@skillsmith/mcp-server 0.1.0

package/dist/src/middleware/csp.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Content Security Policy middleware and utilities for MCP server
+ *
+ * While the MCP server currently uses stdio transport, these utilities
+ * provide CSP support for potential HTTP transport scenarios.
+ */
+/**
+ * CSP directive types
+ */
+export interface CspDirectives {
+    'default-src'?: string[];
+    'script-src'?: string[];
+    'style-src'?: string[];
+    'img-src'?: string[];
+    'font-src'?: string[];
+    'connect-src'?: string[];
+    'media-src'?: string[];
+    'object-src'?: string[];
+    'frame-src'?: string[];
+    'worker-src'?: string[];
+    'form-action'?: string[];
+    'frame-ancestors'?: string[];
+    'base-uri'?: string[];
+    'manifest-src'?: string[];
+    sandbox?: string[];
+    'report-uri'?: string[];
+    'report-to'?: string;
+    'require-trusted-types-for'?: string[];
+    'upgrade-insecure-requests'?: boolean;
+    'block-all-mixed-content'?: boolean;
+}
+/**
+ * CSP validation result with details
+ */
+export interface CspValidationResult {
+    valid: boolean;
+    warnings: string[];
+    errors: string[];
+}
+/**
+ * Default CSP directives for MCP server
+ */
+export declare const DEFAULT_CSP_DIRECTIVES: CspDirectives;
+/**
+ * Strict CSP directives for maximum security
+ */
+export declare const STRICT_CSP_DIRECTIVES: CspDirectives;
+/**
+ * Generates a cryptographically secure nonce for CSP
+ * @returns A 32-character base64 nonce
+ */
+export declare function generateNonce(): string;
+/**
+ * Converts CSP directives object to a CSP header string
+ * @param directives - The CSP directives to convert
+ * @param nonce - Optional nonce to add to script-src and style-src
+ * @returns The CSP header value
+ */
+export declare function buildCspHeader(directives: CspDirectives, nonce?: string): string;
+/**
+ * Validates a CSP header string
+ * @param csp - The CSP header string to validate
+ * @returns true if valid, false otherwise
+ */
+export declare function validateCspHeader(csp: string): boolean;
+/**
+ * Validates a CSP header string with detailed results
+ * @param csp - The CSP header string to validate
+ * @returns Detailed validation result with warnings and errors
+ */
+export declare function validateCspHeaderDetailed(csp: string): CspValidationResult;
+/**
+ * HTTP middleware function for adding CSP headers
+ * This can be used if the MCP server adds HTTP transport in the future
+ */
+export declare function cspMiddleware(directives?: CspDirectives): (req: any, res: any, next: () => void) => void;
+/**
+ * Gets CSP configuration for different environments
+ *
+ * NOTE: Test environment uses relaxed CSP for testing purposes.
+ * Production code should always use STRICT_CSP_DIRECTIVES.
+ *
+ * @param env - The environment (development, production, test)
+ * @returns The appropriate CSP directives
+ */
+export declare function getCspForEnvironment(env?: string): CspDirectives;
+//# sourceMappingURL=csp.d.ts.map

package/dist/src/middleware/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../../src/middleware/csp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;IACpB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC5B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;IACrB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAA;IACtC,2BAA2B,CAAC,EAAE,OAAO,CAAA;IACrC,yBAAyB,CAAC,EAAE,OAAO,CAAA;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,OAAO,CAAA;IACd,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAgBpC,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,aAkBnC,CAAA;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAGtC;AAaD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CA+BhF;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAGtD;AA6BD;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,GAAG,mBAAmB,CAiG1E;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,UAAU,GAAE,aAAsC,IACtE,KAAK,GAAG,EAAE,KAAK,GAAG,EAAE,MAAM,MAAM,IAAI,UAe7C;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,GAAE,MAAqB,GAAG,aAAa,CA2B9E"}

package/dist/src/middleware/csp.js

@@ -0,0 +1,273 @@
+/**
+ * Content Security Policy middleware and utilities for MCP server
+ *
+ * While the MCP server currently uses stdio transport, these utilities
+ * provide CSP support for potential HTTP transport scenarios.
