npm - @sentinel-atl/trust-gateway - Versions diffs - 0.3.0 - Mend

@sentinel-atl/trust-gateway 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/gateway.js ADDED Viewed

@@ -0,0 +1,245 @@
+/**
+ * Trust Gateway — runtime MCP request enforcement using YAML policies and STCs.
+ *
+ * For every incoming tool call, the gateway:
+ * 1. Identifies which server policy applies
+ * 2. Checks the server's STC trust score against the policy
+ * 3. Enforces tool allow/block lists
+ * 4. Applies rate limiting
+ * 5. Logs the decision to the audit trail
+ */
+import { AuditLog } from '@sentinel-atl/audit';
+import { TrustStore } from './trust-store.js';
+// ─── Rate Limiter ────────────────────────────────────────────────────
+class RateLimiter {
+    maxRequests;
+    windowMs;
+    windows = new Map();
+    constructor(maxRequests, windowMs) {
+        this.maxRequests = maxRequests;
+        this.windowMs = windowMs;
+    }
+    check(key) {
+        const now = Date.now();
+        const entry = this.windows.get(key);
+        if (!entry || now >= entry.resetAt) {
+            this.windows.set(key, { count: 1, resetAt: now + this.windowMs });
+            return true;
+        }
+        if (entry.count >= this.maxRequests)
+            return false;
+        entry.count++;
+        return true;
+    }
+}
+function parseRateLimit(spec) {
+    const match = spec.match(/^(\d+)\/(min|hour|day)$/);
+    if (!match)
+        return { max: 100, windowMs: 60_000 };
+    const max = parseInt(match[1]);
+    const windowMs = match[2] === 'min' ? 60_000
+        : match[2] === 'hour' ? 3_600_000
+            : 86_400_000;
+    return { max, windowMs };
+}
+// ─── Grade Comparison ────────────────────────────────────────────────
+const GRADE_ORDER = { A: 4, B: 3, C: 2, D: 1, F: 0 };
+function gradeAtLeast(actual, required) {
+    return (GRADE_ORDER[actual] ?? 0) >= (GRADE_ORDER[required] ?? 0);
+}
+// ─── Gateway ─────────────────────────────────────────────────────────
+export class TrustGateway {
+    config;
+    trustStore;
+    auditLog;
+    rateLimiters = new Map();
+    stats = {
+        totalRequests: 0,
+        allowed: 0,
+        denied: 0,
+        warned: 0,
+    };
+    constructor(config, trustStore, auditLog) {
+        this.config = config;
+        this.trustStore = trustStore ?? new TrustStore();
+        this.auditLog = auditLog ?? new AuditLog({
+            logPath: config.gateway.logPath ?? './sentinel-gateway-audit.jsonl',
+        });
+        // Initialize rate limiters for each server
+        for (const server of config.servers) {
+            if (server.rateLimit) {
+                const { max, windowMs } = parseRateLimit(server.rateLimit);
+                this.rateLimiters.set(server.name, new RateLimiter(max, windowMs));
+            }
+        }
+    }
+    /**
+     * Get the trust store for loading certificates.
+     */
+    getTrustStore() {
+        return this.trustStore;
+    }
+    /**
+     * Process a tool call request through the trust pipeline.
