@guardion/guardion 0.3.0 → 0.4.0

package/dist/core/inventory.js

@@ -0,0 +1,69 @@
+// core/inventory — UNIVERSAL tool-inventory types + Guard submission. The
+// connector-specific local discovery (collectInventory) lives in each connector
+// (e.g. connectors/claude-code/src/collect.ts); this module only defines the
+// shared ScannedTool shape, the rug-pull pin, and the /v1/guard submit.
+import os from 'node:os';
+import path from 'node:path';
+import http from 'node:http';
+import https from 'node:https';
+import { createRequire } from 'node:module';
+import { fileURLToPath } from 'node:url';
+/** Attach prev_* fingerprints from the local pin (~/.guardion/fingerprints.json)
+ *  so the server can flag a changed tool as a rug-pull. Best-effort; never throws. */
+export function pinInventory(tools) {
+    try {
+        const requireCjs = createRequire(import.meta.url);
+        // fingerprint.cjs lives beside this module (core/); dist mirrors source.
+        const fpPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), 'fingerprint.cjs');
+        const { pinAndEnrich } = requireCjs(fpPath);
+        return pinAndEnrich(tools, path.join(os.homedir(), '.guardion', 'fingerprints.json'));
+    }
+    catch {
+        return tools;
+    }
+}
+/** POST the inventory to Guard API /v1/guard, tagged snapshot_source=plugin_scan. */
+export function submitInventory(opts) {
+    const { apiUrl, token, policy, application } = opts;
+    const tools = pinInventory(opts.tools); // attach rug-pull prev_* fingerprints
+    const body = JSON.stringify({
+        tools,
+        policy: policy || undefined,
+        application: application || 'claude-code',
+        log: true,
+        snapshot_source: 'plugin_scan',
+    });
+    return new Promise((resolve, reject) => {
+        let url;
+        try {
+            url = new URL('/v1/guard', apiUrl);
+        }
+        catch (e) {
+            return reject(e);
+        }
+        const transport = url.protocol === 'https:' ? https : http;
+        const req = transport.request({
+            hostname: url.hostname,
+            port: url.port,
+            path: url.pathname,
+            method: 'POST',
+            timeout: 8000,
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${token}`,
+                'Content-Length': Buffer.byteLength(body),
+            },
+        }, (res) => {
+            res.resume();
+            res.on('end', () => resolve({ status: res.statusCode ?? 0 }));
+        });
+        req.on('error', reject);
+        req.on('timeout', () => {
+            req.destroy();
+            reject(new Error('timeout'));
+        });
+        req.write(body);
+        req.end();
+    });
+}
+//# sourceMappingURL=inventory.js.map

package/dist/core/inventory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../core/inventory.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,gFAAgF;AAChF,6EAA6E;AAC7E,wEAAwE;AACxE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAqBzC;sFACsF;AACtF,MAAM,UAAU,YAAY,CAAC,KAAoB;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,yEAAyE;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC7F,MAAM,EAAE,YAAY,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACxF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAUD,qFAAqF;AACrF,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IACpD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAG,sCAAsC;IAChF,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;QAC1B,KAAK;QACL,MAAM,EAAE,MAAM,IAAI,SAAS;QAC3B,WAAW,EAAE,WAAW,IAAI,aAAa;QACzC,GAAG,EAAE,IAAI;QACT,eAAe,EAAE,aAAa;KAC/B,CAAC,CAAC;IAEH,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,MAAM,CAAC,CAAU,CAAC,CAAC;QAC5B,CAAC;QACD,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3D,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;YACE,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;aAC1C;SACF,EACD,CAAC,GAAG,EAAE,EAAE;YACN,GAAG,CAAC,MAAM,EAAE,CAAC;YACb,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../core/keychain.ts"],"names":[],"mappings":"AAaA,wBAAgB,QAAQ,IAAI,MAAM,CAiCjC;AAID,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAsB5C;AAED,wBAAgB,UAAU,IAAI,IAAI,CAwBjC"}

