@prism-llm-labs/mcp-proxy 0.1.0

package/dist/cli.js

@@ -0,0 +1,350 @@
+#!/usr/bin/env node
+"use strict";
+
+// src/proxy.ts
+var import_server = require("@modelcontextprotocol/sdk/server/index.js");
+var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
+var import_client = require("@modelcontextprotocol/sdk/client/index.js");
+var import_stdio2 = require("@modelcontextprotocol/sdk/client/stdio.js");
+var import_types = require("@modelcontextprotocol/sdk/types.js");
+var import_mcp_sdk = require("@prism-llm-labs/mcp-sdk");
+var DEFAULT_REDACT_KEYS = ["password", "token", "key", "secret", "api_key", "authorization"];
+function redactObject(obj, keys) {
+  if (typeof obj !== "object" || obj === null) return obj;
+  if (Array.isArray(obj)) return obj.map((v) => redactObject(v, keys));
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    out[k] = keys.some((r) => k.toLowerCase().includes(r.toLowerCase())) ? "[REDACTED]" : redactObject(v, keys);
+  }
+  return out;
+}
+function safeJson(val, redactKeys, maxLen) {
+  try {
+    const s = JSON.stringify(redactObject(val, redactKeys));
+    return s.length <= maxLen ? s : s.slice(0, maxLen) + "\u2026";
+  } catch {
+    return "[unserializable]";
+  }
+}
+function orgFromKey(key) {
+  const parts = key.split("_");
+  return parts.length >= 4 ? parts[2] ?? "" : "";
+}
+function ts() {
+  return (/* @__PURE__ */ new Date()).toISOString().replace("T", " ").slice(0, 23);
+}
+var PrismMcpProxy = class {
+  constructor(targetCommand, targetArgs, options = {}) {
+    this.targetCommand = targetCommand;
+    this.targetArgs = targetArgs;
+    const key = options.prismKey ?? process.env["PRISM_API_KEY"] ?? "";
+    if (!key) {
+      process.stderr.write("[prism-proxy] PRISM_API_KEY not set \u2014 telemetry disabled\n");
+    }
+    this.opts = {
+      prismKey: key,
+      serverName: options.serverName ?? targetCommand.split(/[\\/]/).pop() ?? "mcp-server",
+      project: options.project ?? process.env["PRISM_PROJECT"] ?? "",
+      team: options.team ?? process.env["PRISM_TEAM"] ?? "",
+      environment: options.environment ?? process.env["PRISM_ENVIRONMENT"] ?? "production",
+      sessionId: options.sessionId ?? crypto.randomUUID(),
+      sessionBudgetUsd: options.sessionBudgetUsd,
+      maxToolCallsPerSession: options.maxToolCallsPerSession,
+      captureInputs: options.captureInputs ?? false,
+      captureOutputs: options.captureOutputs ?? false,
+      costOverrides: options.costOverrides ?? {}
+    };
+    this.redactKeys = options.redactKeys ?? DEFAULT_REDACT_KEYS;
+    this.tracker = new import_mcp_sdk.McpEventTracker(key, this.opts.serverName, options.ingestUrl);
+    this.budget = new import_mcp_sdk.SessionBudgetChecker(orgFromKey(key));
+  }
+  /**
+   * Start the proxy. Blocks until the AI client disconnects.
+   * Spawn the target server, connect both transports, then wait.
