@solongate/proxy 0.47.7 → 0.48.1

package/dist/policy-engine/policy-store.d.ts

@@ -0,0 +1,66 @@
+import type { PolicySet, PolicyRule } from '../core/index.js';
+/**
+ * A versioned snapshot of a policy set.
+ * Immutable once created - modifications create new versions.
+ */
+export interface PolicyVersion {
+    readonly version: number;
+    readonly policySet: PolicySet;
+    readonly hash: string;
+    readonly reason: string;
+    readonly createdBy: string;
+    readonly createdAt: string;
+}
+/**
+ * Diff between two policy versions.
+ */
+export interface PolicyDiff {
+    readonly added: readonly PolicyRule[];
+    readonly removed: readonly PolicyRule[];
+    readonly modified: readonly {
+        readonly old: PolicyRule;
+        readonly new: PolicyRule;
+    }[];
+}
+/**
+ * In-memory versioned policy store.
+ * Stores complete history of policy changes with cryptographic hashes.
+ *
+ * Security properties:
+ * - Immutable versions: once saved, a version cannot be modified
+ * - Hash chain: each version includes SHA256 of the policy content
+ * - Full history: no version is ever deleted
+ */
+export declare class PolicyStore {
+    private readonly versions;
+    /**
+     * Saves a new version of a policy set.
+     * The version number auto-increments.
+     */
+    saveVersion(policySet: PolicySet, reason: string, createdBy: string): PolicyVersion;
+    /**
+     * Gets a specific version of a policy set.
+     */
+    getVersion(id: string, version: number): PolicyVersion | null;
+    /**
+     * Gets the latest version of a policy set.
+     */
+    getLatest(id: string): PolicyVersion | null;
+    /**
+     * Gets the full version history of a policy set.
+     */
+    getHistory(id: string): readonly PolicyVersion[];
+    /**
+     * Rolls back to a previous version by creating a new version
+     * with the same content as the target version.
+     */
+    rollback(id: string, toVersion: number): PolicyVersion;
+    /**
+     * Computes a diff between two policy versions.
+     */
+    diff(v1: PolicyVersion, v2: PolicyVersion): PolicyDiff;
+    /**
+     * Computes SHA256 hash of a policy set for integrity verification.
+     */
+    computeHash(policySet: PolicySet): string;
+}

package/dist/policy-engine/url-matcher.d.ts

@@ -0,0 +1,29 @@
+import type { PolicyRule } from '../core/index.js';
+type UrlConstraints = NonNullable<PolicyRule['urlConstraints']>;
+/**
+ * Extracts URL arguments from tool call arguments.
+ * Scans ALL string values — not just known field names.
+ * Any string containing http:// or https:// is treated as a URL.
+ */
+export declare function extractUrlArguments(args: Readonly<Record<string, unknown>>): string[];
+/**
+ * Glob-style URL pattern matching.
+ * Normalizes both URL and pattern to lowercase for comparison.
+ *
+ * Patterns:
+ *   '*instagram.com*' → URL contains instagram.com
+ *   'https://api.example.com/*' → URL starts with prefix
+ *   '*.onion' → URL ends with .onion
+ *   '*' → matches everything
+ */
+export declare function matchUrlPattern(url: string, pattern: string): boolean;
+/**
+ * Checks if a URL is allowed by the given constraints.
+ *
+ * Evaluation order:
+ * 1. If denied list exists, URL must NOT match any denied pattern
+ * 2. If allowed list exists, URL must match at least one allowed pattern
+ * 3. If neither list exists, URL is allowed
+ */
+export declare function isUrlAllowed(url: string, constraints: UrlConstraints): boolean;
+export {};

package/dist/policy-engine/validator.d.ts

@@ -0,0 +1,7 @@
+export interface ValidationResult {
+    readonly valid: boolean;
+    readonly errors: readonly string[];
+    readonly warnings: readonly string[];
+}
+export declare function validatePolicyRule(input: unknown): ValidationResult;
+export declare function validatePolicySet(input: unknown): ValidationResult;

package/dist/policy-engine/warnings.d.ts

@@ -0,0 +1,10 @@
+import type { PolicySet } from '../core/index.js';
+export interface SecurityWarning {
+    readonly level: 'WARNING' | 'CRITICAL';
+    readonly code: string;
+    readonly message: string;
+    readonly ruleId?: string;
+    readonly recommendation: string;
+}
+/** Analyzes a policy set and returns security warnings. Pure function. */
+export declare function analyzeSecurityWarnings(policySet: PolicySet): readonly SecurityWarning[];

