@raghulm/aegis-mcp 1.0.5 → 1.0.7

package/audit/audit_logger.py

@@ -1,62 +1,62 @@
-from __future__ import annotations
-
-from functools import wraps
-from time import perf_counter
-from typing import Any, Callable
-
-from server.logging import get_logger
-
-logger = get_logger("mcp.aegis.audit")
-
-
-
-def audit_tool_call(tool_name: str) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
-    """Decorator that emits structured audit records for every tool invocation."""
-
-    def decorator(func: Callable[..., Any]) -> Callable[..., Any]:
-        @wraps(func)
-        def wrapper(*args: Any, **kwargs: Any) -> Any:
-            started = perf_counter()
-            logger.info(
-                "tool_call_started",
-                extra={
-                    "extra_payload": {
-                        "event": "tool_call_started",
-                        "tool": tool_name,
-                        "args": str(args),
-                        "kwargs": kwargs,
-                    }
-                },
-            )
-            try:
-                result = func(*args, **kwargs)
-                duration_ms = int((perf_counter() - started) * 1000)
-                logger.info(
-                    "tool_call_succeeded",
-                    extra={
-                        "extra_payload": {
-                            "event": "tool_call_succeeded",
-                            "tool": tool_name,
-                            "duration_ms": duration_ms,
-                        }
-                    },
-                )
-                return result
-            except Exception as exc:  # noqa: BLE001
-                duration_ms = int((perf_counter() - started) * 1000)
-                logger.error(
-                    "tool_call_failed",
-                    extra={
-                        "extra_payload": {
-                            "event": "tool_call_failed",
-                            "tool": tool_name,
-                            "duration_ms": duration_ms,
-                            "error": str(exc),
-                        }
-                    },
-                )
-                raise
-
-        return wrapper
-
-    return decorator
+from __future__ import annotations
+
+from functools import wraps
+from time import perf_counter
+from typing import Any, Callable
+
+from server.logging import get_logger
+
+logger = get_logger("mcp.aegis.audit")
+
+
+
+def audit_tool_call(tool_name: str) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
+    """Decorator that emits structured audit records for every tool invocation."""
+
+    def decorator(func: Callable[..., Any]) -> Callable[..., Any]:
+        @wraps(func)
+        def wrapper(*args: Any, **kwargs: Any) -> Any:
+            started = perf_counter()
+            logger.info(
+                "tool_call_started",
+                extra={
+                    "extra_payload": {
+                        "event": "tool_call_started",
+                        "tool": tool_name,
+                        "args": str(args),
+                        "kwargs": kwargs,
+                    }
+                },
+            )
+            try:
+                result = func(*args, **kwargs)
+                duration_ms = int((perf_counter() - started) * 1000)
+                logger.info(
+                    "tool_call_succeeded",
+                    extra={
+                        "extra_payload": {
+                            "event": "tool_call_succeeded",
+                            "tool": tool_name,
+                            "duration_ms": duration_ms,
+                        }
+                    },
+                )
+                return result
+            except Exception as exc:  # noqa: BLE001
+                duration_ms = int((perf_counter() - started) * 1000)
+                logger.error(
+                    "tool_call_failed",
+                    extra={
+                        "extra_payload": {
+                            "event": "tool_call_failed",
+                            "tool": tool_name,
+                            "duration_ms": duration_ms,
+                            "error": str(exc),
+                        }
+                    },
+                )
+                raise
+
+        return wrapper
+
+    return decorator

