IAAI,CAAC;QACH,YAAY,CACV,UAAU,EACV;YACE,yBAAyB;YACzB,IAAI;YACJ,gBAAgB;YAChB,IAAI;YACJ,gBAAgB;SACjB,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,YAAY,CACV,UAAU,EACV;QACE,sBAAsB;QACtB,IAAI;QACJ,gBAAgB;QAChB,IAAI;QACJ,gBAAgB;QAChB,IAAI;QACJ,KAAK;KACN,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC,gBAAgB,CAAC,EAAE;YACrD,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,yDAAyD;QACzD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,YAAY,CAAC,QAAQ,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,SAAS,KAAK,EAAE,CAAC,EAAE;QACzE,OAAO,EAAE,gBAAgB;QACzB,KAAK,EAAE,MAAM;KACd,CAAC,CAAC;AACL,CAAC"}

package/dist/core/mcp/guard-client.cjs

@@ -0,0 +1,86 @@
+'use strict';
+/**
+ * Guard control-plane client for the interposer. We delegate ALL detection to
+ * Guard (POST /v1/guard) — never re-implement it here. This module only does the
+ * HTTP round-trip and interprets the response (block / sanitize / reason).
+ *
+ * Decision mapping (AARM → MCP):
+ *   res.deny === true              → BLOCK   (JSON-RPC error)
+ *   res.correction / res.redacted  → SANITIZE (replace content with redacted text)
+ *   else                           → ALLOW   (forward)
+ * Unreachable Guard (null) → fail-open unless failClosed.
+ */
+const http = require('http');
+const https = require('https');
+
+function createGuardClient(opts) {
+  const { apiUrl, token, policy, application, timeout, failClosed } = opts;
+
+  // `message` is a single message object OR an ordered array of messages (one per
+  // redactable leaf). Correction choices come back 1:1 in the same order.
+  function evaluate(message, tools) {
+    return new Promise((resolve) => {
+      if (!token) return resolve(null);
+      let url; try { url = new URL('/v1/guard', apiUrl); } catch { return resolve(null); }
+      const tr = url.protocol === 'https:' ? https : http;
+      const payload = { application: application || 'mcp-interpose', policy, log: true };
+      if (message) payload.messages = Array.isArray(message) ? message : [message];
+      if (tools) payload.tools = tools;
+      const body = JSON.stringify(payload);
+      const req = tr.request({
+        hostname: url.hostname, port: url.port || (url.protocol === 'https:' ? 443 : 80),
+        path: url.pathname, method: 'POST', timeout: timeout || 3000,
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${token}`,
+          'Content-Length': Buffer.byteLength(body),
+        },
+      }, (r) => {
+        let d = ''; r.setEncoding('utf8');
+        r.on('data', (c) => { d += c; });
+        r.on('end', () => { try { resolve(JSON.parse(d)); } catch { resolve(null); } });
+      });
+      req.on('error', () => resolve(null));
+      req.on('timeout', () => { req.destroy(); resolve(null); });
+      req.write(body); req.end();
+    });
+  }
+
+  // null (unreachable) ⇒ fail-open unless failClosed. res.deny ⇒ block.
+  function shouldBlock(res) {
+    if (!res) return !!failClosed;
+    return res.deny === true;
+  }
+
+  function reasonOf(res) {
+    try {
+      const b = res && Array.isArray(res.breakdown) ? res.breakdown[0] : null;
+      const l = b && (b.top_label || b.label);
+      return l ? `Guardion: ${l}` : 'Guardion governance';
+    } catch { return 'Guardion governance'; }
+  }
+
+  // Sanitized text from a correction (the redacted message content), or null.
+  function correctionText(res) {
+    try {
+      if (!res) return null;
+      const ch = res.correction && Array.isArray(res.correction.choices) ? res.correction.choices : null;
+      if (ch && ch.length && typeof ch[0].content === 'string') return ch[0].content;
+    } catch { /* ignore */ }
+    return null;
+  }
+
+  // Redacted content per submitted message, in order (choices are 1:1 with the
+  // messages sent). Entry is null when that choice carried no string content.
