@solongate/core 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,698 @@
+import { z, ZodTypeAny } from 'zod';
+
+/**
+ * Trust levels in the SolonGate security model.
+ *
+ * Core threat model principle: LLMs are UNTRUSTED by default.
+ * Trust is never assumed - it must be explicitly granted and is
+ * always scoped to specific capabilities.
+ *
+ * UNTRUSTED: Default for all LLM-originated requests. No permissions.
+ * VERIFIED: Passed schema validation and policy evaluation. May execute within granted scope.
+ * TRUSTED: System-internal only. NEVER assignable to LLM-originated requests.
+ */
+declare const TrustLevel: {
+    readonly UNTRUSTED: "UNTRUSTED";
+    readonly VERIFIED: "VERIFIED";
+    readonly TRUSTED: "TRUSTED";
+};
+type TrustLevel = (typeof TrustLevel)[keyof typeof TrustLevel];
+/**
+ * Validates that a trust level is a legitimate enum value.
+ * Prevents type confusion attacks where a string bypasses checks.
+ */
+declare function isValidTrustLevel(value: unknown): value is TrustLevel;
+/**
+ * Asserts that a trust level transition is valid.
+ * UNTRUSTED -> VERIFIED (via policy evaluation) is the only escalation path.
+ * TRUSTED is never reachable from external requests.
+ */
+declare function assertValidTransition(from: TrustLevel, to: TrustLevel): void;
+
+/**
+ * Permission types are ALWAYS evaluated independently.
+ * Having READ does NOT imply WRITE or EXECUTE.
+ */
+declare const Permission: {
+    readonly READ: "READ";
+    readonly WRITE: "WRITE";
+    readonly EXECUTE: "EXECUTE";
+};
+type Permission = (typeof Permission)[keyof typeof Permission];
+declare const PermissionSchema: z.ZodEnum<["READ", "WRITE", "EXECUTE"]>;
+/** Immutable set of permissions granted to a specific scope. */
+type PermissionSet = ReadonlySet<Permission>;
+/** Creates an immutable permission set from an array. */
+declare function createPermissionSet(permissions: Permission[]): PermissionSet;
+/** Empty permission set - the default for all new tools (default-deny). */
+declare const NO_PERMISSIONS: PermissionSet;
+/** Read-only permission set - the maximum default for new tools. */
+declare const READ_ONLY: PermissionSet;
+declare function hasPermission(permissions: PermissionSet, required: Permission): boolean;
+declare function hasAllPermissions(permissions: PermissionSet, required: Permission[]): boolean;
+/** Maps MCP protocol methods to SolonGate permission types. */
+declare function permissionForMethod(method: string): Permission;
+
+/**
+ * Policy effect: the only two outcomes of policy evaluation.
+ * No "MAYBE" or "CONDITIONAL" - binary security decisions only.
+ */
+declare const PolicyEffect: {
+    readonly ALLOW: "ALLOW";
+    readonly DENY: "DENY";
+};
+type PolicyEffect = (typeof PolicyEffect)[keyof typeof PolicyEffect];
+/**
+ * A single policy rule that matches against execution requests.
+ * Rules are evaluated by priority order. First matching rule wins.
+ * If NO rule matches, the result is DENY (default-deny).
+ */
+interface PolicyRule {
+    readonly id: string;
+    readonly description: string;
+    readonly effect: PolicyEffect;
+    readonly priority: number;
+    readonly toolPattern: string;
+    readonly permission: Permission;
+    readonly minimumTrustLevel: TrustLevel;
+    readonly argumentConstraints?: Record<string, unknown>;
+    readonly pathConstraints?: {
+        readonly allowed?: readonly string[];
+        readonly denied?: readonly string[];
+        readonly rootDirectory?: string;
+        readonly allowSymlinks?: boolean;
+    };
+    readonly commandConstraints?: {
+        readonly allowed?: readonly string[];
+        readonly denied?: readonly string[];
+    };
+    readonly enabled: boolean;
+    readonly createdAt: string;
+    readonly updatedAt: string;
+}
+/**
+ * A versioned, ordered set of policy rules.