package/package.json

@@ -1,54 +1,52 @@
-{
-  "name": "@raghulm/aegis-mcp",
-  "version": "1.0.5",
-  "description": "DevSecOps-focused MCP server for AWS, Kubernetes, CI/CD, and security tooling.",
-  "license": "MIT",
-  "author": "Raghul M",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/raghulvj01/aegis-mcp.git"
-  },
-  "bugs": {
-    "url": "https://github.com/raghulvj01/aegis-mcp/issues"
-  },
-  "homepage": "https://github.com/raghulvj01/aegis-mcp#readme",
-  "type": "commonjs",
-  "bin": {
-    "aegis-mcp": "bin/aegis-mcp.js"
-  },
-  "scripts": {
-    "setup:python": "node ./bin/prepare-python-env.js",
-    "start": "node ./bin/aegis-mcp.js",
-    "pack:check": "npm pack --dry-run"
-  },
-  "files": [
-    "audit/**/*.py",
-    "bin/*.js",
-    "policies/*.yaml",
-    "server/**/*.py",
-    "tools/**/*.py",
-    "requirements.txt",
-    "run_stdio.py",
-    "README.md",
-    "LICENSE"
-  ],
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "devsecops",
-    "security",
-    "aws",
-    "kubernetes",
-    "claude",
-    "jenkins"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "engines": {
-    "node": ">=18"
-  },
-  "dependencies": {
-    "@raghulm/aegis-mcp": "^1.0.5"
-  }
-}
+{
+  "name": "@raghulm/aegis-mcp",
+  "version": "1.0.7",
+  "description": "DevSecOps-focused MCP server for AWS, Kubernetes, CI/CD, and security tooling.",
+  "license": "MIT",
+  "author": "Raghul M",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/raghulvj01/aegis-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/raghulvj01/aegis-mcp/issues"
+  },
+  "homepage": "https://github.com/raghulvj01/aegis-mcp#readme",
+  "type": "commonjs",
+  "bin": {
+    "aegis-mcp": "bin/aegis-mcp.js"
+  },
+  "scripts": {
+    "setup:python": "node ./bin/prepare-python-env.js",
+    "start": "node ./bin/aegis-mcp.js",
+    "pack:check": "npm pack --dry-run"
+  },
+  "files": [
+    "audit/**/*.py",
+    "bin/*.js",
+    "policies/*.yaml",
+    "server/**/*.py",
+    "tools/**/*.py",
+    "requirements.txt",
+    "run_stdio.py",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "devsecops",
+    "security",
+    "aws",
+    "kubernetes",
+    "claude",
+    "jenkins"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://npm.pkg.github.com"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}

package/policies/roles.yaml

@@ -1,34 +1,34 @@
-roles:
-  viewer:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - git_recent_commits
-    - security_check_ssl_certificate
-    - security_check_http_headers
-    - network_port_scan
-    - security_semgrep_scan
-  security:
-    - k8s_security_audit
-    - security_run_trivy_scan
-    - git_recent_commits
-    - security_scan_secrets
-    - security_check_ssl_certificate
-    - security_check_dependencies
-    - security_check_http_headers
-    - security_semgrep_scan
-    - aws_check_s3_public_access
-    - network_port_scan
-  admin:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - k8s_security_audit
-    - security_run_trivy_scan
-    - git_recent_commits
-    - cicd_pipeline_status
-    - security_scan_secrets
-    - security_check_ssl_certificate
-    - security_check_dependencies
-    - security_check_http_headers
-    - security_semgrep_scan
-    - aws_check_s3_public_access
-    - network_port_scan
+roles:
+  viewer:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - git_recent_commits
+    - security_check_ssl_certificate
+    - security_check_http_headers
+    - network_port_scan
+    - security_semgrep_scan
+  security:
+    - k8s_security_audit
+    - security_run_trivy_scan
+    - git_recent_commits
+    - security_scan_secrets
+    - security_check_ssl_certificate
+    - security_check_dependencies
+    - security_check_http_headers
+    - security_semgrep_scan
+    - aws_check_s3_public_access
+    - network_port_scan
+  admin:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - k8s_security_audit
+    - security_run_trivy_scan
+    - git_recent_commits
+    - cicd_pipeline_status
+    - security_scan_secrets
+    - security_check_ssl_certificate
+    - security_check_dependencies
+    - security_check_http_headers
+    - security_semgrep_scan
+    - aws_check_s3_public_access
+    - network_port_scan

