@quint-security/proxy 0.3.0

package/dist/interceptor.js

@@ -0,0 +1,95 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.inspectRequest = inspectRequest;
+exports.inspectResponse = inspectResponse;
+exports.buildDenyResponse = buildDenyResponse;
+const core_1 = require("@quint-security/core");
+/**
+ * Try to parse a line as JSON-RPC and determine the policy verdict.
+ * Non-parseable lines or non-tools/call methods get "passthrough".
+ */
+function inspectRequest(line, serverName, policy) {
+    let parsed;
+    try {
+        parsed = JSON.parse(line);
+    }
+    catch {
+        return {
+            message: null,
+            verdict: "passthrough",
+            toolName: null,
+            argumentsJson: null,
+            method: "unknown",
+            messageId: null,
+        };
+    }
+    if (!(0, core_1.isJsonRpcRequest)(parsed)) {
+        return {
+            message: parsed,
+            verdict: "passthrough",
+            toolName: null,
+            argumentsJson: null,
+            method: "unknown",
+            messageId: extractId(parsed),
+        };
+    }
+    const req = parsed;
+    const toolInfo = (0, core_1.extractToolInfo)(req);
+    const toolName = toolInfo?.name ?? null;
+    const argumentsJson = toolInfo ? JSON.stringify(toolInfo.args) : null;
+    // Only policy-check tools/call; everything else is passthrough
+    let verdict;
+    if ((0, core_1.isToolCallRequest)(req)) {
+        verdict = (0, core_1.evaluatePolicy)(policy, serverName, toolName);
+    }
+    else {
+        verdict = "passthrough";
+    }
+    return {
+        message: req,
+        verdict,
+        toolName,
+        argumentsJson,
+        method: req.method,
+        messageId: req.id != null ? String(req.id) : null,
+    };
+}
+/**
+ * Inspect a response line from the child (just for logging purposes — responses always pass through).
+ */
+function inspectResponse(line) {
+    let parsed;
+    try {
+        parsed = JSON.parse(line);
+    }
+    catch {
+        return { method: "unknown", messageId: null, responseJson: null };
+    }
+    return {
+        method: "response",
+        messageId: extractId(parsed),
+        responseJson: line,
+    };
+}
+/**
+ * Build a JSON-RPC error response for a denied tool call.
+ */
+function buildDenyResponse(requestId) {
+    const response = {
+        jsonrpc: "2.0",
+        id: requestId,
+        error: {
+            code: -32600,
+            message: "Quint: tool call denied by policy",
+        },
+    };
+    return JSON.stringify(response);
+}
+function extractId(obj) {
+    if (typeof obj === "object" && obj !== null && "id" in obj) {
+        const id = obj.id;
+        return id != null ? String(id) : null;
+    }
+    return null;
+}
+//# sourceMappingURL=interceptor.js.map

package/dist/interceptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interceptor.js","sourceRoot":"","sources":["../src/interceptor.ts"],"names":[],"mappings":";;AA8BA,wCAmDC;AAKD,0CAiBC;AAKD,8CAUC;AAtHD,+CAS8B;AAiB9B;;;GAGG;AACH,SAAgB,cAAc,CAC5B,IAAY,EACZ,UAAkB,EAClB,MAAoB;IAEpB,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI;SAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAA,uBAAgB,EAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE,MAAwB;YACjC,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAwB,CAAC;IACrC,MAAM,QAAQ,GAAG,IAAA,sBAAe,EAAC,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC;IACxC,MAAM,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEtE,+DAA+D;IAC/D,IAAI,OAAgB,CAAC;IACrB,IAAI,IAAA,wBAAiB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,aAAa,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO,EAAE,GAAG;QACZ,OAAO;QACP,QAAQ;QACR,aAAa;QACb,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,SAAS,EAAE,GAAG,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI;KAClD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,IAAY;IAK1C,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACpE,CAAC;IAED,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC;QAC5B,YAAY,EAAE,IAAI;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,SAAiC;IACjE,MAAM,QAAQ,GAAG;QACf,OAAO,EAAE,KAAc;QACvB,EAAE,EAAE,SAAS;QACb,KAAK,EAAE;YACL,IAAI,EAAE,CAAC,KAAK;YACZ,OAAO,EAAE,mCAAmC;SAC7C;KACF,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;QAC3D,MAAM,EAAE,GAAI,GAA+B,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/logger.d.ts