+   */
+  async run() {
+    const targetTransport = new import_stdio2.StdioClientTransport({
+      command: this.targetCommand,
+      args: this.targetArgs,
+      stderr: "pipe"
+      // don't let target's stderr pollute our stdout
+    });
+    const targetClient = new import_client.Client(
+      { name: "prism-proxy-client", version: "1.0.0" },
+      { capabilities: {} }
+    );
+    await targetClient.connect(targetTransport);
+    const caps = targetClient.getServerCapabilities() ?? {};
+    const hasTools = !!caps.tools;
+    const hasResources = !!caps.resources;
+    const hasPrompts = !!caps.prompts;
+    const proxyCaps = {};
+    if (hasTools) proxyCaps.tools = {};
+    if (hasResources) proxyCaps.resources = { listChanged: false, subscribe: false };
+    if (hasPrompts) proxyCaps.prompts = { listChanged: false };
+    const proxyServer = new import_server.Server(
+      { name: this.opts.serverName, version: "1.0.0" },
+      { capabilities: proxyCaps }
+    );
+    if (hasTools) {
+      proxyServer.setRequestHandler(
+        import_types.ListToolsRequestSchema,
+        () => targetClient.listTools()
+      );
+      proxyServer.setRequestHandler(
+        import_types.CallToolRequestSchema,
+        (req) => this._handleToolCall(req.params.name, req.params.arguments ?? {}, targetClient)
+      );
+    }
+    if (hasResources) {
+      proxyServer.setRequestHandler(
+        import_types.ListResourcesRequestSchema,
+        () => targetClient.listResources()
+      );
+      proxyServer.setRequestHandler(
+        import_types.ListResourceTemplatesRequestSchema,
+        async () => {
+          try {
+            return await targetClient.listResourceTemplates();
+          } catch {
+            return { resourceTemplates: [] };
+          }
+        }
+      );
+      proxyServer.setRequestHandler(
+        import_types.ReadResourceRequestSchema,
+        (req) => this._handleResourceRead(req.params.uri, targetClient)
+      );
+    }
+    if (hasPrompts) {
+      proxyServer.setRequestHandler(
+        import_types.ListPromptsRequestSchema,
+        () => targetClient.listPrompts()
+      );
+      proxyServer.setRequestHandler(
+        import_types.GetPromptRequestSchema,
+        (req) => this._handlePromptGet(
+          req.params.name,
+          req.params.arguments,
+          targetClient
+        )
+      );
+    }
+    const proxyTransport = new import_stdio.StdioServerTransport();
+    await proxyServer.connect(proxyTransport);
+    await new Promise((resolve) => {
+      proxyTransport.onclose = resolve;
+    });
+    try {
+      await targetClient.close();
+    } catch {
+    }
+  }
+  // ── Private: tool call intercept ──────────────────────────────────────────
+  async _handleToolCall(name, args, target) {
+    await this._checkBudget();
+    const estimatedCost = (0, import_mcp_sdk.lookupToolCost)(name, this.opts.costOverrides);
+    const start = Date.now();
+    const eventTags = {};
+    if (this.opts.captureInputs) {
+      eventTags["tool_input"] = safeJson(args, this.redactKeys, 1e3);
+    }
+    let status = "ok";
+    let errorMsg = "";
+    let result;
+    try {
+      result = await target.callTool({ name, arguments: args });
+    } catch (err) {
+      status = "error";
+      errorMsg = err instanceof Error ? err.message : String(err);
+      this._ship("tool", name, Date.now() - start, estimatedCost, "estimated", status, errorMsg, eventTags);
+      throw err;
+    }
+    const latencyMs = Date.now() - start;
+    if (result.isError) {
+      status = "error";
+      const content = result.content;
+      const errBlock = Array.isArray(content) ? content.find((c) => c?.type === "text") : null;
+      errorMsg = errBlock?.text ?? "Tool returned error";
+    }
+    if (this.opts.captureOutputs) {
+      eventTags["tool_output"] = safeJson(result.content, this.redactKeys, 1e3);
+    }
+    this._ship("tool", name, latencyMs, estimatedCost, "estimated", status, errorMsg, eventTags);
+    return result;
+  }
+  // ── Private: resource read intercept ─────────────────────────────────────
+  async _handleResourceRead(uri, target) {
+    await this._checkBudget();
+    const start = Date.now();
+    let status = "ok";
+    let errorMsg = "";
+    let result;
+    try {
+      result = await target.readResource({ uri });
+    } catch (err) {
+      status = "error";
