@hasna/mcps 0.0.14 → 0.0.15

package/dist/index.js

@@ -25242,6 +25242,185 @@ class StreamableHTTPClientTransport {
 // src/lib/proxy.ts
 init_config2();
 init_db();
+
+// src/lib/local-command-consent.ts
+class LocalCommandConsentError extends Error {
+  review;
+  constructor(message, review) {
+    super(message);
+    this.name = "LocalCommandConsentError";
+    this.review = review;
+  }
+}
+var SHELL_COMMANDS = new Set(["bash", "sh", "zsh", "fish", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
+var DESTRUCTIVE_COMMANDS = new Set([
+  "rm",
+  "dd",
+  "mkfs",
+  "shutdown",
+  "reboot",
+  "poweroff",
+  "halt",
+  "killall",
+  "pkill"
+]);
+var SHELL_EVAL_FLAGS = new Set(["-c", "/c", "-Command", "-command", "-EncodedCommand", "-encodedcommand"]);
+var SECRET_FLAG_PATTERN = /(?:^|[-_])(api[-_]?key|token|secret|password|passwd|credential|auth|private[-_]?key)(?:$|[-_])/i;
+var SECRET_KEY_PATTERN = /(?:^|[_-])(api[_-]?key|token|secret|password|passwd|credential|auth|private[_-]?key)(?:$|[_-])/i;
+var SECRET_VALUE_PATTERN = /^(sk_(?:live|test)_[A-Za-z0-9_]+|ghp_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+|xox[baprs]-[A-Za-z0-9-]+|AIza[A-Za-z0-9_-]{20,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
+var SHELL_META_PATTERN = /[;&|`<>]|\$\(/;
+function commandBase(command) {
+  return command.trim().split(/[\\/]/).pop()?.toLowerCase() || command.trim().toLowerCase();
+}
+function normalizeArgs(args) {
+  return (args ?? []).map((arg) => String(arg));
+}
+function isSecretKey(key) {
+  return SECRET_KEY_PATTERN.test(key) || SECRET_FLAG_PATTERN.test(key);
+}
+function isSecretValue(value) {
+  return SECRET_VALUE_PATTERN.test(value.trim());
+}
+function isSecretAssignment(arg) {
+  const eqIdx = arg.indexOf("=");
+  if (eqIdx <= 0)
+    return false;
+  const key = arg.slice(0, eqIdx);
+  const value = arg.slice(eqIdx + 1);
+  return isSecretKey(key) || isSecretValue(value);
+}
+function isSecretArg(args, index) {
+  const arg = args[index] ?? "";
+  const previous = args[index - 1] ?? "";
+  return isSecretAssignment(arg) || isSecretValue(arg) || SECRET_FLAG_PATTERN.test(previous);
+}
+function quoteArg(value) {
+  return JSON.stringify(value);
+}
+function displayCommand(command, args) {
+  return [quoteArg(command), ...args.map((arg, index) => quoteArg(isSecretArg(args, index) ? "<redacted>" : arg))].join(" ");
+}
+function pushRisk(risks, risk) {
+  if (risks.some((existing) => existing.code === risk.code && existing.evidence === risk.evidence))
+    return;
+  risks.push(risk);
+}
+function inspectRisks(command, args, env) {
+  const risks = [];
+  const base = commandBase(command);
+  const joined = [command, ...args].join(" ");
+  if (SHELL_COMMANDS.has(base)) {
+    pushRisk(risks, {
+      code: "shell_interpreter",
+      severity: "warning",
+      message: "Command launches a shell interpreter.",
+      evidence: base
+    });
+    if (args.some((arg) => SHELL_EVAL_FLAGS.has(arg))) {
+      pushRisk(risks, {
+        code: "shell_eval",
+        severity: "danger",
+        message: "Shell command evaluates an inline script.",
+        evidence: base
+      });
+    }
+  }
+  if (base === "sudo") {
+    pushRisk(risks, {
+      code: "privilege_escalation",
+      severity: "danger",
+      message: "Command requests elevated privileges.",
+      evidence: base
+    });
+  }
+  if (DESTRUCTIVE_COMMANDS.has(base) || /\brm\s+-[^\s]*[rf][^\s]*\b/.test(joined) || /--no-preserve-root\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "destructive_command",
+      severity: "danger",
+      message: "Command includes a destructive system operation.",
+      evidence: base
+    });
+  }