package/dist/core/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../core/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAExB,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAE9B,iFAAiF;AAEjF,MAAM,UAAU,QAAQ;IACtB,4BAA4B;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAEzE,oBAAoB;IACpB,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;QACxB,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,yCAAyC;IACzC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,cAAc,EAAE,CAAC;QAC3B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAED,0DAA0D;IAC1D,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7D,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,iFAAiF;AAEjF,MAAM,UAAU,QAAQ,CAAC,KAAa;IACpC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,WAAW,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO;IACT,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO;IACT,CAAC;IACD,oCAAoC;IACpC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;QACxC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;YACxC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE;gBAC1C,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;gBAC7C,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBACtC,CAAC,CAAC,aAAa,CAAC,eAAe,EAAE,KAAK,EAAE;oBACtC,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,KAAK;iBACZ,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,YAAY,CACV,UAAU,EACV;gBACE,yBAAyB;gBACzB,IAAI;gBACJ,gBAAgB;gBAChB,IAAI;gBACJ,gBAAgB;aACjB,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,OAAO,YAAY,CACjB,UAAU,EACV;YACE,uBAAuB;YACvB,IAAI;YACJ,gBAAgB;YAChB,IAAI;YACJ,gBAAgB;YAChB,IAAI;SACL,EACD;YACE,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CACF,CAAC,IAAI,EAAE,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,+DAA+D;IAC/D,IAAI,CAAC;QACH,YAAY,CACV,UAAU,EACV;YACE,yBAAyB;YACzB,IAAI;YACJ,gBAAgB;YAChB,IAAI;YACJ,gBAAgB;SACjB,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,YAAY,CACV,UAAU,EACV;QACE,sBAAsB;QACtB,IAAI;QACJ,gBAAgB;QAChB,IAAI;QACJ,gBAAgB;QAChB,IAAI;QACJ,KAAK;KACN,EACD,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,CAC7C,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC,gBAAgB,CAAC,EAAE;YACrD,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,yDAAyD;QACzD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,YAAY,CAAC,QAAQ,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,SAAS,KAAK,EAAE,CAAC,EAAE;QACzE,OAAO,EAAE,gBAAgB;QACzB,KAAK,EAAE,MAAM;KACd,CAAC,CAAC;AACL,CAAC"}

package/dist/core/mcp/guard-client.cjs

@@ -0,0 +1,86 @@
+'use strict';
+/**
+ * Guard control-plane client for the interposer. We delegate ALL detection to
+ * Guard (POST /v1/guard) — never re-implement it here. This module only does the
+ * HTTP round-trip and interprets the response (block / sanitize / reason).
+ *
+ * Decision mapping (AARM → MCP):
+ *   res.deny === true              → BLOCK   (JSON-RPC error)
+ *   res.correction / res.redacted  → SANITIZE (replace content with redacted text)
+ *   else                           → ALLOW   (forward)
+ * Unreachable Guard (null) → fail-open unless failClosed.
+ */
+const http = require('http');
+const https = require('https');
+
+function createGuardClient(opts) {
+  const { apiUrl, token, policy, application, timeout, failClosed } = opts;
+
+  // `message` is a single message object OR an ordered array of messages (one per
+  // redactable leaf). Correction choices come back 1:1 in the same order.
+  function evaluate(message, tools) {
+    return new Promise((resolve) => {
+      if (!token) return resolve(null);
+      let url; try { url = new URL('/v1/guard', apiUrl); } catch { return resolve(null); }
+      const tr = url.protocol === 'https:' ? https : http;
+      const payload = { application: application || 'mcp-interpose', policy, log: true };
+      if (message) payload.messages = Array.isArray(message) ? message : [message];
+      if (tools) payload.tools = tools;
+      const body = JSON.stringify(payload);
+      const req = tr.request({
+        hostname: url.hostname, port: url.port || (url.protocol === 'https:' ? 443 : 80),
+        path: url.pathname, method: 'POST', timeout: timeout || 3000,
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${token}`,
+          'Content-Length': Buffer.byteLength(body),
+        },
+      }, (r) => {
+        let d = ''; r.setEncoding('utf8');
+        r.on('data', (c) => { d += c; });
+        r.on('end', () => { try { resolve(JSON.parse(d)); } catch { resolve(null); } });
+      });
+      req.on('error', () => resolve(null));
+      req.on('timeout', () => { req.destroy(); resolve(null); });
+      req.write(body); req.end();
+    });
+  }
+
+  // null (unreachable) ⇒ fail-open unless failClosed. res.deny ⇒ block.
