@guardion/guardion 0.3.0 → 0.4.0

package/dist/core/mcp/transport/http-server-side.cjs

@@ -0,0 +1,89 @@
+'use strict';
+/**
+ * Streamable-HTTP MCP server endpoint (the side a host connects TO). Reused by
+ * http_input (stdio upstream) and http_reverse (HTTP upstream).
+ *
+ *   • POST <path>  a JSON-RPC message → routed to onInbound; the matching
+ *     response (correlated by id) is written back on that same connection as
+ *     application/json. Notification-only POSTs get 202 Accepted.
+ *   • GET  <path>  (Accept: text/event-stream) → a server→client SSE stream that
+ *     carries server-initiated messages (e.g. sampling/createMessage) and any
+ *     emit() not tied to a pending POST.
+ *
+ * Zero-dep. emit(obj) routes a message to the right place (pending POST or SSE).
+ */
+const http = require('http');
+const J = require('../jsonrpc.cjs');
+
+function createHttpServerSide(opts) {
+  const { port = 0, host = '127.0.0.1', mcpPath = '/', log = () => {} } = opts;
+  let _onInbound = () => {};
+  const pendingPost = new Map();   // request id → http.ServerResponse
+  const sseClients = new Set();    // open GET streams (http.ServerResponse)
+
+  function writeJson(res, obj, code) {
+    const body = J.serialize(obj);
+    res.writeHead(code || 200, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) });
+    res.end(body);
+  }
+
+  const server = http.createServer((req, res) => {
+    const url = req.url || '/';
+    if (req.method === 'GET' && url.startsWith(mcpPath)) {
+      if (!String(req.headers.accept || '').includes('text/event-stream')) { res.writeHead(405).end(); return; }
+      res.writeHead(200, { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache', Connection: 'keep-alive' });
+      sseClients.add(res);
+      req.on('close', () => sseClients.delete(res));
+      return;
+    }
+    if (req.method === 'POST' && url.startsWith(mcpPath)) {
+      let b = ''; req.setEncoding('utf8');
+      req.on('data', (c) => { b += c; });
+      req.on('end', () => {
+        let parsed = J.parse(b);
+        if (parsed == null) { res.writeHead(400).end(); return; }
+        const batch = Array.isArray(parsed) ? parsed : [parsed];
+        const reqIds = batch.filter((m) => J.isRequest(m)).map((m) => m.id);
+        if (reqIds.length === 0) {                 // notifications/responses only
+          res.writeHead(202).end();
+          for (const m of batch) Promise.resolve(_onInbound(m)).catch(() => {});
+          return;
+        }
+        // hold the connection until the (first) request's response is emitted
+        pendingPost.set(reqIds[0], res);
+        req.on('close', () => { if (pendingPost.get(reqIds[0]) === res) pendingPost.delete(reqIds[0]); });
+        for (const m of batch) Promise.resolve(_onInbound(m)).catch(() => {});
+        return;
+      });
+      return;
+    }
+    res.writeHead(404).end();
+  });
+
+  function emit(obj) {
+    if (J.isResponse(obj) && pendingPost.has(obj.id)) {
+      const res = pendingPost.get(obj.id); pendingPost.delete(obj.id);
+      try { writeJson(res, obj); } catch { /* client gone */ }
+      return;
+    }
+    // server-initiated request/notification → broadcast on the SSE stream(s)
+    const frame = `data: ${J.serialize(obj)}\n\n`;
+    for (const c of sseClients) { try { c.write(frame); } catch { sseClients.delete(c); } }
+  }
+
+  function listen() {
+    return new Promise((resolve) => {
+      server.listen(port, host, () => {
+        const addr = server.address();
+        log(`http endpoint listening on http://${host}:${addr.port}${mcpPath}`);
+        resolve(addr.port);
+      });
+    });
+  }
+
+  function close() { try { server.close(); } catch { /* ignore */ } for (const c of sseClients) { try { c.end(); } catch { /* ignore */ } } }
+
+  return { emit, listen, close, onInbound(cb) { _onInbound = cb || (() => {}); }, get port() { const a = server.address(); return a && a.port; } };
+}
+
+module.exports = { createHttpServerSide };

