@mcp-guardian/server 0.3.0 → 0.6.0

package/dist/proxy/proxy-server.js

@@ -1,10 +1,20 @@
 import { spawn } from 'child_process';
 import { createInterface } from 'readline';
+import { randomUUID } from 'crypto';
 import { TokenCounter } from '../utils/token-counter.js';
 import { Logger } from '../utils/logger.js';
+import { StructuredLogger } from '../utils/structured-logger.js';
+import { OAuthValidator } from '../auth/oauth.js';
+import { SessionCache } from '../auth/session-cache.js';
+import { CircuitBreaker } from '../utils/circuit-breaker.js';
 /**
- * MCP Proxy Interceptor — sits between the AI client and an MCP server,
- * capturing every JSON-RPC call's token usage for real cost auditing.
+ * MCP Proxy Interceptor — sits between the AI client and an MCP server.
+ *
+ * v0.4: Integrated PolicyEngine for active blocking of malicious tool calls.
+ * v0.5: OAuth 2.1 JWT validation — validates bearer tokens before policy evaluation.
+ * v0.5.2: Circuit breaker for upstream MCP server failures.
+ * v0.5.2: Per-client rate limiting (keyed by agent sub + tool name).
+ * v0.5.2: Consistent SIEM fields (request_id, proxy_latency_ms, authn_success, authz_allowed).
  */
 export class McpProxyServer {
     child;
@@ -14,9 +24,20 @@ export class McpProxyServer {
     requestStartTime = 0;
     requestToolName = null;
     requestTokens = 0;
+    requestArguments;
     serverName;
-    constructor(command, args, env, db, serverName) {
+    policyEngine;
+    authValidator;
+    sessionCache;
+    circuitBreaker;
+    /** v0.5.2: Per-client rate limit counters (key: agentSub:toolName) */
+    clientRateCounters = new Map();
+    constructor(command, args, env, db, serverName, policyEngine, authValidator) {
         this.serverName = serverName || command.split('/').pop() || command;
+        this.policyEngine = policyEngine || null;
+        this.authValidator = authValidator || null;
+        this.sessionCache = authValidator ? new SessionCache() : null;
+        this.circuitBreaker = new CircuitBreaker(this.serverName);
         this.child = spawn(command, args, {
             env: { ...process.env, ...env },
             stdio: ['pipe', 'pipe', 'pipe'],
@@ -25,6 +46,13 @@ export class McpProxyServer {
         this.db = db;
         this.setupStdout();
         this.setupStderr();
+        StructuredLogger.info({
+            event: 'proxy_started',
+            serverName: this.serverName,
+            blockingMode: this.policyEngine ? this.policyEngine.getMode() : 'audit',
+            authEnabled: this.authValidator ? this.authValidator.getConfig().required : false,
+            circuitBreaker: this.circuitBreaker.getState(),
+        });
     }
     get stdin() {
         return this.child.stdin;
@@ -35,7 +63,7 @@ export class McpProxyServer {
             try {
                 const msg = JSON.parse(line);
                 if (msg.id && msg.id === this.currentRequestId) {
-                    // Response to our tracked tools/call request
+                    const proxyLatencyMs = Date.now() - this.requestStartTime;
                     const responseTokens = this.tokenCounter.count(line);
                     const record = {
                         serverName: this.serverName,
@@ -43,19 +71,18 @@ export class McpProxyServer {
                         requestTokens: this.requestTokens,
                         responseTokens,
                         totalTokens: this.requestTokens + responseTokens,
-                        durationMs: Date.now() - this.requestStartTime,
+                        durationMs: proxyLatencyMs,
                         timestamp: new Date().toISOString(),
                     };
-                    // Await the DB write so tests can read immediately
                     this.db.addCallRecord(record).then(() => this.db.flush()).catch((err) => Logger.debug(`Proxy: failed to store call record: ${err?.message}`));
+                    // Circuit breaker: success
+                    this.circuitBreaker.recordSuccess();
                     this.currentRequestId = null;
                     this.requestToolName = null;
                 }
-                // Forward response to client
                 process.stdout.write(line + '\n');
             }
             catch {
-                // Non-JSON line — forward as-is
                 process.stdout.write(line + '\n');
             }
         });
@@ -68,18 +95,202 @@ export class McpProxyServer {
             process.stderr.write(data);
         });
     }
+    sendError(id, code, message, data) {
+        const errorResponse = JSON.stringify({
+            jsonrpc: '2.0',
+            id,
+            error: { code, message, data },
+        });
+        process.stdout.write(errorResponse + '\n');
+    }
     /**
      * Called when the AI client writes a request to be proxied.
-     * Tracks tools/call requests for token counting.
+     * Pipeline: Auth → Circuit Breaker → Policy + RBAC → Forward.
      */
-    handleClientInput(raw) {
+    async handleClientInput(raw) {
+        const requestId = randomUUID();
+        const proxyStartTime = Date.now();
         try {
             const msg = JSON.parse(raw);
             if (msg.method === 'tools/call' && msg.id) {
