@mcp-guardian/server 0.4.0 → 0.5.0

package/dist/utils/redis-rate-limiter.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Redis-backed rate limit counters for multi-replica HA.
+ * Extends the in-memory counters with shared Redis state.
+ * Enable with: REDIS_URL=redis://localhost:6379
+ */
+export declare class RedisRateLimiter {
+    private redis;
+    private prefix;
+    private local;
+    constructor();
+    /**
+     * Check and increment a rate limit counter.
+     * Returns the new count, or -1 if the limit is exceeded.
+     * Counter resets every windowMs milliseconds.
+     */
+    checkAndIncrement(key: string, maxRequests: number, windowMs?: number): Promise<{
+        allowed: boolean;
+        count: number;
+    }>;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=redis-rate-limiter.d.ts.map

package/dist/utils/redis-rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-rate-limiter.d.ts","sourceRoot":"","sources":["../../src/utils/redis-rate-limiter.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,KAAK,CAA8D;;IAQ3E;;;;OAIG;IACG,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAc,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAoC3H,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}

package/dist/utils/redis-rate-limiter.js

@@ -0,0 +1,61 @@
+import { Redis } from 'ioredis';
+import { Logger } from './logger.js';
+/**
+ * Redis-backed rate limit counters for multi-replica HA.
+ * Extends the in-memory counters with shared Redis state.
+ * Enable with: REDIS_URL=redis://localhost:6379
+ */
+export class RedisRateLimiter {
+    redis;
+    prefix = 'mcp_guardian:ratelimit:';
+    local = new Map();
+    constructor() {
+        const redisUrl = process.env['REDIS_URL'] || 'redis://localhost:6379';
+        this.redis = new Redis(redisUrl, { maxRetriesPerRequest: 2, lazyConnect: false });
+        Logger.info(`[redis-rate-limiter] Connected to ${redisUrl}`);
+    }
+    /**
+     * Check and increment a rate limit counter.
+     * Returns the new count, or -1 if the limit is exceeded.
+     * Counter resets every windowMs milliseconds.
+     */
+    async checkAndIncrement(key, maxRequests, windowMs = 60000) {
+        const redisKey = `${this.prefix}${key}`;
+        try {
+            // Use Redis MULTI for atomic increment + TTL
+            const count = await this.redis.incr(redisKey);
+            if (count === 1) {
+                await this.redis.pexpire(redisKey, windowMs);
+            }
+            // Also update local for fast reads
+            const now = Date.now();
+            let localCounter = this.local.get(key);
+            if (!localCounter || now > localCounter.resetAt) {
+                localCounter = { count: 1, resetAt: now + windowMs };
+            }
+            else {
+                localCounter.count++;
+            }
+            this.local.set(key, localCounter);
+            return { allowed: count <= maxRequests, count };
+        }
+        catch (err) {
+            // Redis unavailable — fall back to local
+            Logger.debug(`[redis-rate-limiter] Redis error, using local: ${err?.message}`);
+            const now = Date.now();
+            let localCounter = this.local.get(key);
+            if (!localCounter || now > localCounter.resetAt) {
+                localCounter = { count: 1, resetAt: now + windowMs };
+            }
+            else {
+                localCounter.count++;
+            }
+            this.local.set(key, localCounter);
+            return { allowed: localCounter.count <= maxRequests, count: localCounter.count };
+        }
+    }
+    async close() {
+        await this.redis.quit();
+    }
+}
+//# sourceMappingURL=redis-rate-limiter.js.map

package/dist/utils/redis-rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-rate-limiter.js","sourceRoot":"","sources":["../../src/utils/redis-rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAChC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAQ;IACb,MAAM,GAAG,yBAAyB,CAAC;IACnC,KAAK,GAAoD,IAAI,GAAG,EAAE,CAAC;IAE3E;QACE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,wBAAwB,CAAC;QACtE,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE,oBAAoB,EAAE,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,MAAM,CAAC,IAAI,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CAAC,GAAW,EAAE,WAAmB,EAAE,WAAmB,KAAK;QAChF,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAExC,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,CAAC;YAED,mCAAmC;YACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,CAAC,YAAY,IAAI,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC;gBAChD,YAAY,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAElC,OAAO,EAAE,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,yCAAyC;YACzC,MAAM,CAAC,KAAK,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;YAC/E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,CAAC,YAAY,IAAI,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC;gBAChD,YAAY,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAClC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,KAAK,IAAI,WAAW,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC;QACnF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;CACF"}