+  function shouldBlock(res) {
+    if (!res) return !!failClosed;
+    return res.deny === true;
+  }
+
+  function reasonOf(res) {
+    try {
+      const b = res && Array.isArray(res.breakdown) ? res.breakdown[0] : null;
+      const l = b && (b.top_label || b.label);
+      return l ? `Guardion: ${l}` : 'Guardion governance';
+    } catch { return 'Guardion governance'; }
+  }
+
+  // Sanitized text from a correction (the redacted message content), or null.
+  function correctionText(res) {
+    try {
+      if (!res) return null;
+      const ch = res.correction && Array.isArray(res.correction.choices) ? res.correction.choices : null;
+      if (ch && ch.length && typeof ch[0].content === 'string') return ch[0].content;
+    } catch { /* ignore */ }
+    return null;
+  }
+
+  // Redacted content per submitted message, in order (choices are 1:1 with the
+  // messages sent). Entry is null when that choice carried no string content.
+  function corrections(res) {
+    try {
+      const ch = res && res.correction && Array.isArray(res.correction.choices) ? res.correction.choices : null;
+      if (!ch) return [];
+      return ch.map((c) => (c && typeof c.content === 'string' ? c.content : null));
+    } catch { return []; }
+  }
+
+  return { evaluate, shouldBlock, reasonOf, correctionText, corrections };
+}
+
+module.exports = { createGuardClient };

package/dist/core/mcp/interceptor.cjs

@@ -0,0 +1,238 @@
+'use strict';
+/**
+ * Transport-agnostic interception brain (Layer 2, AGT MCP-Security-Gateway-1.0).
+ *
+ * Given injected `sendClient` / `sendServer` and a Guard client, it returns the
+ * two relay handlers a transport drives:
+ *   onClient(msg)  — host → server  (requests we scan as INPUT)
+ *   onServer(msg)  — server → host  (results we scan as OUTPUT; server-initiated
+ *                    sampling requests we scan as INPUT; tools/list integrity)
+ *
+ * It is the same logic for stdio / http / sse — only the I/O differs (see
+ * transport/*). Detection is delegated to Guard; this file only decides
+ * block / sanitize / forward and tracks request↔response pairing.
+ *
+ * Improvements over the fire-and-forget v1:
+ *   #1 broaden scanned methods: resources/read, prompts/get, sampling/createMessage
+ *   #5 tool-list integrity AT CONNECT: local rug-pull (fingerprint drift) strips
+ *      the changed tools; a Guard deny on the toolset refuses the poisoned server
+ *      (synchronous when enforcing) — no longer fire-and-forget
+ *   #6 in-proxy redaction: a Guard correction rewrites the result content (SANITIZE)
+ */
+const J = require('./jsonrpc.cjs');
+
+// host → server requests whose ARGUMENTS we scan as tool input.
+const INPUT_REQUESTS = new Set(['tools/call', 'resources/read', 'prompts/get']);
+// server → host requests we scan as input (the server feeding the host LLM).
+const SERVER_INPUT_REQUESTS = new Set(['sampling/createMessage']);
+// results (matched via the pending request) whose payload we scan as tool output.
+const OUTPUT_METHODS = new Set(['tools/call', 'resources/read', 'prompts/get']);
+
+function _inputMessage(serverName, method, params) {
+  const ns = serverName ? serverName + '/' : '';
+  if (method === 'tools/call') {
+    const name = (params && params.name) || '';
+    return { role: 'tool_input', name: ns + name,
+             content: `${name} ${JSON.stringify((params && params.arguments) || {})}` };
+  }
+  if (method === 'resources/read') {
+    const uri = (params && params.uri) || '';
+    return { role: 'tool_input', name: ns + 'resources/read', content: uri };
+  }
+  if (method === 'prompts/get') {
+    const name = (params && params.name) || '';
+    return { role: 'tool_input', name: ns + 'prompts/get:' + name,
+             content: `${name} ${JSON.stringify((params && params.arguments) || {})}` };
+  }
+  return null;
+}
+
+function createInterceptor(opts) {
+  const {
+    guard, enforce, dlp = false, integrity = true, redact = true,
+    fingerprint, pinPath, serverName, log = () => {},
+    sendClient, sendServer,
+  } = opts;
+
+  // Synchronous scan path (await Guard before forwarding) runs for hard
+  // enforcement OR standalone DLP. Observe-only stays fire-and-forget. Blocking
+  // is gated by `enforce`; anonymization by `redact` — so `dlp` = anonymize,
+  // never block.
