@mcp-guardian/server 0.3.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +362 -136
- package/dist/auth/auth-types.d.ts +40 -0
- package/dist/auth/auth-types.d.ts.map +1 -0
- package/dist/auth/auth-types.js +5 -0
- package/dist/auth/auth-types.js.map +1 -0
- package/dist/auth/dashboard-auth.d.ts +97 -0
- package/dist/auth/dashboard-auth.d.ts.map +1 -0
- package/dist/auth/dashboard-auth.js +319 -0
- package/dist/auth/dashboard-auth.js.map +1 -0
- package/dist/auth/dpop.d.ts +38 -0
- package/dist/auth/dpop.d.ts.map +1 -0
- package/dist/auth/dpop.js +72 -0
- package/dist/auth/dpop.js.map +1 -0
- package/dist/auth/oauth.d.ts +25 -0
- package/dist/auth/oauth.d.ts.map +1 -0
- package/dist/auth/oauth.js +96 -0
- package/dist/auth/oauth.js.map +1 -0
- package/dist/auth/redis-session-cache.d.ts +21 -0
- package/dist/auth/redis-session-cache.d.ts.map +1 -0
- package/dist/auth/redis-session-cache.js +74 -0
- package/dist/auth/redis-session-cache.js.map +1 -0
- package/dist/auth/session-cache.d.ts +47 -0
- package/dist/auth/session-cache.d.ts.map +1 -0
- package/dist/auth/session-cache.js +91 -0
- package/dist/auth/session-cache.js.map +1 -0
- package/dist/cli.js +48 -3
- package/dist/cli.js.map +1 -1
- package/dist/database/database-interface.d.ts +17 -0
- package/dist/database/database-interface.d.ts.map +1 -0
- package/dist/database/database-interface.js +2 -0
- package/dist/database/database-interface.js.map +1 -0
- package/dist/database/postgres-db.d.ts +18 -0
- package/dist/database/postgres-db.d.ts.map +1 -0
- package/dist/database/postgres-db.js +118 -0
- package/dist/database/postgres-db.js.map +1 -0
- package/dist/index.js +1 -1
- package/dist/policy/policy-engine.d.ts +19 -0
- package/dist/policy/policy-engine.d.ts.map +1 -0
- package/dist/policy/policy-engine.js +87 -0
- package/dist/policy/policy-engine.js.map +1 -0
- package/dist/policy/policy-types.d.ts +42 -0
- package/dist/policy/policy-types.d.ts.map +1 -0
- package/dist/policy/policy-types.js +5 -0
- package/dist/policy/policy-types.js.map +1 -0
- package/dist/policy/policy-watcher.d.ts +24 -0
- package/dist/policy/policy-watcher.d.ts.map +1 -0
- package/dist/policy/policy-watcher.js +68 -0
- package/dist/policy/policy-watcher.js.map +1 -0
- package/dist/policy/shell-tokenizer.d.ts +92 -0
- package/dist/policy/shell-tokenizer.d.ts.map +1 -0
- package/dist/policy/shell-tokenizer.js +300 -0
- package/dist/policy/shell-tokenizer.js.map +1 -0
- package/dist/proxy/http-proxy-server.d.ts +26 -0
- package/dist/proxy/http-proxy-server.d.ts.map +1 -0
- package/dist/proxy/http-proxy-server.js +172 -0
- package/dist/proxy/http-proxy-server.js.map +1 -0
- package/dist/proxy/proxy-manager.d.ts +5 -1
- package/dist/proxy/proxy-manager.d.ts.map +1 -1
- package/dist/proxy/proxy-manager.js +12 -3
- package/dist/proxy/proxy-manager.js.map +1 -1
- package/dist/proxy/proxy-server.d.ts +20 -5
- package/dist/proxy/proxy-server.d.ts.map +1 -1
- package/dist/proxy/proxy-server.js +126 -9
- package/dist/proxy/proxy-server.js.map +1 -1
- package/dist/utils/circuit-breaker.d.ts +29 -0
- package/dist/utils/circuit-breaker.d.ts.map +1 -0
- package/dist/utils/circuit-breaker.js +81 -0
- package/dist/utils/circuit-breaker.js.map +1 -0
- package/dist/utils/dashboard-server.d.ts +19 -0
- package/dist/utils/dashboard-server.d.ts.map +1 -0
- package/dist/utils/dashboard-server.js +258 -0
- package/dist/utils/dashboard-server.js.map +1 -0
- package/dist/utils/metrics.d.ts +17 -0