+  if (/\b(curl|wget)\b[\s\S]*\|[\s\S]*\b(sh|bash|zsh|fish)\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "download_pipe_shell",
+      severity: "danger",
+      message: "Command downloads remote content and pipes it to a shell."
+    });
+  }
+  if ([command, ...args].some((part) => SHELL_META_PATTERN.test(part))) {
+    pushRisk(risks, {
+      code: "shell_metacharacters",
+      severity: "warning",
+      message: "Command or arguments contain shell metacharacters."
+    });
+  }
+  if (args.some((arg, index) => isSecretArg(args, index))) {
+    pushRisk(risks, {
+      code: "inline_secret",
+      severity: "danger",
+      message: "Command arguments appear to contain inline secret material."
+    });
+  }
+  const secretEnvKeys = Object.keys(env).filter(isSecretKey).sort();
+  if (secretEnvKeys.length > 0) {
+    pushRisk(risks, {
+      code: "secret_env",
+      severity: "warning",
+      message: "Environment contains secret-like keys; values are redacted from consent output.",
+      evidence: secretEnvKeys.join(", ")
+    });
+  }
+  return risks;
+}
+function inspectLocalCommand(input) {
+  const args = normalizeArgs(input.args);
+  const env = input.env ?? {};
+  const transport = input.transport ?? "stdio";
+  const risks = inspectRisks(input.command, args, env);
+  return {
+    requiresConsent: transport === "stdio",
+    operation: input.operation ?? "launch",
+    command: input.command,
+    args,
+    displayCommand: displayCommand(input.command, args),
+    envKeys: Object.keys(env).sort(),
+    risks,
+    hasDangerousRisk: risks.some((risk) => risk.severity === "danger")
+  };
+}
+function formatLocalCommandReview(review) {
+  const lines = [
+    `Command: ${review.displayCommand}`,
+    review.envKeys.length > 0 ? `Env keys: ${review.envKeys.join(", ")}` : "Env keys: <none>"
+  ];
+  if (review.risks.length > 0) {
+    lines.push("Risks:");
+    for (const risk of review.risks) {
+      lines.push(`- ${risk.severity}: ${risk.code} - ${risk.message}${risk.evidence ? ` (${risk.evidence})` : ""}`);
+    }
+  } else {
+    lines.push("Risks: none detected");
+  }
+  return lines.join(`
+`);
+}
+function assertLocalCommandConsent(input, consent = {}) {
+  const review = inspectLocalCommand(input);
+  if (!review.requiresConsent)
+    return review;
+  if (consent.approved !== true) {
+    throw new LocalCommandConsentError(`local stdio command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  if (review.hasDangerousRisk && consent.allowRisky !== true) {
+    throw new LocalCommandConsentError(`risky command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  return review;
+}
+
+// src/lib/proxy.ts
 var connections = new Map;
 var inflightConnections = new Map;
 function buildEnv(extra) {
@@ -25267,7 +25446,7 @@ function requireUrl(entry) {
     throw new Error(`Server "${entry.id}" has an invalid URL: ${entry.url}`);
   }
 }
-async function connectToServer(entry) {
+async function connectToServer(entry, options = {}) {
   if (connections.has(entry.id)) {
     return connections.get(entry.id);
   }
@@ -25283,6 +25462,13 @@ async function connectToServer(entry) {
         if (!entry.command?.trim()) {
           throw new Error(`Server "${entry.id}" is missing a command`);
         }
+        assertLocalCommandConsent({
+          command: entry.command,
+          args: entry.args,
+          env: entry.env,
+          transport: entry.transport,
+          operation: "launch"
+        }, options.localCommandConsent);
         transport = new StdioClientTransport({
           command: entry.command,
           args: entry.args,
@@ -25418,13 +25604,28 @@ async function refreshTools(id) {
 }
 