+ */
+import { randomBytes } from 'node:crypto';
+/**
+ * Default CSP directives for MCP server
+ */
+export const DEFAULT_CSP_DIRECTIVES = {
+    'default-src': ["'self'"],
+    'script-src': ["'self'"],
+    'style-src': ["'self'"],
+    'img-src': ["'self'", 'data:', 'https:'],
+    'font-src': ["'self'"],
+    'connect-src': ["'self'"],
+    'media-src': ["'self'"],
+    'object-src': ["'none'"],
+    'frame-src': ["'none'"],
+    'worker-src': ["'self'"],
+    'form-action': ["'self'"],
+    'frame-ancestors': ["'none'"],
+    'base-uri': ["'self'"],
+    'upgrade-insecure-requests': true,
+    'block-all-mixed-content': true,
+};
+/**
+ * Strict CSP directives for maximum security
+ */
+export const STRICT_CSP_DIRECTIVES = {
+    'default-src': ["'none'"],
+    'script-src': ["'self'"],
+    'style-src': ["'self'"],
+    'img-src': ["'self'", 'data:'],
+    'font-src': ["'self'"],
+    'connect-src': ["'self'"],
+    'media-src': ["'none'"],
+    'object-src': ["'none'"],
+    'frame-src': ["'none'"],
+    'worker-src': ["'none'"],
+    'form-action': ["'none'"],
+    'frame-ancestors': ["'none'"],
+    'base-uri': ["'none'"],
+    'manifest-src': ["'self'"],
+    'require-trusted-types-for': ["'script'"],
+    'upgrade-insecure-requests': true,
+    'block-all-mixed-content': true,
+};
+/**
+ * Generates a cryptographically secure nonce for CSP
+ * @returns A 32-character base64 nonce
+ */
+export function generateNonce() {
+    // Use Node.js crypto.randomBytes for cryptographically secure random bytes
+    return randomBytes(16).toString('base64');
+}
+/**
+ * Sanitize a CSP source value to prevent directive injection
+ * @param source - The source value to sanitize
+ * @returns Sanitized source value
+ */
+function sanitizeCspSource(source) {
+    // Remove characters that could be used for injection
+    // CSP sources should not contain ; (directive separator) or newlines
+    return source.replace(/[;\r\n]/g, '');
+}
+/**
+ * Converts CSP directives object to a CSP header string
+ * @param directives - The CSP directives to convert
+ * @param nonce - Optional nonce to add to script-src and style-src
+ * @returns The CSP header value
+ */
+export function buildCspHeader(directives, nonce) {
+    const parts = [];
+    for (const [directive, value] of Object.entries(directives)) {
+        // Sanitize directive name (should be alphanumeric with hyphens only)
+        const sanitizedDirective = directive.replace(/[^a-zA-Z0-9-]/g, '');
+        if (typeof value === 'boolean') {
+            if (value) {
+                parts.push(sanitizedDirective);
+            }
+        }
+        else if (typeof value === 'string') {
+            // Handle string directives like report-to
+            const sanitizedValue = sanitizeCspSource(value);
+            parts.push(`${sanitizedDirective} ${sanitizedValue}`);
+        }
+        else if (Array.isArray(value)) {
+            const sources = value.map(sanitizeCspSource);
+            // Add nonce to script-src and style-src if provided
+            if (nonce && (directive === 'script-src' || directive === 'style-src')) {
+                // Validate nonce format (base64)
+                if (/^[A-Za-z0-9+/=]+$/.test(nonce)) {
+                    sources.push(`'nonce-${nonce}'`);
+                }
+            }
+            parts.push(`${sanitizedDirective} ${sources.join(' ')}`);
+        }
+    }
+    return parts.join('; ');
+}
+/**
+ * Validates a CSP header string
+ * @param csp - The CSP header string to validate
+ * @returns true if valid, false otherwise
+ */
+export function validateCspHeader(csp) {
+    const result = validateCspHeaderDetailed(csp);
+    return result.valid;
+}
+/**
+ * Parse CSP header into directives map
+ * @param csp - The CSP header string
+ * @returns Map of directive name to values
+ */
+function parseCspDirectives(csp) {
+    const directives = new Map();
+    const parts = csp
+        .split(';')
+        .map((p) => p.trim())
+        .filter((p) => p.length > 0);
+    for (const part of parts) {
+        const spaceIndex = part.indexOf(' ');
+        if (spaceIndex === -1) {
+            // Directive without value (e.g., upgrade-insecure-requests)
+            directives.set(part.toLowerCase(), '');
+        }
+        else {
+            const name = part.substring(0, spaceIndex).toLowerCase();
+            const value = part.substring(spaceIndex + 1);
+            directives.set(name, value);
+        }
+    }
+    return directives;
+}
+/**
+ * Validates a CSP header string with detailed results
+ * @param csp - The CSP header string to validate
+ * @returns Detailed validation result with warnings and errors
+ */
+export function validateCspHeaderDetailed(csp) {