+  function corrections(res) {
+    try {
+      const ch = res && res.correction && Array.isArray(res.correction.choices) ? res.correction.choices : null;
+      if (!ch) return [];
+      return ch.map((c) => (c && typeof c.content === 'string' ? c.content : null));
+    } catch { return []; }
+  }
+
+  return { evaluate, shouldBlock, reasonOf, correctionText, corrections };
+}
+
+module.exports = { createGuardClient };

package/dist/core/mcp/interceptor.cjs

@@ -0,0 +1,238 @@
+'use strict';
+/**
+ * Transport-agnostic interception brain (Layer 2, AGT MCP-Security-Gateway-1.0).
+ *
+ * Given injected `sendClient` / `sendServer` and a Guard client, it returns the
+ * two relay handlers a transport drives:
+ *   onClient(msg)  — host → server  (requests we scan as INPUT)
+ *   onServer(msg)  — server → host  (results we scan as OUTPUT; server-initiated
+ *                    sampling requests we scan as INPUT; tools/list integrity)
+ *
+ * It is the same logic for stdio / http / sse — only the I/O differs (see
+ * transport/*). Detection is delegated to Guard; this file only decides
+ * block / sanitize / forward and tracks request↔response pairing.
+ *
+ * Improvements over the fire-and-forget v1:
+ *   #1 broaden scanned methods: resources/read, prompts/get, sampling/createMessage
+ *   #5 tool-list integrity AT CONNECT: local rug-pull (fingerprint drift) strips
+ *      the changed tools; a Guard deny on the toolset refuses the poisoned server
+ *      (synchronous when enforcing) — no longer fire-and-forget
+ *   #6 in-proxy redaction: a Guard correction rewrites the result content (SANITIZE)
+ */
+const J = require('./jsonrpc.cjs');
+
+// host → server requests whose ARGUMENTS we scan as tool input.
+const INPUT_REQUESTS = new Set(['tools/call', 'resources/read', 'prompts/get']);
+// server → host requests we scan as input (the server feeding the host LLM).
+const SERVER_INPUT_REQUESTS = new Set(['sampling/createMessage']);
+// results (matched via the pending request) whose payload we scan as tool output.
+const OUTPUT_METHODS = new Set(['tools/call', 'resources/read', 'prompts/get']);
+
+function _inputMessage(serverName, method, params) {
+  const ns = serverName ? serverName + '/' : '';
+  if (method === 'tools/call') {
+    const name = (params && params.name) || '';
+    return { role: 'tool_input', name: ns + name,
+             content: `${name} ${JSON.stringify((params && params.arguments) || {})}` };
+  }
+  if (method === 'resources/read') {
+    const uri = (params && params.uri) || '';
+    return { role: 'tool_input', name: ns + 'resources/read', content: uri };
+  }
+  if (method === 'prompts/get') {
+    const name = (params && params.name) || '';
+    return { role: 'tool_input', name: ns + 'prompts/get:' + name,
+             content: `${name} ${JSON.stringify((params && params.arguments) || {})}` };
+  }
+  return null;
+}
+
+function createInterceptor(opts) {
+  const {
+    guard, enforce, dlp = false, integrity = true, redact = true,
+    fingerprint, pinPath, serverName, log = () => {},
+    sendClient, sendServer,
+  } = opts;
+
+  // Synchronous scan path (await Guard before forwarding) runs for hard
+  // enforcement OR standalone DLP. Observe-only stays fire-and-forget. Blocking
+  // is gated by `enforce`; anonymization by `redact` — so `dlp` = anonymize,
+  // never block.
+  const sync = enforce || dlp;
+
+  const pending = new Map();   // request id → { method, toolName }
+
+  // ── #5: tool-list integrity ────────────────────────────────────────────────
+  // Local rug-pull via the fingerprint pin (deterministic, no Guard round-trip):
+  // a tool whose description/schema changed from the pinned baseline is drift.