+     */
+    async processRequest(request) {
+        const start = performance.now();
+        this.stats.totalRequests++;
+        // Find the server policy
+        const policy = this.config.servers.find(s => s.name === request.serverName);
+        if (!policy) {
+            this.stats.denied++;
+            return this.makeResponse(request, 'deny-unknown-server', `Server "${request.serverName}" is not configured`, start);
+        }
+        // Rate limit check
+        const limiter = this.rateLimiters.get(request.serverName);
+        if (limiter && !limiter.check(`${request.callerId}:${request.serverName}`)) {
+            this.stats.denied++;
+            return this.makeResponse(request, 'deny-rate-limit', 'Rate limit exceeded', start);
+        }
+        // Tool allow/block list check
+        if (policy.blockedTools?.includes(request.toolName)) {
+            this.stats.denied++;
+            return this.makeResponse(request, 'deny-blocked-tool', `Tool "${request.toolName}" is blocked for server "${request.serverName}"`, start);
+        }
+        if (policy.allowedTools && !policy.allowedTools.includes(request.toolName)) {
+            this.stats.denied++;
+            return this.makeResponse(request, 'deny-not-allowed', `Tool "${request.toolName}" is not in the allowed list for server "${request.serverName}"`, start);
+        }
+        // Trust verification
+        const trustResult = this.checkTrust(request.serverName, policy);
+        if (trustResult.decision !== 'allow') {
+            if (this.config.gateway.mode === 'permissive') {
+                // Permissive mode: warn but allow
+                this.stats.warned++;
+                await this.audit(request, 'warn', trustResult.reason);
+                return {
+                    allowed: true,
+                    decision: 'warn',
+                    reason: `[WARN] ${trustResult.reason}`,
+                    serverName: request.serverName,
+                    toolName: request.toolName,
+                    trustScore: trustResult.trustScore,
+                    grade: trustResult.grade,
+                    latencyMs: performance.now() - start,
+                };
+            }
+            this.stats.denied++;
+            await this.audit(request, trustResult.decision, trustResult.reason);
+            return {
+                allowed: false,
+                decision: trustResult.decision,
+                reason: trustResult.reason,
+                serverName: request.serverName,
+                toolName: request.toolName,
+                trustScore: trustResult.trustScore,
+                grade: trustResult.grade,
+                latencyMs: performance.now() - start,
+            };
+        }
+        // All checks passed
+        this.stats.allowed++;
+        await this.audit(request, 'allow');
+        return {
+            allowed: true,
+            decision: 'allow',
+            serverName: request.serverName,
+            toolName: request.toolName,
+            trustScore: trustResult.trustScore,
+            grade: trustResult.grade,
+            latencyMs: performance.now() - start,
+        };
+    }
+    /**
+     * Get gateway stats.
+     */
+    getStats() {
+        return { ...this.stats };
+    }
+    // ─── Trust Verification ─────────────────────────────────────────
+    checkTrust(serverName, policy) {
+        const trust = policy.trust ?? {};
+        const globalMinScore = this.config.gateway.minTrustScore;
+        const globalMinGrade = this.config.gateway.minGrade;
+        // Check if certificate is required
+        const cert = this.trustStore.getCertificate(serverName);
+        if (trust.requireCertificate && !cert) {
+            return { decision: 'deny-no-cert', reason: `No trust certificate found for "${serverName}"` };
+        }
+        // If no cert and not required, skip cert-dependent checks
+        if (!cert) {
+            // Apply global minimums if set — without a cert we can't verify
+            if (globalMinScore !== undefined || globalMinGrade !== undefined) {
+                return { decision: 'deny-no-cert', reason: `Trust score/grade required but no certificate available for "${serverName}"` };
+            }
+            return { decision: 'allow' };
+        }
+        if (!cert.verified) {
+            return { decision: 'deny-invalid-cert', reason: 'Certificate signature is invalid', trustScore: cert.certificate.trustScore.overall, grade: cert.certificate.trustScore.grade };
+        }
+        // Expiry check
+        if (new Date(cert.certificate.expiresAt) < new Date()) {
+            return { decision: 'deny-expired', reason: 'Certificate has expired', trustScore: cert.certificate.trustScore.overall, grade: cert.certificate.trustScore.grade };
+        }
+        const score = cert.certificate.trustScore.overall;
+        const grade = cert.certificate.trustScore.grade;
+        // Score checks (server-specific overrides global)
+        const minScore = trust.minScore ?? globalMinScore;
+        if (minScore !== undefined && score < minScore) {
+            return { decision: 'deny-score', reason: `Trust score ${score} is below minimum ${minScore}`, trustScore: score, grade };
+        }
+        // Grade checks
+        const minGrade = trust.minGrade ?? globalMinGrade;
