@mcp-guardian/server 1.3.4 → 1.3.6

package/README.md

@@ -9,7 +9,7 @@
 [![License](https://img.shields.io/badge/License-MIT-yellow)](LICENSE)
 [![CI](https://github.com/rudraneel93/mcp-guardian/actions/workflows/ci.yml/badge.svg)](https://github.com/rudraneel93/mcp-guardian/actions/workflows/ci.yml)
 
-> **Always use the latest version:** `npm install @mcp-guardian/server@latest` — current is **v1.3.3**. See the [Changelog](./CHANGELOG.md) for full version history and [GitHub Releases](https://github.com/rudraneel93/mcp-guardian/releases) for per-version source tags.
+> **Always use the latest version:** `npm install -g @mcp-guardian/server@latest` — current is **v1.3.5**. See the [Changelog](./CHANGELOG.md) for full version history and [GitHub Releases](https://github.com/rudraneel93/mcp-guardian/releases) for per-version source tags.
 
 MCP Guardian is a **security and governance proxy** for [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) infrastructure. It sits between AI clients and MCP servers, enforcing active security policies, tracking real token costs, and monitoring health — all while providing enterprise-grade observability and audit trails.
 

package/SECURITY.md

@@ -0,0 +1,131 @@
+# Security Policy
+
+## Threat Model (STRIDE per MCP Interaction)
+
+MCP Guardian's security posture is modeled against the STRIDE framework for each MCP interaction vector.
+
+### 1. Spoofing (Identity Forgery)
+
+| Threat | Mitigation |
+|---|---|
+| Typo-squatted MCP server packages | Typo-squat detector with Levenshtein distance against 24 known official packages |
+| Fake MCP server responding to health probes | TLS certificate validation for SSE/HTTP transports |
+| Malicious server impersonating a trusted tool | Command validation flags non-standard executables |
+
+### 2. Tampering (Data/Command Injection)
+
+| Threat | Mitigation |
+|---|---|
+| Shell injection via tool arguments | Active policy engine blocks patterns (rm -rf, shell chaining, backtick substitution) |
+| Encoded payload bypasses (URL, hex, unicode, HTML entities) | PayloadNormalizer (v1.2) — multi-stage decode before regex evaluation |
+| Shell obfuscation (ANSI-C quoting, quote splitting, backslash escapes) | ShellTokenizer (v1.2) — semantic AST analysis of command structure |
+| Path traversal | Active policy engine blocks ../ patterns |
+| Supply chain compromise of MCP server package | CVE checker queries OSV.dev and NVD for known vulnerabilities |
+
+### 3. Repudiation (Deniability)
+
+| Threat | Mitigation |
+|---|---|
+| No audit trail for blocked/allowed tool calls | Structured JSON logging (pino) captures every policy_decision |
+| Policy changes without audit | PolicyAuditor (v1.0.1) records every policy change with hash verification |
+| Denied access attempts not recorded | tool_blocked events logged at WARN level for SIEM alerting |
+
+### 4. Information Disclosure (Secrets/Data Leakage)
+
+| Threat | Mitigation |
+|---|---|
+| Hardcoded API keys, tokens, passwords in MCP config | Secret scanner (6 regex patterns) |
+| Unauthenticated dashboard access | DashboardAuth (v1.2) — JWT sessions, API keys, CSRF protection, rate-limited login |
+| Unencrypted transport | Auth prober flags unencrypted transports |
+| Sensitive data in generated reports | Reports use config names, not raw secrets |
+
+### 5. Denial of Service (Availability)
+
+| Threat | Mitigation |
+|---|---|
+| Token bombs | Token budget rule (maxTokens) flags/blocks oversized calls |
+| Tool overload (>15 tools) | Health monitor detects overload; --fail-on-overload CLI flag |
+| Rate abuse | Rate limiting rule (maxCallsPerMinute) per server+tool |
+| API ban on CVE lookup services | Token-bucket rate limiter on OSV.dev (5 req/min) and NVD (20 req/min with key) |
+
+### 6. Elevation of Privilege (Agent Hijacking)
+
+| Threat | Mitigation |
+|---|---|
+| Confused deputy attack | Tool allowlist/denylist in policy engine; argument pattern blocking |
+| Agent tricked into calling dangerous tools | Default policy denies execute_command, bash, sh, eval, exec |
+| Missing authentication on MCP servers | OAuth 2.1/OIDC JWT validation with RBAC (scopes, client IDs) |
+
+## Supported Versions
+
+| Version | Status | Security Updates |
+|---|---|---|
+| 1.0.x | ✅ Current | All updates |
+| 0.7.x | ✅ Supported | Critical only |
+| <0.7.0 | ❌ Unsupported | None |
+
+## Reporting a Vulnerability
+
+**Do not open a public issue for security vulnerabilities.**
+
+Email **rudraneel93@gmail.com** with:
+- Description of the vulnerability
+- Steps to reproduce
+- Affected version(s)
+- Any proof-of-concept or crash data
+
+Response timeline:
+- **24 hours:** Acknowledgement
+- **72 hours:** Initial assessment
+- **7 days:** Patch or mitigation plan
+
+## Incident Response
+
+### Severity Classification
+
+| Level | Example | Response |
+|---|---|---|
+| **Critical** | RCE via proxy, auth bypass, secret leak | Patch within 24 hours, CVE disclosure |
+| **High** | Policy bypass, DoS vulnerability | Patch within 72 hours |
+| **Medium** | Information disclosure, limited impact | Patch in next release |
+| **Low** | Minor configuration issues | Documented workaround |
+
+### Emergency Patch Process
+
+1. **Isolate:** If a vulnerability is confirmed, immediately document the affected versions and attack vector
+2. **Mitigate:** Provide a temporary workaround (policy rule, config change) within 24 hours
+3. **Patch:** Release a fix with full test coverage
+4. **Disclose:** Publish advisory in GitHub Security Advisories and npm audit
+
+### Dependency Supply Chain
+
+- All dependencies are pinned via `package-lock.json`
+- CI pipeline runs `npm audit` on every commit
+- Critical dependencies (`@modelcontextprotocol/sdk`, `jose`, `pg`) are reviewed on each major version bump
+- OTel gRPC exporter removed (v1.0.1) due to critical CVE in protobufjs dependency chain
+
+## Security Design Principles
+
+1. **Least Privilege:** The policy engine denies by default when configured with allowlists
+2. **Defense in Depth:** Static scanning (config audit) + runtime enforcement (proxy policy) + SIEM logging
+3. **Fail Secure:** Graceful shutdown flushes DB before exit; blocked calls return explicit errors
+4. **Auditability:** Every policy decision, block, and proxy event is logged as structured JSON. Policy changes are recorded via PolicyAuditor
+5. **Zero Trust on Input:** All tool arguments are pattern-checked regardless of source
+
+## Dependencies
+
+MCP Guardian requires these critical dependencies:
+
+| Dependency | Purpose | Security Notes |
+|---|---|---|
+| `@modelcontextprotocol/sdk` | MCP protocol implementation | Keep updated to latest; CVE monitoring |
+| `tiktoken` | Token counting (o200k_base encoding) | Pure JS, no native bindings |
+| `sql.js` | SQLite storage | WASM-based, no native compilation |
+| `pino` | Structured logging | High-performance JSON logger |
+| `js-yaml` | YAML policy parsing | Policy files only |
+| `jose` | JWT/JWK validation | OAuth 2.1/OIDC support |
+| `ioredis` | Redis client | Session cache and rate limit store |
+| `pg` | PostgreSQL client | Production DB backend |
+| `prom-client` | Prometheus metrics | Monitoring |
+
+Run `npm audit` regularly and update dependencies through Dependabot or similar tools.