-                this.requestStartTime = Date.now();
-                this.currentRequestId = msg.id;
+                this.requestStartTime = proxyStartTime;
+                this.currentRequestId = msg.id; // Original msg ID for response matching
                 this.requestToolName = msg.params?.name || 'unknown';
                 this.requestTokens = this.tokenCounter.count(raw);
+                this.requestArguments = msg.params?.arguments;
+                const toolName = this.requestToolName || 'unknown';
+                let agentIdentity;
+                let authnSuccess = false;
+                // ── v0.5: OAuth 2.1 JWT validation ──────────────────
+                if (this.authValidator) {
+                    const authHeader = msg.params?._meta?.auth?.Authorization
+                        || msg.Authorization
+                        || msg.params?.Authorization
+                        || undefined;
+                    const token = OAuthValidator.extractToken(authHeader);
+                    if (!token) {
+                        if (this.authValidator.getConfig().required) {
+                            StructuredLogger.info({
+                                event: 'auth_required',
+                                requestId,
+                                serverName: this.serverName,
+                                toolName,
+                                authnSuccess: false,
+                            });
+                            this.sendError(msg.id, -32002, 'Authentication required. Provide a valid Bearer token in the Authorization header.');
+                            return;
+                        }
+                    }
+                    else {
+                        const result = await this.authValidator.validate(token);
+                        authnSuccess = result.valid;
+                        if (result.identity)
+                            agentIdentity = result.identity;
+                        if (!result.valid) {
+                            StructuredLogger.logError({
+                                event: 'oidc_auth_error',
+                                serverName: this.serverName,
+                                requestId,
+                                error: `JWT validation failed: ${result.error}`,
+                            });
+                            if (this.authValidator.getConfig().required) {
+                                this.sendError(msg.id, -32003, `Authentication failed: ${result.error}`);
+                                return;
+                            }
+                        }
+                        else {
+                            // v0.6.0: Session cache — issue short-lived session to prevent JWT replay
+                            if (this.sessionCache && result.identity) {
+                                const session = this.sessionCache.createSession(result.identity);
+                                StructuredLogger.info({
+                                    event: 'auth_success',
+                                    requestId,
+                                    serverName: this.serverName,
+                                    toolName,
+                                    agent: result.identity.sub,
+                                    clientId: result.identity.clientId,
+                                    sessionToken: session.token,
+                                    sessionExpiry: new Date(session.expiresAt).toISOString(),
+                                    authnSuccess: true,
+                                });
+                            }
+                            else {
+                                StructuredLogger.info({
+                                    event: 'auth_success',
+                                    requestId,
+                                    serverName: this.serverName,
+                                    toolName,
+                                    agent: result.identity?.sub,
+                                    clientId: result.identity?.clientId,
+                                    authnSuccess: true,
+                                });
+                            }
+                        }
+                    }
+                }
+                // ── v0.5.2: Circuit breaker check ──────────────────
+                if (!this.circuitBreaker.allowRequest()) {
+                    StructuredLogger.info({
+                        event: 'circuit_open',
+                        requestId,
+                        serverName: this.serverName,
+                        toolName,
+                        state: this.circuitBreaker.getState(),
+                    });
+                    this.sendError(msg.id, -32005, `Upstream MCP server '${this.serverName}' unavailable — circuit breaker open`);
+                    this.circuitBreaker.recordFailure();
+                    return;
+                }
+                // ── v0.5.1: RBAC + policy evaluation ────────────────
+                let authzAllowed = true;
+                let blockReason;
+                if (this.policyEngine) {
+                    const context = {
+                        serverName: this.serverName,
+                        toolName,