+ * Modifications create new sets (immutable by convention).
+ */
+interface PolicySet {
+    readonly id: string;
+    readonly name: string;
+    readonly description: string;
+    readonly version: number;
+    readonly rules: readonly PolicyRule[];
+    readonly createdAt: string;
+    readonly updatedAt: string;
+}
+declare const PolicyRuleSchema: z.ZodObject<{
+    id: z.ZodString;
+    description: z.ZodString;
+    effect: z.ZodEnum<["ALLOW", "DENY"]>;
+    priority: z.ZodDefault<z.ZodNumber>;
+    toolPattern: z.ZodString;
+    permission: z.ZodEnum<["READ", "WRITE", "EXECUTE"]>;
+    minimumTrustLevel: z.ZodEnum<["UNTRUSTED", "VERIFIED", "TRUSTED"]>;
+    argumentConstraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    pathConstraints: z.ZodOptional<z.ZodObject<{
+        allowed: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        denied: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        rootDirectory: z.ZodOptional<z.ZodString>;
+        allowSymlinks: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+        rootDirectory?: string | undefined;
+        allowSymlinks?: boolean | undefined;
+    }, {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+        rootDirectory?: string | undefined;
+        allowSymlinks?: boolean | undefined;
+    }>>;
+    commandConstraints: z.ZodOptional<z.ZodObject<{
+        allowed: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        denied: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+    }, {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+    }>>;
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    createdAt: z.ZodString;
+    updatedAt: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    description: string;
+    effect: "ALLOW" | "DENY";
+    priority: number;
+    toolPattern: string;
+    permission: "READ" | "WRITE" | "EXECUTE";
+    minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+    enabled: boolean;
+    createdAt: string;
+    updatedAt: string;
+    argumentConstraints?: Record<string, unknown> | undefined;
+    pathConstraints?: {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+        rootDirectory?: string | undefined;
+        allowSymlinks?: boolean | undefined;
+    } | undefined;
+    commandConstraints?: {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+    } | undefined;
+}, {
+    id: string;
+    description: string;
+    effect: "ALLOW" | "DENY";
+    toolPattern: string;
+    permission: "READ" | "WRITE" | "EXECUTE";
+    minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+    createdAt: string;
+    updatedAt: string;
+    priority?: number | undefined;
+    argumentConstraints?: Record<string, unknown> | undefined;
+    pathConstraints?: {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+        rootDirectory?: string | undefined;
+        allowSymlinks?: boolean | undefined;
+    } | undefined;
+    commandConstraints?: {
+        allowed?: string[] | undefined;
+        denied?: string[] | undefined;
+    } | undefined;
+    enabled?: boolean | undefined;
+}>;
+declare const PolicySetSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodString;
+    version: z.ZodNumber;
+    rules: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        description: z.ZodString;
+        effect: z.ZodEnum<["ALLOW", "DENY"]>;
+        priority: z.ZodDefault<z.ZodNumber>;
+        toolPattern: z.ZodString;
+        permission: z.ZodEnum<["READ", "WRITE", "EXECUTE"]>;
+        minimumTrustLevel: z.ZodEnum<["UNTRUSTED", "VERIFIED", "TRUSTED"]>;
+        argumentConstraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        pathConstraints: z.ZodOptional<z.ZodObject<{
+            allowed: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            denied: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            rootDirectory: z.ZodOptional<z.ZodString>;
+            allowSymlinks: z.ZodOptional<z.ZodBoolean>;
+        }, "strip", z.ZodTypeAny, {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        }, {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        }>>;
+        commandConstraints: z.ZodOptional<z.ZodObject<{
+            allowed: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            denied: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        }, {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        }>>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        createdAt: z.ZodString;
+        updatedAt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        description: string;
+        effect: "ALLOW" | "DENY";
+        priority: number;
+        toolPattern: string;
+        permission: "READ" | "WRITE" | "EXECUTE";