- package/dist/utils/metrics.d.ts.map +1 -0
- package/dist/utils/metrics.js +79 -0
- package/dist/utils/metrics.js.map +1 -0
- package/dist/utils/mtls-config.d.ts +27 -0
- package/dist/utils/mtls-config.d.ts.map +1 -0
- package/dist/utils/mtls-config.js +82 -0
- package/dist/utils/mtls-config.js.map +1 -0
- package/dist/utils/payload-normalizer.d.ts +62 -0
- package/dist/utils/payload-normalizer.d.ts.map +1 -0
- package/dist/utils/payload-normalizer.js +240 -0
- package/dist/utils/payload-normalizer.js.map +1 -0
- package/dist/utils/policy-auditor.d.ts +24 -0
- package/dist/utils/policy-auditor.d.ts.map +1 -0
- package/dist/utils/policy-auditor.js +58 -0
- package/dist/utils/policy-auditor.js.map +1 -0
- package/dist/utils/redis-rate-limiter.d.ts +22 -0
- package/dist/utils/redis-rate-limiter.d.ts.map +1 -0
- package/dist/utils/redis-rate-limiter.js +61 -0
- package/dist/utils/redis-rate-limiter.js.map +1 -0
- package/dist/utils/structured-logger.d.ts +47 -0
- package/dist/utils/structured-logger.d.ts.map +1 -0
- package/dist/utils/structured-logger.js +48 -0
- package/dist/utils/structured-logger.js.map +1 -0
- package/dist/utils/tracing.d.ts +7 -0
- package/dist/utils/tracing.d.ts.map +1 -0
- package/dist/utils/tracing.js +34 -0
- package/dist/utils/tracing.js.map +1 -0
- package/package.json +14 -8
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Redis-backed rate limit counters for multi-replica HA.
|
|
3
|
+
* Extends the in-memory counters with shared Redis state.
|
|
4
|
+
* Enable with: REDIS_URL=redis://localhost:6379
|
|
5
|
+
*/
|
|
6
|
+
export declare class RedisRateLimiter {
|
|
7
|
+
private redis;
|
|
8
|
+
private prefix;
|
|
9
|
+
private local;
|
|
10
|
+
constructor();
|
|
11
|
+
/**
|
|
12
|
+
* Check and increment a rate limit counter.
|
|
13
|
+
* Returns the new count, or -1 if the limit is exceeded.
|
|
14
|
+
* Counter resets every windowMs milliseconds.
|
|
15
|
+
*/
|
|
16
|
+
checkAndIncrement(key: string, maxRequests: number, windowMs?: number): Promise<{
|
|
17
|
+
allowed: boolean;
|
|
18
|
+
count: number;
|
|
19
|
+
}>;
|
|
20
|
+
close(): Promise<void>;
|
|
21
|
+
}
|
|
22
|
+
//# sourceMappingURL=redis-rate-limiter.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redis-rate-limiter.d.ts","sourceRoot":"","sources":["../../src/utils/redis-rate-limiter.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,KAAK,CAA8D;;IAQ3E;;;;OAIG;IACG,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAc,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAoC3H,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
import { Redis } from 'ioredis';
|
|
2
|
+
import { Logger } from './logger.js';
|
|
3
|
+
/**
|
|
4
|
+
* Redis-backed rate limit counters for multi-replica HA.
|
|
5
|
+
* Extends the in-memory counters with shared Redis state.
|
|
6
|
+
* Enable with: REDIS_URL=redis://localhost:6379
|
|
7
|
+
*/
|
|
8
|
+
export class RedisRateLimiter {
|
|
9
|
+
redis;
|
|
10
|
+
prefix = 'mcp_guardian:ratelimit:';
|
|
11
|
+
local = new Map();
|
|
12
|
+
constructor() {
|
|
13
|
+
const redisUrl = process.env['REDIS_URL'] || 'redis://localhost:6379';
|
|
14
|
+
this.redis = new Redis(redisUrl, { maxRetriesPerRequest: 2, lazyConnect: false });
|
|
15
|
+
Logger.info(`[redis-rate-limiter] Connected to ${redisUrl}`);
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* Check and increment a rate limit counter.
|
|
19
|
+
* Returns the new count, or -1 if the limit is exceeded.