+      errorMsg = err instanceof Error ? err.message : String(err);
+      this._ship("resource", uri, Date.now() - start, 0, "estimated", status, errorMsg, {});
+      throw err;
+    }
+    this._ship("resource", uri, Date.now() - start, 0, "estimated", status, errorMsg, {});
+    return result;
+  }
+  // ── Private: prompt get intercept ────────────────────────────────────────
+  async _handlePromptGet(name, args, target) {
+    await this._checkBudget();
+    const start = Date.now();
+    let status = "ok";
+    let errorMsg = "";
+    let result;
+    try {
+      result = await target.getPrompt({ name, arguments: args });
+    } catch (err) {
+      status = "error";
+      errorMsg = err instanceof Error ? err.message : String(err);
+      this._ship("prompt", name, Date.now() - start, 0, "estimated", status, errorMsg, {});
+      throw err;
+    }
+    this._ship("prompt", name, Date.now() - start, 0, "estimated", status, errorMsg, {});
+    return result;
+  }
+  // ── Private: shared helpers ───────────────────────────────────────────────
+  async _checkBudget() {
+    await this.budget.checkOrThrow(
+      this.opts.sessionId,
+      this.opts.sessionBudgetUsd,
+      this.opts.maxToolCallsPerSession
+    );
+  }
+  _ship(primitiveType, toolName, latencyMs, costUsd, costStatus, status, errorMessage, tags) {
+    this.tracker.capture({
+      timestamp: ts(),
+      session_id: this.opts.sessionId,
+      project_id: this.opts.project,
+      team_id: this.opts.team,
+      user_id: "",
+      environment: this.opts.environment,
+      tool_name: toolName,
+      downstream_resource: "",
+      execution_latency_ms: latencyMs,
+      tool_cost_usd: costUsd,
+      cost_status: costStatus,
+      status,
+      error_message: errorMessage,
+      llm_request_id: "",
+      primitive_type: primitiveType,
+      tags
+    }).catch(() => {
+    });
+  }
+};
+
+// src/cli.ts
+function usage() {
+  process.stderr.write(
+    "Usage: mcp-proxy [options] -- <command> [args...]\n\nOptions:\n  --prism-key <key>          Prism API key (default: $PRISM_API_KEY)\n  --server-name <name>       Name shown in dashboard\n  --project <id>             Project ID for attribution\n  --team <id>                Team attribution tag\n  --environment <env>        production|staging|development\n  --session-id <id>          Explicit session ID\n  --session-budget <usd>     Session budget in USD\n  --max-tool-calls <n>       Max calls per session\n  --capture-inputs           Log call arguments to tags\n  --capture-outputs          Log call results to tags\n  --ingest-url <url>         Override Prism ingest URL\n  --cost <tool=usd,...>      Per-tool cost overrides\n\nExample:\n  mcp-proxy -- npx @modelcontextprotocol/server-filesystem /path/to/dir\n"
+  );
+}
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const opts = {};
+  let i = 0;
+  const dashDash = args.indexOf("--");
+  if (dashDash === -1) {
+    process.stderr.write("[mcp-proxy] Error: missing -- separator before target command\n");
+    return null;
+  }
+  const target = args.slice(dashDash + 1);
+  if (target.length === 0) {
+    process.stderr.write("[mcp-proxy] Error: no target command after --\n");
+    return null;
+  }
+  const optArgs = args.slice(0, dashDash);
+  while (i < optArgs.length) {
+    const flag = optArgs[i];
+    switch (flag) {
+      case "--prism-key":
+        opts.prismKey = optArgs[++i];
+        break;
+      case "--server-name":
+        opts.serverName = optArgs[++i];
+        break;
+      case "--project":
+        opts.project = optArgs[++i];
+        break;
+      case "--team":
+        opts.team = optArgs[++i];
+        break;
+      case "--environment":
+        opts.environment = optArgs[++i];
+        break;
+      case "--session-id":
+        opts.sessionId = optArgs[++i];
+        break;
+      case "--session-budget": {
+        const budget = parseFloat(optArgs[++i] ?? "");
+        if (!isNaN(budget)) opts.sessionBudgetUsd = budget;
+        break;
+      }
+      case "--max-tool-calls": {
+        const max = parseInt(optArgs[++i] ?? "", 10);
+        if (!isNaN(max)) opts.maxToolCallsPerSession = max;
+        break;
+      }
+      case "--capture-inputs":
+        opts.captureInputs = true;
+        break;
+      case "--capture-outputs":
+        opts.captureOutputs = true;
+        break;
+      case "--ingest-url":