+        if (minGrade && !gradeAtLeast(grade, minGrade)) {
+            return { decision: 'deny-grade', reason: `Grade ${grade} is below minimum ${minGrade}`, trustScore: score, grade };
+        }
+        // Finding limits
+        const summary = cert.certificate.findingSummary;
+        if (trust.maxFindingsCritical !== undefined && summary.critical > trust.maxFindingsCritical) {
+            return { decision: 'deny-findings', reason: `${summary.critical} critical findings exceeds max ${trust.maxFindingsCritical}`, trustScore: score, grade };
+        }
+        if (trust.maxFindingsHigh !== undefined && summary.high > trust.maxFindingsHigh) {
+            return { decision: 'deny-findings', reason: `${summary.high} high findings exceeds max ${trust.maxFindingsHigh}`, trustScore: score, grade };
+        }
+        // Permission checks
+        if (trust.allowedPermissions) {
+            const forbidden = cert.certificate.permissions.filter(p => !trust.allowedPermissions.includes(p));
+            if (forbidden.length > 0) {
+                return { decision: 'deny-permissions', reason: `Forbidden permissions detected: ${forbidden.join(', ')}`, trustScore: score, grade };
+            }
+        }
+        if (trust.blockedPermissions) {
+            const blocked = cert.certificate.permissions.filter(p => trust.blockedPermissions.includes(p));
+            if (blocked.length > 0) {
+                return { decision: 'deny-permissions', reason: `Blocked permissions detected: ${blocked.join(', ')}`, trustScore: score, grade };
+            }
+        }
+        return { decision: 'allow', trustScore: score, grade };
+    }
+    // ─── Helpers ────────────────────────────────────────────────────
+    async audit(request, decision, reason) {
+        await this.auditLog.log({
+            eventType: decision === 'allow' ? 'session_created' : 'handshake_failed',
+            actorDid: request.callerId,
+            result: decision === 'allow' || decision === 'warn' ? 'success' : 'failure',
+            metadata: {
+                server: request.serverName,
+                tool: request.toolName,
+                decision,
+                reason,
+            },
+        });
+    }
+    makeResponse(request, decision, reason, startTime) {
+        this.audit(request, decision, reason);
+        return {
+            allowed: false,
+            decision,
+            reason,
+            serverName: request.serverName,
+            toolName: request.toolName,
+            latencyMs: performance.now() - startTime,
+        };
+    }
+}
+//# sourceMappingURL=gateway.js.map

package/dist/gateway.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"gateway.js","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAE/C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAyC9C,wEAAwE;AAExE,MAAM,WAAW;IAIL;IACA;IAJF,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAExE,YACU,WAAmB,EACnB,QAAgB;QADhB,gBAAW,GAAX,WAAW,CAAQ;QACnB,aAAQ,GAAR,QAAQ,CAAQ;IACvB,CAAC;IAEJ,KAAK,CAAC,GAAW;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEpC,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAClD,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAElD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,MAAM;QAC1C,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS;YACjC,CAAC,CAAC,UAAU,CAAC;IAEf,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;AAC3B,CAAC;AAED,wEAAwE;AAExE,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;AAE7E,SAAS,YAAY,CAAC,MAAc,EAAE,QAAgB;IACpD,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,wEAAwE;AAExE,MAAM,OAAO,YAAY;IACf,MAAM,CAAgB;IACtB,UAAU,CAAa;IACvB,QAAQ,CAAW;IACnB,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,KAAK,GAAG;QACd,aAAa,EAAE,CAAC;QAChB,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,CAAC;QACT,MAAM,EAAE,CAAC;KACV,CAAC;IAEF,YAAY,MAAqB,EAAE,UAAuB,EAAE,QAAmB;QAC7E,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,IAAI,UAAU,EAAE,CAAC;QACjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,IAAI,QAAQ,CAAC;YACvC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,gCAAgC;SACpE,CAAC,CAAC;QAEH,2CAA2C;QAC3C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC3D,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,OAAuB;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QAE3B,yBAAyB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,qBAAqB,EACrD,WAAW,OAAO,CAAC,UAAU,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAC/D,CAAC;QAED,mBAAmB;QACnB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC1D,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,KAAK,CAAC,CAAC;QACrF,CAAC;QAED,8BAA8B;QAC9B,IAAI,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,mBAAmB,EACnD,SAAS,OAAO,CAAC,QAAQ,4BAA4B,OAAO,CAAC,UAAU,GAAG,EAAE,KAAK,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,kBAAkB,EAClD,SAAS,OAAO,CAAC,QAAQ,4CAA4C,OAAO,CAAC,UAAU,GAAG,EAAE,KAAK,CAAC,CAAC;QACvG,CAAC;QAED,qBAAqB;QACrB,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAEhE,IAAI,WAAW,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC9C,kCAAkC;gBAClC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;gBACtD,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,UAAU,WAAW,CAAC,MAAM,EAAE;oBACtC,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU,EAAE,WAAW,CAAC,UAAU;oBAClC,KAAK,EAAE,WAAW,CAAC,