+  const sync = enforce || dlp;
+
+  const pending = new Map();   // request id → { method, toolName }
+
+  // ── #5: tool-list integrity ────────────────────────────────────────────────
+  // Local rug-pull via the fingerprint pin (deterministic, no Guard round-trip):
+  // a tool whose description/schema changed from the pinned baseline is drift.
+  function driftedNames(tools) {
+    const out = new Set();
+    try {
+      let defs = tools.map((t) => ({
+        name: t.name, description: t.description || '', server: serverName || 'mcp',
+        source: 'mcp', snapshot_source: 'mcp_interpose', parameters: J.paramsToList(t.inputSchema),
+      }));
+      if (fingerprint && fingerprint.pinAndEnrich) {
+        defs = fingerprint.pinAndEnrich(defs, pinPath);   // attaches prev_* + updates pin
+        for (const d of defs) {
+          const dh = fingerprint.descriptionHash(d.description);
+          const sh = fingerprint.schemaHash(d.parameters);
+          if ((d.prev_description_hash && d.prev_description_hash !== dh)
+            || (d.prev_schema_hash && d.prev_schema_hash !== sh)) {
+            out.add(d.name);
+          }
+        }
+      }
+    } catch { /* best-effort */ }
+    return out;
+  }
+
+  function toolDefs(tools) {
+    let defs = tools.map((t) => ({
+      name: t.name, description: t.description || '', server: serverName || 'mcp',
+      source: 'mcp', snapshot_source: 'mcp_interpose', parameters: J.paramsToList(t.inputSchema),
+    }));
+    try { if (fingerprint && fingerprint.pinAndEnrich) defs = fingerprint.pinAndEnrich(defs, pinPath); } catch { /* pin best-effort */ }
+    return defs;
+  }
+
+  async function handleToolsList(msg) {
+    const tools = msg.result.tools;
+    const drifted = (enforce && integrity) ? driftedNames(tools) : new Set();
+
+    if (!enforce) {                              // observe-only: fire-and-forget + pin
+      try { guard.evaluate(null, toolDefs(tools)); } catch { /* ignore */ }
+      return sendClient(msg);
+    }
+
+    // Synchronous poisoning verdict on the toolset (connect-time). A deny means
+    // the server is poisoned → refuse to expose ANY of its tools.
+    let res = null;
+    if (integrity) { try { res = await guard.evaluate(null, toolDefs(tools)); } catch { res = null; } }
+    if (integrity && guard.shouldBlock(res)) {
+      log(`tools/list blocked (poisoned server): ${guard.reasonOf(res)}`);
+      return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+    }
+
+    if (drifted.size) {                          // rug-pull: strip changed tools
+      const safe = tools.filter((t) => !drifted.has(t.name));
+      log(`tools/list rug-pull: stripped ${[...drifted].join(', ')}`);
+      msg.result.tools = safe;
+    }
+    return sendClient(msg);
+  }
+
+  // ── #6: output redaction / block (leaf-level, structure-preserving) ──────────
+  async function handleResult(msg, method, toolName) {
+    const name = toolName || method;
+    if (!sync) {                                 // observe-only: fire-and-forget
+      try { guard.evaluate({ role: J.ROLES.output, name, content: J.resultText(msg.result) }); } catch { /* ignore */ }
+      return sendClient(msg);
+    }
+
+    // Scan each redactable string leaf; fall back to a flat message for shapes
+    // with no text leaves (e.g. image-only) so a deny is still enforced.
+    const leaves = J.collectOutputLeaves(method, msg.result);
+    const messages = leaves.length
+      ? leaves.map((l) => ({ role: J.ROLES.output, name, content: l.text }))
+      : { role: J.ROLES.output, name, content: J.resultText(msg.result) };
+    const res = await guard.evaluate(messages);
+
+    if (enforce && guard.shouldBlock(res)) {
+      log(`${method} result blocked: ${guard.reasonOf(res)}`);
+      return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+    }
+    if (redact && res && res.redacted && leaves.length) {
+      const corr = guard.corrections(res);
+      const applied = leaves.map((l, i) => ({ path: l.path, text: corr[i] != null ? corr[i] : l.text }));
+      J.applyLeaves(msg.result, applied);        // write back in place; structure preserved
+      log(`${method} result sanitized (redaction)`);
+    }
+    return sendClient(msg);
+  }
+
+  // Input scan messages: one per redactable argument leaf (for redaction
+  // write-back) PLUS a trailing identity envelope (tool/prompt name) so
+  // tool-name threat detection and fail-closed still fire when arguments are
+  // empty. Corrections map 1:1 to `leaves` by index; the envelope is last and
+  // ignored for redaction.
