@icoretech/warden-mcp 0.1.8 → 0.1.10

package/README.md

@@ -367,12 +367,14 @@ Credential resolution:
 Mutation control:
 
 - Set `READONLY=true` to block all write operations (create/edit/delete/move/restore/attachments).
+- Set `NOREVEAL=true` to force all `reveal` parameters to `false` server-side. Clients can still request `reveal: true`, but the server will silently downgrade to redacted output. This prevents prompt injection from tricking an LLM agent into exfiltrating secrets.
 - Session guardrails:
   - `KEYCHAIN_SESSION_MAX_COUNT` (default `32`)
   - `KEYCHAIN_SESSION_TTL_MS` (default `900000`)
   - `KEYCHAIN_SESSION_SWEEP_INTERVAL_MS` (default `60000`)
   - `KEYCHAIN_MAX_HEAP_USED_MB` (default `1536`, set `0` to disable memory fuse)
   - `KEYCHAIN_METRICS_LOG_INTERVAL_MS` (default `0`, disabled)
+  - `NOREVEAL` / `KEYCHAIN_NOREVEAL` (default `false`; force all reveals to false)
   - `KEYCHAIN_ALLOW_ENV_FALLBACK` (default `false`; HTTP env-var credential fallback)
 
 Redaction defaults (item reads):
@@ -390,6 +392,26 @@ Reveal rules:
 - Secret helper tools (`get_password`, `get_totp`, `get_notes`, `generate`, `get_password_history`) return `structuredContent.result = { kind, value, revealed }`.
   - When `reveal` is omitted/false, `value` is `null` (or historic passwords are `null`) and `revealed: false`.
 
+## Production Deployment Checklist
+
+If you run `warden-mcp` beyond local development, review these items:
+
+1. **TLS everywhere.** Always terminate TLS in front of the HTTP endpoint. `X-BW-*` headers carry master passwords in cleartext — without TLS they are visible to anyone on the network.
+
+2. **Network isolation.** Bind the server to `127.0.0.1` or place it behind an authenticated reverse proxy. The service has no built-in authentication; anyone who can reach `/sse` can issue vault operations.
+
+3. **Do not enable `KEYCHAIN_ALLOW_ENV_FALLBACK` on shared networks.** This flag makes the server's own vault credentials available to any HTTP client that omits headers. Only use it in single-tenant setups where the network is fully trusted.
+
+4. **Enable `READONLY=true` when writes are not needed.** This blocks all mutating tools at the MCP layer, limiting blast radius if an agent or client is compromised.
+
+5. **Restrict filesystem access to `/data/bw-profiles`.** The `bw` CLI stores decrypted state under its HOME directory. Ensure the profile directory is not world-readable and is mounted with appropriate permissions (the Docker image runs as non-root by default).
+
+6. **Disable debug logging in production.** `KEYCHAIN_DEBUG_BW` and `KEYCHAIN_DEBUG_HTTP` emit request details and CLI invocations to stdout. Debug logs may include session metadata and request structure. Keep them off unless actively troubleshooting.
+
+7. **Set `NOREVEAL=true` when secrets should never leave the server.** This forces all `reveal` parameters to `false` server-side, regardless of what the client requests. Use this when the MCP host is an LLM agent that could be influenced by prompt injection — it prevents tricked agents from exfiltrating passwords or TOTP codes.
+
+8. **Monitor `/metricsz`.** The endpoint is intentionally unauthenticated (for scraper compatibility) but exposes session counts, heap usage, and rejection counters. If this data is sensitive in your environment, restrict access at the network level.
+
 ## Quick Start
 
 ### Minimal local run

package/dist/bw/bwCli.js

@@ -16,9 +16,10 @@ export async function runBw(args, opts = {}) {
     const bwBin = process.env.BW_BIN ?? 'bw';
     // Ensure the CLI never blocks waiting for a prompt (e.g. master password).
     // This is critical for running as an MCP server / in test automation.
-    const finalArgs = args.includes('--nointeraction')
-        ? args
-        : ['--nointeraction', ...args];
+    const injectNoInteraction = opts.noInteraction ?? true;
+    const finalArgs = injectNoInteraction && !args.includes('--nointeraction')
+        ? ['--nointeraction', ...args]
+        : args;
     const env = { ...process.env, ...(opts.env ?? {}) };
     const debug = (process.env.KEYCHAIN_DEBUG_BW ?? 'false').toLowerCase() === 'true';
     const startedAt = Date.now();

package/dist/bw/bwSession.js

@@ -169,7 +169,7 @@ export class BwSessionManager {
         });
         const tryUnlock = async () => {
             try {
-                const { stdout } = await runBw(['unlock', '--passwordenv', 'BW_PASSWORD', '--raw'], { env: unlockEnv, timeoutMs: 60_000 });
+                const { stdout } = await runBw(['unlock', '--passwordenv', 'BW_PASSWORD', '--raw'], { env: unlockEnv, timeoutMs: 60_000, noInteraction: false });
                 return stdout.trim();
             }
             catch {
@@ -186,6 +186,7 @@ export class BwSessionManager {
                             BW_HOST: this.env.host,
                         }),
                         timeoutMs: 60_000,
+                        noInteraction: false,
                     });
                     return stdout.trim();
                 }
@@ -195,7 +196,7 @@ export class BwSessionManager {
                     '--passwordenv',
                     'BW_PASSWORD',
                     '--raw',
-                ], { env: unlockEnv, timeoutMs: 60_000 });
+                ], { env: unlockEnv, timeoutMs: 60_000, noInteraction: false });
                 return stdout.trim();
             }
             catch {