KAAK;oBACxB,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACrC,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,UAAU,EAAE,WAAW,CAAC,UAAU;gBAClC,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;aACrC,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEnC,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,WAAW,CAAC,UAAU;YAClC,KAAK,EAAE,WAAW,CAAC,KAAK;YACxB,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACrC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED,mEAAmE;IAE3D,UAAU,CAChB,UAAkB,EAClB,MAAoB;QAEpB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACjC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC;QACzD,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;QAEpD,mCAAmC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAExD,IAAI,KAAK,CAAC,kBAAkB,IAAI,CAAC,IAAI,EAAE,CAAC;YACtC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,mCAAmC,UAAU,GAAG,EAAE,CAAC;QAChG,CAAC;QAED,0DAA0D;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,gEAAgE;YAChE,IAAI,cAAc,KAAK,SAAS,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBACjE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,gEAAgE,UAAU,GAAG,EAAE,CAAC;YAC7H,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,kCAAkC,EAAE,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAClL,CAAC;QAED,eAAe;QACf,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACtD,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,yBAAyB,EAAE,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACpK,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC;QAClD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC;QAEhD,kDAAkD;QAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,cAAc,CAAC;QAClD,IAAI,QAAQ,KAAK,SAAS,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;YAC/C,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,eAAe,KAAK,qBAAqB,QAAQ,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC3H,CAAC;QAED,eAAe;QACf,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,cAAc,CAAC;QAClD,IAAI,QAAQ,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,KAAK,qBAAqB,QAAQ,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QACrH,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC;QAChD,IAAI,KAAK,CAAC,mBAAmB,KAAK,SAAS,IAAI,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC,mBAAmB,EAAE,CAAC;YAC5F,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,QAAQ,kCAAkC,KAAK,CAAC,mBAAmB,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC3J,CAAC;QACD,IAAI,KAAK,CAAC,eAAe,KAAK,SAAS,IAAI,OAAO,CAAC,IAAI,GAAG,KAAK,CAAC,eAAe,EAAE,CAAC;YAChF,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,8BAA8B,KAAK,CAAC,eAAe,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC/I,CAAC;QAED,oBAAoB;QACpB,IAAI,KAAK,CAAC,kBAAkB,EAAE,CAAC;YAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACnG,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzB,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,EAAE,mCAAmC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;YACvI,CAAC;QACH,CAAC;QACD,IAAI,KAAK,CAAC,kBAAkB,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,kBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAChG,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,EAAE,iCAAiC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;YACnI,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;IAED,mEAAmE;IAE3D,KAAK,CAAC,KAAK,CACjB,OAAuB,EACvB,QAAuB,EACvB,MAAe;QAEf,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YACtB,SAAS,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,kBAAkB;YACxE,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,MAAM,EAAE,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YAC3E,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO,CAAC,UAAU;gBAC1B,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACtB,QAAQ;gBACR,MAAM;aACP;SACF,CAAC,CAAC;IACL,CAAC;IAEO,YAAY,CAClB,OAAuB,EACvB,QAAuB,EACvB,MAAc,EACd,SAAiB;QAEjB,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ;YACR,MAAM;YACN,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;SACzC,CAAC;IACJ,CAAC;CACF"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * @sentinel-atl/trust-gateway — YAML-Configured MCP Trust Gateway
+ *
+ * A runtime trust enforcement proxy for MCP servers.
+ * Reads a sentinel.yaml config file and enforces trust policies:
+ *
+ *   Client → [Trust Gateway: verify STC, check score, enforce permissions] → MCP Server
+ *
+ * Usage:
+ *   sentinel-gateway --config sentinel.yaml
+ */
+export { loadConfig, validateConfig, type GatewayConfig, type ServerPolicy, type TrustRequirements, } from './config.js';
+export { TrustGateway, type GatewayRequest, type GatewayResponse, type TrustDecision, } from './gateway.js';
+export { TrustStore, type StoredCertificate, type TrustStoreOptions, } from './trust-store.js';
+export { TrustGatewayProxy, type ProxyOptions, } from './proxy.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,UAAU,EACV,cAAc,EACd,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,EACZ,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,aAAa,GACnB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,UAAU,EACV,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,iBAAiB,EACjB,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * @sentinel-atl/trust-gateway — YAML-Configured MCP Trust Gateway
+ *
+ * A runtime trust enforcement proxy for MCP servers.