+    const result = {
+        valid: true,
+        warnings: [],
+        errors: [],
+    };
+    if (!csp || typeof csp !== 'string') {
+        result.valid = false;
+        result.errors.push('CSP header must be a non-empty string');
+        return result;
+    }
+    // Parse directives for per-directive analysis
+    const directives = parseCspDirectives(csp);
+    const lowercaseCsp = csp.toLowerCase();
+    // Check for unsafe-eval in script-src or default-src (per-directive check)
+    const scriptSrc = directives.get('script-src') || '';
+    const defaultSrc = directives.get('default-src') || '';
+    if (scriptSrc.includes("'unsafe-eval'") || defaultSrc.includes("'unsafe-eval'")) {
+        result.warnings.push('unsafe-eval detected in script-src or default-src - allows arbitrary code execution');
+        console.warn('[CSP] Warning: unsafe-eval detected in CSP policy');
+    }
+    // Check for unsafe-inline WITHOUT nonce in the SAME directive (per-directive check)
+    // This is the correct check - unsafe-inline in script-src is only mitigated by nonce in script-src
+    if (scriptSrc.includes("'unsafe-inline'") && !scriptSrc.includes("'nonce-")) {
+        result.warnings.push('unsafe-inline without nonce in script-src - vulnerable to XSS');
+        console.warn('[CSP] Warning: unsafe-inline without nonce detected in script-src');
+    }
+    const styleSrc = directives.get('style-src') || '';
+    if (styleSrc.includes("'unsafe-inline'") && !styleSrc.includes("'nonce-")) {
+        result.warnings.push('unsafe-inline without nonce in style-src - vulnerable to CSS injection');
+        console.warn('[CSP] Warning: unsafe-inline without nonce detected in style-src');
+    }
+    // Check for wildcard sources in sensitive directives
+    const sensitiveDirectives = ['script-src', 'style-src', 'object-src', 'base-uri'];
+    for (const directive of sensitiveDirectives) {
+        const directiveValue = directives.get(directive) || '';
+        // Check for standalone wildcard (not part of *.example.com)
+        if (/(?:^|\s)\*(?:\s|$)/.test(directiveValue)) {
+            result.warnings.push(`Wildcard (*) in ${directive} is overly permissive`);
+        }
+    }
+    // Check for data: URI in script-src (XSS risk)
+    if (scriptSrc.includes('data:')) {
+        result.warnings.push('data: URI in script-src allows XSS attacks');
+    }
+    // Check for blob: and filesystem: in script-src (XSS risk)
+    if (scriptSrc.includes('blob:')) {
+        result.warnings.push('blob: URI in script-src can be used for XSS');
+    }
+    if (scriptSrc.includes('filesystem:')) {
+        result.warnings.push('filesystem: URI in script-src can be used for XSS');
+    }
+    // Verify object-src is properly restricted (Flash/plugin attacks)
+    const objectSrc = directives.get('object-src') || '';
+    if (directives.has('object-src')) {
+        if (!objectSrc.includes("'none'") && !objectSrc.includes("'self'")) {
+            // Check if it has potentially dangerous values
+            if (objectSrc.includes('*') || objectSrc.includes('data:') || objectSrc.includes('blob:')) {
+                result.warnings.push('object-src has permissive values - vulnerable to plugin-based attacks');
+            }
+            else if (objectSrc.trim() !== '') {
+                result.warnings.push('object-src should be restricted to prevent plugin-based attacks');
+            }
+        }
+    }
+    // Check for missing default-src (fallback for other directives)
+    if (!directives.has('default-src')) {
+        result.warnings.push('Missing default-src - other directives may fall back to permissive defaults');
+    }
+    // Should have at least one directive
+    if (!csp.includes('-src') &&
+        !csp.includes('upgrade-insecure-requests') &&
+        !csp.includes('sandbox')) {
+        result.valid = false;
+        result.errors.push('CSP must contain at least one valid directive');
+    }
+    return result;
+}
+/**
+ * HTTP middleware function for adding CSP headers
+ * This can be used if the MCP server adds HTTP transport in the future
+ */
+export function cspMiddleware(directives = DEFAULT_CSP_DIRECTIVES) {
+    return (req, res, next) => {
+        const nonce = generateNonce();
+        const cspHeader = buildCspHeader(directives, nonce);
+        // Set CSP header
+        res.setHeader('Content-Security-Policy', cspHeader);
+        // Add nonce to response locals for use in templates
+        if (!res.locals) {
+            res.locals = {};
+        }
+        res.locals.cspNonce = nonce;
+        next();
+    };
+}
+/**
+ * Gets CSP configuration for different environments
+ *
+ * NOTE: Test environment uses relaxed CSP for testing purposes.