package/dist/core/mcp/transport/http-upstream.cjs

@@ -0,0 +1,111 @@
+'use strict';
+/**
+ * Streamable-HTTP MCP upstream client (spec 2025-03-26). Talks to a remote MCP
+ * server over HTTP so the interposer can govern URL servers — not just stdio.
+ *
+ *   • POST <url>  with a JSON-RPC message; the response is either
+ *       application/json      → a single JSON-RPC message, or
+ *       text/event-stream     → SSE frames, each `data:` a JSON-RPC message
+ *       (the server may interleave its own requests, e.g. sampling/createMessage)
+ *   • GET  <url>  (Accept: text/event-stream) → a standalone server→client stream
+ *   • the server may issue an `Mcp-Session-Id` header on initialize; we echo it
+ *
+ * Zero-dep. Routes every inbound JSON-RPC message to the registered onMessage.
+ */
+const http = require('http');
+const https = require('https');
+const J = require('../jsonrpc.cjs');
+
+function createHttpUpstream(opts) {
+  const { url, headers = {}, timeout = 30000, log = () => {} } = opts;
+  let u; try { u = new URL(url); } catch { throw new Error(`bad upstream url: ${url}`); }
+  const tr = u.protocol === 'https:' ? https : http;
+  let sessionId = '';
+  let _onMessage = () => {};
+
+  function baseHeaders(extra) {
+    const h = {
+      'Content-Type': 'application/json',
+      'Accept': 'application/json, text/event-stream',
+      ...headers,
+    };
+    if (sessionId) h['Mcp-Session-Id'] = sessionId;
+    return Object.assign(h, extra || {});
+  }
+
+  // Parse an SSE body incrementally and emit each data payload as a message.
+  function makeSseConsumer() {
+    let buf = '';
+    return (chunk) => {
+      buf += chunk;
+      let idx;
+      while ((idx = buf.indexOf('\n\n')) >= 0) {
+        const frame = buf.slice(0, idx); buf = buf.slice(idx + 2);
+        const data = frame.split('\n')
+          .filter((l) => l.startsWith('data:'))
+          .map((l) => l.slice(5).trim()).join('\n');
+        if (!data) continue;
+        const msg = J.parse(data);
+        if (msg) Promise.resolve(_onMessage(msg)).catch(() => {});
+      }
+    };
+  }
+
+  function send(obj) {
+    return new Promise((resolve) => {
+      const body = J.serialize(obj);
+      const req = tr.request({
+        hostname: u.hostname, port: u.port || (u.protocol === 'https:' ? 443 : 80),
+        path: u.pathname + u.search, method: 'POST', timeout,
+        headers: baseHeaders({ 'Content-Length': Buffer.byteLength(body) }),
+      }, (r) => {
+        const sid = r.headers['mcp-session-id'];
+        if (sid) sessionId = Array.isArray(sid) ? sid[0] : sid;
+        const ctype = String(r.headers['content-type'] || '');
+        r.setEncoding('utf8');
+        if (ctype.includes('text/event-stream')) {
+          const consume = makeSseConsumer();
+          r.on('data', consume);
+          r.on('end', () => resolve());
+        } else {
+          let d = '';
+          r.on('data', (c) => { d += c; });
+          r.on('end', () => { const m = J.parse(d); if (m) Promise.resolve(_onMessage(m)).catch(() => {}); resolve(); });
+        }
+      });
+      req.on('error', (e) => { log(`upstream POST error: ${e.message}`); resolve(); });
+      req.on('timeout', () => { req.destroy(); resolve(); });
+      req.write(body); req.end();
+    });
+  }
+
+  // Open the optional standalone server→client SSE stream (best-effort).
+  function startStream() {
+    let req;
+    try {
+      req = tr.request({
+        hostname: u.hostname, port: u.port || (u.protocol === 'https:' ? 443 : 80),
+        path: u.pathname + u.search, method: 'GET',
+        headers: baseHeaders({ 'Accept': 'text/event-stream' }),
+      }, (r) => {
+        if (String(r.headers['content-type'] || '').includes('text/event-stream')) {
+          const consume = makeSseConsumer();
+          r.setEncoding('utf8');
+          r.on('data', consume);
+        } else { r.resume(); }       // server doesn't offer a GET stream — fine
+      });
+      req.on('error', () => {});      // optional; ignore
+      req.end();
+    } catch { /* optional */ }
+    return () => { try { req && req.destroy(); } catch { /* ignore */ } };
+  }
+
+  return {
+    send,
+    startStream,
+    onMessage(cb) { _onMessage = cb || (() => {}); },
+    get sessionId() { return sessionId; },
+  };
+}
+
+module.exports = { createHttpUpstream };

