@provos/ironcurtain 0.1.0

package/dist/types/argument-roles.js

@@ -0,0 +1,344 @@
+/**
+ * ArgumentRole Registry -- Central definition of argument role semantics.
+ *
+ * Each role is paired with metadata describing its security semantics
+ * and a normalizer function for canonicalizing argument values. This
+ * eliminates scattered hardcoded role strings and enables annotation-driven
+ * normalization instead of fragile heuristics.
+ *
+ * Roles are organized into categories that determine which structural
+ * invariant applies in the policy engine:
+ *   - path: filesystem path containment checks
+ *   - url: domain allowlist checks
+ *   - opaque: no structural invariant (semantic meaning only)
+ */
+import { execFileSync } from 'node:child_process';
+import { realpathSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { resolve, dirname, basename, join } from 'node:path';
+// ---------------------------------------------------------------------------
+// Normalizer functions
+// ---------------------------------------------------------------------------
+/** Expands a leading `~` or `~/` to the current user's home directory. */
+export function expandTilde(filePath) {
+    if (filePath === '~')
+        return homedir();
+    if (filePath.startsWith('~/'))
+        return homedir() + filePath.slice(1);
+    return filePath;
+}
+/**
+ * Resolves a filesystem path to its canonical real path, following symlinks.
+ *
+ * Tries three strategies in order:
+ * 1. `realpathSync(path)` — works for existing paths, follows all symlinks
+ * 2. `realpathSync(parent) + basename` — works for new files in existing dirs
+ * 3. `path.resolve(path)` — fallback for entirely new paths
+ *
+ * This is security-critical: without symlink resolution, a symlinked
+ * directory inside the sandbox could escape containment checks.
+ */
+export function resolveRealPath(filePath) {
+    const absolute = resolve(filePath);
+    try {
+        return realpathSync(absolute);
+    }
+    catch {
+        try {
+            return join(realpathSync(dirname(absolute)), basename(absolute));
+        }
+        catch {
+            return absolute;
+        }
+    }
+}
+/** Tilde expansion + symlink resolution to produce a canonical real path. */
+export function normalizePath(value) {
+    return resolveRealPath(expandTilde(value));
+}
+/** Identity function -- returns the value unchanged. */
+function identity(value) {
+    return value;
+}
+// ---------------------------------------------------------------------------
+// URL normalizers and domain extractors
+// ---------------------------------------------------------------------------
+/** Normalizes an HTTP(S) URL to a canonical form. Returns value as-is on parse failure. */
+export function normalizeUrl(value) {
+    try {
+        const url = new URL(value);
+        if (url.pathname === '/')
+            url.pathname = '';
+        return url.toString().replace(/\/$/, '');
+    }
+    catch {
+        return value;
+    }
+}
+/** Extracts the hostname from an HTTP(S) URL. Returns value as-is on parse failure. */
+export function extractDomain(value) {
+    try {
+        return new URL(value).hostname;
+    }
+    catch {
+        return value;
+    }
+}
+/** Normalizes a git URL (HTTP or SSH format). SSH URLs are returned as-is. */
+export function normalizeGitUrl(value) {
+    // SSH format: git@host:path -- no further normalization needed
+    const sshMatch = value.match(/^(?:[\w.+-]+@)?([^:]+):/);
+    if (sshMatch && !value.includes('://'))
+        return value;
+    return normalizeUrl(value);
+}
+/** Extracts the domain from a git URL (HTTP or SSH format). */
+export function extractGitDomain(value) {
+    // SSH format: git@host:path
+    const sshMatch = value.match(/^(?:[\w.+-]+@)?([^:]+):/);
+    if (sshMatch && !value.includes('://'))
+        return sshMatch[1];
+    return extractDomain(value);
+}
+/**
+ * Resolves a git remote value to a URL for policy evaluation.
+ *
+ * If the value is already a URL (contains :// or matches SSH pattern),
+ * returns it as-is. Otherwise, treats it as a named remote and runs
+ * `git remote get-url <name>` in the repository directory (found via
+ * the `path` sibling argument).
+ *
+ * Uses execFileSync (not execSync) to avoid command injection --
+ * the value comes from agent-controlled tool call arguments.
+ *
+ * When resolution fails (repo doesn't exist, remote not found, git
+ * not installed), returns the original value. This causes the domain
+ * check to escalate (the value won't match any allowed domain),