+ * Production code should always use STRICT_CSP_DIRECTIVES.
+ *
+ * @param env - The environment (development, production, test)
+ * @returns The appropriate CSP directives
+ */
+export function getCspForEnvironment(env = 'production') {
+    switch (env) {
+        case 'development':
+            // Slightly relaxed for development - only unsafe-eval for dev tools
+            // Still maintains object-src: 'none' for plugin protection
+            return {
+                ...DEFAULT_CSP_DIRECTIVES,
+                'script-src': ["'self'", "'unsafe-eval'"], // Allow eval for dev tools
+                'object-src': ["'none'"], // Always restrict plugins
+            };
+        case 'test':
+            // More permissive for testing, but maintain critical security restrictions
+            // Note: Tests requiring unsafe-inline should use nonces instead for better security testing
+            return {
+                ...DEFAULT_CSP_DIRECTIVES,
+                'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+                'style-src': ["'self'", "'unsafe-inline'"],
+                'object-src': ["'none'"], // Always restrict plugins even in test
+                'frame-ancestors': ["'none'"], // Prevent clickjacking even in test
+            };
+        case 'production':
+        default:
+            // Strict for production
+            return STRICT_CSP_DIRECTIVES;
+    }
+}
+//# sourceMappingURL=csp.js.map

package/dist/src/middleware/csp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.js","sourceRoot":"","sources":["../../../src/middleware/csp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAqCzC;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAkB;IACnD,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;IACxC,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;IAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,2BAA2B,EAAE,IAAI;IACjC,yBAAyB,EAAE,IAAI;CAChC,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAkB;IAClD,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,WAAW,EAAE,CAAC,QAAQ,CAAC;IACvB,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,aAAa,EAAE,CAAC,QAAQ,CAAC;IACzB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;IAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;IACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;IAC1B,2BAA2B,EAAE,CAAC,UAAU,CAAC;IACzC,2BAA2B,EAAE,IAAI;IACjC,yBAAyB,EAAE,IAAI;CAChC,CAAA;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa;IAC3B,2EAA2E;IAC3E,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAC3C,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,MAAc;IACvC,qDAAqD;IACrD,qEAAqE;IACrE,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,UAAyB,EAAE,KAAc;IACtE,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,qEAAqE;QACrE,MAAM,kBAAkB,GAAG,SAAS,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAA;QAElE,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAA;YAChC,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,0CAA0C;YAC1C,MAAM,cAAc,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAA;YAC/C,KAAK,CAAC,IAAI,CAAC,GAAG,kBAAkB,IAAI,cAAc,EAAE,CAAC,CAAA;QACvD,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;YAE5C,oDAAoD;YACpD,IAAI,KAAK,IAAI,CAAC,SAAS,KAAK,YAAY,IAAI,SAAS,KAAK,WAAW,CAAC,EAAE,CAAC;gBACvE,iCAAiC;gBACjC,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACpC,OAAO,CAAC,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,CAAA;gBAClC,CAAC;YACH,CAAC;YAED,KAAK,CAAC,IAAI,CAAC,GAAG,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC1D,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,MAAM,MAAM,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAA;IAC7C,OAAO,MAAM,CAAC,KAAK,CAAA;AACrB,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAA;IAC5C,MAAM,KAAK,GAAG,GAAG;SACd,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAE9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACpC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,4DAA4D;YAC5D,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAA;QACxC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,WAAW,EAAE,CAAA;YACxD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