@@ -0,0 +1,21 @@
+import { type AuditDb, type Verdict, type PolicyConfig } from "@quint-security/core";
+export declare class AuditLogger {
+    private db;
+    private privateKey;
+    private publicKey;
+    private policyHash;
+    constructor(db: AuditDb, privateKey: string, publicKey: string, policy: PolicyConfig);
+    log(opts: {
+        serverName: string;
+        direction: "request" | "response";
+        method: string;
+        messageId: string | null;
+        toolName: string | null;
+        argumentsJson: string | null;
+        responseJson: string | null;
+        verdict: Verdict;
+        riskScore?: number | null;
+        riskLevel?: string | null;
+    }): number;
+}
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,OAAO,EACZ,KAAK,OAAO,EACZ,KAAK,YAAY,EAIlB,MAAM,sBAAsB,CAAC;AAG9B,qBAAa,WAAW;IACtB,OAAO,CAAC,EAAE,CAAU;IACpB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAS;gBAEf,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY;IAOpF,GAAG,CAAC,IAAI,EAAE;QACR,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,SAAS,GAAG,UAAU,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAC3B,GAAG,MAAM;CAiDX"}

package/dist/logger.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+const core_1 = require("@quint-security/core");
+const node_crypto_1 = require("node:crypto");
+class AuditLogger {
+    db;
+    privateKey;
+    publicKey;
+    policyHash;
+    constructor(db, privateKey, publicKey, policy) {
+        this.db = db;
+        this.privateKey = privateKey;
+        this.publicKey = publicKey;
+        this.policyHash = (0, core_1.sha256)((0, core_1.canonicalize)(policy));
+    }
+    log(opts) {
+        // Use insertAtomic to read last signature and insert in one transaction,
+        // preventing chain breaks when multiple proxy instances share the same DB.
+        return this.db.insertAtomic((prevSignature) => {
+            const timestamp = new Date().toISOString();
+            const nonce = (0, node_crypto_1.randomUUID)();
+            const prevHash = prevSignature ? (0, core_1.sha256)(prevSignature) : "";
+            const signable = {
+                timestamp,
+                server_name: opts.serverName,
+                direction: opts.direction,
+                method: opts.method,
+                message_id: opts.messageId,
+                tool_name: opts.toolName,
+                arguments_json: opts.argumentsJson,
+                response_json: opts.responseJson,
+                verdict: opts.verdict,
+                risk_score: opts.riskScore ?? null,
+                risk_level: opts.riskLevel ?? null,
+                policy_hash: this.policyHash,
+                prev_hash: prevHash,
+                nonce,
+                public_key: this.publicKey,
+            };
+            const canonical = (0, core_1.canonicalize)(signable);
+            const signature = (0, core_1.signData)(canonical, this.privateKey);
+            return {
+                timestamp,
+                server_name: opts.serverName,
+                direction: opts.direction,
+                method: opts.method,
+                message_id: opts.messageId,
+                tool_name: opts.toolName,
+                arguments_json: opts.argumentsJson,
+                response_json: opts.responseJson,
+                verdict: opts.verdict,
+                risk_score: opts.riskScore ?? null,
+                risk_level: opts.riskLevel ?? null,
+                policy_hash: this.policyHash,
+                prev_hash: prevHash,
+                nonce,
+                signature,
+                public_key: this.publicKey,
+            };
+        });
+    }
+}
+exports.AuditLogger = AuditLogger;
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":";;;AAAA,+CAQ8B;AAC9B,6CAAyC;AAEzC,MAAa,WAAW;IACd,EAAE,CAAU;IACZ,UAAU,CAAS;IACnB,SAAS,CAAS;IAClB,UAAU,CAAS;IAE3B,YAAY,EAAW,EAAE,UAAkB,EAAE,SAAiB,EAAE,MAAoB;QAClF,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,IAAA,aAAM,EAAC,IAAA,mBAAY,EAAC,MAA4C,CAAC,CAAC,CAAC;IACvF,CAAC;IAED,GAAG,CAAC,IAWH;QACC,yEAAyE;QACzE,2EAA2E;QAC3E,OAAO,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,aAA4B,EAAE,EAAE;YAC3D,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,IAAA,wBAAU,GAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAC,IAAA,aAAM,EAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAE5D,MAAM,QAAQ,GAA4B;gBACxC,SAAS;gBACT,WAAW,EAAE,IAAI,CAAC,UAAU;gBAC5B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,IAAI,CAAC,SAAS;gBAC1B,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,cAAc,EAAE,IAAI,CAAC,aAAa;gBAClC,aAAa,EAAE,IAAI,CAAC,YAAY;gBAChC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBAClC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBAClC,WAAW,EAAE,IAAI,CAAC,UAAU;gBAC5B,SAAS,EAAE,QAAQ;gBACnB,KAAK;gBACL,UAAU,EAAE,IAAI,CAAC,SAAS;aAC3B,CAAC;YAEF,MAAM,SAAS,GAAG,IAAA,mBAAY,EAAC,QAAQ,CAAC,CAAC;YACzC,MAAM,SAAS,GAAG,IAAA,eAAQ,EAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAEvD,OAAO;gBACL,SAAS;gBACT,WAAW,EAAE,IAAI,CAAC,UAAU;gBAC5B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,IAAI,CAAC,SAAS;gBAC1B,SAAS,EAAE,IAAI,CAAC,QAAQ;gBACxB,cAAc,EAAE,IAAI,CAAC,aAAa;gBAClC,aAAa,EAAE,IAAI,CAAC,YAAY;gBAChC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBAClC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBAClC,WAAW,EAAE,IAAI,CAAC,UAAU;gBAC5B,SAAS,EAAE,QAAQ;gBACnB,KAAK;gBACL,SAAS;gBACT,UAAU,EAAE,IAAI,CAAC,SAAS;aAC3B,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAzED,kCAyEC"}

