@mneme-ai/core 2.58.0 → 2.60.0

package/dist/skeleton_key/bypass_graph.js

@@ -0,0 +1,89 @@
+/**
+ * v2.60.0 — SKELETON KEY bypass graph.
+ *
+ * Models MCP servers as graph nodes; edges = capability overlap. Computes
+ * transitive bypass paths so we surface that e.g. shell-mcp + git-mcp +
+ * file-mcp = THREE independent ways to delete the repo, even if each is
+ * "lightly scoped" in isolation.
+ *
+ * Most security audit tools stop at single-server analysis. SKELETON KEY
+ * computes the GRAPH because the actual security model is the union of
+ * all capabilities reachable through ANY allowed server.
+ */
+/** Goal → set of contributing capabilities (any one enables it). */
+const GOAL_TO_CAPABILITIES = {
+    delete_repo: ["exec", "write_fs", "git_write"],
+    exfiltrate_secret: ["read_fs", "network", "exec", "read_memory"],
+    drop_database: ["db_ddl", "exec"],
+    modify_ci_pipeline: ["git_write", "write_fs", "exec"],
+    unauthorized_cloud_change: ["cloud_mutate", "exec"],
+    ssrf_internal_network: ["browser_automation", "network", "exec"],
+};
+export function buildBypassGraph(nodes) {
+    // Capability inverted index.
+    const capToServers = new Map();
+    for (const n of nodes) {
+        for (const c of n.risk.capabilities) {
+            const list = capToServers.get(c) ?? [];
+            list.push(n);
+            capToServers.set(c, list);
+        }
+    }
+    const overlaps = [];
+    for (const [cap, servers] of capToServers.entries()) {
+        if (servers.length >= 2) {
+            overlaps.push({
+                capability: cap,
+                servers: servers.map((s) => s.name),
+                count: servers.length,
+            });
+        }
+    }
+    overlaps.sort((a, b) => b.count - a.count);
+    const bypassPaths = [];
+    for (const [goal, requiredCaps] of Object.entries(GOAL_TO_CAPABILITIES)) {
+        // For each contributing cap, collect ALL servers that expose it.
+        const stepsByCap = [];
+        for (const cap of requiredCaps) {
+            const servers = capToServers.get(cap) ?? [];
+            if (servers.length > 0)
+                stepsByCap.push({ cap, servers });
+        }
+        // If at least 2 different capabilities are reachable (or 1 cap with 2+ servers),
+        // we can build a bypass narrative.
+        const totalDistinctServers = new Set();
+        for (const s of stepsByCap)
+            for (const x of s.servers)
+                totalDistinctServers.add(x.name);
+        if (totalDistinctServers.size >= 2) {
+            // Pick the lowest-friction route: one server per required cap.
+            const steps = stepsByCap.map((s) => ({
+                server: s.servers[0].name,
+                via: s.cap,
+            }));
+            const allSeverities = stepsByCap.flatMap((s) => s.servers.map((x) => x.risk.severity));
+            // Weakest link = the LOWEST severity any path step requires — the attacker only
+            // needs the easiest unguarded surface.
+            const weakestSeverity = Math.min(...allSeverities);
+            bypassPaths.push({
+                goal,
+                steps,
+                weakestSeverity,
+                narrative: `${goal.replace(/_/g, " ")}: attacker can chain ${steps.map((s) => `\`${s.server}\`(${s.via})`).join(" → ")} (weakest-link severity ${(weakestSeverity * 100).toFixed(0)}%)`,
+            });
+        }
+    }
+    bypassPaths.sort((a, b) => b.weakestSeverity - a.weakestSeverity);
+    return { nodes, overlaps, bypassPaths };
+}
+/**
+ * Compute a single risk-budget score 0..N.
+ * = Σ (severity × capability count per server).
+ * Lower = safer.