+ * which is the correct behavior -- escalate when we can't verify.
+ */
+export function resolveGitRemote(value, allArgs) {
+    // Already a URL -- return as-is
+    if (value.includes('://') || /^[\w.+-]+@[^:]+:/.test(value)) {
+        return value;
+    }
+    // Named remote -- resolve via git (no shell, no injection risk)
+    const rawPath = typeof allArgs.path === 'string' ? allArgs.path : '.';
+    const repoPath = resolve(rawPath);
+    try {
+        return execFileSync('git', ['remote', 'get-url', value], {
+            cwd: repoPath,
+            encoding: 'utf-8',
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+    }
+    catch {
+        return value; // Resolution failed -- escalation will catch it
+    }
+}
+// ---------------------------------------------------------------------------
+// Registry
+// ---------------------------------------------------------------------------
+const registryEntries = [
+    [
+        'read-path',
+        {
+            description: 'Filesystem path that will be read',
+            isResourceIdentifier: true,
+            category: 'path',
+            normalize: normalizePath,
+            annotationGuidance: 'Assign to arguments that are filesystem paths the tool will read from. ' +
+                'Includes file and directory paths used for input.',
+        },
+    ],
+    [
+        'write-path',
+        {
+            description: 'Filesystem path that will be written to',
+            isResourceIdentifier: true,
+            category: 'path',
+            normalize: normalizePath,
+            annotationGuidance: 'Assign to arguments that are filesystem paths the tool will write or create. ' +
+                'Includes destination paths for file creation and modification.',
+        },
+    ],
+    [
+        'delete-path',
+        {
+            description: 'Filesystem path that will be deleted',
+            isResourceIdentifier: true,
+            category: 'path',
+            normalize: normalizePath,
+            annotationGuidance: 'Assign to arguments that are filesystem paths the tool will delete or remove. ' +
+                'Also assign to the source argument of move operations (source is deleted after copy).',
+        },
+    ],
+    [
+        'write-history',
+        {
+            description: 'Filesystem path where git history will be rewritten',
+            isResourceIdentifier: true,
+            category: 'path',
+            normalize: normalizePath,
+            annotationGuidance: 'Assign to the repository path argument of git operations that rewrite history or modify refs. ' +
+                'Includes git_reset, git_rebase, git_merge, git_cherry_pick, and similar operations. ' +
+                'These operations are dangerous even within the sandbox and require human oversight.',
+            serverNames: ['git'],
+        },
+    ],
+    [
+        'delete-history',
+        {
+            description: 'Filesystem path where git refs or history will be deleted',
+            isResourceIdentifier: true,
+            category: 'path',
+            normalize: normalizePath,
+            annotationGuidance: 'Assign to the repository path argument of git operations that delete refs (branches, tags). ' +
+                'Includes git_branch (delete mode), git_tag (delete mode), and similar operations. ' +
+                'These operations are dangerous even within the sandbox and require human oversight.',
+            serverNames: ['git'],
+        },
+    ],
+    [
+        'fetch-url',
+        {
+            description: 'URL that will be fetched via HTTP(S)',
+            isResourceIdentifier: true,
+            category: 'url',
+            normalize: normalizeUrl,
+            prepareForPolicy: extractDomain,
+            annotationGuidance: 'Assign to arguments that are HTTP(S) URLs the tool will fetch. ' +
+                'Typically applies to web-fetch server tools.',
+        },
+    ],
+    [
+        'git-remote-url',
+        {
+            description: 'Git remote URL or named remote for network operations',
+            isResourceIdentifier: true,
+            category: 'url',
+            normalize: normalizeGitUrl,
+            prepareForPolicy: extractGitDomain,
+            resolveForPolicy: resolveGitRemote,
+            annotationGuidance: 'Assign to arguments that identify a git remote (URL or named remote like "origin"). ' +
+                'Typically applies to git server tools like git_clone, git_push, git_pull, git_fetch, git_remote.',