package/dist/relay.d.ts

@@ -0,0 +1,34 @@
+import { EventEmitter } from "node:events";
+export interface RelayEvents {
+    /** Fired for every line received on stdin (from parent / AI agent) */
+    parentMessage: (line: string) => void;
+    /** Fired for every line the child process writes to stdout */
+    childMessage: (line: string) => void;
+    /** Child process exited */
+    childExit: (code: number | null, signal: string | null) => void;
+    /** Unrecoverable error */
+    error: (err: Error) => void;
+}
+/**
+ * Relay manages:
+ *  - Spawning the real MCP server as a child process
+ *  - Reading JSON-RPC lines from stdin and forwarding to child stdin
+ *  - Reading JSON-RPC lines from child stdout and forwarding to parent stdout
+ *
+ * The interceptor hooks into parentMessage/childMessage events to inspect,
+ * allow, deny, or modify messages before they are forwarded.
+ */
+export declare class Relay extends EventEmitter {
+    private child;
+    private command;
+    private args;
+    constructor(command: string, args: string[]);
+    start(): void;
+    /** Send a line to the child process's stdin */
+    sendToChild(line: string): void;
+    /** Send a line to the parent process's stdout */
+    sendToParent(line: string): void;
+    /** Gracefully shut down the child */
+    stop(): void;
+}
+//# sourceMappingURL=relay.d.ts.map

package/dist/relay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.d.ts","sourceRoot":"","sources":["../src/relay.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,WAAW,WAAW;IAC1B,sEAAsE;IACtE,aAAa,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACtC,8DAA8D;IAC9D,YAAY,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACrC,2BAA2B;IAC3B,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,CAAC;IAChE,0BAA0B;IAC1B,KAAK,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC;CAC7B;AAED;;;;;;;;GAQG;AACH,qBAAa,KAAM,SAAQ,YAAY;IACrC,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,IAAI,CAAW;gBAEX,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE;IAM3C,KAAK,IAAI,IAAI;IAsCb,+CAA+C;IAC/C,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAM/B,iDAAiD;IACjD,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIhC,qCAAqC;IACrC,IAAI,IAAI,IAAI;CAGb"}