+ * Reads a sentinel.yaml config file and enforces trust policies:
+ *
+ *   Client → [Trust Gateway: verify STC, check score, enforce permissions] → MCP Server
+ *
+ * Usage:
+ *   sentinel-gateway --config sentinel.yaml
+ */
+export { loadConfig, validateConfig, } from './config.js';
+export { TrustGateway, } from './gateway.js';
+export { TrustStore, } from './trust-store.js';
+export { TrustGatewayProxy, } from './proxy.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,UAAU,EACV,cAAc,GAIf,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,GAIb,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,UAAU,GAGX,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,iBAAiB,GAElB,MAAM,YAAY,CAAC"}

package/dist/proxy.d.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Trust Gateway HTTP Proxy — sits between MCP client and server,
+ * enforcing trust policies on every tool call.
+ *
+ * Supports upstream protocols:
+ *   - http:// / https://  → SSE-based MCP server
+ *   - stdio://             → stdio-based MCP server (spawns child process)
+ *
+ * Endpoints exposed:
+ *   GET  /sse              → SSE stream (proxied from upstream)
+ *   POST /message          → JSON-RPC message relay (tool calls pass through trust engine)
+ *   GET  /health           → Proxy health
+ *   GET  /stats            → Gateway stats
+ */
+import { TrustGateway } from './gateway.js';
+import type { GatewayConfig } from './config.js';
+import { TrustStore } from './trust-store.js';
+import { type AuthConfig, type CorsConfig, type TlsConfig } from '@sentinel-atl/hardening';
+export interface ProxyOptions {
+    /** Gateway config */
+    config: GatewayConfig;
+    /** Pre-configured trust store (optional) */
+    trustStore?: TrustStore;
+    /** Default caller ID when none provided */
+    defaultCallerId?: string;
+    /** API key authentication config */
+    auth?: AuthConfig;
+    /** CORS configuration */
+    cors?: CorsConfig;
+    /** TLS configuration */
+    tls?: TlsConfig;
+}
+export declare class TrustGatewayProxy {
+    private server;
+    private gateway;
+    private config;
+    private sseClients;
+    private stdioUpstreams;
+    private defaultCallerId;
+    private authConfig;
+    private corsConfig;
+    private tlsConfig?;
+    private globalRateLimiter?;
+    constructor(options: ProxyOptions);
+    getGateway(): TrustGateway;
+    /**
+     * Start the HTTP proxy server.
+     */
+    start(): Promise<{
+        port: number;
+    }>;
+    /**
+     * Stop the proxy and clean up.
+     */
+    stop(): Promise<void>;
+    private handleRequest;
+    private handleHealth;
+    private handleStats;
+    private handleSSE;
+    private sendSSEEvent;
+    private handleMessage;
+    private findUpstream;
+    private forwardToUpstream;
+    private forwardHttp;
+    private connectStdio;
+    private forwardStdio;
+}
+//# sourceMappingURL=proxy.d.ts.map

package/dist/proxy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../src/proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,EAAE,YAAY,EAAwB,MAAM,cAAc,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAgB,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAOL,KAAK,UAAU,EAAE,KAAK,UAAU,EAAE,KAAK,SAAS,EACjD,MAAM,yBAAyB,CAAC;AAIjC,MAAM,WAAW,YAAY;IAC3B,qBAAqB;IACrB,MAAM,EAAE,aAAa,CAAC;IACtB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,2CAA2C;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oCAAoC;IACpC,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,yBAAyB;IACzB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,wBAAwB;IACxB,GAAG,CAAC,EAAE,SAAS,CAAC;CACjB;AAgBD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,OAAO,CAAe;IAC9B,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,cAAc,CAAoC;IAC1D,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,SAAS,CAAC,CAAY;IAC9B,OAAO,CAAC,iBAAiB,CAAC,CAAsB;gBAEpC,OAAO,EAAE,YAAY;IAejC,UAAU,IAAI,YAAY;IAI1B;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAuBxC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B3B,OAAO,CAAC,aAAa;IAiCrB,OAAO,CAAC,YAAY;IAcpB,OAAO,CAAC,WAAW;IAOnB,OAAO,CAAC,SAAS;IA0BjB,OAAO,CAAC,YAAY;YAMN,aAAa;IAgI3B,OAAO,CAAC,YAAY;YAMN,iBAAiB;YAcjB,WAAW;IAqBzB,OAAO,CAAC,YAAY;IAoDpB,OAAO,CAAC,YAAY;CAqBrB"}