+        opts.ingestUrl = optArgs[++i];
+        break;
+      case "--cost": {
+        const overrides = {};
+        const pairs = (optArgs[++i] ?? "").split(",");
+        for (const pair of pairs) {
+          const [tool, cost] = pair.split("=");
+          if (tool && cost) {
+            const usd = parseFloat(cost);
+            if (!isNaN(usd)) overrides[tool] = usd;
+          }
+        }
+        opts.costOverrides = overrides;
+        break;
+      }
+      case "--help":
+      case "-h":
+        usage();
+        process.exit(0);
+        break;
+      default:
+        process.stderr.write(`[mcp-proxy] Unknown flag: ${flag}
+`);
+        return null;
+    }
+    i++;
+  }
+  return { target, opts };
+}
+async function main() {
+  const parsed = parseArgs(process.argv);
+  if (!parsed) {
+    usage();
+    process.exit(1);
+  }
+  const [targetCommand, ...targetArgs] = parsed.target;
+  const proxy = new PrismMcpProxy(targetCommand, targetArgs, parsed.opts);
+  for (const sig of ["SIGINT", "SIGTERM"]) {
+    process.on(sig, () => process.exit(0));
+  }
+  try {
+    await proxy.run();
+  } catch (err) {
+    process.stderr.write(`[mcp-proxy] Fatal: ${err instanceof Error ? err.message : String(err)}
+`);
+    process.exit(1);
+  }
+}
+main();

package/dist/index.d.mts

@@ -0,0 +1,94 @@
+interface ProxyOptions {
+    /** Prism API key — or set PRISM_API_KEY env var */
+    prismKey?: string;
+    /**
+     * Name shown in the Prism dashboard as the MCP server name.
+     * Defaults to the basename of the target command.
+     */
+    serverName?: string;
+    /** Project ID for cost attribution */
+    project?: string;
+    /** Team attribution tag */
+    team?: string;
+    /** "production" | "staging" | "development" (default: "production") */
+    environment?: string;
+    /**
+     * Explicit session ID. Auto-generated UUID if omitted.
+     * One proxy process = one session = one agent run.
+     */
+    sessionId?: string;
+    /**
+     * Session budget in USD. All tool/resource/prompt calls are blocked
+     * when combined session cost exceeds this value.
+     */
+    sessionBudgetUsd?: number;
+    /**
+     * Maximum MCP primitive calls per session.
+     * Blocks further calls when exceeded — loop detection guard.
+     */
+    maxToolCallsPerSession?: number;
+    /**
+     * Log call arguments into tags["tool_input"] (truncated to 1000 chars).
+     * Opt-in only — disabled by default for privacy.
+     */
+    captureInputs?: boolean;
+    /**
+     * Log call results into tags["tool_output"] (truncated to 1000 chars).
+     * Opt-in only — disabled by default for privacy.
+     */
+    captureOutputs?: boolean;
+    /**
+     * Keys to redact from captured inputs/outputs.
+     * Default: ["password", "token", "key", "secret", "api_key", "authorization"]
+     */
+    redactKeys?: string[];
+    /** Override ingest URL (for testing / self-hosted Prism) */
+    ingestUrl?: string;
+    /** Per-tool cost overrides in USD per call (tool_name → usd) */
+    costOverrides?: Record<string, number>;
+}
+
+/**
+ * PrismMcpProxy — transparent process-level MCP proxy.
+ *
+ * Architecture:
+ *   AI Client (Claude Desktop, Cline, etc.)
+ *       ↕  MCP / stdio
+ *   PrismMcpProxy                ← this package
+ *       ↕  MCP / stdio
+ *   Target MCP server (any server, unmodified)
+ *
+ * The proxy:
+ *  1. Spawns the target as a child process via StdioClientTransport
+ *  2. Discovers what capabilities the target declares (tools / resources / prompts)
+ *  3. Creates a proxy Server that re-advertises those same capabilities
+ *  4. Intercepts every tool call, resource read, and prompt get:
+ *       – checks session budget + loop limits (pre-call)
+ *       – forwards the request to the target
+ *       – measures wall-clock latency
+ *       – ships a fire-and-forget McpEvent to /api/mcp/ingest
+ *       – returns the target's response unchanged
+ *  5. Connects the proxy Server to the caller via StdioServerTransport
+ */
+
+declare class PrismMcpProxy {
+    private readonly targetCommand;
+    private readonly targetArgs;
+    private readonly opts;
+    private readonly tracker;
+    private readonly budget;
+    private readonly redactKeys;
+    constructor(targetCommand: string, targetArgs: string[], options?: ProxyOptions);
+    /**
+     * Start the proxy. Blocks until the AI client disconnects.