+ */
+export function totalRiskBudget(nodes) {
+    return +nodes
+        .reduce((s, n) => s + n.risk.severity * Math.max(1, n.risk.capabilities.length), 0)
+        .toFixed(2);
+}
+//# sourceMappingURL=bypass_graph.js.map

package/dist/skeleton_key/bypass_graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bypass_graph.js","sourceRoot":"","sources":["../../src/skeleton_key/bypass_graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA8BH,oEAAoE;AACpE,MAAM,oBAAoB,GAA6B;IACrD,WAAW,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,CAAC;IAC9C,iBAAiB,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,CAAC;IAChE,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC;IACjC,kBAAkB,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC;IACrD,yBAAyB,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC;IACnD,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,SAAS,EAAE,MAAM,CAAC;CACjE,CAAC;AAYF,MAAM,UAAU,gBAAgB,CAAC,KAAmB;IAClD,6BAA6B;IAC7B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAwB,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACb,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC;QACpD,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC;gBACZ,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBACnC,KAAK,EAAE,OAAO,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAE3C,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACxE,iEAAiE;QACjE,MAAM,UAAU,GAAkD,EAAE,CAAC;QACrE,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;gBAAE,UAAU,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;QACD,iFAAiF;QACjF,mCAAmC;QACnC,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/C,KAAK,MAAM,CAAC,IAAI,UAAU;YAAE,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO;gBAAE,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACxF,IAAI,oBAAoB,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC;YACnC,+DAA+D;YAC/D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACnC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,IAAI;gBAC1B,GAAG,EAAE,CAAC,CAAC,GAAG;aACX,CAAC,CAAC,CAAC;YACJ,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACvF,gFAAgF;YAChF,uCAAuC;YACvC,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC;YACnD,WAAW,CAAC,IAAI,CAAC;gBACf,IAAI;gBACJ,KAAK;gBACL,eAAe;gBACf,SAAS,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,wBAAwB,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,2BAA2B,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;aACxL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,CAAC,eAAe,CAAC,CAAC;IAElE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AAC1C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAmB;IACjD,OAAO,CAAC,KAAK;SACV,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;SAClF,OAAO,CAAC,CAAC,CAAC,CAAC;AAChB,CAAC"}

package/dist/skeleton_key/capability_probe.d.ts

@@ -0,0 +1,58 @@
+/**
+ * v2.60.0 — SKELETON KEY capability probe.
+ *
+ * Dark-magic angle (parallel to AUTOPROBE for CLI tools): instead of
+ * guessing a server's risk from its NAME ("filesystem-mcp" → assume
+ * write-fs), we EMPIRICALLY spawn the server in a JSON-RPC handshake
+ * and ask it for its tools/list. Then we KNOW which tools it exposes,
+ * and we can promote the heuristic capabilities to the actual ones.
+ *
+ * Hand-written rules can be out of date or guess wrong; an empirical
+ * tools/list cannot — it's what the server actually serves.
+ *
+ * Safety contract:
+ *   - We only call `initialize` + `tools/list` (read-only JSON-RPC).
+ *   - We never `tools/call` from inside the probe.
+ *   - 5s timeout; force-kill on hang.
+ *   - All spawns happen in a child process; failures are caught.
+ */
+export interface ProbeInput {
+    /** Server name (used for logging). */
+    name: string;
+    /** Command to execute (e.g. "node", "mneme", "uvx"). */
+    command: string;
+    /** Args to pass (e.g. ["server.js"], ["mcp"]). */
+    args?: string[];
+    /** Env vars to inject. */
+    env?: Record<string, string>;
+    /** Per-probe timeout ms (default 8000). */
+    timeoutMs?: number;
+}
+export interface ProbedTool {
+    /** Tool name as the server returned it. */
+    name: string;
+    /** Optional description. */
+    description?: string;
+    /** Capability tags we INFER from the tool name + description. */
+    inferredCapabilities: string[];
+}
+export interface ProbeResult {
+    name: string;
+    /** True if we got a tools/list response. */
+    reachable: boolean;
+    tools: ProbedTool[];
+    /** All distinct capabilities inferred across the tools. */
+    capabilities: string[];
+    /** Latency to first tools/list response. */
+    latencyMs: number;
+    /** Brief failure reason when reachable=false. */
+    reason?: string;
+}
+/**
+ * Probe a single MCP server via JSON-RPC over stdio.