+            serverNames: ['git'],
+        },
+    ],
+    [
+        'branch-name',
+        {
+            description: 'Git branch name',
+            isResourceIdentifier: false,
+            category: 'opaque',
+            normalize: identity,
+            annotationGuidance: 'Assign to arguments that are git branch names. ' +
+                'Typically applies to git server tools like git_branch, git_checkout, git_merge, git_push.',
+            serverNames: ['git'],
+        },
+    ],
+    [
+        'commit-message',
+        {
+            description: 'Git commit message text',
+            isResourceIdentifier: false,
+            category: 'opaque',
+            normalize: identity,
+            annotationGuidance: 'Assign to arguments that are git commit messages. ' +
+                'Typically applies to git_commit.',
+            serverNames: ['git'],
+        },
+    ],
+    [
+        'none',
+        {
+            description: 'Argument carries no resource-identifier semantics',
+            isResourceIdentifier: false,
+            category: 'opaque',
+            normalize: identity,
+            annotationGuidance: 'Assign to arguments that have no resource-identifier semantics. ' +
+                'Use for flags, counts, patterns, messages, and other non-path, non-URL values.',
+        },
+    ],
+];
+export const ARGUMENT_ROLE_REGISTRY = new Map(registryEntries);
+// ---------------------------------------------------------------------------
+// Compile-time completeness check
+// ---------------------------------------------------------------------------
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const _ROLE_COMPLETENESS_CHECK = {
+    'read-path': true,
+    'write-path': true,
+    'delete-path': true,
+    'write-history': true,
+    'delete-history': true,
+    'fetch-url': true,
+    'git-remote-url': true,
+    'branch-name': true,
+    'commit-message': true,
+    'none': true,
+};
+// ---------------------------------------------------------------------------
+// Convenience accessors
+// ---------------------------------------------------------------------------
+/** Returns the RoleDefinition for a role. Throws if not registered. */
+export function getRoleDefinition(role) {
+    const def = ARGUMENT_ROLE_REGISTRY.get(role);
+    if (!def) {
+        throw new Error(`No registry entry for role: ${role}`);
+    }
+    return def;
+}
+/** Returns all roles where isResourceIdentifier is true. */
+export function getResourceRoles() {
+    return Array.from(ARGUMENT_ROLE_REGISTRY)
+        .filter(([, def]) => def.isResourceIdentifier)
+        .map(([role]) => role);
+}
+/** Type guard: returns true if the value is a valid ArgumentRole string. */
+export function isArgumentRole(value) {
+    return ARGUMENT_ROLE_REGISTRY.has(value);
+}
+/** All role values as a tuple for z.enum() compatibility. */
+export function getArgumentRoleValues() {
+    const roles = [...ARGUMENT_ROLE_REGISTRY.keys()];
+    return roles;
+}
+/**
+ * Returns roles relevant to a specific MCP server.
+ * Universal roles (no serverNames) are always included.
+ * Server-specific roles are included only when the server matches.
+ */
+export function getRolesForServer(serverName) {
+    return Array.from(ARGUMENT_ROLE_REGISTRY)
+        .filter(([, def]) => !def.serverNames || def.serverNames.includes(serverName));
+}
+/** Returns all roles with the given category. */
+export function getRolesByCategory(category) {
+    return Array.from(ARGUMENT_ROLE_REGISTRY)
+        .filter(([, def]) => def.category === category)
+        .map(([role]) => role);
+}
+/** Returns path-category roles only. Used by Phase 1a/1b structural invariants. */
+export function getPathRoles() {
+    return getRolesByCategory('path');
+}
+/** Returns url-category roles only. Used by Phase 1c domain checks. */
+export function getUrlRoles() {
+    return getRolesByCategory('url');
+}
+/**
+ * Path roles that Phase 1b sandbox containment is allowed to auto-resolve.
+ *
+ * Basic filesystem operations (read, write, delete) are safe within the
+ * sandbox boundary. Higher-risk path roles like `write-history` and
+ * `delete-history` are NOT sandbox-safe: even when the repo path is inside
+ * the sandbox, these operations require Phase 2 policy evaluation (and
+ * typically human approval) because they can destroy git history.
+ */
+export const SANDBOX_SAFE_PATH_ROLES = new Set([
+    'read-path',
+    'write-path',
+    'delete-path',
+]);
+//# sourceMappingURL=argument-roles.js.map