+     * Spawn the target server, connect both transports, then wait.
+     */
+    run(): Promise<void>;
+    private _handleToolCall;
+    private _handleResourceRead;
+    private _handlePromptGet;
+    private _checkBudget;
+    private _ship;
+}
+
+export { PrismMcpProxy, type ProxyOptions };

package/dist/index.d.ts

@@ -0,0 +1,94 @@
+interface ProxyOptions {
+    /** Prism API key — or set PRISM_API_KEY env var */
+    prismKey?: string;
+    /**
+     * Name shown in the Prism dashboard as the MCP server name.
+     * Defaults to the basename of the target command.
+     */
+    serverName?: string;
+    /** Project ID for cost attribution */
+    project?: string;
+    /** Team attribution tag */
+    team?: string;
+    /** "production" | "staging" | "development" (default: "production") */
+    environment?: string;
+    /**
+     * Explicit session ID. Auto-generated UUID if omitted.
+     * One proxy process = one session = one agent run.
+     */
+    sessionId?: string;
+    /**
+     * Session budget in USD. All tool/resource/prompt calls are blocked
+     * when combined session cost exceeds this value.
+     */
+    sessionBudgetUsd?: number;
+    /**
+     * Maximum MCP primitive calls per session.
+     * Blocks further calls when exceeded — loop detection guard.
+     */
+    maxToolCallsPerSession?: number;
+    /**
+     * Log call arguments into tags["tool_input"] (truncated to 1000 chars).
+     * Opt-in only — disabled by default for privacy.
+     */
+    captureInputs?: boolean;
+    /**
+     * Log call results into tags["tool_output"] (truncated to 1000 chars).
+     * Opt-in only — disabled by default for privacy.
+     */
+    captureOutputs?: boolean;
+    /**
+     * Keys to redact from captured inputs/outputs.
+     * Default: ["password", "token", "key", "secret", "api_key", "authorization"]
+     */
+    redactKeys?: string[];
+    /** Override ingest URL (for testing / self-hosted Prism) */
+    ingestUrl?: string;
+    /** Per-tool cost overrides in USD per call (tool_name → usd) */
+    costOverrides?: Record<string, number>;
+}
+
+/**
+ * PrismMcpProxy — transparent process-level MCP proxy.
+ *
+ * Architecture:
+ *   AI Client (Claude Desktop, Cline, etc.)
+ *       ↕  MCP / stdio
+ *   PrismMcpProxy                ← this package
+ *       ↕  MCP / stdio
+ *   Target MCP server (any server, unmodified)
+ *
+ * The proxy:
+ *  1. Spawns the target as a child process via StdioClientTransport
+ *  2. Discovers what capabilities the target declares (tools / resources / prompts)
+ *  3. Creates a proxy Server that re-advertises those same capabilities
+ *  4. Intercepts every tool call, resource read, and prompt get:
+ *       – checks session budget + loop limits (pre-call)
+ *       – forwards the request to the target
+ *       – measures wall-clock latency
+ *       – ships a fire-and-forget McpEvent to /api/mcp/ingest
+ *       – returns the target's response unchanged
+ *  5. Connects the proxy Server to the caller via StdioServerTransport
+ */
+
+declare class PrismMcpProxy {
+    private readonly targetCommand;
+    private readonly targetArgs;
+    private readonly opts;
+    private readonly tracker;
+    private readonly budget;
+    private readonly redactKeys;
+    constructor(targetCommand: string, targetArgs: string[], options?: ProxyOptions);
+    /**
+     * Start the proxy. Blocks until the AI client disconnects.
+     * Spawn the target server, connect both transports, then wait.
+     */
+    run(): Promise<void>;
+    private _handleToolCall;
+    private _handleResourceRead;
+    private _handlePromptGet;
+    private _checkBudget;
+    private _ship;
+}
+
+export { PrismMcpProxy, type ProxyOptions };