+ * Sends `initialize` + `tools/list` then exits.
+ *
+ * NEVER throws — returns reachable:false with reason on any failure.
+ */
+export declare function probeServer(input: ProbeInput): Promise<ProbeResult>;
+//# sourceMappingURL=capability_probe.d.ts.map

package/dist/skeleton_key/capability_probe.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability_probe.d.ts","sourceRoot":"","sources":["../../src/skeleton_key/capability_probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,MAAM,WAAW,UAAU;IACzB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,0BAA0B;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,2DAA2D;IAC3D,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAyBD;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,CAyFzE"}

package/dist/skeleton_key/capability_probe.js

@@ -0,0 +1,149 @@
+/**
+ * v2.60.0 — SKELETON KEY capability probe.
+ *
+ * Dark-magic angle (parallel to AUTOPROBE for CLI tools): instead of
+ * guessing a server's risk from its NAME ("filesystem-mcp" → assume
+ * write-fs), we EMPIRICALLY spawn the server in a JSON-RPC handshake
+ * and ask it for its tools/list. Then we KNOW which tools it exposes,
+ * and we can promote the heuristic capabilities to the actual ones.
+ *
+ * Hand-written rules can be out of date or guess wrong; an empirical
+ * tools/list cannot — it's what the server actually serves.
+ *
+ * Safety contract:
+ *   - We only call `initialize` + `tools/list` (read-only JSON-RPC).
+ *   - We never `tools/call` from inside the probe.
+ *   - 5s timeout; force-kill on hang.
+ *   - All spawns happen in a child process; failures are caught.
+ */
+import { spawn } from "node:child_process";
+import { performance } from "node:perf_hooks";
+// Tool-name → capability tags. Conservative: when in doubt, flag the cap.
+const TOOL_NAME_CAPABILITY_HINTS = [
+    { rx: /\b(exec|spawn|shell|bash|cmd|command|process)/i, caps: ["exec"] },
+    { rx: /\b(read[_-]?file|cat|stat|ls|find|search[_-]?file)/i, caps: ["read_fs"] },
+    { rx: /\b(write[_-]?file|create[_-]?file|delete|rm|unlink|mkdir|move|rename|edit[_-]?file|patch)/i, caps: ["write_fs"] },
+    { rx: /\b(fetch|http|request|get_url|post|put)/i, caps: ["network"] },
+    { rx: /\b(query|select|insert|update|delete|drop|alter|create[_-]?table)/i, caps: ["db_read", "db_write"] },
+    { rx: /\b(drop[_-]?(table|database)|truncate)/i, caps: ["db_ddl"] },
+    { rx: /\b(git[_-]?(push|commit|tag|reset|merge)|create[_-]?(repo|branch|pr|pull[_-]?request))/i, caps: ["git_write"] },
+    { rx: /\b(apply|create|delete|patch)[_-]?(deployment|pod|service|configmap|secret|namespace)/i, caps: ["cluster_mutate"] },
+    { rx: /\b(start[_-]?instance|terminate|create[_-]?bucket|delete[_-]?bucket|put[_-]?object)/i, caps: ["cloud_mutate"] },
+    { rx: /\b(navigate|click|screenshot|page[_-]?(open|close))/i, caps: ["browser_automation", "network"] },
+];
+function inferCapabilities(toolName, description) {
+    const blob = `${toolName} ${description ?? ""}`.toLowerCase();
+    const caps = new Set();
+    for (const hint of TOOL_NAME_CAPABILITY_HINTS) {
+        if (hint.rx.test(blob))
+            hint.caps.forEach((c) => caps.add(c));
+    }
+    return Array.from(caps);
+}
+/**
+ * Probe a single MCP server via JSON-RPC over stdio.