|
|
20
|
+
* Counter resets every windowMs milliseconds.
|
|
21
|
+
*/
|
|
22
|
+
async checkAndIncrement(key, maxRequests, windowMs = 60000) {
|
|
23
|
+
const redisKey = `${this.prefix}${key}`;
|
|
24
|
+
try {
|
|
25
|
+
// Use Redis MULTI for atomic increment + TTL
|
|
26
|
+
const count = await this.redis.incr(redisKey);
|
|
27
|
+
if (count === 1) {
|
|
28
|
+
await this.redis.pexpire(redisKey, windowMs);
|
|
29
|
+
}
|
|
30
|
+
// Also update local for fast reads
|
|
31
|
+
const now = Date.now();
|
|
32
|
+
let localCounter = this.local.get(key);
|
|
33
|
+
if (!localCounter || now > localCounter.resetAt) {
|
|
34
|
+
localCounter = { count: 1, resetAt: now + windowMs };
|
|
35
|
+
}
|
|
36
|
+
else {
|
|
37
|
+
localCounter.count++;
|
|
38
|
+
}
|
|
39
|
+
this.local.set(key, localCounter);
|
|
40
|
+
return { allowed: count <= maxRequests, count };
|
|
41
|
+
}
|
|
42
|
+
catch (err) {
|
|
43
|
+
// Redis unavailable — fall back to local
|
|
44
|
+
Logger.debug(`[redis-rate-limiter] Redis error, using local: ${err?.message}`);
|
|
45
|
+
const now = Date.now();
|
|
46
|
+
let localCounter = this.local.get(key);
|
|
47
|
+
if (!localCounter || now > localCounter.resetAt) {
|
|
48
|
+
localCounter = { count: 1, resetAt: now + windowMs };
|
|
49
|
+
}
|
|
50
|
+
else {
|
|
51
|
+
localCounter.count++;
|
|
52
|
+
}
|
|
53
|
+
this.local.set(key, localCounter);
|
|
54
|
+
return { allowed: localCounter.count <= maxRequests, count: localCounter.count };
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
async close() {
|
|
58
|
+
await this.redis.quit();
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
//# sourceMappingURL=redis-rate-limiter.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redis-rate-limiter.js","sourceRoot":"","sources":["../../src/utils/redis-rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAChC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAQ;IACb,MAAM,GAAG,yBAAyB,CAAC;IACnC,KAAK,GAAoD,IAAI,GAAG,EAAE,CAAC;IAE3E;QACE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,wBAAwB,CAAC;QACtE,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE,oBAAoB,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,MAAM,CAAC,IAAI,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CAAC,GAAW,EAAE,WAAmB,EAAE,WAAmB,KAAK;QAChF,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAExC,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,CAAC;YAED,mCAAmC;YACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,CAAC,YAAY,IAAI,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC;gBAChD,YAAY,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAElC,OAAO,EAAE,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,yCAAyC;YACzC,MAAM,CAAC,KAAK,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YAC/E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,CAAC,YAAY,IAAI,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC;gBAChD,YAAY,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAClC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,KAAK,IAAI,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC;QACnF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;CACF"}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
import { PolicyDecision, CallContext } from '../policy/policy-types.js';
|
|
2
|
+
export interface AuditLogEntry {
|
|
3
|
+
event: 'policy_decision';
|
|
4
|
+
requestId: string | number;
|
|
5
|
+
serverName: string;
|
|
6
|
+
toolName: string;
|
|
7
|
+
decision: PolicyDecision;
|
|
8
|
+
context: CallContext;
|
|
9
|
+
}
|
|
10
|
+
export interface BlockLogEntry {
|
|
11
|
+
event: 'tool_blocked';
|
|
12
|
+
requestId: string | number;
|
|
13
|
+
serverName: string;
|
|
14
|
+
toolName: string;
|
|
15
|
+
reason: string;
|
|
16
|
+
rule: string;
|
|
17
|
+
}
|
|
18
|
+
export interface ErrorLogEntry {
|
|
19
|
+
event: 'proxy_error' | 'oidc_discovery_error' | 'oidc_auth_error';
|
|
20
|
+
requestId?: string | number;
|
|
21
|
+
serverName: string;
|
|
22
|
+
error: string;
|
|
23
|
+
stack?: string;
|
|
24
|
+
}
|
|
25
|
+
export declare class StructuredLogger {
|
|
26
|
+
/**
|
|
27
|
+
* Log a policy decision (pass, flag, or block).