 // src/lib/doctor.ts
-async function diagnoseServer(server) {
+async function diagnoseServer(server, options = {}) {
   const checks3 = [];
+  let hasLocalConsent = true;
   if (server.transport === "stdio") {
+    try {
+      assertLocalCommandConsent({
+        command: server.command,
+        args: server.args,
+        env: server.env,
+        transport: server.transport,
+        operation: "diagnose"
+      }, options.localCommandConsent);
+    } catch (err) {
+      hasLocalConsent = false;
+      checks3.push({ name: "local command consent", pass: false, message: err.message });
+    }
     try {
       const path = execFileSync("which", [server.command], { stdio: "pipe" }).toString().trim();
       let version2 = "";
       try {
+        if (!hasLocalConsent)
+          throw new Error("local stdio command approval is required before version probing");
         version2 = execFileSync(server.command, ["--version"], { stdio: "pipe" }).toString().trim().split(`
 `)[0];
       } catch {}
@@ -25455,10 +25656,10 @@ async function diagnoseServer(server) {
       checks3.push({ name: "URL reachable", pass: false, message: `unreachable: ${err.message}` });
     }
   }
-  if (server.enabled) {
+  if (server.enabled && hasLocalConsent) {
     try {
       await Promise.race([
-        connectToServer(server),
+        connectToServer(server, { localCommandConsent: options.localCommandConsent }),
         new Promise((_, reject) => setTimeout(() => reject(new Error("timeout after 10s")), 1e4))
       ]);
       await disconnectServer(server.id);
@@ -25466,8 +25667,10 @@ async function diagnoseServer(server) {
     } catch (err) {
       checks3.push({ name: "connect & list tools", pass: false, message: err.message });
     }
-  } else {
+  } else if (!server.enabled) {
     checks3.push({ name: "connect & list tools", pass: true, message: "skipped (server disabled)" });
+  } else {
+    checks3.push({ name: "connect & list tools", pass: false, message: "skipped until local stdio command is approved" });
   }
   return {
     server,
@@ -25507,7 +25710,7 @@ async function getRegistryServer(id) {
   const all = entries.map(parseRegistryEntry);
   return all.find((s) => s.id === id) || null;
 }
-async function installFromRegistry(id) {
+async function installFromRegistry(id, options = {}) {
   const server = await getRegistryServer(id);
   if (!server) {
     throw new Error(`Server "${id}" not found in registry`);
@@ -25527,6 +25730,13 @@ async function installFromRegistry(id) {
       transport = pkg.transport.type;
     }
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    transport,
+    env: {},
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: server.name,
     description: server.description,
@@ -25763,11 +25973,19 @@ function installProviderProfile(id, options = {}) {
   if (!command) {
     throw new Error(`Provider profile "${id}" does not define an install fallback command`);
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    env: fallback?.env ?? {},
+    transport: useFallback ? "stdio" : profile.transport,
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: options.name ?? profile.displayName,
     description: profile.description ?? undefined,
     command,
     args,
+    env: fallback?.env,
     transport: useFallback ? "stdio" : profile.transport,
     url: useFallback ? fallback?.url : profile.endpoint ?? undefined,
     source: "provider-profile"
@@ -25856,7 +26074,22 @@ function installToGemini(entry) {
     return { agent: "gemini", success: false, error: err.message };
   }
 }
-function installToAgents(entry, targets = ["claude", "codex", "gemini"]) {
+function installToAgents(entry, targets = ["claude", "codex", "gemini"], options = {}) {
+  try {
+    assertLocalCommandConsent({
+      command: entry.command,
+      args: entry.args,
+      env: entry.env,
+      transport: entry.transport,
+      operation: "install"
+    }, options.localCommandConsent);
+  } catch (err) {
+    return targets.map((target) => ({
+      agent: target,
+      success: false,
+      error: err.message
+    }));
+  }
   return targets.map((target) => {
     if (target === "claude")
       return installToClaude(entry);
@@ -26819,6 +27052,7 @@ export {
   installToAgents,
   installProviderProfile,
   installFromRegistry,
+  inspectLocalCommand,
   getToolCounts,
   getSource,
   getServer,
@@ -26827,6 +27061,7 @@ export {
   getMachine,
   getDb,
   getCachedTools,
+  formatLocalCommandReview,
   findServers,
   enableSource,
   enableServer,
@@ -26841,9 +27076,11 @@ export {
   closeDb,
   cloneServer,
   callTool,
+  assertLocalCommandConsent,
   addSource,
   addServer,
   addMachine,
+  LocalCommandConsentError,
   DEFAULT_PROVIDER_PROFILE_SEEDS,
   DEFAULT_MACHINE_SEEDS
 };