+ * Sends `initialize` + `tools/list` then exits.
+ *
+ * NEVER throws — returns reachable:false with reason on any failure.
+ */
+export async function probeServer(input) {
+    const t0 = performance.now();
+    const timeoutMs = input.timeoutMs ?? 8000;
+    return new Promise((resolve) => {
+        let done = false;
+        const finalize = (r) => {
+            if (done)
+                return;
+            done = true;
+            resolve({ name: input.name, latencyMs: +(performance.now() - t0).toFixed(2), ...r });
+        };
+        let child;
+        try {
+            child = spawn(input.command, input.args ?? [], {
+                env: { ...process.env, ...(input.env ?? {}) },
+                stdio: ["pipe", "pipe", "pipe"],
+            });
+        }
+        catch (e) {
+            finalize({ reachable: false, tools: [], capabilities: [], reason: `spawn failed: ${e.message}` });
+            return;
+        }
+        const timer = setTimeout(() => {
+            try {
+                child.kill();
+            }
+            catch { /* noop */ }
+            finalize({ reachable: false, tools: [], capabilities: [], reason: `timeout (${timeoutMs}ms)` });
+        }, timeoutMs);
+        let stdoutBuf = "";
+        let initialized = false;
+        child.stdout.on("data", (chunk) => {
+            stdoutBuf += chunk.toString("utf8");
+            let nl;
+            while ((nl = stdoutBuf.indexOf("\n")) !== -1) {
+                const line = stdoutBuf.slice(0, nl).trim();
+                stdoutBuf = stdoutBuf.slice(nl + 1);
+                if (!line)
+                    continue;
+                try {
+                    const msg = JSON.parse(line);
+                    if (msg.id === 1 && msg.result) {
+                        initialized = true;
+                        // Send tools/list
+                        child.stdin.write(JSON.stringify({ jsonrpc: "2.0", id: 2, method: "tools/list", params: {} }) + "\n");
+                    }
+                    else if (msg.id === 2 && msg.result) {
+                        const rawTools = (msg.result.tools ?? []);
+                        const tools = rawTools.filter((t) => typeof t.name === "string").map((t) => ({
+                            name: t.name,
+                            description: t.description,
+                            inferredCapabilities: inferCapabilities(t.name, t.description),
+                        }));
+                        const capSet = new Set();
+                        for (const t of tools)
+                            for (const c of t.inferredCapabilities)
+                                capSet.add(c);
+                        clearTimeout(timer);
+                        try {
+                            child.kill();
+                        }
+                        catch { /* noop */ }
+                        finalize({ reachable: true, tools, capabilities: Array.from(capSet) });
+                    }
+                }
+                catch {
+                    // Non-JSON line (server stderr leaking) — ignore.
+                }
+            }
+        });
+        child.stderr.on("data", () => { });
+        child.on("error", (e) => {
+            clearTimeout(timer);
+            finalize({ reachable: false, tools: [], capabilities: [], reason: `child error: ${e.message}` });
+        });
+        child.on("exit", () => {
+            if (!initialized) {
+                clearTimeout(timer);
+                finalize({ reachable: false, tools: [], capabilities: [], reason: "server exited before responding" });
+            }
+        });
+        // Send initialize after the child is up.