package/dist/proxy.d.ts

@@ -0,0 +1,89 @@
+import type { ProxyConfig } from './config.js';
+/**
+ * SolonGate MCP Proxy.
+ *
+ * Sits between an MCP client (Claude) and an upstream MCP server.
+ * Intercepts all tool calls through the SolonGate security pipeline.
+ *
+ * Architecture:
+ *   Claude ──(stdio|http)──> Proxy Server ──(stdio|sse|http)──> Upstream MCP Server
+ *                                │
+ *                           [SolonGate]
+ *                           rate limit
+ *                           policy eval
+ *                           audit log
+ */
+export declare class SolonGateProxy {
+    private config;
+    private readonly gate;
+    private client;
+    private server;
+    private readonly toolMutexes;
+    private syncManager;
+    private upstreamTools;
+    /** Agent identity for trust map — resolved from CLI flag, HTTP headers, or MCP clientInfo */
+    private agentId;
+    private agentName;
+    /** Per-session agent info for HTTP mode (keyed by session ID) */
+    private httpAgentInfo;
+    /** Per-request sub-agent info from HTTP headers (transient, overwritten per request) */
+    private httpSubAgent;
+    constructor(config: ProxyConfig);
+    /** Normalize well-known MCP client names to display-friendly agent identities */
+    private normalizeAgentName;
+    /** Extract sub-agent identity from MCP _meta field */
+    private extractSubAgent;
+    /**
+     * Start the proxy: connect to upstream, then serve downstream.
+     */
+    start(): Promise<void>;
+    /**
+     * Connect to the upstream MCP server.
+     * Supports stdio (child process), SSE, and StreamableHTTP transports.
+     */
+    private connectUpstream;
+    /**
+     * Discover tools from the upstream server.
+     */
+    private discoverTools;
+    /**
+     * Create the downstream MCP server with proxied handlers.
+     */
+    private createServer;
+    /**
+     * Register discovered tools to the SolonGate Cloud API.
+     * This makes tools visible on the Dashboard (/tools page).
+     */
+    private registerToolsToCloud;
+    /**
+     * Guess tool permissions from tool name.
+     */
+    private guessPermissions;
+    /**
+     * Register the upstream MCP server to the SolonGate Cloud API.
+     * This makes it visible on the Dashboard MCP Servers page.
+     */
+    private registerServerToCloud;
+    /**
+     * Start bidirectional policy sync between local JSON file and cloud dashboard.
+     *
+     * - Watches local policy.json for changes → pushes to cloud API
+     * - Polls cloud API for dashboard changes → writes to local policy.json
+     * - Version number determines which is newer (higher wins, cloud wins on tie)
+     */
+    /**
+     * Extract protected filenames from policy DENY rules (filenameConstraints.denied).
+     */
+    private extractProtectedFiles;
+    /**
+     * Extract protected paths from policy DENY rules (pathConstraints.denied).
+     */
+    private extractProtectedPaths;
+    private startPolicySync;
+    /**
+     * Start serving downstream.
+     * If --port is set, serves via StreamableHTTP on that port.
+     * Otherwise, serves on stdio (default for Claude Code / etc).
+     */
+    private serve;
+}

package/dist/pull-push.d.ts

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+/**
+ * solongate-proxy pull  — Pull a policy from dashboard to local file
+ * solongate-proxy push  — Push a local policy file to dashboard
+ * solongate-proxy list  — List all policies with details
+ *
+ * Usage:
+ *   solongate-proxy list
+ *   solongate-proxy list --policy-id <ID>
+ *   solongate-proxy pull --policy-id <ID>
+ *   solongate-proxy push --policy-id <ID>
+ *   solongate-proxy pull --policy-id <ID> --file my-policy.json
+ *
+ * The --policy-id flag determines WHICH cloud policy to work with.
+ * API key is read from .env file (SOLONGATE_API_KEY) or environment variable.
+ */
+export {};

package/dist/sdk/config.d.ts

@@ -0,0 +1,26 @@
+import type { PolicySet } from '../core/index.js';
+/**
+ * Configuration for the SolonGate SDK.
+ * All fields have secure defaults. Weakening requires explicit opt-in.
+ */
+export interface SolonGateConfig {
+    readonly policySet?: PolicySet;
+    readonly validateSchemas: boolean;
+    readonly enableLogging: boolean;
+    readonly logLevel: 'debug' | 'info' | 'warn' | 'error';
+    readonly evaluationTimeoutMs: number;
+    readonly verboseErrors: boolean;
+    readonly globalRateLimitPerMinute: number;
+    readonly rateLimitPerTool: number;
+    readonly tokenSecret?: string;
+    readonly tokenTtlSeconds: number;
+    readonly tokenIssuer?: string;
+    readonly gatewaySecret?: string;
+    readonly enableVersionedPolicies: boolean;
+    readonly apiUrl?: string;
+}
+export declare const DEFAULT_CONFIG: Readonly<SolonGateConfig>;
+export declare function resolveConfig(userConfig?: Partial<SolonGateConfig>): {
+    config: SolonGateConfig;
+    warnings: string[];
+};