package/dist/core/mcp/transport/http_forward.cjs

@@ -0,0 +1,40 @@
+'use strict';
+/**
+ * http_forward transport: the host launches us over stdio, but the REAL MCP
+ * server is remote (HTTP / streamable-HTTP). We bridge stdio ⇄ HTTP so URL
+ * servers get the same governance as local stdio servers — fixing the gap where
+ * mcp-protect could only interpose stdio commands.
+ *
+ *   client (host)  ⇄  process.stdin / process.stdout   (stdio)
+ *   server (real)  ⇄  POST/GET <url>                    (HTTP)
+ */
+const J = require('../jsonrpc.cjs');
+const { createHttpUpstream } = require('./http-upstream.cjs');
+
+function createHttpForwardChannel(opts) {
+  const { url, headers, timeout, log = () => {} } = opts;
+  const upstream = createHttpUpstream({ url, headers, timeout, log });
+
+  function sendClient(obj) { process.stdout.write(J.serialize(obj) + '\n'); }
+  function sendServer(obj) { return upstream.send(obj); }   // POST; responses routed to onServer
+
+  function start(handlers) {
+    upstream.onMessage((m) => handlers.onServer(m));
+    const inF = new J.LineFramer();
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (d) => {
+      for (const line of inF.push(d)) {
+        const msg = J.parse(line);
+        if (msg) Promise.resolve(handlers.onClient(msg)).catch(() => {});
+        // unparseable lines are dropped: HTTP upstream requires JSON-RPC objects
+      }
+    });
+    upstream.startStream();          // optional server→client stream
+  }
+
+  function close() { /* nothing to tear down (no child) */ }
+
+  return { sendClient, sendServer, start, close };
+}
+
+module.exports = { createHttpForwardChannel };

package/dist/core/mcp/transport/http_input.cjs

@@ -0,0 +1,46 @@
+'use strict';
+/**
+ * http_input transport: we LISTEN as a streamable-HTTP MCP server (the host
+ * connects to us over HTTP) and forward to a local stdio MCP server we spawn.
+ * Lets HTTP-speaking hosts get governance in front of a stdio server.
+ *
+ *   client (host)  ⇄  POST/GET <url>   (HTTP, we listen)
+ *   server (real)  ⇄  child.stdin/out  (stdio, we spawn)
+ */
+const { spawn } = require('child_process');
+const J = require('../jsonrpc.cjs');
+const { createHttpServerSide } = require('./http-server-side.cjs');
+
+function createHttpInputChannel(opts) {
+  const { target, env, port, host, mcpPath, onExit, log = () => {} } = opts;
+  if (!Array.isArray(target) || target.length === 0) {
+    throw new Error('http_input transport requires a target command after --');
+  }
+  const child = spawn(target[0], target.slice(1), { stdio: ['pipe', 'pipe', 'inherit'], env: env || process.env });
+  child.on('error', (e) => { log(`spawn error: ${e.message}`); process.exit(1); });
+  child.on('exit', (code) => { if (onExit) onExit(code); });
+
+  const httpSide = createHttpServerSide({ port, host, mcpPath, log });
+
+  function sendClient(obj) { httpSide.emit(obj); }                              // → host (HTTP)
+  function sendServer(obj) { try { child.stdin.write(J.serialize(obj) + '\n'); } catch { /* gone */ } } // → server (stdio)
+
+  function start(handlers) {
+    httpSide.onInbound((m) => handlers.onClient(m));
+    const outF = new J.LineFramer();
+    child.stdout.setEncoding('utf8');
+    child.stdout.on('data', (d) => {
+      for (const line of outF.push(d)) {
+        const msg = J.parse(line);
+        if (msg) Promise.resolve(handlers.onServer(msg)).catch(() => {});
+      }
+    });
+    return httpSide.listen();
+  }
+
+  function close() { try { child.kill(); } catch { /* ignore */ } httpSide.close(); }
+
+  return { sendClient, sendServer, start, close, child, get port() { return httpSide.port; } };
+}
+
+module.exports = { createHttpInputChannel };