+  function driftedNames(tools) {
+    const out = new Set();
+    try {
+      let defs = tools.map((t) => ({
+        name: t.name, description: t.description || '', server: serverName || 'mcp',
+        source: 'mcp', snapshot_source: 'mcp_interpose', parameters: J.paramsToList(t.inputSchema),
+      }));
+      if (fingerprint && fingerprint.pinAndEnrich) {
+        defs = fingerprint.pinAndEnrich(defs, pinPath);   // attaches prev_* + updates pin
+        for (const d of defs) {
+          const dh = fingerprint.descriptionHash(d.description);
+          const sh = fingerprint.schemaHash(d.parameters);
+          if ((d.prev_description_hash && d.prev_description_hash !== dh)
+            || (d.prev_schema_hash && d.prev_schema_hash !== sh)) {
+            out.add(d.name);
+          }
+        }
+      }
+    } catch { /* best-effort */ }
+    return out;
+  }
+
+  function toolDefs(tools) {
+    let defs = tools.map((t) => ({
+      name: t.name, description: t.description || '', server: serverName || 'mcp',
+      source: 'mcp', snapshot_source: 'mcp_interpose', parameters: J.paramsToList(t.inputSchema),
+    }));
+    try { if (fingerprint && fingerprint.pinAndEnrich) defs = fingerprint.pinAndEnrich(defs, pinPath); } catch { /* pin best-effort */ }
+    return defs;
+  }
+
+  async function handleToolsList(msg) {
+    const tools = msg.result.tools;
+    const drifted = (enforce && integrity) ? driftedNames(tools) : new Set();
+
+    if (!enforce) {                              // observe-only: fire-and-forget + pin
+      try { guard.evaluate(null, toolDefs(tools)); } catch { /* ignore */ }
+      return sendClient(msg);
+    }
+
+    // Synchronous poisoning verdict on the toolset (connect-time). A deny means
+    // the server is poisoned → refuse to expose ANY of its tools.
+    let res = null;
+    if (integrity) { try { res = await guard.evaluate(null, toolDefs(tools)); } catch { res = null; } }
+    if (integrity && guard.shouldBlock(res)) {
+      log(`tools/list blocked (poisoned server): ${guard.reasonOf(res)}`);
+      return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+    }
+
+    if (drifted.size) {                          // rug-pull: strip changed tools
+      const safe = tools.filter((t) => !drifted.has(t.name));
+      log(`tools/list rug-pull: stripped ${[...drifted].join(', ')}`);
+      msg.result.tools = safe;
+    }
+    return sendClient(msg);
+  }
+
+  // ── #6: output redaction / block (leaf-level, structure-preserving) ──────────
+  async function handleResult(msg, method, toolName) {
+    const name = toolName || method;
+    if (!sync) {                                 // observe-only: fire-and-forget
+      try { guard.evaluate({ role: J.ROLES.output, name, content: J.resultText(msg.result) }); } catch { /* ignore */ }
+      return sendClient(msg);
+    }
+
+    // Scan each redactable string leaf; fall back to a flat message for shapes
+    // with no text leaves (e.g. image-only) so a deny is still enforced.
+    const leaves = J.collectOutputLeaves(method, msg.result);
+    const messages = leaves.length
+      ? leaves.map((l) => ({ role: J.ROLES.output, name, content: l.text }))
+      : { role: J.ROLES.output, name, content: J.resultText(msg.result) };
+    const res = await guard.evaluate(messages);
+
+    if (enforce && guard.shouldBlock(res)) {
+      log(`${method} result blocked: ${guard.reasonOf(res)}`);
+      return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+    }
+    if (redact && res && res.redacted && leaves.length) {
+      const corr = guard.corrections(res);
+      const applied = leaves.map((l, i) => ({ path: l.path, text: corr[i] != null ? corr[i] : l.text }));
+      J.applyLeaves(msg.result, applied);        // write back in place; structure preserved
+      log(`${method} result sanitized (redaction)`);
+    }
+    return sendClient(msg);
+  }
+
+  // Input scan messages: one per redactable argument leaf (for redaction
+  // write-back) PLUS a trailing identity envelope (tool/prompt name) so
+  // tool-name threat detection and fail-closed still fire when arguments are
+  // empty. Corrections map 1:1 to `leaves` by index; the envelope is last and
+  // ignored for redaction.