,GAAG,CAAC,CAAC,CAAA;YAC5C,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAW;IACnD,MAAM,MAAM,GAAwB;QAClC,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,EAAE;QACZ,MAAM,EAAE,EAAE;KACX,CAAA;IAED,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;QACpB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAA;QAC3D,OAAO,MAAM,CAAA;IACf,CAAC;IAED,8CAA8C;IAC9C,MAAM,UAAU,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,YAAY,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAEtC,2EAA2E;IAC3E,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IACpD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAA;IAEtD,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAChF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,qFAAqF,CACtF,CAAA;QACD,OAAO,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAA;IACnE,CAAC;IAED,oFAAoF;IACpF,mGAAmG;IACnG,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAA;QACrF,OAAO,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAA;IACnF,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAA;IAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAA;QAC9F,OAAO,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAA;IAClF,CAAC;IAED,qDAAqD;IACrD,MAAM,mBAAmB,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAC,CAAA;IACjF,KAAK,MAAM,SAAS,IAAI,mBAAmB,EAAE,CAAC;QAC5C,MAAM,cAAc,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAA;QACtD,4DAA4D;QAC5D,IAAI,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YAC9C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,SAAS,uBAAuB,CAAC,CAAA;QAC3E,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAA;IACpE,CAAC;IAED,2DAA2D;IAC3D,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAA;IACrE,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACtC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAA;IAC3E,CAAC;IAED,kEAAkE;IAClE,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IACpD,IAAI,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnE,+CAA+C;YAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1F,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,uEAAuE,CACxE,CAAA;YACH,CAAC;iBAAM,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAA;YACzF,CAAC;QACH,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,6EAA6E,CAC9E,CAAA;IACH,CAAC;IAED,qCAAqC;IACrC,IACE,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QACrB,CAAC,GAAG,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC1C,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EACxB,CAAC;QACD,MAAM,CAAC,KAAK,GAAG,KAAK,CAAA;QACpB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAA;IACrE,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,aAA4B,sBAAsB;IAC9E,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAgB,EAAE,EAAE;QAC9C,MAAM,KAAK,GAAG,aAAa,EAAE,CAAA;QAC7B,MAAM,SAAS,GAAG,cAAc,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;QAEnD,iBAAiB;QACjB,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,SAAS,CAAC,CAAA;QAEnD,oDAAoD;QACpD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;YAChB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAA;QACjB,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAA;QAE3B,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,YAAY;IAC7D,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,aAAa;YAChB,oEAAoE;YACpE,2DAA2D;YAC3D,OAAO;gBACL,GAAG,sBAAsB;gBACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,2BAA2B;gBACtE,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,0BAA0B;aACrD,CAAA;QAEH,KAAK,MAAM;YACT,2EAA2E;YAC3E,4FAA4F;YAC5F,OAAO;gBACL,GAAG,sBAAsB;gBACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,iBAAiB,EAAE,eAAe,CAAC;gBAC5D,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;gBAC1C,YAAY,EAAE,CAAC,QAAQ,CAAC,EAAE,uCAAuC;gBACjE,iBAAiB,EAAE,CAAC,QAAQ,CAAC,EAAE,oCAAoC;aACpE,CAAA;QAEH,KAAK,YAAY,CAAC;QAClB;YACE,wBAAwB;YACxB,OAAO,qBAAqB,CAAA;IAChC,CAAC;AACH,CAAC"}

package/dist/src/middleware/degradation.d.ts

@@ -0,0 +1,99 @@
+/**
+ * SMI-1060: Graceful Degradation Middleware
+ *
+ * Middleware that wraps tool handlers with graceful degradation,
+ * returning helpful messages instead of hard errors when features
+ * are unavailable.