+  function _inputScan(method, params) {
+    const toolName = (params && params.name) || '';
+    const scanName = serverName ? serverName + '/' + toolName : toolName;
+    const leaves = J.collectInputLeaves(method, params);
+    const messages = leaves.map((l) => ({ role: J.ROLES.input, name: scanName, content: l.text }));
+    if (method === 'tools/call' && toolName) {
+      messages.push({ role: J.ROLES.input, name: scanName, content: toolName });
+    } else if (method === 'prompts/get') {
+      const pn = serverName ? serverName + '/prompts/get' : 'prompts/get';
+      messages.push({ role: J.ROLES.input, name: pn, content: toolName || 'prompts/get' });
+    }
+    return { leaves, messages };
+  }
+
+  // ── host → server ──────────────────────────────────────────────────────────
+  async function onClient(msg) {
+    if (J.isRequest(msg) && INPUT_REQUESTS.has(msg.method)) {
+      const toolName = (msg.params && msg.params.name) || '';
+      pending.set(msg.id, { method: msg.method, toolName });
+      if (sync) {
+        const { leaves, messages } = _inputScan(msg.method, msg.params);
+        if (messages.length) {
+          const res = await guard.evaluate(messages);
+          if (enforce && guard.shouldBlock(res)) {
+            pending.delete(msg.id);
+            log(`${msg.method} blocked (input): ${guard.reasonOf(res)}`);
+            return sendClient(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+          }
+          if (redact && res && res.redacted && leaves.length) {
+            const corr = guard.corrections(res);
+            const applied = leaves.map((l, i) => ({ path: l.path, text: corr[i] != null ? corr[i] : l.text }));
+            J.applyLeaves(msg.params, applied);    // anonymize args in place before forwarding
+            log(`${msg.method} input anonymized (redaction)`);
+          }
+        }
+      } else {
+        const message = _inputMessage(serverName, msg.method, msg.params);
+        if (message) { try { guard.evaluate(message); } catch { /* observe-only */ } }
+      }
+      return sendServer(msg);
+    }
+    if (J.isRequest(msg)) pending.set(msg.id, { method: msg.method });
+    return sendServer(msg);
+  }
+
+  // ── server → host ────────────────────────────────────────────────────────────
+  async function onServer(msg) {
+    // server-initiated request (sampling/createMessage): scan what the server is
+    // feeding into the host LLM; a deny is returned to the SERVER (it asked).
+    if (J.isRequest(msg) && SERVER_INPUT_REQUESTS.has(msg.method)) {
+      const content = J.samplingText(msg.params);
+      const message = { role: J.ROLES.input, name: (serverName ? serverName + '/' : '') + msg.method, content };
+      if (enforce) {
+        const res = await guard.evaluate(message);
+        if (guard.shouldBlock(res)) {
+          log(`${msg.method} blocked (server sampling): ${guard.reasonOf(res)}`);
+          return sendServer(J.rpcError(msg.id, `[guardion] blocked — ${guard.reasonOf(res)}`));
+        }
+      } else {
+        try { guard.evaluate(message); } catch { /* observe-only */ }
+      }
+      return sendClient(msg);
+    }
+
+    const info = J.isResponse(msg) ? pending.get(msg.id) : null;
+    if (info) pending.delete(msg.id);
+
+    if (info && info.method === 'tools/list' && msg.result && Array.isArray(msg.result.tools)) {
+      return handleToolsList(msg);
+    }
+    if (info && OUTPUT_METHODS.has(info.method) && msg.result) {
+      return handleResult(msg, info.method, info.toolName);
+    }
+    return sendClient(msg);
+  }
+
+  return { onClient, onServer };
+}
+
+module.exports = { createInterceptor, INPUT_REQUESTS, SERVER_INPUT_REQUESTS, OUTPUT_METHODS };

package/dist/core/mcp/jsonrpc.cjs

@@ -0,0 +1,194 @@
+'use strict';
+/**
+ * JSON-RPC / MCP framing + helpers shared by every transport.