|
|
28
|
+
*/
|
|
29
|
+
static logPolicyDecision(entry: AuditLogEntry): void;
|
|
30
|
+
/**
|
|
31
|
+
* Log a blocked tool call — always at WARN level for SIEM alerting.
|
|
32
|
+
*/
|
|
33
|
+
static logBlocked(entry: BlockLogEntry): void;
|
|
34
|
+
/**
|
|
35
|
+
* Log proxy internal errors.
|
|
36
|
+
*/
|
|
37
|
+
static logError(entry: ErrorLogEntry): void;
|
|
38
|
+
/**
|
|
39
|
+
* Log general proxy lifecycle events.
|
|
40
|
+
*/
|
|
41
|
+
static info(msg: object | string): void;
|
|
42
|
+
/**
|
|
43
|
+
* Debug-level log for development.
|
|
44
|
+
*/
|
|
45
|
+
static debug(msg: object | string): void;
|
|
46
|
+
}
|
|
47
|
+
//# sourceMappingURL=structured-logger.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"structured-logger.d.ts","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAkBxE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,aAAa,GAAG,sBAAsB,GAAG,iBAAiB,CAAC;IAClE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAIpD;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI3C;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;CAGzC"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import pino from 'pino';
|
|
2
|
+
/**
|
|
3
|
+
* Structured JSON logger for enterprise SIEM ingestion.
|
|
4
|
+
* Uses pino for high-performance structured logging with request-ID tracing.
|
|
5
|
+
*/
|
|
6
|
+
const level = process.env.LOG_LEVEL || 'info';
|
|
7
|
+
const logger = pino({
|
|
8
|
+
level: level.toLowerCase(),
|
|
9
|
+
formatters: {
|
|
10
|
+
level(label) {
|
|
11
|
+
return { level: label };
|
|
12
|
+
},
|
|
13
|
+
},
|
|
14
|
+
timestamp: pino.stdTimeFunctions.isoTime,
|
|
15
|
+
});
|
|
16
|
+
export class StructuredLogger {
|
|
17
|
+
/**
|
|
18
|
+
* Log a policy decision (pass, flag, or block).
|
|
19
|
+
*/
|
|
20
|
+
static logPolicyDecision(entry) {
|
|
21
|
+
logger.info(entry);
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Log a blocked tool call — always at WARN level for SIEM alerting.
|
|
25
|
+
*/
|
|
26
|
+
static logBlocked(entry) {
|
|
27
|
+
logger.warn(entry);
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Log proxy internal errors.
|
|
31
|
+
*/
|
|
32
|
+
static logError(entry) {
|
|
33
|
+
logger.error(entry);
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Log general proxy lifecycle events.
|
|
37
|
+
*/
|
|
38
|
+
static info(msg) {
|
|
39
|
+
logger.info(msg);
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Debug-level log for development.
|
|
43
|
+
*/
|
|
44
|
+
static debug(msg) {
|
|
45
|
+
logger.debug(msg);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=structured-logger.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"structured-logger.js","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB;;;GAGG;AACH,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM,CAAC;AAE9C,MAAM,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;IAC1B,UAAU,EAAE;QACV,KAAK,CAAC,KAAK;YACT,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;KACF;IACD,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO;CACzC,CAAC,CAAC;AA4BH,MAAM,OAAO,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAoB;QAC3C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAoB;QACpC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAoB;QAClC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAoB;QAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAoB;QAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;CACF"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
|
|
3
|
+
* Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
|
|
4
|
+
* Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
|
|
5
|
+
*/
|
|
6
|
+
export declare function initTracing(): Promise<void>;
|
|
7
|
+
//# sourceMappingURL=tracing.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CA8BjD"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