package/dist/core/mcp/transport/http_reverse.cjs

@@ -0,0 +1,33 @@
+'use strict';
+/**
+ * http_reverse transport: a full HTTP↔HTTP reverse proxy. We LISTEN as a
+ * streamable-HTTP MCP server for the host AND forward to a remote HTTP MCP
+ * server — governing remote servers for HTTP-speaking hosts with no stdio at all.
+ *
+ *   client (host)  ⇄  POST/GET <listen>   (HTTP, we listen)
+ *   server (real)  ⇄  POST/GET <url>       (HTTP, we forward)
+ */
+const { createHttpServerSide } = require('./http-server-side.cjs');
+const { createHttpUpstream } = require('./http-upstream.cjs');
+
+function createHttpReverseChannel(opts) {
+  const { url, headers, timeout, port, host, mcpPath, log = () => {} } = opts;
+  const httpSide = createHttpServerSide({ port, host, mcpPath, log });
+  const upstream = createHttpUpstream({ url, headers, timeout, log });
+
+  function sendClient(obj) { httpSide.emit(obj); }     // → host (HTTP)
+  function sendServer(obj) { return upstream.send(obj); } // → server (HTTP)
+
+  function start(handlers) {
+    httpSide.onInbound((m) => handlers.onClient(m));
+    upstream.onMessage((m) => handlers.onServer(m));
+    upstream.startStream();
+    return httpSide.listen();
+  }
+
+  function close() { httpSide.close(); }
+
+  return { sendClient, sendServer, start, close, get port() { return httpSide.port; } };
+}
+
+module.exports = { createHttpReverseChannel };

package/dist/core/mcp/transport/index.cjs

@@ -0,0 +1,32 @@
+'use strict';
+/**
+ * Transport factory. Picks the channel implementation from the parsed flags.
+ *
+ *   stdio        spawn a local server, relay over its stdin/stdout (default)
+ *   http_forward stdio host ⇄ remote HTTP server   (--url)
+ *   http_input   HTTP host  ⇄ local stdio server   (--listen, -- cmd)
+ *   http_reverse HTTP host  ⇄ remote HTTP server    (--listen, --url)
+ *   sse_bridge   stdio host ⇄ remote legacy SSE server (--url)
+ *
+ * Every channel exposes the same contract: sendClient / sendServer / start / close.
+ */
+const { createStdioChannel } = require('./stdio.cjs');
+const { createHttpForwardChannel } = require('./http_forward.cjs');
+const { createHttpInputChannel } = require('./http_input.cjs');
+const { createHttpReverseChannel } = require('./http_reverse.cjs');
+const { createSseBridgeChannel } = require('./sse_bridge.cjs');
+
+const TRANSPORTS = new Set(['stdio', 'http_forward', 'http_input', 'http_reverse', 'sse_bridge']);
+
+function selectTransport(kind, opts) {
+  switch (kind) {
+    case 'stdio': return createStdioChannel(opts);
+    case 'http_forward': return createHttpForwardChannel(opts);
+    case 'http_input': return createHttpInputChannel(opts);
+    case 'http_reverse': return createHttpReverseChannel(opts);
+    case 'sse_bridge': return createSseBridgeChannel(opts);
+    default: throw new Error(`unknown transport: ${kind}`);
+  }
+}
+
+module.exports = { selectTransport, TRANSPORTS };