package/policies/scope_rules.yaml

@@ -1,16 +1,16 @@
-scopes:
-  aegis.read:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - git_recent_commits
-    - cicd_pipeline_status
-    - security_check_ssl_certificate
-    - security_check_http_headers
-    - network_port_scan
-    - aws_check_s3_public_access
-    - security_semgrep_scan
-  aegis.security:
-    - security_run_trivy_scan
-    - security_scan_secrets
-    - security_check_dependencies
-    - security_semgrep_scan
+scopes:
+  aegis.read:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - git_recent_commits
+    - cicd_pipeline_status
+    - security_check_ssl_certificate
+    - security_check_http_headers
+    - network_port_scan
+    - aws_check_s3_public_access
+    - security_semgrep_scan
+  aegis.security:
+    - security_run_trivy_scan
+    - security_scan_secrets
+    - security_check_dependencies
+    - security_semgrep_scan

package/requirements.txt

@@ -1,8 +1,8 @@
-mcp>=1.0.0
-boto3>=1.34.0
-requests>=2.32.0
-fastapi>=0.111.0
-uvicorn>=0.30.0
-pyyaml>=6.0.1
-semgrep>=1.60.0
-python-jenkins>=1.8.0
+mcp>=1.0.0
+boto3>=1.34.0
+requests>=2.32.0
+fastapi>=0.111.0
+uvicorn>=0.30.0
+pyyaml>=6.0.1
+semgrep>=1.60.0
+python-jenkins>=1.8.0

package/run_stdio.py

@@ -1,22 +1,22 @@
-"""Launcher script for Claude Desktop — ensures the project root is on sys.path."""
-import sys
-import os
-
-# Set working directory and sys.path to the project root so that
-# relative policy file paths (policies/roles.yaml etc.) resolve correctly
-PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
-os.chdir(PROJECT_ROOT)
-sys.path.insert(0, PROJECT_ROOT)
-
-# Disable JWT auth for local stdio sessions (Claude Desktop cannot supply tokens)
-os.environ.setdefault("MCP_AUTH_DISABLED", "true")
-
-# Ensure the venv Scripts dir is on PATH so pysemgrep / semgrep-core are found
-venv_scripts = os.path.join(PROJECT_ROOT, ".venv", "Scripts")
-if os.path.isdir(venv_scripts) and venv_scripts not in os.environ.get("PATH", ""):
-    os.environ["PATH"] = venv_scripts + os.pathsep + os.environ.get("PATH", "")
-
-from server.main import mcp
-
-if __name__ == "__main__":
-    mcp.run(transport="stdio")
+"""Launcher script for Claude Desktop — ensures the project root is on sys.path."""
+import sys
+import os
+
+# Set working directory and sys.path to the project root so that
+# relative policy file paths (policies/roles.yaml etc.) resolve correctly
+PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
+os.chdir(PROJECT_ROOT)
+sys.path.insert(0, PROJECT_ROOT)
+
+# Disable JWT auth for local stdio sessions (Claude Desktop cannot supply tokens)
+os.environ.setdefault("MCP_AUTH_DISABLED", "true")
+
+# Ensure the venv Scripts dir is on PATH so pysemgrep / semgrep-core are found
+venv_scripts = os.path.join(PROJECT_ROOT, ".venv", "Scripts")
+if os.path.isdir(venv_scripts) and venv_scripts not in os.environ.get("PATH", ""):
+    os.environ["PATH"] = venv_scripts + os.pathsep + os.environ.get("PATH", "")
+
+from server.main import mcp
+
+if __name__ == "__main__":
+    mcp.run(transport="stdio")