package/dist/sdk/keychainSdk.js

@@ -418,6 +418,10 @@ export class KeychainSdk {
         });
     }
     async receive(input) {
+        const parsed = new URL(input.url);
+        if (parsed.protocol !== 'https:') {
+            throw new Error('receive URL must use HTTPS');
+        }
         return this.bw.withSession(async (session) => {
             const opts = ['receive'];
             if (typeof input.password === 'string')

package/dist/sdk/usernameGenerator.js

@@ -63,35 +63,34 @@ const CODAS = [
     'ng',
 ];
 function titleCase(s) {
-    if (!s)
-        return s;
-    const first = s.charAt(0);
-    return first.toUpperCase() + s.slice(1);
+    return s.charAt(0).toUpperCase() + s.slice(1);
 }
 function randomWord(opts, deps) {
     // "Word-like" usernames without pulling a large word list dependency.
     // Produces a pronounceable-ish token such as "cravon" or "Plenast7".
-    for (let i = 0; i < 12; i++) {
-        const syllables = 2 + deps.randInt(2); // 2-3
-        let s = '';
-        for (let j = 0; j < syllables; j++) {
-            s += ONSETS[deps.randInt(ONSETS.length)] ?? 'k';
-            s += VOWELS[deps.randInt(VOWELS.length)] ?? 'a';
-            const coda = CODAS[deps.randInt(CODAS.length)] ?? '';
-            // Avoid overly long tokens by preferring empty coda on earlier syllables.
-            s += j === syllables - 1 ? coda : coda.length > 1 ? '' : coda;
+    // With the current arrays, minimum output is 4 chars ("baba") and maximum
+    // is ~14 chars, so the length check always passes on the first iteration.
+    const syllables = 2 + deps.randInt(2); // 2-3
+    let s = '';
+    for (let j = 0; j < syllables; j++) {
+        const onset = ONSETS[deps.randInt(ONSETS.length)];
+        const vowel = VOWELS[deps.randInt(VOWELS.length)];
+        const coda = CODAS[deps.randInt(CODAS.length)];
+        s += onset;
+        s += vowel;
+        // Avoid overly long tokens by preferring empty coda on earlier syllables.
+        if (j === syllables - 1) {
+            s += coda;
+        }
+        else if (coda.length <= 1) {
+            s += coda;
         }
-        if (s.length < 4 || s.length > 18)
-            continue;
-        if (opts.capitalize)
-            s = titleCase(s);
-        if (opts.includeNumber)
-            s += String(deps.randInt(10));
-        return s;
     }
-    // Fallback: still deterministic with deps.randInt in tests.
-    const fallback = `user${deps.randInt(1_000_000)}`;
-    return opts.capitalize ? titleCase(fallback) : fallback;
+    if (opts.capitalize)
+        s = titleCase(s);
+    if (opts.includeNumber)
+        s += String(deps.randInt(10));
+    return s;
 }
 function parseEmail(email) {
     const trimmed = email.trim();
@@ -126,7 +125,7 @@ export function generateUsername(input = {}, deps) {
             throw new Error('email is required for plus_addressed_email');
         }
         const { local, domain } = parseEmail(input.email);
-        const baseLocal = local.split('+')[0] ?? local;
+        const baseLocal = local.split('+')[0];
         return `${baseLocal}+${word}@${domain}`;
     }
     if (type === 'catch_all_email') {
@@ -136,7 +135,6 @@ export function generateUsername(input = {}, deps) {
         const domain = normalizeDomain(input.domain);
         return `${word}@${domain}`;
     }
-    // Exhaustive check.
-    const _never = type;
-    return _never;
+    // Exhaustive check — TypeScript errors here if a new type is added without a handler.
+    throw new Error(`Unsupported username generator type: ${type}`);
 }