+        minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+        enabled: boolean;
+        createdAt: string;
+        updatedAt: string;
+        argumentConstraints?: Record<string, unknown> | undefined;
+        pathConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        } | undefined;
+        commandConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        } | undefined;
+    }, {
+        id: string;
+        description: string;
+        effect: "ALLOW" | "DENY";
+        toolPattern: string;
+        permission: "READ" | "WRITE" | "EXECUTE";
+        minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+        createdAt: string;
+        updatedAt: string;
+        priority?: number | undefined;
+        argumentConstraints?: Record<string, unknown> | undefined;
+        pathConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        } | undefined;
+        commandConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        } | undefined;
+        enabled?: boolean | undefined;
+    }>, "many">;
+    createdAt: z.ZodString;
+    updatedAt: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    id: string;
+    description: string;
+    createdAt: string;
+    updatedAt: string;
+    version: number;
+    rules: {
+        id: string;
+        description: string;
+        effect: "ALLOW" | "DENY";
+        priority: number;
+        toolPattern: string;
+        permission: "READ" | "WRITE" | "EXECUTE";
+        minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+        enabled: boolean;
+        createdAt: string;
+        updatedAt: string;
+        argumentConstraints?: Record<string, unknown> | undefined;
+        pathConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        } | undefined;
+        commandConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        } | undefined;
+    }[];
+}, {
+    name: string;
+    id: string;
+    description: string;
+    createdAt: string;
+    updatedAt: string;
+    version: number;
+    rules: {
+        id: string;
+        description: string;
+        effect: "ALLOW" | "DENY";
+        toolPattern: string;
+        permission: "READ" | "WRITE" | "EXECUTE";
+        minimumTrustLevel: "UNTRUSTED" | "VERIFIED" | "TRUSTED";
+        createdAt: string;
+        updatedAt: string;
+        priority?: number | undefined;
+        argumentConstraints?: Record<string, unknown> | undefined;
+        pathConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+            rootDirectory?: string | undefined;
+            allowSymlinks?: boolean | undefined;
+        } | undefined;
+        commandConstraints?: {
+            allowed?: string[] | undefined;
+            denied?: string[] | undefined;
+        } | undefined;
+        enabled?: boolean | undefined;
+    }[];
+}>;
+/** The result of evaluating a policy against a request. */
+interface PolicyDecision {
+    readonly effect: PolicyEffect;
+    readonly matchedRule: PolicyRule | null;
+    readonly reason: string;
+    readonly timestamp: string;
+    readonly evaluationTimeMs: number;
+    readonly metadata?: {
+        readonly evaluatedRules: number;
+        readonly ruleIds: readonly string[];
+        readonly requestContext: {
+            readonly tool: string;
+            readonly arguments: readonly string[];
+        };
+    };
+}
+
+/**
+ * Declares a tool's capabilities and security requirements.
+ * Wraps MCP tool definitions with SolonGate-specific metadata.
+ */
+interface ToolCapability {
+    readonly name: string;
+    readonly description: string;
+    readonly serverName: string;
+    /** Maximum permissions this tool CAN request (capability ceiling). */
+    readonly maxPermissions: readonly Permission[];
+    /** Default permissions when no explicit policy exists. Must be empty in Phase 0 (default-deny). */
+    readonly defaultPermissions: readonly Permission[];
+    readonly inputSchema: Record<string, unknown>;
+    /** Tools with side effects cannot be READ-only. */
+    readonly hasSideEffects: boolean;
+    /** Sensitive data access affects audit log redaction behavior. */
+    readonly accessesSensitiveData: boolean;
+    /** Max calls per minute. 0 = unlimited. */
+    readonly rateLimitPerMinute: number;
+}
+/** Creates a ToolCapability with the most restrictive secure defaults. */
+declare function createToolCapability(params: Pick<ToolCapability, 'name' | 'description' | 'serverName' | 'inputSchema'> & Partial<Omit<ToolCapability, 'name' | 'description' | 'serverName' | 'inputSchema'>>): ToolCapability;
+
+/**
+ * SecurityContext represents the security state of a single request.
+ * Created fresh for each MCP request and NEVER reused.