package/dist/utils/structured-logger.d.ts

@@ -16,7 +16,7 @@ export interface BlockLogEntry {
     rule: string;
 }
 export interface ErrorLogEntry {
-    event: 'proxy_error';
+    event: 'proxy_error' | 'oidc_discovery_error' | 'oidc_auth_error';
     requestId?: string | number;
     serverName: string;
     error: string;

package/dist/utils/structured-logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"structured-logger.d.ts","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAkBxE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,aAAa,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAIpD;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI3C;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;CAGzC"}
+{"version":3,"file":"structured-logger.d.ts","sourceRoot":"","sources":["../../src/utils/structured-logger.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAkBxE,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,aAAa,GAAG,sBAAsB,GAAG,iBAAiB,CAAC;IAClE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAIpD;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI3C;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;CAGzC"}

package/dist/utils/tracing.d.ts

@@ -0,0 +1,7 @@
+/**
+ * OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
+ * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+ * Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
+ */
+export declare function initTracing(): Promise<void>;
+//# sourceMappingURL=tracing.d.ts.map

package/dist/utils/tracing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CA8BjD"}

package/dist/utils/tracing.js

@@ -0,0 +1,34 @@
+import { Logger } from './logger.js';
+/**
+ * OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
+ * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+ * Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
+ */
+export async function initTracing() {
+    if (!process.env['OTEL_EXPORTER_OTLP_ENDPOINT']) {
+        Logger.debug('[tracing] OpenTelemetry not configured (set OTEL_EXPORTER_OTLP_ENDPOINT)');
+        return;
+    }
+    try {
+        const { NodeSDK } = await import('@opentelemetry/sdk-node');
+        const { getNodeAutoInstrumentations } = await import('@opentelemetry/auto-instrumentations-node');
+        // Use OTLP HTTP exporter instead of deprecated gRPC
+        const { OTLPTraceExporter } = await import('@opentelemetry/exporter-trace-otlp-http');
+        const exporter = new OTLPTraceExporter({
+            url: `${process.env['OTEL_EXPORTER_OTLP_ENDPOINT']}/v1/traces`,
+        });
+        const instruments = getNodeAutoInstrumentations({
+            '@opentelemetry/instrumentation-http': { enabled: true },
+        });
+        const sdk = new NodeSDK({
+            traceExporter: exporter,
+            instrumentations: [instruments],
+        });
+        await sdk.start();
+        Logger.info('[tracing] OpenTelemetry tracing initialized — exporting to OTLP HTTP endpoint');
+    }
+    catch (err) {
+        Logger.warn(`[tracing] OpenTelemetry initialization failed: ${err?.message}`);
+    }
+}
+//# sourceMappingURL=tracing.js.map

package/dist/utils/tracing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAC;QACzF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,2BAA2B,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;QAClG,oDAAoD;QACpD,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,yCAAyC,CAAC,CAAC;QAEtF,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAC;YACrC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,YAAY;SAC/D,CAAQ,CAAC;QAEV,MAAM,WAAW,GAAG,2BAA2B,CAAC;YAC9C,qCAAqC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;SACzD,CAAQ,CAAC;QAEV,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC;YACtB,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;IAC/F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-guardian/server",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Security, cost, and health audit for MCP infrastructure",
   "type": "module",
   "files": [
@@ -41,6 +41,7 @@
     "axios": "^1.7.0",
     "chalk": "^5.3.0",
     "commander": "^12.0.0",
+    "jose": "^6.2.3",
     "js-yaml": "^4.1.1",
     "pino": "^10.3.1",
     "sql.js": "^1.11.0",