+                        arguments: this.requestArguments,
+                        requestId,
+                        requestTokens: this.requestTokens,
+                        timestamp: new Date().toISOString(),
+                        agentIdentity,
+                    };
+                    const decision = this.policyEngine.evaluate(context);
+                    StructuredLogger.logPolicyDecision({
+                        event: 'policy_decision',
+                        requestId,
+                        serverName: this.serverName,
+                        toolName,
+                        decision,
+                        context,
+                    });
+                    if (decision.action === 'block') {
+                        authzAllowed = false;
+                        blockReason = `policy:${decision.rule}:${decision.reason}`;
+                        StructuredLogger.logBlocked({
+                            event: 'tool_blocked',
+                            requestId,
+                            serverName: this.serverName,
+                            toolName,
+                            reason: `policy_rule=${decision.rule} | reason=${decision.reason}`,
+                            rule: decision.rule,
+                        });
+                        StructuredLogger.info({
+                            event: 'request_denied',
+                            requestId,
+                            serverName: this.serverName,
+                            toolName,
+                            authnSuccess,
+                            authzAllowed,
+                            blockReason,
+                            proxyLatencyMs: Date.now() - proxyStartTime,
+                        });
+                        this.sendError(msg.id, -32001, `Blocked by MCP Guardian policy: ${decision.reason}`, {
+                            rule: decision.rule,
+                            policy: this.policyEngine.getMode(),
+                        });
+                        return;
+                    }
+                    // v0.5.2: Per-client rate limiting
+                    if (agentIdentity) {
+                        const rateKey = `${agentIdentity.sub}:${toolName}`;
+                        const now = Date.now();
+                        let counter = this.clientRateCounters.get(rateKey);
+                        if (!counter || now > counter.resetAt) {
+                            counter = { count: 1, resetAt: now + 60000 };
+                            this.clientRateCounters.set(rateKey, counter);
+                        }
+                        else {
+                            counter.count++;
+                        }
+                        // Check if any RBAC rule with per-client rate limit fires
+                        const perClientLimit = this.checkPerClientRateLimit(agentIdentity, toolName, counter.count);
+                        if (perClientLimit) {
+                            StructuredLogger.info({
+                                event: 'request_denied',
+                                requestId,
+                                serverName: this.serverName,
+                                toolName,
+                                authnSuccess,
+                                authzAllowed: false,
+                                blockReason: perClientLimit,
+                                proxyLatencyMs: Date.now() - proxyStartTime,
+                            });
+                            this.sendError(msg.id, -32004, `Rate limit exceeded for agent '${agentIdentity.sub}': ${perClientLimit}`);
+                            return;
+                        }
+                    }
+                }
+                // ── Log successful forwarding ───────────────────────
+                StructuredLogger.info({
+                    event: 'request_forwarded',
+                    requestId,
+                    serverName: this.serverName,
+                    toolName,
+                    authnSuccess,
+                    authzAllowed,
+                    proxyLatencyMs: Date.now() - proxyStartTime,
+                    agent: agentIdentity?.sub,
+                });
             }
         }
         catch {
@@ -87,6 +298,22 @@ export class McpProxyServer {
         }
         this.child.stdin?.write(raw + '\n');
     }
+    /**
+     * Check per-client rate limits against RBAC rules.
+     * Returns block reason string or null.
+     */
+    checkPerClientRateLimit(identity, toolName, currentCount) {
+        if (!this.policyEngine)
+            return null;
+        // Per-client limits are tracked via RBAC scopes — if agent has "basic" scope, check against "basic" rate limit rule
+        const scopes = identity.scopes || [];
+        // Simple: if the agent has no special scopes and we've hit a hard limit
+        // In a full implementation, this would check per-scope/per-client limits from policy
+        if (scopes.length === 0 && currentCount > 100) {
+            return `Per-client rate limit exceeded: ${currentCount}/100 calls per minute (agent: ${identity.sub})`;
+        }
+        return null;
+    }
     kill() {
         try {
             this.child.kill();