package/dist/relay.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Relay = void 0;
+const node_child_process_1 = require("node:child_process");
+const node_readline_1 = require("node:readline");
+const node_events_1 = require("node:events");
+/**
+ * Relay manages:
+ *  - Spawning the real MCP server as a child process
+ *  - Reading JSON-RPC lines from stdin and forwarding to child stdin
+ *  - Reading JSON-RPC lines from child stdout and forwarding to parent stdout
+ *
+ * The interceptor hooks into parentMessage/childMessage events to inspect,
+ * allow, deny, or modify messages before they are forwarded.
+ */
+class Relay extends node_events_1.EventEmitter {
+    child = null;
+    command;
+    args;
+    constructor(command, args) {
+        super();
+        this.command = command;
+        this.args = args;
+    }
+    start() {
+        // Spawn the real MCP server
+        this.child = (0, node_child_process_1.spawn)(this.command, this.args, {
+            stdio: ["pipe", "pipe", "pipe"],
+            env: process.env,
+        });
+        // Forward child stderr to our stderr (pass through diagnostics)
+        this.child.stderr?.pipe(process.stderr);
+        this.child.on("error", (err) => {
+            this.emit("error", err);
+        });
+        this.child.on("exit", (code, signal) => {
+            this.emit("childExit", code, signal);
+        });
+        // Read lines from child stdout
+        if (this.child.stdout) {
+            const childRl = (0, node_readline_1.createInterface)({ input: this.child.stdout });
+            childRl.on("line", (line) => {
+                this.emit("childMessage", line);
+            });
+        }
+        // Read lines from parent stdin
+        const parentRl = (0, node_readline_1.createInterface)({ input: process.stdin });
+        parentRl.on("line", (line) => {
+            this.emit("parentMessage", line);
+        });
+        parentRl.on("close", () => {
+            // Parent closed stdin — close child's stdin so it can finish and exit
+            this.child?.stdin?.end();
+        });
+    }
+    /** Send a line to the child process's stdin */
+    sendToChild(line) {
+        if (this.child?.stdin?.writable) {
+            this.child.stdin.write(line + "\n");
+        }
+    }
+    /** Send a line to the parent process's stdout */
+    sendToParent(line) {
+        process.stdout.write(line + "\n");
+    }
+    /** Gracefully shut down the child */
+    stop() {
+        this.child?.kill();
+    }
+}
+exports.Relay = Relay;
+//# sourceMappingURL=relay.js.map

package/dist/relay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.js","sourceRoot":"","sources":["../src/relay.ts"],"names":[],"mappings":";;;AAAA,2DAA8D;AAC9D,iDAAgD;AAChD,6CAA2C;AAa3C;;;;;;;;GAQG;AACH,MAAa,KAAM,SAAQ,0BAAY;IAC7B,KAAK,GAAwB,IAAI,CAAC;IAClC,OAAO,CAAS;IAChB,IAAI,CAAW;IAEvB,YAAY,OAAe,EAAE,IAAc;QACzC,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED,KAAK;QACH,4BAA4B;QAC5B,IAAI,CAAC,KAAK,GAAG,IAAA,0BAAK,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;YAC1C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,GAAG,EAAE,OAAO,CAAC,GAAG;SACjB,CAAC,CAAC;QAEH,gEAAgE;QAChE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,+BAA+B;QAC/B,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,IAAA,+BAAe,EAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9D,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAC1B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;YAClC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QAC3D,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACxB,sEAAsE;YACtE,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,WAAW,CAAC,IAAY;QACtB,IAAI,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,YAAY,CAAC,IAAY;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,qCAAqC;IACrC,IAAI;QACF,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;IACrB,CAAC;CACF;AAjED,sBAiEC"}

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@quint-security/proxy",
+  "version": "0.3.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Quint-Security/cli.git",
+    "directory": "packages/proxy"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc"
+  },
+  "dependencies": {
+    "@quint-security/core": "*"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.4.0"
+  }
+}