+ *
+ * Zero-dep (node builtins only) so the interposer runs when launched by arbitrary
+ * hosts without node_modules. Pure functions — unit-testable standalone.
+ */
+
+// Canonical Guard message roles for the two MCP scan directions. These MUST match
+// Guard's MessagesRole enum (guard/guard/core/schemas.py) — `tool_response`, NOT
+// `tool_output` (which is a Target name, not a role). A mismatch makes /v1/guard
+// 422 and silently fail-open, so both directions are pinned here once.
+const ROLES = { input: 'tool_input', output: 'tool_response' };
+
+// Keys that hold base64 binary — never sent for detection, never rewritten.
+const BINARY_KEYS = new Set(['data', 'blob']);
+// MCP structural / metadata keys carried alongside text in result shapes. Skipped
+// when walking result content so we only redact human-readable text leaves.
+const META_KEYS = new Set(['type', 'mimeType', 'annotations', '_meta', 'role', 'isError', 'size']);
+
+/** Incremental newline-delimited JSON-RPC framer (stdio / SSE data lines). */
+class LineFramer {
+  constructor() { this.buf = ''; }
+  /** Feed a chunk; returns the complete lines it produced (trailing partial kept). */
+  push(chunk) {
+    this.buf += chunk;
+    const out = [];
+    let nl;
+    while ((nl = this.buf.indexOf('\n')) >= 0) {
+      const line = this.buf.slice(0, nl);
+      this.buf = this.buf.slice(nl + 1);
+      if (line.trim()) out.push(line);
+    }
+    return out;
+  }
+}
+
+function parse(line) {
+  try { return JSON.parse(line); } catch { return null; }
+}
+
+function serialize(obj) {
+  return JSON.stringify(obj);
+}
+
+function isRequest(msg) {
+  return !!(msg && typeof msg === 'object' && msg.method && msg.id != null);
+}
+function isNotification(msg) {
+  return !!(msg && typeof msg === 'object' && msg.method && msg.id == null);
+}
+function isResponse(msg) {
+  return !!(msg && typeof msg === 'object' && msg.id != null && !msg.method
+    && (Object.prototype.hasOwnProperty.call(msg, 'result')
+      || Object.prototype.hasOwnProperty.call(msg, 'error')));
+}
+
+function rpcError(id, message, code) {
+  return { jsonrpc: '2.0', id: id == null ? null : id, error: { code: code || -32000, message } };
+}
+
+/** Flatten an MCP tool/resource/prompt result into scannable text. */
+function resultText(result) {
+  try {
+    if (result && Array.isArray(result.content)) {                 // tools/call
+      return result.content.map((c) => (c && typeof c.text === 'string' ? c.text : '')).join('\n');
+    }
+    if (result && Array.isArray(result.contents)) {                // resources/read
+      return result.contents.map((c) => (c && typeof c.text === 'string' ? c.text : '')).join('\n');
+    }
+    if (result && Array.isArray(result.messages)) {                // prompts/get
+      return result.messages.map((m) => {
+        const c = m && m.content;
+        if (c && typeof c.text === 'string') return c.text;
+        return typeof c === 'string' ? c : '';
+      }).join('\n');
+    }
+  } catch { /* ignore */ }
+  return typeof result === 'string' ? result : JSON.stringify(result || '');
+}
+
+/** Replace the textual payload of a result in place with `text` (best-effort SANITIZE). */
+function replaceResultText(result, text) {
+  if (!result || typeof result !== 'object') return result;
+  if (Array.isArray(result.content)) { result.content = [{ type: 'text', text }]; return result; }
+  if (Array.isArray(result.contents)) {
+    const uri = (result.contents[0] && result.contents[0].uri) || '';
+    result.contents = [{ uri, mimeType: 'text/plain', text }];
+    return result;
+  }
+  if (Array.isArray(result.messages)) {
+    result.messages = [{ role: 'user', content: { type: 'text', text } }];
+    return result;
+  }
+  return result;
+}
+
+/** Extract the text a server-initiated sampling/createMessage wants the host LLM to run. */
+function samplingText(params) {
+  if (!params || typeof params !== 'object') return '';
+  const parts = [];
+  if (typeof params.systemPrompt === 'string') parts.push(params.systemPrompt);
+  for (const m of (Array.isArray(params.messages) ? params.messages : [])) {
+    const c = m && m.content;
+    if (c && typeof c.text === 'string') parts.push(c.text);
+    else if (typeof c === 'string') parts.push(c);
+  }
+  return parts.join('\n');
+}
+
+// ── leaf-level, structure-preserving redaction ───────────────────────────────
+// Detection/redaction is a string transform: we extract every human-readable
+// string leaf (with its JSON path), let Guard redact each, then write the result
+// back IN PLACE — so multiple content blocks, structuredContent, images/audio,
+// blobs, isError, _meta and mimeType all survive untouched. Guard never has to
+// reserialize an MCP payload.