package/dist/core/mcp/transport/sse_bridge.cjs

@@ -0,0 +1,101 @@
+'use strict';
+/**
+ * sse_bridge transport: bridge a legacy SSE MCP server (the pre-2025-03-26 HTTP+SSE
+ * transport) to a stdio-speaking host. The host launches us over stdio; we connect
+ * to the remote server's SSE endpoint.
+ *
+ *   client (host)  ⇄  process.stdin / process.stdout         (stdio)
+ *   server (real)  ⇄  GET <url> (SSE: endpoint + messages)   +  POST <endpoint>
+ *
+ * Legacy SSE handshake: open GET <url>; the server emits an `endpoint` event whose
+ * data is the URL to POST client→server messages to; subsequent `message` events
+ * carry server→client JSON-RPC. We queue outbound sends until the endpoint arrives.
+ */
+const http = require('http');
+const https = require('https');
+const J = require('../jsonrpc.cjs');
+
+function createSseBridgeChannel(opts) {
+  const { url, headers = {}, log = () => {} } = opts;
+  let u; try { u = new URL(url); } catch { throw new Error(`bad sse url: ${url}`); }
+  const tr = u.protocol === 'https:' ? https : http;
+  let messageUrl = null;        // resolved POST endpoint (from the `endpoint` event)
+  const outbox = [];            // sends queued before endpoint is known
+  let _onServer = () => {};
+
+  function sendClient(obj) { process.stdout.write(J.serialize(obj) + '\n'); }
+
+  function postMessage(obj) {
+    if (!messageUrl) { outbox.push(obj); return Promise.resolve(); }
+    return new Promise((resolve) => {
+      const m = new URL(messageUrl);
+      const t = m.protocol === 'https:' ? https : http;
+      const body = J.serialize(obj);
+      const req = t.request({
+        hostname: m.hostname, port: m.port || (m.protocol === 'https:' ? 443 : 80),
+        path: m.pathname + m.search, method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...headers, 'Content-Length': Buffer.byteLength(body) },
+      }, (r) => { r.resume(); r.on('end', resolve); });
+      req.on('error', (e) => { log(`sse POST error: ${e.message}`); resolve(); });
+      req.write(body); req.end();
+    });
+  }
+  function sendServer(obj) { return postMessage(obj); }
+
+  function flushOutbox() { const q = outbox.splice(0); for (const o of q) postMessage(o); }
+
+  function openSse() {
+    const req = tr.request({
+      hostname: u.hostname, port: u.port || (u.protocol === 'https:' ? 443 : 80),
+      path: u.pathname + u.search, method: 'GET',
+      headers: { Accept: 'text/event-stream', ...headers },
+    }, (r) => {
+      r.setEncoding('utf8');
+      let buf = '';
+      r.on('data', (chunk) => {
+        buf += chunk;
+        let idx;
+        while ((idx = buf.indexOf('\n\n')) >= 0) {
+          const frame = buf.slice(0, idx); buf = buf.slice(idx + 2);
+          let event = 'message';
+          const dataLines = [];
+          for (const line of frame.split('\n')) {
+            if (line.startsWith('event:')) event = line.slice(6).trim();
+            else if (line.startsWith('data:')) dataLines.push(line.slice(5).trim());
+          }
+          const data = dataLines.join('\n');
+          if (!data) continue;
+          if (event === 'endpoint') {
+            try { messageUrl = new URL(data, u).toString(); flushOutbox(); }
+            catch { log(`bad endpoint event: ${data}`); }
+            continue;
+          }
+          const msg = J.parse(data);
+          if (msg) Promise.resolve(_onServer(msg)).catch(() => {});
+        }
+      });
+    });
+    req.on('error', (e) => { log(`sse GET error: ${e.message}`); });
+    req.end();
+    return req;
+  }
+
+  function start(handlers) {
+    _onServer = handlers.onServer;
+    const inF = new J.LineFramer();
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (d) => {
+      for (const line of inF.push(d)) {
+        const msg = J.parse(line);
+        if (msg) Promise.resolve(handlers.onClient(msg)).catch(() => {});
+      }
+    });
+    openSse();
+  }
+
+  function close() { /* sockets close with the process */ }
+
+  return { sendClient, sendServer, start, close };
+}
+
+module.exports = { createSseBridgeChannel };