package/dist/lib/doctor.d.ts

@@ -1,4 +1,5 @@
 import type { McpServerEntry } from "../types.js";
+import { type LocalCommandConsent } from "./local-command-consent.js";
 export interface DoctorCheck {
     name: string;
     pass: boolean;
@@ -11,4 +12,6 @@ export interface DoctorReport {
     checks: DoctorCheck[];
     healthy: boolean;
 }
-export declare function diagnoseServer(server: McpServerEntry): Promise<DoctorReport>;
+export declare function diagnoseServer(server: McpServerEntry, options?: {
+    localCommandConsent?: LocalCommandConsent;
+}): Promise<DoctorReport>;

package/dist/lib/install.d.ts

@@ -1,8 +1,12 @@
 import type { McpServerEntry } from "../types.js";
+import { type LocalCommandConsent } from "./local-command-consent.js";
 export type AgentTarget = "claude" | "codex" | "gemini";
 export interface InstallResult {
     agent: AgentTarget;
     success: boolean;
     error?: string;
 }
-export declare function installToAgents(entry: McpServerEntry, targets?: AgentTarget[]): InstallResult[];
+export interface InstallToAgentsOptions {
+    localCommandConsent?: LocalCommandConsent;
+}
+export declare function installToAgents(entry: McpServerEntry, targets?: AgentTarget[], options?: InstallToAgentsOptions): InstallResult[];

package/dist/lib/local-command-consent.d.ts

@@ -0,0 +1,38 @@
+import type { McpServerEntry } from "../types.js";
+export type LocalCommandOperation = "register" | "install" | "launch" | "diagnose";
+export type LocalCommandRiskSeverity = "warning" | "danger";
+export interface LocalCommandInput {
+    command: string;
+    args?: string[];
+    env?: Record<string, string>;
+    transport?: McpServerEntry["transport"];
+    operation?: LocalCommandOperation;
+}
+export interface LocalCommandConsent {
+    approved?: boolean;
+    allowRisky?: boolean;
+    source?: string;
+}
+export interface LocalCommandRisk {
+    code: string;
+    severity: LocalCommandRiskSeverity;
+    message: string;
+    evidence?: string;
+}
+export interface LocalCommandReview {
+    requiresConsent: boolean;
+    operation: LocalCommandOperation;
+    command: string;
+    args: string[];
+    displayCommand: string;
+    envKeys: string[];
+    risks: LocalCommandRisk[];
+    hasDangerousRisk: boolean;
+}
+export declare class LocalCommandConsentError extends Error {
+    readonly review: LocalCommandReview;
+    constructor(message: string, review: LocalCommandReview);
+}
+export declare function inspectLocalCommand(input: LocalCommandInput): LocalCommandReview;
+export declare function formatLocalCommandReview(review: LocalCommandReview): string;
+export declare function assertLocalCommandConsent(input: LocalCommandInput, consent?: LocalCommandConsent): LocalCommandReview;

package/dist/lib/proxy.d.ts

@@ -1,5 +1,9 @@
+import { type LocalCommandConsent } from "./local-command-consent.js";
 import type { McpServerEntry, McpTool, ConnectedServer } from "../types.js";
-export declare function connectToServer(entry: McpServerEntry): Promise<ConnectedServer>;
+export interface ConnectOptions {
+    localCommandConsent?: LocalCommandConsent;
+}
+export declare function connectToServer(entry: McpServerEntry, options?: ConnectOptions): Promise<ConnectedServer>;
 export declare function disconnectServer(id: string): Promise<void>;
 export declare function disconnectAll(): Promise<void>;
 export declare function listAllTools(): McpTool[];
@@ -10,4 +14,4 @@ export declare function callTool(prefixedName: string, args: Record<string, unkn
     }>;
 }>;
 export declare function refreshTools(id: string): Promise<McpTool[]>;
-export declare function connectAllEnabled(): Promise<ConnectedServer[]>;
+export declare function connectAllEnabled(options?: ConnectOptions): Promise<ConnectedServer[]>;

package/dist/lib/remote.d.ts

@@ -1,4 +1,7 @@
+import { type LocalCommandConsent } from "./local-command-consent.js";
 import type { RegistryServer, McpServerEntry } from "../types.js";
 export declare function searchRegistry(query: string): Promise<RegistryServer[]>;
 export declare function getRegistryServer(id: string): Promise<RegistryServer | null>;
-export declare function installFromRegistry(id: string): Promise<McpServerEntry>;
+export declare function installFromRegistry(id: string, options?: {
+    localCommandConsent?: LocalCommandConsent;
+}): Promise<McpServerEntry>;