+ * All fields are readonly - state transitions create new contexts.
+ */
+interface SecurityContext {
+    readonly requestId: string;
+    readonly trustLevel: TrustLevel;
+    readonly grantedPermissions: PermissionSet;
+    readonly sessionId: string | null;
+    readonly createdAt: string;
+    readonly metadata: Readonly<Record<string, unknown>>;
+    readonly capabilityToken?: string;
+}
+/** Extends SecurityContext with tool-specific execution information. */
+interface ExecutionContext extends SecurityContext {
+    readonly toolName: string;
+    readonly serverName: string;
+    readonly arguments: Readonly<Record<string, unknown>>;
+}
+/** Creates a new SecurityContext with default-deny settings. */
+declare function createSecurityContext(params: Pick<SecurityContext, 'requestId'> & Partial<Omit<SecurityContext, 'requestId' | 'createdAt' | 'trustLevel' | 'grantedPermissions'>>): SecurityContext;
+
+/**
+ * Base error class for all SolonGate security errors.
+ * Every error includes a machine-readable code for programmatic handling.
+ */
+declare class SolonGateError extends Error {
+    readonly code: string;
+    readonly timestamp: string;
+    readonly details: Record<string, unknown>;
+    constructor(message: string, code: string, details?: Record<string, unknown>);
+    /**
+     * Serializable representation for logging and API responses.
+     * Never includes stack traces (information leakage prevention).
+     */
+    toJSON(): Record<string, unknown>;
+}
+/** Thrown when a tool call is denied by policy. */
+declare class PolicyDeniedError extends SolonGateError {
+    constructor(toolName: string, reason: string, details?: Record<string, unknown>);
+}
+/** Thrown when a trust level escalation is attempted illegally. */
+declare class TrustEscalationError extends SolonGateError {
+    constructor(message: string);
+}
+/** Thrown when tool input fails schema validation. */
+declare class SchemaValidationError extends SolonGateError {
+    constructor(toolName: string, validationErrors: readonly string[]);
+}
+/** Thrown when a tool exceeds its rate limit. */
+declare class RateLimitError extends SolonGateError {
+    constructor(toolName: string, limitPerMinute: number);
+}
+/** Thrown when a tool is not found in the registry. */
+declare class ToolNotFoundError extends SolonGateError {
+    constructor(toolName: string, serverName: string);
+}
+/** Thrown when an unsafe configuration is detected. */
+declare class UnsafeConfigurationError extends SolonGateError {
+    constructor(message: string, field: string);
+}
+/** Thrown when input guard detects dangerous patterns. */
+declare class InputGuardError extends SolonGateError {
+    constructor(toolName: string, threats: readonly {
+        type: string;
+        field: string;
+        description: string;
+    }[]);
+}
+/** Thrown when a network operation fails (API calls, cloud sync, etc.). */
+declare class NetworkError extends SolonGateError {
+    constructor(operation: string, statusCode?: number, details?: Record<string, unknown>);
+}
+
+/** An execution request represents a tool call that needs security evaluation. */
+interface ExecutionRequest {
+    readonly context: SecurityContext;
+    readonly toolName: string;
+    readonly serverName: string;
+    readonly arguments: Readonly<Record<string, unknown>>;
+    readonly requiredPermission: Permission;
+    readonly timestamp: string;
+}
+/** Discriminated union on `status` for exhaustive matching. */