package/dist/core/mcp/transport/stdio.cjs

@@ -0,0 +1,60 @@
+'use strict';
+/**
+ * stdio transport: the host launches us in place of the real server and speaks
+ * newline-delimited JSON-RPC over our stdin/stdout; we spawn the real server and
+ * relay over its stdin/stdout. This is the default, universal interposer mode.
+ *
+ *   client (host)  ⇄  process.stdin / process.stdout
+ *   server (real)  ⇄  child.stdin   / child.stdout
+ *
+ * Channel contract (shared by every transport):
+ *   sendClient(obj) — emit toward the host
+ *   sendServer(obj) — emit toward the real server
+ *   start({ onClient, onServer }) — begin relaying parsed messages; unparseable
+ *      lines are forwarded verbatim (opaque) so we never corrupt the stream
+ *   close()
+ */
+const { spawn } = require('child_process');
+const J = require('../jsonrpc.cjs');
+
+function createStdioChannel(opts) {
+  const { target, env, onExit, log = () => {} } = opts;
+  if (!Array.isArray(target) || target.length === 0) {
+    throw new Error('stdio transport requires a target command after --');
+  }
+  const child = spawn(target[0], target.slice(1), { stdio: ['pipe', 'pipe', 'inherit'], env: env || process.env });
+  child.on('error', (e) => { log(`spawn error: ${e.message}`); process.exit(1); });
+  child.on('exit', (code) => { if (onExit) onExit(code); });
+
+  function sendClient(obj) { process.stdout.write(J.serialize(obj) + '\n'); }
+  function sendServer(obj) { try { child.stdin.write(J.serialize(obj) + '\n'); } catch { /* server gone */ } }
+  function sendServerRaw(line) { try { child.stdin.write(line + '\n'); } catch { /* server gone */ } }
+  function sendClientRaw(line) { process.stdout.write(line + '\n'); }
+
+  function start(handlers) {
+    const inF = new J.LineFramer();
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (d) => {
+      for (const line of inF.push(d)) {
+        const msg = J.parse(line);
+        if (msg) Promise.resolve(handlers.onClient(msg)).catch(() => {});
+        else sendServerRaw(line);                // opaque → pass through
+      }
+    });
+    const outF = new J.LineFramer();
+    child.stdout.setEncoding('utf8');
+    child.stdout.on('data', (d) => {
+      for (const line of outF.push(d)) {
+        const msg = J.parse(line);
+        if (msg) Promise.resolve(handlers.onServer(msg)).catch(() => {});
+        else sendClientRaw(line);                // opaque → pass through
+      }
+    });
+  }
+
+  function close() { try { child.kill(); } catch { /* ignore */ } }
+
+  return { sendClient, sendServer, start, close, child };
+}
+
+module.exports = { createStdioChannel };