+  function _inputScan(method, params) {
+    const toolName = (params && params.name) || '';
+    const scanName = serverName ? serverName + '/' + toolName : toolName;
+    const leaves = J.collectInputLeaves(method, params);
+    const messages = leaves.map((l) => ({ role: J.ROLES.input, name: scanName, content: l.text }));
+    if (method === 'tools/call' && toolName) {
+      messages.push({ role: J.ROLES.input, name: scanName, content: toolName });
+    } else if (method === 'prompts/get') {
+      const pn = serverName ? serverName + '/prompts/get' : 'prompts/get';
+      messages.push({ role: J.ROLES.input, name: pn, content: toolName || 'prompts/get' });
+    }
+    return { leaves, messages };
+  }
+
+  // ── host → server ──────────────────────────────────────────────────────────
+  async function onClient(msg) {
+    if (J.isRequest(msg) && INPUT_REQUESTS.has(msg.method)) {
+      const toolName = (msg.params && msg.params.name) || '';
+      pending.set(msg.id, { method: msg.method, toolName });
+      if (sync) {
+        const { leaves, messages } = _inputScan(msg.method, msg.params);
+        if (messages.length) {
+          const res = await guard.evaluate(messages);
+          if (enforce && guard.shouldBlock(res)) {
+            pending.delete(msg.id);
+            log(`${msg.method} blocked (input): ${guard.reasonOf(res)}`);
+            return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+          }
+          if (redact && res && res.redacted && leaves.length) {
+            const corr = guard.corrections(res);
+            const applied = leaves.map((l, i) => ({ path: l.path, text: corr[i] != null ? corr[i] : l.text }));
+            J.applyLeaves(msg.params, applied);    // anonymize args in place before forwarding
+            log(`${msg.method} input anonymized (redaction)`);
+          }
+        }
+      } else {
+        const message = _inputMessage(serverName, msg.method, msg.params);
+        if (message) { try { guard.evaluate(message); } catch { /* observe-only */ } }
+      }
+      return sendServer(msg);
+    }
+    if (J.isRequest(msg)) pending.set(msg.id, { method: msg.method });
+    return sendServer(msg);
+  }
+
+  // ── server → host ────────────────────────────────────────────────────────────
+  async function onServer(msg) {
+    // server-initiated request (sampling/createMessage): scan what the server is
+    // feeding into the host LLM; a deny is returned to the SERVER (it asked).
+    if (J.isRequest(msg) && SERVER_INPUT_REQUESTS.has(msg.method)) {
+      const content = J.samplingText(msg.params);
+      const message = { role: J.ROLES.input, name: (serverName ? serverName + '/' : '') + msg.method, content };
+      if (enforce) {
+        const res = await guard.evaluate(message);
+        if (guard.shouldBlock(res)) {
+          log(`${msg.method} blocked (server sampling): ${guard.reasonOf(res)}`);
+          return sendServer(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+        }
+      } else {
+        try { guard.evaluate(message); } catch { /* observe-only */ }
+      }
+      return sendClient(msg);
+    }
+
+    const info = J.isResponse(msg) ? pending.get(msg.id) : null;
+    if (info) pending.delete(msg.id);
+
+    if (info && info.method === 'tools/list' && msg.result && Array.isArray(msg.result.tools)) {
+      return handleToolsList(msg);
+    }
+    if (info && OUTPUT_METHODS.has(info.method) && msg.result) {
+      return handleResult(msg, info.method, info.toolName);
+    }
+    return sendClient(msg);
+  }
+
+  return { onClient, onServer };
+}
+
+module.exports = { createInterceptor, INPUT_REQUESTS, SERVER_INPUT_REQUESTS, OUTPUT_METHODS };