+type ExecutionResult = ExecutionResultAllowed | ExecutionResultDenied | ExecutionResultError;
+interface ExecutionResultAllowed {
+    readonly status: 'ALLOWED';
+    readonly request: ExecutionRequest;
+    readonly decision: PolicyDecision;
+    readonly toolResult: unknown;
+    readonly durationMs: number;
+    readonly timestamp: string;
+}
+interface ExecutionResultDenied {
+    readonly status: 'DENIED';
+    readonly request: ExecutionRequest;
+    readonly decision: PolicyDecision;
+    readonly timestamp: string;
+}
+interface ExecutionResultError {
+    readonly status: 'ERROR';
+    readonly request: ExecutionRequest;
+    readonly error: SolonGateError;
+    readonly timestamp: string;
+}
+
+/** Default policy effect when no rule matches: DENY */
+declare const DEFAULT_POLICY_EFFECT: "DENY";
+/** Maximum number of rules in a single PolicySet */
+declare const MAX_RULES_PER_POLICY_SET = 1000;
+/** Maximum depth for nested argument validation */
+declare const MAX_ARGUMENT_DEPTH = 10;
+/** Maximum size of tool arguments in bytes */
+declare const MAX_ARGUMENTS_SIZE_BYTES = 1048576;
+/** Maximum length of a tool name */
+declare const MAX_TOOL_NAME_LENGTH = 256;
+/** Maximum length of a server name */
+declare const MAX_SERVER_NAME_LENGTH = 256;
+/** Default rate limit per tool per minute */
+declare const DEFAULT_RATE_LIMIT_PER_MINUTE = 60;
+/** Maximum rate limit per tool per minute */
+declare const MAX_RATE_LIMIT_PER_MINUTE = 10000;
+/** Security context timeout in milliseconds (5 minutes) */
+declare const SECURITY_CONTEXT_TIMEOUT_MS: number;
+/** Policy evaluation timeout in milliseconds (100ms) */
+declare const POLICY_EVALUATION_TIMEOUT_MS = 100;
+/** Default maximum length per string argument */
+declare const INPUT_GUARD_MAX_LENGTH = 4096;
+/** Shannon entropy threshold for encoded payload detection */
+declare const INPUT_GUARD_ENTROPY_THRESHOLD = 4.5;
+/** Minimum string length before entropy check applies */
+declare const INPUT_GUARD_MIN_ENTROPY_LENGTH = 32;
+/** Maximum wildcards allowed per value */
+declare const INPUT_GUARD_MAX_WILDCARDS = 3;
+/** Default capability token TTL in seconds */
+declare const TOKEN_DEFAULT_TTL_SECONDS = 30;
+/** Minimum secret key length for HMAC signing */
+declare const TOKEN_MIN_SECRET_LENGTH = 32;
+/** Maximum token age before forced expiry (5 minutes) */
+declare const TOKEN_MAX_AGE_SECONDS = 300;
+/** Default sliding window size in milliseconds (1 minute) */
+declare const RATE_LIMIT_WINDOW_MS = 60000;
+/** Maximum entries to keep per tool before cleanup */
+declare const RATE_LIMIT_MAX_ENTRIES = 10000;
+/** Warning messages for unsafe configurations. */
+declare const UNSAFE_CONFIGURATION_WARNINGS: {
+    readonly WILDCARD_ALLOW: "Wildcard ALLOW rules grant permission to ALL tools. This bypasses the default-deny model.";
+    readonly TRUSTED_LEVEL_EXTERNAL: "Setting trust level to TRUSTED for external requests bypasses all security checks.";
+    readonly WRITE_WITHOUT_READ: "Granting WRITE without READ is unusual and may indicate a misconfiguration.";
+    readonly EXECUTE_WITHOUT_REVIEW: "EXECUTE permission allows tools to perform arbitrary actions. Review carefully.";
+    readonly RATE_LIMIT_ZERO: "A rate limit of 0 means unlimited calls. This removes protection against runaway loops.";
+    readonly DISABLED_VALIDATION: "Disabling schema validation removes input sanitization protections.";
+};
+
+/**
+ * Types that bridge between the MCP protocol and SolonGate's type system.
+ * Adapts MCP SDK types without creating a hard dependency.