package/dist/core/mcp-interpose.cjs

@@ -0,0 +1,141 @@
+#!/usr/bin/env node
+'use strict';
+/**
+ * Guardion MCP interposer (Layer 2, AGT MCP-Security-Gateway-1.0 contract).
+ *
+ * A UNIVERSAL, host-agnostic way to scan every MCP message for ANY agent app that
+ * uses MCP servers (Claude Desktop, ChatGPT Desktop, Cursor, Cline, Windsurf, …).
+ * It relays JSON-RPC both ways and delegates ALL detection to Guard (POST /v1/guard)
+ * — we never re-implement detection here.
+ *
+ *   stdio (default):   node mcp-interpose.cjs --server <name> -- <cmd> <args...>
+ *   http_forward:      node mcp-interpose.cjs --server <name> --url https://host/mcp
+ *   http_input:        node mcp-interpose.cjs --server <name> --listen 8900 -- <cmd>
+ *   http_reverse:      node mcp-interpose.cjs --server <name> --listen 8900 --url https://host/mcp
+ *   sse_bridge:        node mcp-interpose.cjs --server <name> --transport sse_bridge --url https://host/sse
+ *
+ * Scanned (delegated to Guard):
+ *   • tools/call · resources/read · prompts/get  request  → INPUT  (PreTool)
+ *   • their results                               → OUTPUT (PostTool): deny ⇒ error,
+ *                                                    correction ⇒ in-proxy redaction
+ *   • sampling/createMessage (server-initiated)   → INPUT  (host LLM feed)
+ *   • tools/list result → integrity AT CONNECT: rug-pull (local fingerprint drift)
+ *     strips changed tools; a Guard deny refuses the poisoned server
+ *
+ * Zero external deps (node builtins only). Fail-OPEN by default; never blocks the
+ * transport on its own errors. Enforcement gated by config.enforce (default off).
+ */
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const { createGuardClient } = require('./mcp/guard-client.cjs');
+const { createInterceptor } = require('./mcp/interceptor.cjs');
+const { selectTransport, TRANSPORTS } = require('./mcp/transport/index.cjs');
+let fingerprint = null;
+try { fingerprint = require('./fingerprint.cjs'); } catch { /* pin optional */ }
+
+function log(msg) { process.stderr.write(`[guardion] mcp-interpose: ${msg}\n`); }
+
+// ── argv parsing: flags before `--`, target command after ────────────────────
+const argv = process.argv.slice(2);
+const dd = argv.indexOf('--');
+const flags = argv.slice(0, dd === -1 ? argv.length : dd);
+const target = dd === -1 ? [] : argv.slice(dd + 1);
+
+function flagVal(name) { const i = flags.indexOf(name); return i >= 0 ? (flags[i + 1] || '') : ''; }
+function flagAll(name) { const out = []; for (let i = 0; i < flags.length; i++) if (flags[i] === name) out.push(flags[i + 1] || ''); return out; }
+
+const serverName = flagVal('--server');
+const upstreamUrl = flagVal('--url');
+const listenSpec = flagVal('--listen');
+const headerArgs = flagAll('--header');   // 'Authorization: Bearer x'
+
+// transport: explicit flag, else inferred from --url / --listen / target.
+function inferTransport() {
+  const explicit = flagVal('--transport');
+  if (explicit) return explicit;
+  if (upstreamUrl && listenSpec) return 'http_reverse';
+  if (upstreamUrl) return 'http_forward';
+  if (listenSpec && target.length) return 'http_input';
+  return 'stdio';
+}
+const transportKind = inferTransport();
+if (!TRANSPORTS.has(transportKind)) { log(`unknown --transport ${transportKind}`); process.exit(1); }
+
+// ── config / token (same resolution as the hook) ─────────────────────────────
+function loadConfig() {
+  try { return JSON.parse(fs.readFileSync(path.join(os.homedir(), '.guardion', 'config.json'), 'utf8')); } catch { return {}; }
+}
+const cfg = loadConfig();