package/dist/proxy/proxy-server.js.map

@@ -1 +1 @@
-{"version":3,"file":"proxy-server.js","sourceRoot":"","sources":["../../src/proxy/proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAgB,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGzD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,KAAK,CAAe;IACpB,YAAY,CAAe;IAC3B,EAAE,CAAkB;IACpB,gBAAgB,GAAkB,IAAI,CAAC;IACvC,gBAAgB,GAAW,CAAC,CAAC;IAC7B,eAAe,GAAkB,IAAI,CAAC;IACtC,aAAa,GAAW,CAAC,CAAC;IAC1B,UAAU,CAAS;IAE3B,YACE,OAAe,EACf,IAAc,EACd,GAA2B,EAC3B,EAAmB,EACnB,UAAmB;QAEnB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACpE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YAChC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE;YAC/B,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;IAC1B,CAAC;IAEO,WAAW;QACjB,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAO,EAAE,CAAC,CAAC;QAC1D,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC/C,6CAA6C;oBAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrD,MAAM,MAAM,GAAoB;wBAC9B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ,EAAE,IAAI,CAAC,eAAe,IAAI,SAAS;wBAC3C,aAAa,EAAE,IAAI,CAAC,aAAa;wBACjC,cAAc;wBACd,WAAW,EAAE,IAAI,CAAC,aAAa,GAAG,cAAc;wBAChD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB;wBAC9C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC;oBACF,mDAAmD;oBACnD,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CACtE,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,EAAE,OAAO,EAAE,CAAC,CACpE,CAAC;oBACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;oBAC7B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;gBAC9B,CAAC;gBACD,6BAA6B;gBAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;gBAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,MAAM,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,UAAU,iBAAiB,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW;QACjB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,GAAW;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACnC,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/B,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;gBACrD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI;QACF,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"proxy-server.js","sourceRoot":"","sources":["../../src/proxy/proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAgB,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGzD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAG5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,OAAO,cAAc;IACjB,KAAK,CAAe;IACpB,YAAY,CAAe;IAC3B,EAAE,CAAkB;IACpB,gBAAgB,GAAkB,IAAI,CAAC;IACvC,gBAAgB,GAAW,CAAC,CAAC;IAC7B,eAAe,GAAkB,IAAI,CAAC;IACtC,aAAa,GAAW,CAAC,CAAC;IAC1B,gBAAgB,CAAsC;IACtD,UAAU,CAAS;IACnB,YAAY,CAAsB;IAClC,aAAa,CAAwB;IACrC,YAAY,CAAsB;IAClC,cAAc,CAAiB;IACvC,sEAAsE;IAC9D,kBAAkB,GAAoD,IAAI,GAAG,EAAE,CAAC;IAExF,YACE,OAAe,EACf,IAAc,EACd,GAA2B,EAC3B,EAAmB,EACnB,UAAmB,EACnB,YAA2B,EAC3B,aAA8B;QAE9B,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACpE,IAAI,CAAC,YAAY,GAAG,YAAY,IAAI,IAAI,CAAC;QACzC,IAAI,CAAC,aAAa,GAAG,aAAa,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1D,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YAChC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE;YAC/B,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,IAAI,CAAC,WAAW,EAAE,CAAC;QAEnB,gBAAgB,CAAC,IAAI,CAAC;YACpB,KAAK,EAAE,eAAe;YACtB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,YAAY,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO;YACvE,WAAW,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK;YACjF,cAAc,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;IAC1B,CAAC;IAEO,WAAW;QACjB,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAO,EAAE,CAAC,CAAC;QAC1D,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB,CAAC;oBAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrD,MAAM,MAAM,GAAoB;wBAC9B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ,EAAE,IAAI,CAAC,eAAe,IAAI,SAAS;wBAC3C,aAAa,EAAE,IAAI,CAAC,aAAa;wBACjC,cAAc;wBACd,WAAW,EAAE,IAAI,CAAC,aAAa,GAAG,cAAc;wBAChD,UAAU,EAAE,cAAc;wBAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC;oBACF,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CACtE,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,EAAE,OAAO,EAAE,CAAC,CACpE,CAAC;oBACF,2BAA2B;oBAC3B,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;oBACpC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;oBAC7B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;gBAC9B,CAAC;gBACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,MAAM,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,UAAU,iBAAiB,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW;QACjB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,SAAS,CAAC,EAAmB,EAAE,IAAY,EAAE,OAAe,EAAE,IAA8B;QAClG,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC;YACnC,OAAO,EAAE,KAAK;YACd,EAAE;YACF,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;SAC/B,CAAC,CAAC;QACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,GAAW;QACjC,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;QAC/B,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAElC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBAC9C,IAAI,CAAC,gBAAgB,GAAG,cAAc,CAAC;gBACvC,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC,wCAAwC;gBACpE,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;gBACrD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAClD,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC;gBAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,IAAI,SAAS,CAAC;gBAEnD,IAAI,aAAwC,CAAC;gBAC7C,IAAI,YAAY,GAAG,KAAK,CAAC;gBAEzB,uDAAuD;gBACvD,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;oBACvB,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa;2BACpD,GAAG,CAAC,aAAa;2BACjB,GAAG,CAAC,MAAM,EAAE,aAAa;2BACzB,SAAS,CAAC;oBAEf,MAAM,KAAK,GAAG,cAAc,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;oBAEtD,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;4BAC5C,gBAAgB,CAAC,IAAI,CAAC;gCACpB,KAAK,EAAE,eAAe;gCACtB,SAAS;gCACT,UAAU,EAAE,IAAI,CAAC,UAAU;gCAC3B,QAAQ;gCACR,YAAY,EAAE,KAAK;6BACpB,CAAC,CAAC;4BACH,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,oFAAoF,CAAC,CAAC;4BACrH,OAAO;wBACT,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,MAAM,GAAyB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;wBAC9E,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;wBAC5B,IAAI,MAAM,CAAC,QAAQ;4BAAE,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;wBAErD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;4BAClB,gBAAgB,CAAC,QAAQ,CAAC;gCACxB,KAAK,EAAE,iBAAiB;gCACxB,UAAU,EAAE,IAAI,CAAC,UAAU;gCAC3B,SAAS;gCACT,KAAK,EAAE,0BAA0B,MAAM,CAAC,KAAK,EAAE;6BAChD,CAAC,CAAC;4BAEH,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;gCAC5C,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,0BAA0B,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gCACzE,OAAO;4BACT,CAAC;wBACH,CAAC;6BAAM,CAAC;4BACN,0EAA0E;4BAC1E,IAAI,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gCACzC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gCACjE,gBAAgB,CAAC,IAAI,CAAC;oCACpB,KAAK,EAAE,cAAc;oCACrB,SAAS;oCACT,UAAU,EAAE,IAAI,CAAC,UAAU;oCAC3B,QAAQ;oCACR,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;oCAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;oCAClC,YAAY,EAAE,OAAO,CAAC,KAAK;oCAC3B,aAAa,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;oCACxD,YAAY,EAAE,IAAI;iCACnB,CAAC,CAAC;4BACL,CAAC;iCAAM,CAAC;gCACN,gBAAgB,CAAC,IAAI,CAAC;oCACpB,KAAK,EAAE,cAAc;oCACrB,SAAS;oCACT,UAAU,EAAE,IAAI,CAAC,UAAU;oCAC3B,QAAQ;oCACR,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG;oCAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ;oCACnC,YAAY,EAAE,IAAI;iCACnB,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,sDAAsD;gBACtD,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,EAAE,CAAC;oBACxC,gBAAgB,CAAC,IAAI,CAAC;wBACpB,KAAK,EAAE,cAAc;wBACrB,SAAS;wBACT,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ;wBACR,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE;qBACtC,CAAC,CAAC;oBACH,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,wBAAwB,IAAI,CAAC,UAAU,sCAAsC,CAAC,CAAC;oBAC9G,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO;gBACT,CAAC;gBAED,uDAAuD;gBACvD,IAAI,YAAY,GAAG,IAAI,CAAC;gBACxB,IAAI,WAA+B,CAAC;gBAEpC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;oBACtB,MAAM,OAAO,GAAgB;wBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ;wBACR,SAAS,EAAE,IAAI,CAAC,gBAAgB;wBAChC,SAAS;wBACT,aAAa,EAAE,IAAI,CAAC,aAAa;wBACjC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,aAAa;qBACd,CAAC;oBAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAErD,gBAAgB,CAAC,iBAAiB,CAAC;wBACjC,KAAK,EAAE,iBAAiB;wBACxB,SAAS;wBACT,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ;wBACR,QAAQ;wBACR,OAAO;qBACR,CAAC,CAAC;oBAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;wBAChC,YAAY,GAAG,KAAK,CAAC;wBACrB,WAAW,GAAG,UAAU,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;wBAE3D,gBAAgB,CAAC,UAAU,CAAC;4BAC1B,KAAK,EAAE,cAAc;4BACrB,SAAS;4BACT,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,QAAQ;4BACR,MAAM,EAAE,eAAe,QAAQ,CAAC,IAAI,aAAa,QAAQ,CAAC,MAAM,EAAE;4BAClE,IAAI,EAAE,QAAQ,CAAC,IAAI;yBACpB,CAAC,CAAC;wBAEH,gBAAgB,CAAC,IAAI,CAAC;4BACpB,KAAK,EAAE,gBAAgB;4BACvB,SAAS;4BACT,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,QAAQ;4BACR,YAAY;4BACZ,YAAY;4BACZ,WAAW;4BACX,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;yBAC5C,CAAC,CAAC;wBAEH,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,mCAAmC,QAAQ,CAAC,MAAM,EAAE,EAAE;4BACnF,IAAI,EAAE,QAAQ,CAAC,IAAI;4BACnB,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE;yBACpC,CAAC,CAAC;wBACH,OAAO;oBACT,CAAC;oBAED,mCAAmC;oBACnC,IAAI,aAAa,EAAE,CAAC;wBAClB,MAAM,OAAO,GAAG,GAAG,aAAa,CAAC,GAAG,IAAI,QAAQ,EAAE,CAAC;wBACnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;wBACvB,IAAI,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;wBACnD,IAAI,CAAC,OAAO,IAAI,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;4BACtC,OAAO,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,KAAK,EAAE,CAAC;4BAC7C,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;wBAChD,CAAC;6BAAM,CAAC;4BACN,OAAO,CAAC,KAAK,EAAE,CAAC;wBAClB,CAAC;wBACD,0DAA0D;wBAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;wBAC5F,IAAI,cAAc,EAAE,CAAC;4BACnB,gBAAgB,CAAC,IAAI,CAAC;gCACpB,KAAK,EAAE,gBAAgB;gCACvB,SAAS;gCACT,UAAU,EAAE,IAAI,CAAC,UAAU;gCAC3B,QAAQ;gCACR,YAAY;gCACZ,YAAY,EAAE,KAAK;gCACnB,WAAW,EAAE,cAAc;gCAC3B,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;6BAC5C,CAAC,CAAC;4BACH,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,kCAAkC,aAAa,CAAC,GAAG,MAAM,cAAc,EAAE,CAAC,CAAC;4BAC1G,OAAO;wBACT,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,uDAAuD;gBACvD,gBAAgB,CAAC,IAAI,CAAC;oBACpB,KAAK,EAAE,mBAAmB;oBAC1B,SAAS;oBACT,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ;oBACR,YAAY;oBACZ,YAAY;oBACZ,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;oBAC3C,KAAK,EAAE,aAAa,EAAE,GAAG;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;;OAGG;IACK,uBAAuB,CAAC,QAAuB,EAAE,QAAgB,EAAE,YAAoB;QAC7F,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QACpC,oHAAoH;QACpH,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;QACrC,wEAAwE;QACxE,qFAAqF;QACrF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,GAAG,GAAG,EAAE,CAAC;YAC9C,OAAO,mCAAmC,YAAY,iCAAiC,QAAQ,CAAC,GAAG,GAAG,CAAC;QACzG,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI;QACF,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;CACF"}