+
+/** Recursively collect string leaves of `node` as { path, text }. Skips base64
+ *  binary keys always; skips MCP metadata keys when `skipMeta` (result shapes). */
+function collectStringLeaves(node, basePath, out, skipMeta) {
+  if (node == null) return out;
+  if (typeof node === 'string') { out.push({ path: basePath.slice(), text: node }); return out; }
+  if (Array.isArray(node)) {
+    for (let i = 0; i < node.length; i++) collectStringLeaves(node[i], basePath.concat(i), out, skipMeta);
+    return out;
+  }
+  if (typeof node === 'object') {
+    for (const k of Object.keys(node)) {
+      // Skip MCP binary (base64) + structural/metadata keys ONLY in result shapes
+      // (skipMeta). Tool-input arguments are arbitrary tool-defined keys — a field
+      // named `data`/`blob`/`type` there can be redactable text, so scan it.
+      if (skipMeta && (BINARY_KEYS.has(k) || META_KEYS.has(k))) continue;
+      collectStringLeaves(node[k], basePath.concat(k), out, skipMeta);
+    }
+  }
+  return out; // numbers / booleans are not redactable text
+}
+
+/** Redactable string leaves of a tool-call INPUT (relative to `params`). */
+function collectInputLeaves(method, params) {
+  const out = [];
+  if (!params || typeof params !== 'object') return out;
+  if (method === 'tools/call' || method === 'prompts/get') {
+    collectStringLeaves(params.arguments, ['arguments'], out, false); // arbitrary tool keys
+  } else if (method === 'resources/read') {
+    if (typeof params.uri === 'string') out.push({ path: ['uri'], text: params.uri });
+  }
+  return out;
+}
+
+/** Redactable string leaves of a tool/resource/prompt OUTPUT (relative to `result`). */
+function collectOutputLeaves(method, result) {
+  const out = [];
+  if (!result || typeof result !== 'object') return out;
+  if (method === 'tools/call') {
+    collectStringLeaves(result.content, ['content'], out, true);                 // text / resource_link / embedded resource text
+    if (result.structuredContent != null) collectStringLeaves(result.structuredContent, ['structuredContent'], out, false);
+  } else if (method === 'resources/read') {
+    collectStringLeaves(result.contents, ['contents'], out, true);               // TextResourceContents.text / .uri (blob skipped)
+  } else if (method === 'prompts/get') {
+    collectStringLeaves(result.messages, ['messages'], out, true);
+  }
+  return out;
+}
+
+function setByPath(root, p, value) {
+  let n = root;
+  for (let i = 0; i < p.length - 1; i++) { if (n == null) return; n = n[p[i]]; }
+  if (n != null && p.length) n[p[p.length - 1]] = value;
+}
+
+/** Write redacted strings back into `root` by path, preserving everything else. */
+function applyLeaves(root, leaves) {
+  for (const l of (leaves || [])) {
+    if (l && Array.isArray(l.path) && typeof l.text === 'string') setByPath(root, l.path, l.text);
+  }
+  return root;
+}
+
+function paramsToList(inputSchema) {
+  const props = inputSchema && inputSchema.properties ? inputSchema.properties : {};
+  return Object.keys(props).map((k) => ({
+    name: k,
+    type: (props[k] && props[k].type) || '',
+    description: (props[k] && props[k].description) || '',
+  }));
+}
+
+module.exports = {
+  ROLES,
+  LineFramer, parse, serialize, isRequest, isNotification, isResponse,
+  rpcError, resultText, replaceResultText, samplingText, paramsToList,
+  collectStringLeaves, collectInputLeaves, collectOutputLeaves, applyLeaves, setByPath,
+};