@mcp-guardian/server 1.2.0 → 1.3.1
- package/README.md +4 -1
- package/dist/proxy/http-proxy-server.d.ts +3 -1
- package/dist/proxy/http-proxy-server.d.ts.map +1 -1
- package/dist/proxy/http-proxy-server.js +14 -3
- package/dist/proxy/http-proxy-server.js.map +1 -1
- package/dist/utils/mtls-config.d.ts +27 -0
- package/dist/utils/mtls-config.d.ts.map +1 -0
- package/dist/utils/mtls-config.js +82 -0
- package/dist/utils/mtls-config.js.map +1 -0
- package/package.json +8 -2
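--- a/package/README.md
+++ b/package/README.md
@@ -3,14 +3,17 @@
 **Security, cost, and health audit for MCP infrastructure.**
 
 [](https://www.npmjs.com/package/@mcp-guardian/server)
+[](https://www.npmjs.com/package/@mcp-guardian/server)
 [](https://www.typescriptlang.org/)
 [](https://github.com/modelcontextprotocol/typescript-sdk)
 [](LICENSE)
 [](https://github.com/rudraneel93/mcp-guardian/actions/workflows/ci.yml)
 
+> **Always use the latest version:** `npm install @mcp-guardian/server@latest` — current is **v1.3.1**. See the [Changelog](./CHANGELOG.md) for full version history and [GitHub Releases](https://github.com/rudraneel93/mcp-guardian/releases) for per-version source tags.
+
 MCP Guardian is a **security and governance proxy** for [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) infrastructure. It sits between AI clients and MCP servers, enforcing active security policies, tracking real token costs, and monitoring health — all while providing enterprise-grade observability and audit trails.
 
-**Key positioning:** Runtime governance and security proxy for MCP infrastructure.
+**Key positioning:** Runtime governance and security proxy for MCP infrastructure — with threat modeling, semantic shell analysis, mTLS, and zero-trust networking.
 
 It works as both an **MCP server** (so AI assistants like Cline/Claude can invoke its tools) and a **standalone CLI**.
 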
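--- a/package/dist/proxy/http-proxy-server.d.ts
+++ b/package/dist/proxy/http-proxy-server.d.ts
@@ -1,6 +1,7 @@
 import { HistoryDatabase } from '../database/history-db.js';
 import { PolicyEngine } from '../policy/policy-engine.js';
 import { OAuthValidator } from '../auth/oauth.js';
+import { MtlsConfig } from '../utils/mtls-config.js';
 /**
 * HTTP/SSE Proxy for remote MCP servers.
 * Reuses the same auth, policy, circuit breaker, and metrics stack as the stdio proxy.
@@ -16,7 +17,8 @@ export declare class HttpProxyServer {
 private db;
 private port;
 private server;
-
+private httpsAgent;
+constructor(targetUrl: string, serverName: string, policyEngine?: PolicyEngine, authValidator?: OAuthValidator, db?: HistoryDatabase, port?: number, mtlsConfig?: MtlsConfig);
 start(): Promise<void>;
 private handleRequest;
 stop(): Promise<void>;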
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-proxy-server.d.ts","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"http-proxy-server.d.ts","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAIlD,OAAO,EAAE,UAAU,EAAmB,MAAM,yBAAyB,CAAC;AAItE;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAsB;IAC1C,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,YAAY,CAAsB;IAC1C,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,EAAE,CAAkB;IAC5B,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAgD;IAC9D,OAAO,CAAC,UAAU,CAAyB;gBAGzC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,YAAY,CAAC,EAAE,YAAY,EAC3B,aAAa,CAAC,EAAE,cAAc,EAC9B,EAAE,CAAC,EAAE,eAAe,EACpB,IAAI,GAAE,MAAa,EACnB,UAAU,CAAC,EAAE,UAAU;IAkBnB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAOd,aAAa;IAgIrB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAM5B"}
|
|
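--- a/package/dist/proxy/http-proxy-server.js
+++ b/package/dist/proxy/http-proxy-server.js
@@ -7,6 +7,7 @@ import { HistoryDatabase } from '../database/history-db.js';
 import { OAuthValidator } from '../auth/oauth.js';
 import { SessionCache } from '../auth/session-cache.js';
 import { CircuitBreaker } from '../utils/circuit-breaker.js';
+import { createMtlsAgent } from '../utils/mtls-config.js';
 import * as Metrics from '../utils/metrics.js';
 import { Logger } from '../utils/logger.js';
 /**
@@ -24,7 +25,8 @@ export class HttpProxyServer {
 db;
 port;
 server = null;
-
+httpsAgent;
+constructor(targetUrl, serverName, policyEngine, authValidator, db, port = 4000, mtlsConfig) {
 this.serverName = serverName;
 this.targetUrl = targetUrl.replace(/\/$/, '');
 this.policyEngine = policyEngine || null;
@@ -34,7 +36,11 @@ export class HttpProxyServer {
 this.tokenCounter = new TokenCounter();
 this.db = db || new HistoryDatabase(':memory:');
 this.port = port;
+this.httpsAgent = createMtlsAgent(mtlsConfig || { enabled: false, rejectUnauthorized: true });
 Metrics.circuitBreakerState.set({ server_name: this.serverName }, 0);
+if (this.httpsAgent) {
+Logger.info(`[http-proxy:${this.serverName}] mTLS enabled for upstream connection`);
+}
 }
 async start() {
 this.server = createServer((req, res) => this.handleRequest(req, res));
@@ -118,13 +124,18 @@ export class HttpProxyServer {
 try {
 const upstreamUrl = new URL(this.targetUrl + (req.url || '/'));
 const isHttps = upstreamUrl.protocol === 'https:';
-const
+const reqOpts = {
 hostname: upstreamUrl.hostname,
 port: upstreamUrl.port || (isHttps ? 443 : 80),
 path: upstreamUrl.pathname + upstreamUrl.search,
 method: req.method,
 headers: { ...req.headers, host: upstreamUrl.hostname },
-}
+};
+// Attach mTLS agent for HTTPS connections
+if (isHttps && this.httpsAgent) {
+reqOpts.agent = this.httpsAgent;
+}
+const proxyReq = (isHttps ? httpsReq : httpReq)(reqOpts, (upstreamRes) => {
 res.writeHead(upstreamRes.statusCode || 200, upstreamRes.headers);
 upstreamRes.pipe(res);
 this.circuitBreaker.recordSuccess();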
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-proxy-server.js","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,OAAO,IAAI,QAAQ,
|
|
1
|
+
{"version":3,"file":"http-proxy-server.js","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAuB,MAAM,OAAO,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAEzD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI5D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAc,eAAe,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,OAAO,eAAe;IAClB,UAAU,CAAS;IACnB,SAAS,CAAS;IAClB,YAAY,CAAsB;IAClC,aAAa,CAAwB;IACrC,YAAY,CAAsB;IAClC,cAAc,CAAiB;IAC/B,YAAY,CAAe;IAC3B,EAAE,CAAkB;IACpB,IAAI,CAAS;IACb,MAAM,GAA2C,IAAI,CAAC;IACtD,UAAU,CAAyB;IAE3C,YACE,SAAiB,EACjB,UAAkB,EAClB,YAA2B,EAC3B,aAA8B,EAC9B,EAAoB,EACpB,OAAe,IAAI,EACnB,UAAuB;QAEvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,YAAY,IAAI,IAAI,CAAC;QACzC,IAAI,CAAC,aAAa,GAAG,aAAa,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,eAAe,CAAC,UAAU,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9F,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;QACrE,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,wCAAwC,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI
,CAAC,IAAI,EAAE,GAAG,EAAE;YACjC,MAAM,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,iCAAiC,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC9G,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAoB,EAAE,GAAmB;QACnE,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,4DAA4D;QAC5D,IAAI,aAAwC,CAAC;QAC7C,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,cAAc,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;YAEtD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;gBACtD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC,CAAC;gBAC9D,OAAO;YACT,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,MAAM,GAAyB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9E,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;gBAC5B,IAAI,MAAM,CAAC,QAAQ;oBAAE,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;gBAErD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;oBAC7D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,0BAA0B,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;oBAC7E,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,EAAE,CAAC;YACxC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC,CAAC,CAAC;YACjF,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACpH,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE9C,4DAA4D;QAC5D,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,MAAM,KA
AK,YAAY,EAAE,CAAC;oBAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;oBAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAE7C,MAAM,OAAO,GAAgB;wBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ;wBACR,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,SAAS;wBAChC,SAAS;wBACT,aAAa,EAAE,MAAM;wBACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,aAAa;qBACd,CAAC;oBAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAErD,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;wBAChC,OAAO,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,QAAQ,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;wBACjI,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;wBACpH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;4BACrB,OAAO,EAAE,KAAK;4BACd,EAAE,EAAE,GAAG,CAAC,EAAE;4BACV,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,mCAAmC,QAAQ,CAAC,MAAM,EAAE,EAAE;yBACvF,CAAC,CAAC,CAAC;wBACJ,OAAO;oBACT,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAElD,MAAM,OAAO,GAAQ;gBACnB,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9C,IAAI,EAAE,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,MAAM;gBAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,OAAO,EAAE,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,WAAW,CAAC,QAAQ,EAAE;aACxD,CAAC;YAEF,0CAA0C;YAC1C,IAAI,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC/B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC;YAClC,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,EAAE;gBACvE,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,UAAU,IAAI,GAAG,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;gBAClE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtB,IAAI,CAAC
,cAAc,CAAC,aAAa,EAAE,CAAC;gBACpC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrH,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;gBACrF,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACrH,CAAC,CAAC,CAAC;YAEH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC3B,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;gBACpC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;gBACrE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACrB,QAAQ,CAAC,GAAG,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;CACF"}
|
|
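--- a/package/dist/utils/mtls-config.d.ts
+++ b/package/dist/utils/mtls-config.d.ts
@@ -0,0 +1,27 @@
+import { Agent as HttpsAgent } from 'https';
+export interface MtlsConfig {
+enabled: boolean;
+ca?: Buffer;
+cert?: Buffer;
+key?: Buffer;
+rejectUnauthorized: boolean;
+}
+/**
+* Load mTLS configuration from environment variables.
+*/
+export declare function loadMtlsConfig(): MtlsConfig;
+/**
+* Create an HTTPS Agent configured with mTLS client certificate and CA.
+*/
+export declare function createMtlsAgent(config: MtlsConfig): HttpsAgent | undefined;
+/**
+* CLI flag names for mTLS configuration.
+*/
+export declare const MTL_CLI_FLAGS: {
+readonly tlsEnabled: "--mtls";
+readonly tlsCa: "--mtls-ca <path>";
+readonly tlsCert: "--mtls-cert <path>";
+readonly tlsKey: "--mtls-key <path>";
+readonly tlsInsecure: "--mtls-insecure";
+};
+//# sourceMappingURL=mtls-config.d.ts.map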
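Review bot: `MtlsConfig` (lines 2-8) declares `ca`, `cert` and `key` as optional alongside `enabled: boolean`, so `{ enabled: true }` with no credentials is a well-typed value even though the module's own header documents all three as required; a discriminated union in the source `.ts` this declaration is generated from, `type MtlsConfig = { enabled: false; rejectUnauthorized: boolean } | { enabled: true; ca: Buffer; cert: Buffer; key: Buffer; rejectUnauthorized: boolean }`, makes the incomplete state unrepresentable and lets `createMtlsAgent` narrow on `config.enabled` instead of trusting the caller. The TSDoc on `loadMtlsConfig` (line 10) should also state that it throws when `MCP_TLS_ENABLED=true` but any of the three file variables is unset, e.g. `@throws Error when mTLS is enabled and MCP_TLS_CA, MCP_TLS_CERT or MCP_TLS_KEY is missing or unreadable`, since callers currently have to read the implementation to learn that.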
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mtls-config.d.ts","sourceRoot":"","sources":["../../src/utils/mtls-config.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,OAAO,CAAC;AAG5C,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,UAAU,CAsC3C;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS,CAW1E;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;CAMhB,CAAC"}
|
|
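--- a/package/dist/utils/mtls-config.js
+++ b/package/dist/utils/mtls-config.js
@@ -0,0 +1,82 @@
+/**
+* mTLS Configuration for Zero-Trust Proxy ↔ Upstream Communication.
+*
+* When MCP_TLS_ENABLED=true, the HTTP/SSE proxy validates the upstream
+* server's certificate AND presents a client certificate for mutual
+* authentication. This prevents MITM attacks and ensures only authorized
+* proxies can connect to upstream MCP servers.
+*
+* Configuration via environment variables:
+* MCP_TLS_ENABLED=true|false
+* MCP_TLS_CA=/path/to/ca-cert.pem (required — trusted CA bundle)
+* MCP_TLS_CERT=/path/to/client-cert.pem (required — proxy's client cert)
+* MCP_TLS_KEY=/path/to/client-key.pem (required — proxy's client key)
+* MCP_TLS_REJECT_UNAUTHORIZED=true|false (default: true — strict mode)
+*/
+import { readFileSync } from 'fs';
+import { Agent as HttpsAgent } from 'https';
+import { Logger } from './logger.js';
+/**
+* Load mTLS configuration from environment variables.
+*/
+export function loadMtlsConfig() {
+const enabled = process.env['MCP_TLS_ENABLED'] === 'true';
+if (!enabled) {
+return { enabled: false, rejectUnauthorized: true };
+}
+const caPath = process.env['MCP_TLS_CA'];
+const certPath = process.env['MCP_TLS_CERT'];
+const keyPath = process.env['MCP_TLS_KEY'];
+const rejectUnauthorized = process.env['MCP_TLS_REJECT_UNAUTHORIZED'] !== 'false';
+const missing = [];
+if (!caPath)
+missing.push('MCP_TLS_CA');
+if (!certPath)
+missing.push('MCP_TLS_CERT');
+if (!keyPath)
+missing.push('MCP_TLS_KEY');
+if (missing.length > 0) {
+Logger.error(`[mtls] mTLS enabled but missing env vars: ${missing.join(', ')}`);
+throw new Error(`mTLS misconfigured: missing ${missing.join(', ')}`);
+}
+let ca;
+let cert;
+let key;
+try {
+ca = readFileSync(caPath);
+cert = readFileSync(certPath);
+key = readFileSync(keyPath);
+}
+catch (err) {
+Logger.error(`[mtls] Failed to read TLS files: ${err?.message}`);
+throw err;
+}
+Logger.info(`[mtls] mTLS enabled (CA: ${caPath}, cert: ${certPath}, rejectUnauthorized: ${rejectUnauthorized})`);
+return { enabled: true, ca, cert, key, rejectUnauthorized };
+}
+/**
+* Create an HTTPS Agent configured with mTLS client certificate and CA.
+*/
+export function createMtlsAgent(config) {
+if (!config.enabled)
+return undefined;
+return new HttpsAgent({
+ca: config.ca,
+cert: config.cert,
+key: config.key,
+rejectUnauthorized: config.rejectUnauthorized,
+keepAlive: true,
+keepAliveMsecs: 30000,
+});
+}
+/**
+* CLI flag names for mTLS configuration.
+*/
+export const MTL_CLI_FLAGS = {
+tlsEnabled: '--mtls',
+tlsCa: '--mtls-ca <path>',
+tlsCert: '--mtls-cert <path>',
+tlsKey: '--mtls-key <path>',
+tlsInsecure: '--mtls-insecure',
+};
+//# sourceMappingURL=mtls-config.js.map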
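Review bot: `createMtlsAgent` (line 60) builds the agent from whatever `config` carries, so a config with `enabled: true` but no `ca`/`cert`/`key` produces an agent with all three undefined — ordinary one-way TLS against the system trust store — while the proxy goes on to log "mTLS enabled" for it; only `loadMtlsConfig` enforces the three-file requirement, and the CLI flag table on lines 75-81 suggests other callers construct this object. Guard it at the top of `createMtlsAgent`: `if (!config.ca || !config.cert || !config.key) throw new Error('mTLS enabled but ca, cert and key are not all provided');`. Separately, `MCP_TLS_REJECT_UNAUTHORIZED=false` (line 30) disables upstream certificate verification and its only trace is the trailing `rejectUnauthorized: false` inside the info line on 54; give it its own line so it stands out in logs, e.g. `if (!rejectUnauthorized) Logger.error('[mtls] MCP_TLS_REJECT_UNAUTHORIZED=false: upstream certificate verification is disabled');` (or the warning level if the project's Logger has one — only `info`/`error` are visible here). The exported name `MTL_CLI_FLAGS` on line 75 also reads like a typo for `MTLS_CLI_FLAGS`; since it is public API now, add the corrected name as an alias rather than renaming in place.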
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mtls-config.js","sourceRoot":"","sources":["../../src/utils/mtls-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAUrC;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,MAAM,CAAC;IAE1D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,KAAK,OAAO,CAAC;IAElF,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAE1C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,KAAK,CAAC,6CAA6C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,EAAsB,CAAC;IAC3B,IAAI,IAAwB,CAAC;IAC7B,IAAI,GAAuB,CAAC;IAE5B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,MAAO,CAAC,CAAC;QAC3B,IAAI,GAAG,YAAY,CAAC,QAAS,CAAC,CAAC;QAC/B,GAAG,GAAG,YAAY,CAAC,OAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,4BAA4B,MAAM,WAAW,QAAQ,yBAAyB,kBAAkB,GAAG,CAAC,CAAC;IAEjH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAkB;IAChD,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAEtC,OAAO,IAAI,UAAU,CAAC;QACpB,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;QAC7C,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,KAAK;KACtB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;
IAC3B,UAAU,EAAE,QAAQ;IACpB,KAAK,EAAE,kBAAkB;IACzB,OAAO,EAAE,oBAAoB;IAC7B,MAAM,EAAE,mBAAmB;IAC3B,WAAW,EAAE,iBAAiB;CACtB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mcp-guardian/server",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.3.1",
|
|
4
4
|
"description": "Security, cost, and health audit for MCP infrastructure",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"files": [
|
|
@@ -13,9 +13,15 @@
|
|
|
13
13
|
"engines": {
|
|
14
14
|
"node": ">=18"
|
|
15
15
|
},
|
|
16
|
-
"repository":
|
|
16
|
+
"repository": {
|
|
17
|
+
"type": "git",
|
|
18
|
+
"url": "git+https://github.com/rudraneel93/mcp-guardian.git"
|
|
19
|
+
},
|
|
17
20
|
"bugs": "https://github.com/rudraneel93/mcp-guardian/issues",
|
|
18
21
|
"homepage": "https://www.npmjs.com/package/@mcp-guardian/server",
|
|
22
|
+
"publishConfig": {
|
|
23
|
+
"access": "public"
|
|
24
|
+
},
|
|
19
25
|
"keywords": [
|
|
20
26
|
"mcp",
|
|
21
27
|
"model-context-protocol",
|