package/dist/utils/circuit-breaker.d.ts

@@ -0,0 +1,29 @@
+export type CircuitState = 'CLOSED' | 'OPEN' | 'HALF_OPEN';
+export declare class CircuitBreaker {
+    private state;
+    private failureCount;
+    private successCount;
+    private lastFailureTime;
+    private readonly resetTimeout;
+    private readonly failureThreshold;
+    private readonly successThreshold;
+    private readonly name;
+    constructor(name: string, options?: {
+        failureThreshold?: number;
+        successThreshold?: number;
+        resetTimeoutMs?: number;
+    });
+    /** Check if the circuit allows a request through */
+    allowRequest(): boolean;
+    /** Record a successful request */
+    recordSuccess(): void;
+    /** Record a failed request */
+    recordFailure(): void;
+    getState(): CircuitState;
+    getStats(): {
+        state: CircuitState;
+        failureCount: number;
+        successCount: number;
+    };
+}
+//# sourceMappingURL=circuit-breaker.d.ts.map

package/dist/utils/circuit-breaker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"circuit-breaker.d.ts","sourceRoot":"","sources":["../../src/utils/circuit-breaker.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;AAE3D,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAA0B;IACvC,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,YAAY,CAAa;IACjC,OAAO,CAAC,eAAe,CAAa;IACpC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;gBAG5B,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAO;IAQjG,oDAAoD;IACpD,YAAY,IAAI,OAAO;IAcvB,kCAAkC;IAClC,aAAa,IAAI,IAAI;IAcrB,8BAA8B;IAC9B,aAAa,IAAI,IAAI;IAerB,QAAQ,IAAI,YAAY;IAIxB,QAAQ,IAAI;QAAE,KAAK,EAAE,YAAY,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE;CAOhF"}