package/dist/types/argument-roles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"argument-roles.js","sourceRoot":"","sources":["../../src/types/argument-roles.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAqD7D,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,UAAU,WAAW,CAAC,QAAgB;IAC1C,IAAI,QAAQ,KAAK,GAAG;QAAE,OAAO,OAAO,EAAE,CAAC;IACvC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,eAAe,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,wDAAwD;AACxD,SAAS,QAAQ,CAAC,KAAa;IAC7B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E,2FAA2F;AAC3F,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG;YAAE,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC;QAC5C,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,+DAA+D;IAC/D,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACxD,IAAI,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACxD,IAAI,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,OAAgC;IAEhC,gCAAgC;IAChC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gEAAgE;IAChE,MAAM,OAAO,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE;YACvD,GAAG,EAAE,QAAQ;YACb,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,CAAC,gDAAgD;IAChE,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,MAAM,eAAe,GAAqC;IACxD;QACE,WAAW;QACX;YACE,WAAW,EAAE,mCAAmC;YAChD,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,aAAa;YACxB,kBAAkB,EAChB,yEAAyE;gBACzE,mDAAmD;SACtD;KACF;IACD;QACE,YAAY;QACZ;YACE,WAAW,EAAE,yCAAyC;YACtD,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,aAAa;YACxB,kBAAkB,EAChB,+EAA+E;gBAC/E,gEAAgE;SACnE;KACF;IACD;QACE,aAAa;QACb;YACE,WAAW,EAAE,sCAAsC;YACnD,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,aAAa;YACxB,kBAAkB,EAChB,gFAAgF;gBAChF,uFAAuF;SAC1F;KACF;IACD;QACE,eAAe;QACf;YACE,WAAW,EAAE,qDAAqD;YAClE,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,aAAa;YACxB,kBAAkB,EAChB,gGAAgG;gBAChG,sFAAsF;gBACtF,qFAAqF;YACvF,WAAW,EAAE,CAAC,KAAK,CAAC;SACrB;KACF;IACD;QACE,gBAAgB;QAChB;YACE,WAAW,EAAE,2DAA2D;YACxE,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,aAAa;YACxB,kBAAkB,EAChB,8FAA8F;gBAC9F,oFAAoF;gBACpF,qFAAqF;YACvF,WAAW,EAAE,CAAC,KAAK,CAAC;SACrB;KACF;IACD;QACE,WAAW;QACX;YACE,WAAW,EAAE,sCAAsC;YACnD,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,YAAY;YACvB,gBAAgB,EAAE,aAAa;YAC/B,kBAAkB,EAChB,iEAAiE;gBACjE,8CAA8C;SACjD;KACF;IACD;QACE,gBAAgB;QAChB;YACE,WAAW,EAAE,uDAAuD;YACpE,oBAAoB,EAAE,IAAI;YAC1B,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,eAAe;YAC1B,gBAAgB,EAAE,gBAAgB;YAClC,gBAAgB,EAAE,gBAAgB;YAClC,kBAAkB,EAChB,sFAAsF;gBACtF,kGAAkG;YACpG,WAAW,EAAE,CAAC,KAAK,CAAC;SACrB;KACF;IACD;QACE,aAAa;QACb;YACE,WAAW,EAAE,iBAAiB;YAC9B,oBAAoB,EAAE,KAAK;YAC3B,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,QAAQ;YACnB,kBAAkB,EAChB,iDAAiD;gBACjD,2FAA2F;YAC7F,WAAW,EAAE,CAAC,KAAK,CAAC;SACrB;KACF;IACD;QACE,gBAAgB;QAChB;YACE,WAAW,EAAE,yBAAyB;YACtC,oBAAoB,EAAE,KAAK;YAC3B,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,QAAQ;YACnB,kBAAkB,EAChB,oDAAoD;gBACpD,kCAAkC;YACpC,WAAW,EAAE,CAAC,KAAK,CAAC;SACrB;KACF;IACD;QACE,MAAM;QACN;YACE,WAAW,EAAE,mDAAmD;YAChE,oBAAoB,EAAE,KAAK;YAC3B,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,QAAQ;YACnB,kBAAkB,EAChB,kEAAkE;gBAClE,gFAAgF;SACnF;KACF;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,sBAAsB,GACjC,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;AAE3B,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,6DAA6D;AAC7D,MAAM,wBAAwB,GAA+B;IAC3D,WAAW,EAAE,IAAI;IACjB,YAAY,EAAE,IAAI;IAClB,aAAa,EAAE,IAAI;IACnB,eAAe,EAAE,IAAI;IACrB,gBAAgB,EAAE,IAAI;IACtB,WAAW,EAAE,IAAI;IACjB,gBAAgB,EAAE,IAAI;IACtB,aAAa,EAAE,IAAI;IACnB,gBAAgB,EAAE,IAAI;IACtB,MAAM,EAAE,IAAI;CACb,CAAC;AAEF,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,uEAAuE;AACvE,MAAM,UAAU,iBAAiB,CAAC,IAAkB;IAClD,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,gBAAgB;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,oBAAoB,CAAC;SAC7C,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,sBAAsB,CAAC,GAAG,CAAC,KAAqB,CAAC,CAAC;AAC3D,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,qBAAqB;IACnC,MAAM,KAAK,GAAG,CAAC,GAAG,sBAAsB,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,OAAO,KAA0C,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAkB;IAClD,OAAO,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,kBAAkB,CAAC,QAAsB;IACvD,OAAO,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;SAC9C,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,YAAY;IAC1B,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,WAAW;IACzB,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAA8B,IAAI,GAAG,CAAC;IACxE,WAAW;IACX,YAAY;IACZ,aAAa;CACd,CAAC,CAAC"}