package/default-policy.yaml

@@ -0,0 +1,53 @@
+---
+# MCP Guardian — Default Policy Configuration
+# Use with: mcp-guardian proxy --policy ./default-policy.yaml
+
+version: "1.0"
+policy:
+  # Mode: audit (passive, log only), warn (block → flag), block (active enforcement)
+  mode: warn
+
+  rules:
+    # ── Block shell injection patterns ──────────────────────────
+    - name: "block-shell-injection"
+      description: "Block tool calls containing shell injection or command chaining"
+      action: block
+      patterns:
+        - "curl\\s|wget\\s"           # Network download tools
+        - "rm\\s+-rf"                 # Destructive commands
+        - ";\\s*\\w"                  # Shell chaining
+        - "&&|\\|\\|"                 # Shell logical operators
+        - "\\$\\{"                    # Shell variable expansion
+        - "`[^`]+`"                   # Backtick command substitution
+        - "/etc/passwd|/etc/shadow"   # Sensitive system files
+
+    # ── Block path traversal ─────────────────────────────────────
+    - name: "block-path-traversal"
+      description: "Block tool calls with path traversal attempts"
+      action: block
+      patterns:
+        - "\\.\\.\\/"                 # Path traversal
+
+    # ── Deny dangerous tools ─────────────────────────────────────
+    - name: "deny-dangerous-tools"
+      description: "Explicitly deny tools that can execute arbitrary code"
+      action: block
+      tools:
+        deny:
+          - "execute_command"
+          - "bash"
+          - "sh"
+          - "eval"
+          - "exec"
+
+    # ── Rate limit ───────────────────────────────────────────────
+    - name: "rate-limit-tool-calls"
+      description: "Limit tool calls to 120 per minute per server+tool"
+      action: flag
+      maxCallsPerMinute: 120
+
+    # ── Token budget ─────────────────────────────────────────────
+    - name: "token-budget"
+      description: "Flag tool calls exceeding 50K input tokens"
+      action: flag
+      maxTokens: 50000

package/package.json

@@ -1,10 +1,14 @@
 {
   "name": "@mcp-guardian/server",
-  "version": "1.3.4",
+  "version": "1.3.6",
   "description": "Security, cost, and health audit for MCP infrastructure",
   "type": "module",
   "files": [
-    "dist"
+    "dist",
+    "README.md",
+    "LICENSE",
+    "SECURITY.md",
+    "default-policy.yaml"
   ],
   "bin": {
     "mcp-guardian": "./dist/cli.js"