+const API_URL = process.env.GUARDION_API_URL || cfg.api_url || 'https://api.guardion.ai';
+// --policy flag > env > config. Lets `guardion mcp --policy x` target a policy per server.
+const POLICY = flagVal('--policy') || process.env.GUARDION_POLICY || cfg.policy || undefined;
+const APPLICATION = cfg.application || 'mcp-interpose';
+const TIMEOUT = (cfg.hooks && cfg.hooks.timeout_ms) || 3000;
+
+// Mode resolution: an explicit `--mode` (or GUARDION_MODE / cfg.mode) is the single knob
+// the `guardion mcp` command sets; it OVERRIDES the individual env flags.
+//   dlp     → anonymize via corrections, never block      (default)
+//   enforce → block on a deny verdict + anonymize
+//   monitor → observe-only, fire-and-forget (no modification)
+const MODE = (flagVal('--mode') || process.env.GUARDION_MODE || cfg.mode || '').toLowerCase();
+let ENFORCE = cfg.enforce === true || process.env.GUARDION_ENFORCE === 'true';
+let DLP = cfg.dlp === true || process.env.GUARDION_DLP === 'true';
+if (MODE === 'dlp') { DLP = true; ENFORCE = false; }
+else if (MODE === 'enforce') { ENFORCE = true; }
+else if (MODE === 'monitor' || MODE === 'observe') { DLP = false; ENFORCE = false; }
+const FAIL_CLOSED = cfg.fail_closed === true || process.env.GUARDION_FAIL_CLOSED === 'true';
+const INTEGRITY = cfg.integrity !== false;   // default on (tool-list integrity at connect)
+const REDACT = cfg.redact !== false;         // default on (in-proxy redaction)
+
+function resolveToken() {
+  if (process.env.GUARDION_TOKEN) return process.env.GUARDION_TOKEN.trim();
+  for (const p of ['/etc/guardion/token', path.join(os.homedir(), '.guardion', 'token')]) {
+    try { const t = fs.readFileSync(p, 'utf8').trim(); if (t) return t; } catch { /* absent */ }
+  }
+  return '';
+}
+const TOKEN = resolveToken();
+
+function parseHeaders(items) {
+  const h = {};
+  for (const it of items) { const i = it.indexOf(':'); if (i > 0) h[it.slice(0, i).trim()] = it.slice(i + 1).trim(); }
+  return h;
+}
+function parseListen(spec) {
+  if (!spec) return { host: '127.0.0.1', port: 0 };
+  const i = spec.lastIndexOf(':');
+  if (i > 0) return { host: spec.slice(0, i), port: parseInt(spec.slice(i + 1), 10) || 0 };
+  return { host: '127.0.0.1', port: parseInt(spec, 10) || 0 };
+}
+
+// ── wire guard client + interceptor + transport ──────────────────────────────
+const guard = createGuardClient({
+  apiUrl: API_URL, token: TOKEN, policy: POLICY, application: APPLICATION,
+  timeout: TIMEOUT, failClosed: FAIL_CLOSED,
+});
+
+const listen = parseListen(listenSpec);
+let channel;
+try {
+  channel = selectTransport(transportKind, {
+    target, env: process.env, url: upstreamUrl, headers: parseHeaders(headerArgs),
+    timeout: 30000, port: listen.port, host: listen.host, mcpPath: '/',
+    onExit: (code) => process.exit(code == null ? 0 : code), log,
+  });
+} catch (e) { log(e.message); process.exit(1); }
+
+const interceptor = createInterceptor({
+  guard, enforce: ENFORCE, dlp: DLP, integrity: INTEGRITY, redact: REDACT,
+  fingerprint, pinPath: path.join(os.homedir(), '.guardion', 'fingerprints.json'),
+  serverName, log,
+  sendClient: channel.sendClient, sendServer: channel.sendServer,
+});
+
+Promise.resolve(channel.start({ onClient: interceptor.onClient, onServer: interceptor.onServer })).catch((e) => { log(`start error: ${e && e.message}`); });
+
+// stdio-host transports without a child exit when the host closes stdin.
+if (transportKind === 'http_forward' || transportKind === 'sse_bridge') {
+  process.stdin.on('end', () => process.exit(0));
+}