package/src/http-proxy.ts

@@ -0,0 +1,176 @@
+import {
+  type PolicyConfig,
+  ensureKeyPair,
+  openAuditDb,
+  openAuthDb,
+  authenticateBearer,
+  resolveDataDir,
+  setLogLevel,
+  logDebug,
+  logInfo,
+  logWarn,
+  logError,
+  RiskEngine,
+} from "@quint-security/core";
+import { HttpRelay } from "./http-relay.js";
+import { inspectRequest, inspectResponse, buildDenyResponse } from "./interceptor.js";
+import { AuditLogger } from "./logger.js";
+
+export interface HttpProxyOptions {
+  serverName: string;
+  port: number;
+  targetUrl: string;
+  policy: PolicyConfig;
+  requireAuth?: boolean;
+}
+
+/**
+ * Start the HTTP proxy: run a local HTTP server, intercept all JSON-RPC
+ * requests, enforce policy, sign and log everything, forward to remote.
+ */
+export async function startHttpProxy(opts: HttpProxyOptions): Promise<void> {
+  setLogLevel(opts.policy.log_level);
+  const dataDir = resolveDataDir(opts.policy.data_dir);
+
+  // Ensure signing keys exist
+  const kp = ensureKeyPair(dataDir);
+
+  // Open audit database
+  const db = openAuditDb(dataDir);
+
+  // Create audit logger
+  const logger = new AuditLogger(db, kp.privateKey, kp.publicKey, opts.policy);
+
+  // Create risk engine
+  const riskEngine = new RiskEngine();
+
+  // Create HTTP relay (with optional auth)
+  const authDb = opts.requireAuth ? openAuthDb(dataDir) : null;
+  const relay = new HttpRelay(opts.port, opts.targetUrl, opts.requireAuth ? (req) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return "Quint: missing or invalid Authorization header. Use: Bearer <api-key>";
+    }
+    const token = authHeader.slice(7);
+    const result = authenticateBearer(authDb!, token);
+    if (!result) {
+      return "Quint: invalid or expired API key";
+    }
+    return null;
+  } : undefined);
+
+  // ── Handle requests from agent → remote MCP server ──
+
+  relay.on("request", (line: string, requestKey: string) => {
+    const result = inspectRequest(line, opts.serverName, opts.policy);
+
+    // Log the request
+    logger.log({
+      serverName: opts.serverName,
+      direction: "request",
+      method: result.method,
+      messageId: result.messageId,
+      toolName: result.toolName,
+      argumentsJson: result.argumentsJson,
+      responseJson: null,
+      verdict: result.verdict,
+    });
+
+    if (result.verdict === "deny") {
+      // Send error response back to agent
+      const reqId = result.message && "id" in result.message ? result.message.id : null;
+      const errorResponse = buildDenyResponse(reqId ?? null);
+      relay.respondToClient(requestKey, errorResponse);
+      logInfo(`denied ${result.toolName} on ${opts.serverName}`);
+
+      // Log the synthetic deny response
+      logger.log({
+        serverName: opts.serverName,
+        direction: "response",
+        method: result.method,
+        messageId: result.messageId,
+        toolName: result.toolName,
+        argumentsJson: null,
+        responseJson: errorResponse,
+        verdict: "deny",
+      });
+    } else if (result.toolName) {
+      // Run risk scoring on tool calls that passed policy
+      const risk = riskEngine.score(result.toolName, result.argumentsJson, "anonymous");
+      const riskAction = riskEngine.evaluate(risk);
+
+      if (riskAction === "deny") {
+        // Risk score too high — auto-deny
+        const reqId = result.message && "id" in result.message ? result.message.id : null;
+        const errorResponse = buildDenyResponse(reqId ?? null);
+        relay.respondToClient(requestKey, errorResponse);
+        logWarn(`risk-denied ${result.toolName} (score=${risk.score}, level=${risk.level}): ${risk.reasons.join("; ")}`);
+
+        logger.log({
+          serverName: opts.serverName,
+          direction: "response",
+          method: result.method,
+          messageId: result.messageId,
+          toolName: result.toolName,
+          argumentsJson: null,
+          responseJson: errorResponse,
+          verdict: "deny",
+        });
+      } else {
+        if (riskAction === "flag") {
+          logWarn(`high-risk ${result.toolName} (score=${risk.score}, level=${risk.level}): ${risk.reasons.join("; ")}`);
+        }
+        logDebug(`forwarding ${result.method} (risk=${risk.score}) to remote`);
+        relay.forwardToRemote(requestKey);
+      }
+
+      // Check for revocation threshold
+      if (riskEngine.shouldRevoke("anonymous")) {
+        logWarn(`repeated high-risk actions detected — consider revoking agent credentials`);
+      }
+    } else {
+      // Non-tool-call (initialize, tools/list, etc.) — forward directly
+      logDebug(`forwarding ${result.method} (${result.verdict}) to remote`);
+      relay.forwardToRemote(requestKey);
+    }
+  });
+
+  // ── Handle responses from remote MCP server ──
+
+  relay.on("response", (line: string) => {
+    const result = inspectResponse(line);
+
+    // Log the response
+    logger.log({
+      serverName: opts.serverName,
+      direction: "response",
+      method: result.method,
+      messageId: result.messageId,
+      toolName: null,
+      argumentsJson: null,
+      responseJson: result.responseJson,
+      verdict: "passthrough",
+    });
+  });
+
+  // ── Handle errors ──
+
+  relay.on("error", (err: Error) => {
+    logError(`http-proxy error: ${err.message}`);
+  });
+
+  // Handle shutdown
+  const shutdown = () => {
+    relay.stop();
+    db.close();
+    authDb?.close();
+    process.exit(0);
+  };
+
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+
+  // Start listening
+  await relay.start();
+  logInfo(`HTTP proxy listening on http://localhost:${opts.port} → ${opts.targetUrl}`);
+}