@mcp-guardian/server 1.0.0 → 1.0.1

package/dist/cli.js

@@ -45,7 +45,7 @@ const program = new Command();
 program
     .name('mcp-guardian')
     .description('Security, cost, and health audit for MCP infrastructure')
-    .version('1.0.0');
+    .version('1.0.1');
 program
     .command('scan')
     .description('Run security scan on MCP servers')

package/dist/index.js

@@ -9,7 +9,7 @@ import { Logger } from './utils/logger.js';
 import { createContainer } from './container.js';
 const container = createContainer();
 const reporter = new ReportGenerator();
-const server = new Server({ name: 'mcp-guardian', version: '1.0.0' }, { capabilities: { tools: {} } });
+const server = new Server({ name: 'mcp-guardian', version: '1.0.1' }, { capabilities: { tools: {} } });
 // ── Logging capability (MCP spec requirement) ─────────────────────
 let currentLogLevel = 'info';
 server.setRequestHandler(SetLevelRequestSchema, async (request) => {

package/dist/utils/policy-auditor.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Policy Audit Trail — records every policy change for compliance.
+ * Logs: who changed what, when, old/new values, and rollback info.
+ * Enable with: POLICY_AUDIT_ENABLED=true
+ */
+export interface PolicyChangeRecord {
+    timestamp: string;
+    actor: string;
+    change: string;
+    oldValue?: string;
+    newValue?: string;
+    sourceHash?: string;
+}
+export declare class PolicyAuditor {
+    private auditPath;
+    private enabled;
+    private lastHash;
+    constructor(auditPath?: string);
+    record(change: PolicyChangeRecord): void;
+    readAuditTrail(): PolicyChangeRecord[];
+    computeHash(content: string): string;
+    hasChanged(content: string): boolean;
+}
+//# sourceMappingURL=policy-auditor.d.ts.map

package/dist/utils/policy-auditor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-auditor.d.ts","sourceRoot":"","sources":["../../src/utils/policy-auditor.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,OAAO,CAAU;IACzB,OAAO,CAAC,QAAQ,CAAuB;gBAE3B,SAAS,CAAC,EAAE,MAAM;IAK9B,MAAM,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI;IAWxC,cAAc,IAAI,kBAAkB,EAAE;IAUtC,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAUpC,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;CASrC"}

package/dist/utils/policy-auditor.js

@@ -0,0 +1,58 @@
+/**
+ * Policy Audit Trail — records every policy change for compliance.
+ * Logs: who changed what, when, old/new values, and rollback info.
+ * Enable with: POLICY_AUDIT_ENABLED=true
+ */
+import { writeFileSync, readFileSync, existsSync } from 'fs';
+import { Logger } from './logger.js';
+export class PolicyAuditor {
+    auditPath;
+    enabled;
+    lastHash = null;
+    constructor(auditPath) {
+        this.enabled = process.env['POLICY_AUDIT_ENABLED'] === 'true';
+        this.auditPath = auditPath || process.env['POLICY_AUDIT_LOG'] || './policy-audit.jsonl';
+    }
+    record(change) {
+        if (!this.enabled)
+            return;
+        try {
+            const line = JSON.stringify({ ...change, source: 'mcp-guardian-policy-auditor' }) + '\n';
+            writeFileSync(this.auditPath, line, { flag: 'a' });
+            Logger.debug(`[policy-auditor] Change recorded: ${change.change}`);
+        }
+        catch (err) {
+            Logger.error(`[policy-auditor] Failed to write audit log: ${err?.message}`);
+        }
+    }
+    readAuditTrail() {
+        if (!existsSync(this.auditPath))
+            return [];
+        try {
+            const content = readFileSync(this.auditPath, 'utf-8');
+            return content.trim().split('\n').filter(Boolean).map(l => JSON.parse(l));
+        }
+        catch {
+            return [];
+        }
+    }
+    computeHash(content) {
+        let hash = 0;
+        for (let i = 0; i < content.length; i++) {
+            const char = content.charCodeAt(i);
+            hash = ((hash << 5) - hash) + char;
+            hash |= 0;
+        }
+        return hash.toString(16);
+    }
+    hasChanged(content) {
+        const currentHash = this.computeHash(content);
+        if (this.lastHash && this.lastHash !== currentHash) {
+            this.lastHash = currentHash;
+            return true;
+        }
+        this.lastHash = currentHash;
+        return false;
+    }
+}
+//# sourceMappingURL=policy-auditor.js.map