+ */
+interface McpToolDefinition {
+    readonly name: string;
+    readonly description?: string;
+    readonly inputSchema: {
+        readonly type: 'object';
+        readonly properties?: Record<string, unknown>;
+        readonly required?: readonly string[];
+    };
+}
+interface McpCallToolParams {
+    readonly name: string;
+    readonly arguments?: Record<string, unknown>;
+}
+interface McpCallToolResult {
+    readonly content: readonly McpToolResultContent[];
+    readonly isError?: boolean;
+    readonly structuredContent?: unknown;
+}
+type McpToolResultContent = {
+    readonly type: 'text';
+    readonly text: string;
+} | {
+    readonly type: 'image';
+    readonly data: string;
+    readonly mimeType: string;
+} | {
+    readonly type: 'resource';
+    readonly resource: unknown;
+};
+/** Wraps denied tool calls in MCP error responses. */
+declare function createDeniedToolResult(reason: string): McpCallToolResult;
+
+/**
+ * Result of schema validation.
+ * Always includes structured errors for programmatic handling.
+ */
+interface SchemaValidationResult {
+    readonly valid: boolean;
+    readonly errors: readonly string[];
+    readonly sanitized: Readonly<Record<string, unknown>> | null;
+}
+/**
+ * Options for schema validation behavior.
+ */
+interface SchemaValidatorOptions {
+    readonly maxDepth?: number;
+    readonly maxSizeBytes?: number;
+    readonly stripUnknown?: boolean;
+}
+/**
+ * Validates tool input against a Zod schema with strict security enforcement.
+ *
+ * - Unknown fields are REJECTED (no additionalProperties)
+ * - Type mismatches are REJECTED
+ * - Required fields are ENFORCED
+ * - Recursive depth is limited
+ * - Argument size is limited
+ */
+declare function validateToolInput(schema: ZodTypeAny, input: unknown, options?: SchemaValidatorOptions): SchemaValidationResult;
+/**
+ * Creates a strict Zod object schema that rejects unknown fields.
+ * Wraps z.object().strict() for convenience.
+ */
+declare function createStrictSchema(shape: Record<string, ZodTypeAny>): z.ZodObject<Record<string, ZodTypeAny>, 'strict'>;
+
+/**
+ * Input Guard: detects and blocks dangerous patterns in tool arguments.
+ *
+ * Prevents physical execution of injected instructions by checking for:
+ * - Path traversal attacks (../, ..\, encoded variants)
+ * - Shell injection (;, |, &, `, $(), etc.)
+ * - Wildcard abuse (**, recursive globs)
+ * - Excessive length
+ * - High-entropy payloads (potential encoded exploits)
+ */
+/** Threat type detected by input guard. */
+type ThreatType = 'PATH_TRAVERSAL' | 'SHELL_INJECTION' | 'WILDCARD_ABUSE' | 'LENGTH_EXCEEDED' | 'HIGH_ENTROPY' | 'SSRF' | 'SQL_INJECTION';
+/** A detected threat with details. */
+interface DetectedThreat {
+    readonly type: ThreatType;
+    readonly field: string;
+    readonly value: string;
+    readonly description: string;
+}
+/** Result of sanitization check. */
+interface SanitizationResult {
+    readonly safe: boolean;
+    readonly threats: readonly DetectedThreat[];
+}
+/** Configuration for input guard checks. */
+interface InputGuardConfig {
+    readonly pathTraversal: boolean;
+    readonly shellInjection: boolean;
+    readonly wildcardAbuse: boolean;
+    readonly lengthLimit: number;
+    readonly entropyLimit: boolean;
+    readonly ssrf: boolean;
+    readonly sqlInjection: boolean;
+}
+declare const DEFAULT_INPUT_GUARD_CONFIG: Readonly<InputGuardConfig>;
+declare function detectPathTraversal(value: string): boolean;
+declare function detectShellInjection(value: string): boolean;
+declare function detectWildcardAbuse(value: string): boolean;
+declare function detectSSRF(value: string): boolean;
+declare function detectSQLInjection(value: string): boolean;
+declare function checkLengthLimits(value: string, maxLength?: number): boolean;
+declare function checkEntropyLimits(value: string): boolean;
+/**
+ * Runs all input guard checks on a value.
+ * Returns structured result with all detected threats.
+ */
+declare function sanitizeInput(field: string, value: unknown, config?: InputGuardConfig): SanitizationResult;
+
+/**
+ * Capability Token: a signed, short-lived, single-use token
+ * that authorizes execution of specific tools within specific scopes.