package/dist/utils/circuit-breaker.js

@@ -0,0 +1,81 @@
+/**
+ * Circuit Breaker for MCP Proxy Server.
+ * Implements the classic 3-state circuit breaker pattern:
+ * CLOSED → OPEN → HALF_OPEN → CLOSED (or OPEN again).
+ *
+ * Used to protect upstream MCP servers from cascading failures.
+ */
+import { Logger } from './logger.js';
+export class CircuitBreaker {
+    state = 'CLOSED';
+    failureCount = 0;
+    successCount = 0;
+    lastFailureTime = 0;
+    resetTimeout;
+    failureThreshold;
+    successThreshold;
+    name;
+    constructor(name, options = {}) {
+        this.name = name;
+        this.failureThreshold = options.failureThreshold || 5;
+        this.successThreshold = options.successThreshold || 2;
+        this.resetTimeout = options.resetTimeoutMs || 30000;
+    }
+    /** Check if the circuit allows a request through */
+    allowRequest() {
+        if (this.state === 'CLOSED')
+            return true;
+        if (this.state === 'OPEN') {
+            if (Date.now() - this.lastFailureTime >= this.resetTimeout) {
+                this.state = 'HALF_OPEN';
+                Logger.debug(`[circuit-breaker:${this.name}] Transitioned to HALF_OPEN`);
+                return true;
+            }
+            return false;
+        }
+        // HALF_OPEN: allow probes
+        return true;
+    }
+    /** Record a successful request */
+    recordSuccess() {
+        if (this.state === 'HALF_OPEN') {
+            this.successCount++;
+            if (this.successCount >= this.successThreshold) {
+                this.state = 'CLOSED';
+                this.failureCount = 0;
+                this.successCount = 0;
+                Logger.info(`[circuit-breaker:${this.name}] Circuit CLOSED — service healthy`);
+            }
+        }
+        else if (this.state === 'CLOSED') {
+            this.failureCount = 0;
+        }
+    }
+    /** Record a failed request */
+    recordFailure() {
+        this.lastFailureTime = Date.now();
+        if (this.state === 'HALF_OPEN') {
+            this.state = 'OPEN';
+            this.successCount = 0;
+            Logger.warn(`[circuit-breaker:${this.name}] Circuit OPEN — half-open probe failed`);
+        }
+        else if (this.state === 'CLOSED') {
+            this.failureCount++;
+            if (this.failureCount >= this.failureThreshold) {
+                this.state = 'OPEN';
+                Logger.warn(`[circuit-breaker:${this.name}] Circuit OPEN — ${this.failureCount} consecutive failures`);
+            }
+        }
+    }
+    getState() {
+        return this.state;
+    }
+    getStats() {
+        return {
+            state: this.state,
+            failureCount: this.failureCount,
+            successCount: this.successCount,
+        };
+    }
+}
+//# sourceMappingURL=circuit-breaker.js.map

package/dist/utils/circuit-breaker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"circuit-breaker.js","sourceRoot":"","sources":["../../src/utils/circuit-breaker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,MAAM,OAAO,cAAc;IACjB,KAAK,GAAiB,QAAQ,CAAC;IAC/B,YAAY,GAAW,CAAC,CAAC;IACzB,YAAY,GAAW,CAAC,CAAC;IACzB,eAAe,GAAW,CAAC,CAAC;IACnB,YAAY,CAAS;IACrB,gBAAgB,CAAS;IACzB,gBAAgB,CAAS;IACzB,IAAI,CAAS;IAE9B,YACE,IAAY,EACZ,UAA6F,EAAE;QAE/F,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,cAAc,IAAI,KAAK,CAAC;IACtD,CAAC;IAED,oDAAoD;IACpD,YAAY;QACV,IAAI,IAAI,CAAC,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACzC,IAAI,IAAI,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;YAC1B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC3D,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC;gBACzB,MAAM,CAAC,KAAK,CAAC,oBAAoB,IAAI,CAAC,IAAI,6BAA6B,CAAC,CAAC;gBACzE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,0BAA0B;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kCAAkC;IAClC,aAAa;QACX,IAAI,IAAI,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC/C,IAAI,CAAC,KAAK,GAAG,QAAQ,CAAC;gBACtB,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;gBACtB,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,oCAAoC,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,aAAa;QACX,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;YACpB,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,yCAAyC,CAAC,CAAC;QACtF,CAAC;aAAM,IAAI,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC/C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;gBACpB,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,oBAAoB,IAAI,CAAC,YAAY,uBAAuB,CAAC,CAAC;YACzG,CAAC;QACH,CAAC;IACH,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,QAAQ;QACN,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,YAAY,EAAE,IAAI,CAAC,YAAY;SAChC,CAAC;IACJ,CAAC;CACF"}