+        try {
+            child.stdin.write(JSON.stringify({
+                jsonrpc: "2.0",
+                id: 1,
+                method: "initialize",
+                params: {
+                    protocolVersion: "2024-11-05",
+                    capabilities: {},
+                    clientInfo: { name: "mneme-skeleton-key", version: "1.0.0" },
+                },
+            }) + "\n");
+        }
+        catch (e) {
+            clearTimeout(timer);
+            finalize({ reachable: false, tools: [], capabilities: [], reason: `init write failed: ${e.message}` });
+        }
+    });
+}
+//# sourceMappingURL=capability_probe.js.map

package/dist/skeleton_key/capability_probe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability_probe.js","sourceRoot":"","sources":["../../src/skeleton_key/capability_probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAqC9C,0EAA0E;AAC1E,MAAM,0BAA0B,GAA0C;IACxE,EAAE,EAAE,EAAE,gDAAgD,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE;IACxE,EAAE,EAAE,EAAE,qDAAqD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;IAChF,EAAE,EAAE,EAAE,4FAA4F,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;IACxH,EAAE,EAAE,EAAE,0CAA0C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;IACrE,EAAE,EAAE,EAAE,oEAAoE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE;IAC3G,EAAE,EAAE,EAAE,yCAAyC,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;IACnE,EAAE,EAAE,EAAE,yFAAyF,EAAE,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE;IACtH,EAAE,EAAE,EAAE,wFAAwF,EAAE,IAAI,EAAE,CAAC,gBAAgB,CAAC,EAAE;IAC1H,EAAE,EAAE,EAAE,sFAAsF,EAAE,IAAI,EAAE,CAAC,cAAc,CAAC,EAAE;IACtH,EAAE,EAAE,EAAE,sDAAsD,EAAE,IAAI,EAAE,CAAC,oBAAoB,EAAE,SAAS,CAAC,EAAE;CACxG,CAAC;AAEF,SAAS,iBAAiB,CAAC,QAAgB,EAAE,WAAoB;IAC/D,MAAM,IAAI,GAAG,GAAG,QAAQ,IAAI,WAAW,IAAI,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9D,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,0BAA0B,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAiB;IACjD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC;IAC1C,OAAO,IAAI,OAAO,CAAc,CAAC,OAAO,EAAE,EAAE;QAC1C,IAAI,IAAI,GAAG,KAAK,CAAC;QACjB,MAAM,QAAQ,GAAG,CAAC,CAA0C,EAAE,EAAE;YAC9D,IAAI,IAAI;gBAAE,OAAO;YACjB,IAAI,GAAG,IAAI,CAAC;YACZ,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC,CAAC;QACF,IAAI,KAA+B,CAAC;QACpC,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,IAAI,EAAE,EAAE;gBAC7C,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE;gBAC7C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,iBAAkB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC7G,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;YAC1C,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,YAAY,SAAS,KAAK,EAAE,CAAC,CAAC;QAClG,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,EAAE,CAAC;YACP,OAAO,CAAC,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;gBAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBACpC,IAAI,CAAC,IAAI;oBAAE,SAAS;gBACpB,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC7B,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBAC/B,WAAW,GAAG,IAAI,CAAC;wBACnB,kBAAkB;wBAClB,KAAK,CAAC,KAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;oBACzG,CAAC;yBAAM,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACtC,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAmD,CAAC;wBAC5F,MAAM,KAAK,GAAiB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;4BACzF,IAAI,EAAE,CAAC,CAAC,IAAK;4BACb,WAAW,EAAE,CAAC,CAAC,WAAW;4BAC1B,oBAAoB,EAAE,iBAAiB,CAAC,CAAC,CAAC,IAAK,EAAE,CAAC,CAAC,WAAW,CAAC;yBAChE,CAAC,CAAC,CAAC;wBACJ,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;wBACjC,KAAK,MAAM,CAAC,IAAI,KAAK;4BAAE,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,oBAAoB;gCAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;wBAC7E,YAAY,CAAC,KAAK,CAAC,CAAC;wBACpB,IAAI,CAAC;4BAAC,KAAK,CAAC,IAAI,EAAE,CAAC;wBAAC,CAAC;wBAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;wBAC1C,QAAQ,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBACzE,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,kDAAkD;gBACpD,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,GAAiB,CAAC,CAAC,CAAC;QAClD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;YACtB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACnG,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC,CAAC;YACzG,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,yCAAyC;QACzC,IAAI,CAAC;YACH,KAAK,CAAC,KAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;gBAChC,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,EAAE;iBAC7D;aACF,CAAC,GAAG,IAAI,CAAC,CAAC;QACb,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,sBAAuB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACpH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/skeleton_key/index.d.ts

@@ -0,0 +1,142 @@
+/**
+ * v2.60.0 — SKELETON KEY: MCP server security auditor.