package/dist/tools/registerTools.js

@@ -2,12 +2,22 @@
 import { z } from 'zod';
 export function registerTools(server, deps) {
     const toolMeta = {};
-    const isReadOnly = (() => {
-        const v = (process.env.READONLY ?? process.env.KEYCHAIN_READONLY ?? 'false')
-            .trim()
-            .toLowerCase();
-        return v === '1' || v === 'true' || v === 'yes' || v === 'on';
-    })();
+    function parseBoolEnv(...names) {
+        for (const name of names) {
+            const v = process.env[name];
+            if (v !== undefined) {
+                const lower = v.trim().toLowerCase();
+                if (lower === '1' ||
+                    lower === 'true' ||
+                    lower === 'yes' ||
+                    lower === 'on')
+                    return true;
+            }
+        }
+        return false;
+    }
+    const isReadOnly = parseBoolEnv('READONLY', 'KEYCHAIN_READONLY');
+    const isNoReveal = parseBoolEnv('NOREVEAL', 'KEYCHAIN_NOREVEAL');
     function readonlyBlocked() {
         return {
             structuredContent: { ok: false, error: 'READONLY' },
@@ -15,6 +25,16 @@ export function registerTools(server, deps) {
             isError: true,
         };
     }
+    /** Strip reveal from input when NOREVEAL is set. */
+    function clampReveal(input) {
+        if (isNoReveal && input.reveal) {
+            return { ...input, reveal: false };
+        }
+        return input;
+    }
+    function effectiveReveal(input) {
+        return isNoReveal ? false : (input.reveal ?? false);
+    }
     function toolResult(kind, value, revealed) {
         return { result: { kind, value, revealed } };
     }
@@ -120,7 +140,7 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const result = await sdk.generate(input);
+        const result = await sdk.generate(clampReveal(input));
         return {
             structuredContent: toolResult('generated', result.value, result.revealed),
             content: [{ type: 'text', text: 'OK' }],
@@ -148,7 +168,7 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const result = await sdk.generateUsername(input);
+        const result = await sdk.generateUsername(clampReveal(input));
         return {
             structuredContent: toolResult('generated', result.value, result.revealed),
             content: [{ type: 'text', text: 'OK' }],
@@ -427,7 +447,9 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const item = await sdk.getItem(input.id, { reveal: input.reveal });
+        const item = await sdk.getItem(input.id, {
+            reveal: effectiveReveal(input),
+        });
         return {
             structuredContent: { item },
             content: [{ type: 'text', text: 'OK' }],
@@ -460,7 +482,7 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const notes = await sdk.getNotes({ term: input.term }, { reveal: input.reveal });
+        const notes = await sdk.getNotes({ term: input.term }, { reveal: effectiveReveal(input) });
         return {
             structuredContent: toolResult('notes', notes.value, notes.revealed),
             content: [{ type: 'text', text: 'OK' }],
@@ -618,7 +640,7 @@ export function registerTools(server, deps) {
         if (isReadOnly)
             return readonlyBlocked();
         const sdk = await deps.getSdk(extra.authInfo);
-        const item = await sdk.createAttachment(input);
+        const item = await sdk.createAttachment(clampReveal(input));
         return {
             structuredContent: { item },
             content: [{ type: 'text', text: 'Attached.' }],
@@ -637,7 +659,7 @@ export function registerTools(server, deps) {
         if (isReadOnly)
             return readonlyBlocked();
         const sdk = await deps.getSdk(extra.authInfo);
-        const item = await sdk.deleteAttachment(input);
+        const item = await sdk.deleteAttachment(clampReveal(input));
         return {
             structuredContent: { item },
             content: [{ type: 'text', text: 'Deleted.' }],
@@ -885,7 +907,7 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const password = await sdk.getPassword({ term: input.term }, { reveal: input.reveal });
+        const password = await sdk.getPassword({ term: input.term }, { reveal: effectiveReveal(input) });
         return {
             structuredContent: toolResult('password', password.value, password.revealed),
             content: [{ type: 'text', text: 'OK' }],
@@ -902,7 +924,7 @@ export function registerTools(server, deps) {
         _meta: toolMeta,
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
-        const totp = await sdk.getTotp({ term: input.term }, { reveal: input.reveal });
+        const totp = await sdk.getTotp({ term: input.term }, { reveal: effectiveReveal(input) });
         return {
             structuredContent: toolResult('totp', totp.value, totp.revealed),
             content: [{ type: 'text', text: 'OK' }],
@@ -920,7 +942,7 @@ export function registerTools(server, deps) {
     }, async (input, extra) => {
         const sdk = await deps.getSdk(extra.authInfo);
         const history = await sdk.getPasswordHistory(input.id, {
-            reveal: input.reveal,
+            reveal: effectiveReveal(input),
         });
         return {
             structuredContent: toolResult('password_history', history.value, history.revealed),
@@ -1050,7 +1072,7 @@ export function registerTools(server, deps) {
             id: input.id,
             mode: input.mode,
             uris: normalizeUrisInput(input.uris) ?? [],
-            reveal: input.reveal,
+            reveal: effectiveReveal(input),
         });
         return {
             structuredContent: { item: updated },

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@icoretech/warden-mcp",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "type": "module",
   "license": "MIT",
   "description": "Vaultwarden/Bitwarden MCP server backed by Bitwarden CLI (bw).",
@@ -37,6 +37,7 @@
     "build": "tsc -p .",
     "start": "node dist/server.js",
     "test": "npm run build && node --test \"dist/**/*.test.js\"",
+    "test:coverage": "npm run build && node --test --experimental-test-coverage \"dist/**/*.test.js\"",
     "test:integration": "npm run build && node --test --test-timeout=45000 \"dist/integration/**/*.test.js\"",
     "test:session-regression": "node scripts/session-flood-regression.mjs",
     "lint": "biome check --write --assist-enabled=true . && tsc --noEmit"