package/dist/utils/structured-logger.d.ts

@@ -0,0 +1,47 @@
+import { PolicyDecision, CallContext } from '../policy/policy-types.js';
+export interface AuditLogEntry {
+    event: 'policy_decision';
+    requestId: string | number;
+    serverName: string;
+    toolName: string;
+    decision: PolicyDecision;
+    context: CallContext;
+}
+export interface BlockLogEntry {
+    event: 'tool_blocked';
+    requestId: string | number;
+    serverName: string;
+    toolName: string;
+    reason: string;
+    rule: string;
+}
+export interface ErrorLogEntry {
+    event: 'proxy_error' | 'oidc_discovery_error' | 'oidc_auth_error';
+    requestId?: string | number;
+    serverName: string;
+    error: string;
+    stack?: string;
+}
+export declare class StructuredLogger {
+    /**
+     * Log a policy decision (pass, flag, or block).
+     */
+    static logPolicyDecision(entry: AuditLogEntry): void;
+    /**
+     * Log a blocked tool call — always at WARN level for SIEM alerting.
+     */
+    static logBlocked(entry: BlockLogEntry): void;
+    /**
+     * Log proxy internal errors.
+     */
+    static logError(entry: ErrorLogEntry): void;
+    /**
+     * Log general proxy lifecycle events.
+     */
+    static info(msg: object | string): void;
+    /**
+     * Debug-level log for development.
+     */
+    static debug(msg: object | string): void;
+}
+//# sourceMappingURL=structured-logger.d.ts.map

package/dist/utils/structured-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"structured-logger.d.ts","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAkBxE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,aAAa,GAAG,sBAAsB,GAAG,iBAAiB,CAAC;IAClE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAIpD;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI3C;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;CAGzC"}

package/dist/utils/structured-logger.js

@@ -0,0 +1,48 @@
+import pino from 'pino';
+/**
+ * Structured JSON logger for enterprise SIEM ingestion.
+ * Uses pino for high-performance structured logging with request-ID tracing.
+ */
+const level = process.env.LOG_LEVEL || 'info';
+const logger = pino({
+    level: level.toLowerCase(),
+    formatters: {
+        level(label) {
+            return { level: label };
+        },
+    },
+    timestamp: pino.stdTimeFunctions.isoTime,
+});
+export class StructuredLogger {
+    /**
+     * Log a policy decision (pass, flag, or block).
+     */
+    static logPolicyDecision(entry) {
+        logger.info(entry);
+    }
+    /**
+     * Log a blocked tool call — always at WARN level for SIEM alerting.
+     */
+    static logBlocked(entry) {
+        logger.warn(entry);
+    }
+    /**
+     * Log proxy internal errors.
+     */
+    static logError(entry) {
+        logger.error(entry);
+    }
+    /**
+     * Log general proxy lifecycle events.
+     */
+    static info(msg) {
+        logger.info(msg);
+    }
+    /**
+     * Debug-level log for development.
+     */
+    static debug(msg) {
+        logger.debug(msg);
+    }
+}
+//# sourceMappingURL=structured-logger.js.map

package/dist/utils/structured-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"structured-logger.js","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB;;;GAGG;AACH,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM,CAAC;AAE9C,MAAM,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;IAC1B,UAAU,EAAE;QACV,KAAK,CAAC,KAAK;YACT,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;KACF;IACD,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO;CACzC,CAAC,CAAC;AA4BH,MAAM,OAAO,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAoB;QAC3C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAoB;QACpC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAoB;QAClC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAoB;QAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAoB;QAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;CACF"}

package/package.json

@@ -1,9 +1,11 @@
 {
   "name": "@mcp-guardian/server",
-  "version": "0.3.0",
+  "version": "0.6.0",
   "description": "Security, cost, and health audit for MCP infrastructure",
   "type": "module",
-  "files": ["dist"],
+  "files": [
+    "dist"
+  ],
   "main": "./dist/index.js",
   "bin": {
     "mcp-guardian": "./dist/cli.js"
@@ -13,7 +15,7 @@
   },
   "repository": "github:rudraneel93/mcp-guardian",
   "bugs": "https://github.com/rudraneel93/mcp-guardian/issues",
-  "homepage": "https://github.com/rudraneel93/mcp-guardian#readme",
+  "homepage": "https://www.npmjs.com/package/@mcp-guardian/server",
   "keywords": [
     "mcp",
     "model-context-protocol",
@@ -36,17 +38,25 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
-    "tiktoken": "^1.0.15",
-    "sql.js": "^1.11.0",
     "axios": "^1.7.0",
-    "commander": "^12.0.0",
     "chalk": "^5.3.0",
+    "chokidar": "^5.0.0",
+    "commander": "^12.0.0",
+    "jose": "^6.2.3",
+    "js-yaml": "^4.1.1",
+    "pg": "^8.20.0",
+    "pino": "^10.3.1",
+    "sql.js": "^1.11.0",
+    "tiktoken": "^1.0.15",
     "zod": "^3.23.0"
   },
   "devDependencies": {
+    "@types/chokidar": "^1.7.5",
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.0.0",
-    "typescript": "^5.4.0",
+    "@types/pg": "^8.20.0",
     "tsx": "^4.7.0",
+    "typescript": "^5.4.0",
     "vitest": "^1.6.0"
   }
-}
+}