+ *
+ * MCP ecosystem reality (2026): ~500+ servers, mostly community-built,
+ * no central security review. Users wire 5-15 servers into Claude
+ * Desktop / Cursor / Continue / Cline without realizing the
+ * UNION of their capabilities = a much larger attack surface than any
+ * individual server.
+ *
+ * SKELETON KEY is the first MCP security auditor. Five wild innovations:
+ *
+ *  1. EMPIRICAL CAPABILITY PROBE — spawn each MCP server + read its
+ *     real tools/list (not name-guess). Hand-written rules can lie;
+ *     a tools/list cannot.
+ *
+ *  2. TRANSITIVE BYPASS GRAPH — model servers as graph nodes; edges =
+ *     capability overlap; compute paths to attacker goals (delete_repo,
+ *     exfiltrate_secret, drop_database, etc). Most audit tools stop at
+ *     single-server analysis. We compute the graph.
+ *
+ *  3. HMAC CONFIG PINNING — snapshot the user's MCP configs; detect
+ *     tampering / silent new-server-added on next audit. Tamper-evident
+ *     drift report.
+ *
+ *  4. RISK BUDGET — single score 0..N quantifying total surface. User
+ *     sets a budget (e.g. 5.0); new servers that push over budget are
+ *     refused at install time.
+ *
+ *  5. CWE COMPLIANCE MAPPING — every finding maps to a CWE id, making
+ *     the output audit-grade for security teams.
+ *
+ * Pure ESM. Defensive — never throws on disk / parse / spawn errors.
+ */
+import { type RiskHeuristic } from "./risk_heuristics.js";
+import { type BypassGraph } from "./bypass_graph.js";
+export interface McpServerConfig {
+    /** Server name (key in the host's mcpServers map). */
+    name: string;
+    /** spawn command. */
+    command?: string;
+    /** spawn args. */
+    args?: string[];
+    /** env map. */
+    env?: Record<string, string>;
+    /** Source file the config came from. */
+    source: string;
+}
+export interface SkeletonKeyAudit {
+    ok: boolean;
+    at: string;
+    totalServers: number;
+    /** All distinct config files that contributed servers. */
+    sources: string[];
+    /** Per-server risk findings, sorted by severity desc. */
+    findings: Array<{
+        server: string;
+        risk: RiskHeuristic;
+        /** "heuristic" if matched by name; "empirical" if capability-probe upgraded. */
+        source: "heuristic" | "empirical" | "unknown";
+        /** When empirical, the tool count we discovered. */
+        toolCount?: number;
+    }>;
+    /** Capability overlaps + bypass paths. */
+    graph: BypassGraph;
+    /** Total risk budget score (sum). */
+    riskBudget: number;
+    /** User-set budget cap (default 5.0). */
+    budgetCap: number;
+    /** True iff riskBudget ≤ budgetCap. */
+    withinBudget: boolean;
+    /** Plain-English summary. */
+    summary: string;
+    /** HMAC seal of the audit body for tamper detection. */
+    hmac: string;
+}
+export interface AuditOpts {
+    /** Override discovery paths. */
+    configPaths?: string[];
+    /** Set the budget cap (default 5.0). */
+    budgetCap?: number;
+    /** Run empirical capability probe on each server (slow; ~1-2s per server). */
+    empiricalProbe?: boolean;
+    /** Limit empirical probe to specific server names. */
+    probeOnly?: string[];
+}
+/** Default paths for Claude Desktop / Cursor / Continue / Cline configs. */
+export declare function defaultConfigPaths(): string[];
+/**
+ * Read each config file, extract MCP server declarations.