package/dist/utils/policy-auditor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-auditor.js","sourceRoot":"","sources":["../../src/utils/policy-auditor.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAWrC,MAAM,OAAO,aAAa;IAChB,SAAS,CAAS;IAClB,OAAO,CAAU;IACjB,QAAQ,GAAkB,IAAI,CAAC;IAEvC,YAAY,SAAkB;QAC5B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,KAAK,MAAM,CAAC;QAC9D,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,sBAAsB,CAAC;IAC1F,CAAC;IAED,MAAM,CAAC,MAA0B;QAC/B,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC,GAAG,IAAI,CAAC;YACzF,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,qCAAqC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,+CAA+C,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,cAAc;QACZ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,WAAW,CAAC,OAAe;QACzB,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;YACnC,IAAI,IAAI,CAAC,CAAC;QACZ,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,UAAU,CAAC,OAAe;QACxB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACnD,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/utils/tracing.d.ts

@@ -1,7 +1,7 @@
 /**
  * OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
- * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
- * Falls back gracefully if OpenTelemetry SDK is not installed.
+ * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+ * Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
  */
 export declare function initTracing(): Promise<void>;
 //# sourceMappingURL=tracing.d.ts.map

package/dist/utils/tracing.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CA2BjD"}
+{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CA8BjD"}

package/dist/utils/tracing.js

@@ -1,8 +1,8 @@
 import { Logger } from './logger.js';
 /**
  * OpenTelemetry tracing for distributed request tracking across proxy + MCP servers.
- * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
- * Falls back gracefully if OpenTelemetry SDK is not installed.
+ * Enable with: OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+ * Uses OTLP HTTP exporter (gRPC exporter deprecated due to critical CVE in protobufjs).
  */
 export async function initTracing() {
     if (!process.env['OTEL_EXPORTER_OTLP_ENDPOINT']) {
@@ -12,18 +12,20 @@ export async function initTracing() {
     try {
         const { NodeSDK } = await import('@opentelemetry/sdk-node');
         const { getNodeAutoInstrumentations } = await import('@opentelemetry/auto-instrumentations-node');
-        const { OTLPTraceExporter } = await import('@opentelemetry/exporter-otlp-grpc');
-        const exporter = new OTLPTraceExporter();
+        // Use OTLP HTTP exporter instead of deprecated gRPC
+        const { OTLPTraceExporter } = await import('@opentelemetry/exporter-trace-otlp-http');
+        const exporter = new OTLPTraceExporter({
+            url: `${process.env['OTEL_EXPORTER_OTLP_ENDPOINT']}/v1/traces`,
+        });
         const instruments = getNodeAutoInstrumentations({
             '@opentelemetry/instrumentation-http': { enabled: true },
-            '@opentelemetry/instrumentation-pino': { enabled: false },
         });
         const sdk = new NodeSDK({
             traceExporter: exporter,
             instrumentations: [instruments],
         });
         await sdk.start();
-        Logger.info('[tracing] OpenTelemetry tracing initialized — exporting to OTLP endpoint');
+        Logger.info('[tracing] OpenTelemetry tracing initialized — exporting to OTLP HTTP endpoint');
     }
     catch (err) {
         Logger.warn(`[tracing] OpenTelemetry initialization failed: ${err?.message}`);

package/dist/utils/tracing.js.map

@@ -1 +1 @@
-{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAC;QACzF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,2BAA2B,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;QAClG,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,mCAAmC,CAAC,CAAC;QAEhF,MAAM,QAAQ,GAAG,IAAI,iBAAiB,EAAS,CAAC;QAChD,MAAM,WAAW,GAAG,2BAA2B,CAAC;YAC9C,qCAAqC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;YACxD,qCAAqC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;SAC1D,CAAQ,CAAC;QAEV,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC;YACtB,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;IAC1F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC"}
+{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../src/utils/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAC;QACzF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,EAAE,2BAA2B,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;QAClG,oDAAoD;QACpD,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,yCAAyC,CAAC,CAAC;QAEtF,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAC;YACrC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,YAAY;SAC/D,CAAQ,CAAC;QAEV,MAAM,WAAW,GAAG,2BAA2B,CAAC;YAC9C,qCAAqC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;SACzD,CAAQ,CAAC;QAEV,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC;YACtB,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;IAC/F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,kDAAkD,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-guardian/server",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Security, cost, and health audit for MCP infrastructure",
   "type": "module",
   "files": [
@@ -40,7 +40,7 @@
     "@modelcontextprotocol/sdk": "^1.0.0",
     "@opentelemetry/api": "^1.9.1",
     "@opentelemetry/auto-instrumentations-node": "^0.75.0",
-    "@opentelemetry/exporter-otlp-grpc": "^0.26.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.217.0",
     "@opentelemetry/sdk-node": "^0.217.0",
     "axios": "^1.7.0",
     "chalk": "^5.3.0",