package/dist/types/audit.d.ts

@@ -0,0 +1,18 @@
+import type { PolicyDecision } from './mcp.js';
+export interface AuditEntry {
+    timestamp: string;
+    requestId: string;
+    serverName: string;
+    toolName: string;
+    arguments: Record<string, unknown>;
+    policyDecision: PolicyDecision;
+    escalationResult?: 'approved' | 'denied';
+    result: {
+        status: 'success' | 'denied' | 'error';
+        content?: unknown;
+        error?: string;
+    };
+    durationMs: number;
+    /** Whether the MCP server process was running inside an OS-level sandbox. */
+    sandboxed?: boolean;
+}

package/dist/types/audit.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit.js.map

package/dist/types/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/types/audit.ts"],"names":[],"mappings":""}

package/dist/types/mcp.d.ts

@@ -0,0 +1,20 @@
+export interface ToolCallRequest {
+    requestId: string;
+    serverName: string;
+    toolName: string;
+    arguments: Record<string, unknown>;
+    timestamp: string;
+}
+export type PolicyDecisionStatus = 'allow' | 'deny' | 'escalate';
+export interface PolicyDecision {
+    status: PolicyDecisionStatus;
+    rule: string;
+    reason: string;
+}
+export interface ToolCallResult {
+    requestId: string;
+    status: 'success' | 'denied' | 'error';
+    content: unknown;
+    policyDecision: PolicyDecision;
+    durationMs: number;
+}

package/dist/types/mcp.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=mcp.js.map

package/dist/types/mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../src/types/mcp.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,83 @@
+{
+  "name": "@provos/ironcurtain",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Secure agent runtime with trusted process mediation",
+  "license": "Apache-2.0",
+  "author": "Niels Provos",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/provos/ironcurtain.git"
+  },
+  "bugs": {
+    "url": "https://github.com/provos/ironcurtain/issues"
+  },
+  "homepage": "https://github.com/provos/ironcurtain#readme",
+  "keywords": [
+    "mcp",
+    "agent",
+    "security",
+    "sandbox",
+    "policy",
+    "trusted-process",
+    "model-context-protocol"
+  ],
+  "engines": {
+    "node": ">=18.3.0"
+  },
+  "bin": {
+    "ironcurtain": "dist/cli.js"
+  },
+  "main": "dist/index.js",
+  "files": [
+    "dist/",
+    "src/config/constitution.md",
+    "src/config/mcp-servers.json",
+    "src/config/generated/compiled-policy.json",
+    "src/config/generated/tool-annotations.json",
+    "src/config/generated/test-scenarios.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc && node scripts/copy-assets.mjs",
+    "start": "tsx src/cli.ts start",
+    "annotate-tools": "tsx src/cli.ts annotate-tools",
+    "compile-policy": "tsx src/cli.ts compile-policy",
+    "prepublishOnly": "npm run build",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src/ test/"
+  },
+  "dependencies": {
+    "@ai-sdk/anthropic": "^3.0.44",
+    "@ai-sdk/google": "^3.0.30",
+    "@ai-sdk/openai": "^3.0.30",
+    "@anthropic-ai/sandbox-runtime": "^0.0.37",
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "@utcp/code-mode": "^1.2.11",
+    "@utcp/mcp": "^1.1.1",
+    "ai": "^6.0.86",
+    "chalk": "^5.6.2",
+    "cli-highlight": "^2.1.11",
+    "dotenv": "^17.3.1",
+    "marked": "^15.0.12",
+    "marked-terminal": "^7.3.0",
+    "ora": "^9.3.0",
+    "@cyanheads/git-mcp-server": "^2.8.4",
+    "shell-quote": "^1.8.3",
+    "uuid": "^13.0.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.2",
+    "@types/node": "^22.0.0",
+    "@types/shell-quote": "^1.7.5",
+    "@types/uuid": "^10.0.0",
+    "eslint": "^9.39.2",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.56.0",
+    "vitest": "^3.0.0"
+  }
+}

package/src/config/constitution.md

@@ -0,0 +1,16 @@
+# IronCurtain Constitution
+
+## Guiding Principles
+
+1. **Least privilege**: The agent may only access resources explicitly permitted by policy.
+2. **No destruction**: Delete operations outside the sandbox are never permitted.
+3. **Human oversight**: Operations outside the sandbox require explicit human approval.
+
+## Concrete Guidance which supersedes the guiding principles
+ - The agent is allowed to read, write and delete content in the Downloads folder
+ - The agent is allowed to read documents in the Users document folder.
+ - The agent may perform read-only git operations (status, diff, log, show, blame) within the sandbox without approval.
+ - The agent may stage files (git add) and commit within the sandbox without approval.
+ - The agent must receive human approval before git push, git pull, git fetch, or any remote-contacting operation.
+ - The agent must receive human approval before git reset, git rebase, git merge, or any history-rewriting operation.
+ - The agent must receive human approval before git branch deletion or force operations.