+ * Tolerates multiple known schemas: claude_desktop, cursor settings,
+ * continue, cline, windsurf.
+ */
+export declare function discoverServers(configPaths: string[]): McpServerConfig[];
+export declare function auditMcpConfigs(opts?: AuditOpts): Promise<SkeletonKeyAudit>;
+export declare function verifyAudit(a: SkeletonKeyAudit): boolean;
+export interface ConfigSnapshot {
+    at: string;
+    /** SHA-like digest of every discovered server (deterministic). */
+    servers: Array<{
+        name: string;
+        commandHash: string;
+        source: string;
+    }>;
+    hmac: string;
+}
+export declare function pinConfigSnapshot(cwd: string, configPaths?: string[]): ConfigSnapshot;
+export interface DriftReport {
+    ok: boolean;
+    hasSnapshot: boolean;
+    added: Array<{
+        name: string;
+        source: string;
+    }>;
+    removed: Array<{
+        name: string;
+        source: string;
+    }>;
+    modified: Array<{
+        name: string;
+        oldHash: string;
+        newHash: string;
+    }>;
+    snapshotAt?: string;
+    currentAt: string;
+    hint: string;
+}
+export declare function detectConfigDrift(cwd: string, configPaths?: string[]): DriftReport;
+export interface Recommendation {
+    server: string;
+    severity: number;
+    cwe: string;
+    action: string;
+}
+export declare function buildRecommendations(audit: SkeletonKeyAudit): Recommendation[];
+export declare function renderAuditBanner(a: SkeletonKeyAudit): string;
+export { RISK_HEURISTICS, UNKNOWN_HEURISTIC, matchHeuristic } from "./risk_heuristics.js";
+export type { RiskHeuristic } from "./risk_heuristics.js";
+export { buildBypassGraph, totalRiskBudget } from "./bypass_graph.js";
+export type { BypassGraph, BypassPath, CapabilityOverlap, ServerNode } from "./bypass_graph.js";
+export { probeServer } from "./capability_probe.js";
+export type { ProbeInput, ProbeResult, ProbedTool } from "./capability_probe.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/skeleton_key/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/skeleton_key/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAOH,OAAO,EAIL,KAAK,aAAa,EACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAGL,KAAK,WAAW,EAEjB,MAAM,mBAAmB,CAAC;AAO3B,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,eAAe;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,OAAO,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,0DAA0D;IAC1D,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,yDAAyD;IACzD,QAAQ,EAAE,KAAK,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,aAAa,CAAC;QACpB,gFAAgF;QAChF,MAAM,EAAE,WAAW,GAAG,WAAW,GAAG,SAAS,CAAC;QAC9C,oDAAoD;QACpD,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;IACH,0CAA0C;IAC1C,KAAK,EAAE,WAAW,CAAC;IACnB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,YAAY,EAAE,OAAO,CAAC;IACtB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,wDAAwD;IACxD,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,SAAS;IACxB,gCAAgC;IAChC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8EAA8E;IAC9E,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,4EAA4E;AAC5E,wBAAgB,kBAAkB,IAAI,MAAM,EAAE,CAmB7C;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,eAAe,EAAE,CAgCxE;AAmBD,wBAAsB,eAAe,CAAC,IAAI,GAAE,SAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsDrF;AAED,wBAAgB,WAAW,CAAC,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAKxD;AAID,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,kEAAkE;IAClE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,IAAI,EAAE,MAAM,CAAC;CACd;AAWD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,cAAc,CAiBrF;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,OAAO,CAAC;IACZ,WAAW,EAAE,OAAO,CAAC;IACrB,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,WAAW,CAyClF;AAID,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,gBAAgB,GAAG,cAAc,EAAE,CA4B9E;AAID,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,gBAAgB,GAAG,MAAM,CAoB7D;AAED,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC1F,YAAY,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACtE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAChG,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC"}