import { Logger } from './logger.js';
|
|
2
|
+
/**
|
|
3
|
+
* OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
|
|
4
|
+
* Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
|
|
5
|
+
* Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
|
|
6
|
+
*/
|
|
7
|
+
export async function initTracing() {
|
|
8
|
+
if (!process.env['OTEL_EXPORTER_OTLP_ENDPOINT']) {
|
|
9
|
+
Logger.debug('[tracing] OpenTelemetry not configured (set OTEL_EXPORTER_OTLP_ENDPOINT)');
|
|
10
|
+
return;
|
|
11
|
+
}
|
|
12
|
+
try {
|
|
13
|
+
const { NodeSDK } = await import('@opentelemetry/sdk-node');
|
|
14
|
+
const { getNodeAutoInstrumentations } = await import('@opentelemetry/auto-instrumentations-node');
|
|
15
|
+
// Use OTLP HTTP exporter instead of deprecated gRPC
|
|
16
|
+
const { OTLPTraceExporter } = await import('@opentelemetry/exporter-trace-otlp-http');
|
|
17
|
+
const exporter = new OTLPTraceExporter({
|
|
18
|
+
url: `${process.env['OTEL_EXPORTER_OTLP_ENDPOINT']}/v1/traces`,
|
|
19
|
+
});
|
|
20
|
+
const instruments = getNodeAutoInstrumentations({
|
|
21
|
+
'@opentelemetry/instrumentation-http': { enabled: true },
|
|
22
|
+
});
|
|
23
|
+
const sdk = new NodeSDK({
|
|
24
|
+
traceExporter: exporter,
|
|
25
|
+
instrumentations: [instruments],
|
|
26
|
+
});
|
|
27
|
+
await sdk.start();
|
|
28
|
+
Logger.info('[tracing] OpenTelemetry tracing initialized — exporting to OTLP HTTP endpoint');
|
|
29
|
+
}
|
|
30
|
+
catch (err) {
|
|
31
|
+
Logger.warn(`[tracing] OpenTelemetry initialization failed: ${err?.message}`);
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=tracing.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAC;QACzF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,2BAA2B,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;QAClG,oDAAoD;QACpD,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,yCAAyC,CAAC,CAAC;QAEtF,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAC;YACrC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,YAAY;SAC/D,CAAQ,CAAC;QAEV,MAAM,WAAW,GAAG,2BAA2B,CAAC;YAC9C,qCAAqC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;SACzD,CAAQ,CAAC;QAEV,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC;YACtB,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;IAC/F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mcp-guardian/server",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "Security, cost, and health audit for MCP infrastructure",
|
|
5
5
|
"type": "module",
|
|
6
|
-
"files": [
|
|
6
|
+
"files": [
|
|
7
|
+
"dist"
|
|
8
|
+
],
|
|
7
9
|
"main": "./dist/index.js",
|
|
8
10
|
"bin": {
|
|
9
11
|
"mcp-guardian": "./dist/cli.js"
|
|
@@ -13,7 +15,7 @@
|
|
|
13
15
|
},
|
|
14
16
|
"repository": "github:rudraneel93/mcp-guardian",
|
|
15
17
|
"bugs": "https://github.com/rudraneel93/mcp-guardian/issues",
|
|
16
|
-
"homepage": "https://
|
|
18
|
+
"homepage": "https://www.npmjs.com/package/@mcp-guardian/server",
|
|
17
19
|
"keywords": [
|
|
18
20
|
"mcp",
|
|
19
21
|
"model-context-protocol",
|
|
@@ -36,17 +38,21 @@
|
|
|
36
38
|
},
|
|
37
39
|
"dependencies": {
|
|
38
40
|
"@modelcontextprotocol/sdk": "^1.0.0",
|
|
39
|
-
"tiktoken": "^1.0.15",
|
|
40
|
-
"sql.js": "^1.11.0",
|
|
41
41
|
"axios": "^1.7.0",
|
|
42
|
-
"commander": "^12.0.0",
|
|
43
42
|
"chalk": "^5.3.0",
|
|
43
|
+
"commander": "^12.0.0",
|
|
44
|
+
"jose": "^6.2.3",
|
|
45
|
+
"js-yaml": "^4.1.1",
|
|
46
|
+
"pino": "^10.3.1",
|
|
47
|
+
"sql.js": "^1.11.0",
|
|
48
|
+
"tiktoken": "^1.0.15",
|
|
44
49
|
"zod": "^3.23.0"
|
|
45
50
|
},
|
|
46
51
|
"devDependencies": {
|
|
52
|
+
"@types/js-yaml": "^4.0.9",
|
|
47
53
|
"@types/node": "^20.0.0",
|
|
48
|
-
"typescript": "^5.4.0",
|
|
49
54
|
"tsx": "^4.7.0",
|
|
55
|
+
"typescript": "^5.4.0",
|
|
50
56
|
"vitest": "^1.6.0"
|
|
51
57
|
}
|
|
52
|
-
}
|
|
58
|
+
}
|