+ *
+ * Security properties:
+ * - Short-lived: TTL defaults to 30 seconds
+ * - Single-use: nonce prevents replay attacks
+ * - Scoped: limited to specific tools and servers
+ * - Signed: HMAC-SHA256 prevents forgery
+ */
+interface CapabilityToken {
+    readonly jti: string;
+    readonly iss: string;
+    readonly sub: string;
+    readonly iat: number;
+    readonly exp: number;
+    readonly permissions: readonly Permission[];
+    readonly toolScope: readonly string[];
+    readonly serverScope: readonly string[];
+    readonly pathScope?: readonly string[];
+}
+/**
+ * Configuration for token issuance.
+ */
+interface TokenConfig {
+    readonly secret: string;
+    readonly ttlSeconds: number;
+    readonly algorithm: 'HS256';
+    readonly issuer: string;
+}
+/**
+ * Default token configuration.
+ * Secret must be provided - no default.
+ */
+declare const DEFAULT_TOKEN_TTL_SECONDS = 30;
+declare const TOKEN_ALGORITHM: "HS256";
+declare const MIN_SECRET_LENGTH = 32;
+/**
+ * Result of token verification.
+ */
+interface TokenVerificationResult {
+    readonly valid: boolean;
+    readonly payload?: CapabilityToken;
+    readonly reason?: string;
+}
+
+export { type CapabilityToken, DEFAULT_INPUT_GUARD_CONFIG, DEFAULT_POLICY_EFFECT, DEFAULT_RATE_LIMIT_PER_MINUTE, DEFAULT_TOKEN_TTL_SECONDS, type DetectedThreat, type ExecutionContext, type ExecutionRequest, type ExecutionResult, type ExecutionResultAllowed, type ExecutionResultDenied, type ExecutionResultError, INPUT_GUARD_ENTROPY_THRESHOLD, INPUT_GUARD_MAX_LENGTH, INPUT_GUARD_MAX_WILDCARDS, INPUT_GUARD_MIN_ENTROPY_LENGTH, type InputGuardConfig, InputGuardError, MAX_ARGUMENTS_SIZE_BYTES, MAX_ARGUMENT_DEPTH, MAX_RATE_LIMIT_PER_MINUTE, MAX_RULES_PER_POLICY_SET, MAX_SERVER_NAME_LENGTH, MAX_TOOL_NAME_LENGTH, MIN_SECRET_LENGTH, type McpCallToolParams, type McpCallToolResult, type McpToolDefinition, type McpToolResultContent, NO_PERMISSIONS, NetworkError, POLICY_EVALUATION_TIMEOUT_MS, Permission, PermissionSchema, type PermissionSet, type PolicyDecision, PolicyDeniedError, PolicyEffect, type PolicyRule, PolicyRuleSchema, type PolicySet, PolicySetSchema, RATE_LIMIT_MAX_ENTRIES, RATE_LIMIT_WINDOW_MS, READ_ONLY, RateLimitError, SECURITY_CONTEXT_TIMEOUT_MS, type SanitizationResult, SchemaValidationError, type SchemaValidationResult, type SchemaValidatorOptions, type SecurityContext, SolonGateError, TOKEN_ALGORITHM, TOKEN_DEFAULT_TTL_SECONDS, TOKEN_MAX_AGE_SECONDS, TOKEN_MIN_SECRET_LENGTH, type ThreatType, type TokenConfig, type TokenVerificationResult, type ToolCapability, ToolNotFoundError, TrustEscalationError, TrustLevel, UNSAFE_CONFIGURATION_WARNINGS, UnsafeConfigurationError, assertValidTransition, checkEntropyLimits, checkLengthLimits, createDeniedToolResult, createPermissionSet, createSecurityContext, createStrictSchema, createToolCapability, detectPathTraversal, detectSQLInjection, detectSSRF, detectShellInjection, detectWildcardAbuse, hasAllPermissions, hasPermission, isValidTrustLevel, permissionForMethod, sanitizeInput, validateToolInput };