+ */
+import { type LicenseMiddleware } from './license.js';
+import { type FeatureFlag } from './toolFeatureMapping.js';
+/**
+ * MCP tool request structure
+ */
+export interface McpToolRequest {
+    name: string;
+    arguments: Record<string, unknown>;
+}
+/**
+ * MCP tool response structure
+ */
+export interface McpToolResponse {
+    content: Array<{
+        type: 'text';
+        text: string;
+    }>;
+    isError?: boolean;
+    _meta?: Record<string, unknown>;
+}
+/**
+ * Tool handler function type
+ */
+export type ToolHandler<T = unknown> = (request: McpToolRequest) => Promise<T>;
+/**
+ * Degradation event for logging
+ */
+export interface DegradationLogEvent {
+    timestamp: string;
+    toolName: string;
+    feature: FeatureFlag | null;
+    tier: 'community' | 'team' | 'enterprise';
+    action: 'allowed' | 'degraded' | 'error';
+    message?: string;
+}
+/**
+ * Degradation logger interface
+ */
+export interface DegradationLogger {
+    log(event: DegradationLogEvent): void;
+}
+/**
+ * Degradation middleware options
+ */
+export interface DegradationMiddlewareOptions {
+    /** License middleware instance */
+    licenseMiddleware?: LicenseMiddleware;
+    /** Logger for degradation events */
+    logger?: DegradationLogger;
+    /** Enable verbose logging */
+    verbose?: boolean;
+    /** Custom upgrade URL base */
+    upgradeUrlBase?: string;
+}
+/**
+ * Console logger for degradation events
+ */
+export declare const consoleDegradationLogger: DegradationLogger;
+/**
+ * Get tier comparison message
+ */
+export declare function getTierComparisonMessage(): string;
+/**
+ * Create the degradation middleware
+ *
+ * This middleware wraps tool handlers to provide graceful degradation
+ * when features are unavailable due to license restrictions.
+ *
+ * @param options - Middleware configuration options
+ * @returns Middleware wrapper function
+ *
+ * @example
+ * ```typescript
+ * const middleware = createDegradationMiddleware({
+ *   logger: consoleDegradationLogger,
+ *   verbose: true,
+ * });
+ *
+ * const wrappedHandler = middleware.wrapHandler('audit_query', originalHandler);
+ * ```
+ */
+export declare function createDegradationMiddleware(options?: DegradationMiddlewareOptions): {
+    wrapHandler: <T>(toolName: string, handler: ToolHandler<T>, request: McpToolRequest) => Promise<T | McpToolResponse>;
+    createWrappedHandler: <T>(toolName: string, handler: ToolHandler<T>) => (request: McpToolRequest) => Promise<T | McpToolResponse>;
+    wouldDegrade: (toolName: string) => Promise<boolean>;
+    getDegradationStatus: () => Promise<Map<string, boolean>>;
+    getUpgradePrompt: (toolName: string) => Promise<string | null>;
+    getTierComparisonMessage: typeof getTierComparisonMessage;
+    licenseMiddleware: LicenseMiddleware;
+};
+export type DegradationMiddleware = ReturnType<typeof createDegradationMiddleware>;
+//# sourceMappingURL=degradation.d.ts.map

package/dist/src/middleware/degradation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"degradation.d.ts","sourceRoot":"","sources":["../../../src/middleware/degradation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,KAAK,iBAAiB,EAIvB,MAAM,cAAc,CAAA;AACrB,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,yBAAyB,CAAA;AA0ChC;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC;AAED;;GAEG;AACH,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,CAAA;AAE9E;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,EAAE,WAAW,GAAG,IAAI,CAAA;IAC3B,IAAI,EAAE,WAAW,GAAG,MAAM,GAAG,YAAY,CAAA;IACzC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,OAAO,CAAA;IACxC,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI,CAAA;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,kCAAkC;IAClC,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IACrC,oCAAoC;IACpC,MAAM,CAAC,EAAE,iBAAiB,CAAA;IAC1B,6BAA6B;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,8BAA8B;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAaD;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,iBAMtC,CAAA;AA8CD;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAyBjD;AAyFD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,2BAA2B,CAAC,OAAO,GAAE,4BAAiC;kBAOzD,CAAC,YAChB,MAAM,WACP,WAAW,CAAC,CAAC,CAAC,WACd,cAAc,KACtB,OAAO,CAAC,CAAC,GAAG,eAAe,CAAC;2BAyDD,CAAC,YACnB,MAAM,WACP,WAAW,CAAC,CAAC,CAAC,KACtB,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,CAAC,GAAG,eAAe,CAAC;6BAStB,MAAM,KAAG,OAAO,CAAC,OAAO,CAAC;gCAYxB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;iCAa1B,MAAM,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;;;EAqB1E;AAMD,MAAM,MAAM,qBAAqB,GAAG,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAA"}