package/server/auth.py

@@ -1,69 +1,69 @@
-from __future__ import annotations
-
-import base64
-import json
-from dataclasses import dataclass
-
-from server.config import Settings
-
-
-@dataclass(frozen=True)
-class Principal:
-    subject: str
-    role: str
-    scopes: list[str]
-
-
-class AuthorizationError(PermissionError):
-    pass
-
-
-
-def _decode_jwt_payload(token: str) -> dict:
-    parts = token.split(".")
-    if len(parts) < 2:
-        return {}
-    payload = parts[1]
-    padding = "=" * ((4 - len(payload) % 4) % 4)
-    decoded = base64.urlsafe_b64decode(payload + padding)
-    return json.loads(decoded.decode("utf-8"))
-
-
-
-def decode_bearer_token(token: str, settings: Settings) -> Principal:
-    """Decode claims from a bearer token payload.
-
-    This implementation parses JWT payload claims and is intended as a scaffold.
-    Replace with strict signature/JWKS validation in production.
-    """
-    claims = _decode_jwt_payload(token)
-
-    if settings.oidc_issuer and claims.get("iss") != settings.oidc_issuer:
-        raise AuthorizationError("token issuer mismatch")
-    if settings.oidc_audience and settings.oidc_audience not in str(claims.get("aud", "")):
-        raise AuthorizationError("token audience mismatch")
-
-    role = str(claims.get("role", "viewer"))
-    scope_claim = claims.get("scope", "")
-    scopes = scope_claim.split() if isinstance(scope_claim, str) else []
-    return Principal(subject=str(claims.get("sub", "unknown")), role=role, scopes=scopes)
-
-
-
-def authorize_tool(
-    principal: Principal,
-    tool_name: str,
-    role_policies: dict[str, list[str]],
-    scope_policies: dict[str, list[str]],
-) -> None:
-    allowed_by_role = set(role_policies.get(principal.role, []))
-    allowed_by_scope: set[str] = set()
-    for scope in principal.scopes:
-        allowed_by_scope.update(scope_policies.get(scope, []))
-
-    if tool_name in allowed_by_role or tool_name in allowed_by_scope:
-        return
-
-    raise AuthorizationError(
-        f"principal '{principal.subject}' with role '{principal.role}' is not allowed to call '{tool_name}'"
-    )
+from __future__ import annotations
+
+import base64
+import json
+from dataclasses import dataclass
+
+from server.config import Settings
+
+
+@dataclass(frozen=True)
+class Principal:
+    subject: str
+    role: str
+    scopes: list[str]
+
+
+class AuthorizationError(PermissionError):
+    pass
+
+
+
+def _decode_jwt_payload(token: str) -> dict:
+    parts = token.split(".")
+    if len(parts) < 2:
+        return {}
+    payload = parts[1]
+    padding = "=" * ((4 - len(payload) % 4) % 4)
+    decoded = base64.urlsafe_b64decode(payload + padding)
+    return json.loads(decoded.decode("utf-8"))
+
+
+
+def decode_bearer_token(token: str, settings: Settings) -> Principal:
+    """Decode claims from a bearer token payload.
+
+    This implementation parses JWT payload claims and is intended as a scaffold.
+    Replace with strict signature/JWKS validation in production.
+    """
+    claims = _decode_jwt_payload(token)
+
+    if settings.oidc_issuer and claims.get("iss") != settings.oidc_issuer:
+        raise AuthorizationError("token issuer mismatch")
+    if settings.oidc_audience and settings.oidc_audience not in str(claims.get("aud", "")):
+        raise AuthorizationError("token audience mismatch")
+
+    role = str(claims.get("role", "viewer"))
+    scope_claim = claims.get("scope", "")
+    scopes = scope_claim.split() if isinstance(scope_claim, str) else []
+    return Principal(subject=str(claims.get("sub", "unknown")), role=role, scopes=scopes)
+
+
+
+def authorize_tool(
+    principal: Principal,
+    tool_name: str,
+    role_policies: dict[str, list[str]],
+    scope_policies: dict[str, list[str]],
+) -> None:
+    allowed_by_role = set(role_policies.get(principal.role, []))
+    allowed_by_scope: set[str] = set()
+    for scope in principal.scopes:
+        allowed_by_scope.update(scope_policies.get(scope, []))
+
+    if tool_name in allowed_by_role or tool_name in allowed_by_scope:
+        return
+
+    raise AuthorizationError(
+        f"principal '{principal.subject}' with role '{principal.role}' is not allowed to call '{tool_name}'"
+    )