package/dist/sdk/expiring-set.d.ts

@@ -0,0 +1,18 @@
+/**
+ * A Set that automatically evicts entries after a configurable TTL.
+ * Prevents unbounded memory growth in long-running processes.
+ *
+ * Uses a sweep-on-access strategy: expired entries are purged every
+ * `sweepIntervalMs` when add() is called, keeping overhead minimal.
+ */
+export declare class ExpiringSet {
+    private readonly entries;
+    private readonly ttlMs;
+    private readonly sweepIntervalMs;
+    private lastSweep;
+    constructor(ttlMs: number, sweepIntervalMs?: number);
+    add(value: string): void;
+    has(value: string): boolean;
+    get size(): number;
+    private maybeSweep;
+}

package/dist/sdk/index.d.ts

@@ -0,0 +1,10 @@
+export { SolonGate, LicenseError } from './solongate.js';
+export { SecureMcpServer, type SecureMcpServerOptions } from './secure-server.js';
+export { interceptToolCall, ExfiltrationChainTracker, type InterceptorOptions } from './interceptor.js';
+export { resolveConfig, DEFAULT_CONFIG, type SolonGateConfig } from './config.js';
+export { SecurityLogger } from './logger.js';
+export { TokenIssuer } from './token-issuer.js';
+export { ServerVerifier, type SignedMcpRequest, type SignatureValidationResult } from './server-verifier.js';
+export { RateLimiter, type RateLimitResult } from './rate-limiter.js';
+export { TrustLevel, Permission, PolicyEffect, type PolicyRule, type PolicySet, type PolicyDecision, type SecurityContext, type ExecutionRequest, type ExecutionResult, type ToolCapability, type McpCallToolParams, type McpCallToolResult, type CapabilityToken, type TokenConfig, type InputGuardConfig, type ThreatType, type DetectedThreat, type SanitizationResult, SolonGateError, PolicyDeniedError, SchemaValidationError, RateLimitError as CoreRateLimitError, InputGuardError, NetworkError, createSecurityContext, createDeniedToolResult, validateToolInput, sanitizeInput, detectPathTraversal, detectShellInjection, detectWildcardAbuse, detectSSRF, detectSQLInjection, detectExfiltration, detectBoundaryEscape, checkLengthLimits, checkEntropyLimits, scanResponse, RESPONSE_WARNING_MARKER, BOUNDARY_PREFIX, BOUNDARY_SUFFIX, tagUserInput, stripBoundaryTags, type ResponseScanConfig, type ResponseThreatType, type ResponseThreat, type ResponseScanResult, type TaggedArguments, } from '../core/index.js';
+export { PolicyEngine, PolicyStore, type PolicyVersion, type PolicyDiff, createDefaultDenyPolicySet, createPermissivePolicySet, createReadOnlyPolicySet, } from '../policy-engine/index.js';

package/dist/sdk/interceptor.d.ts

@@ -0,0 +1,45 @@
+import type { ExecutionResult, McpCallToolParams, McpCallToolResult, ResponseScanConfig } from '../core/index.js';
+import type { PolicyEngine } from '../policy-engine/index.js';
+import type { TokenIssuer } from './token-issuer.js';
+import type { ServerVerifier } from './server-verifier.js';
+import type { RateLimiter } from './rate-limiter.js';
+export declare class ExfiltrationChainTracker {
+    private readonly recentCalls;
+    private writeIndex;
+    private count;
+    record(toolName: string): void;
+    /**
+     * Check if a data sink tool call follows a recent data source tool call,
+     * which may indicate a read-then-exfiltrate chain.
+     */
+    detectChain(currentTool: string): boolean;
+}
+export interface InterceptorOptions {
+    readonly policyEngine: PolicyEngine;
+    readonly validateSchemas: boolean;
+    readonly verboseErrors: boolean;
+    readonly onDecision?: (result: ExecutionResult) => void;
+    readonly tokenIssuer?: TokenIssuer;
+    readonly serverVerifier?: ServerVerifier;
+    readonly rateLimiter?: RateLimiter;
+    readonly rateLimitPerTool?: number;
+    readonly globalRateLimitPerMinute?: number;
+    readonly exfiltrationTracker?: ExfiltrationChainTracker;
+    readonly responseScanConfig?: ResponseScanConfig;
+    readonly blockUnsafeResponses?: boolean;
+}
+/**
+ * Intercepts an MCP tool call and runs the full security pipeline:
+ *
+ * 1. Rate limit check → RateLimitError if exceeded
+ * 2. Exfiltration chain check → deny if data-source → data-sink pattern
+ * 3. Policy evaluation (path + command constraints) → PolicyDeniedError if denied
+ * 4. Issue capability token (if TokenIssuer configured)
+ * 5. Sign request (if ServerVerifier configured)
+ * 6. Call upstream
+ * 7. Scan response for indirect prompt injection
+ * 8. Record rate limit usage
+ * 9. Log to audit trail
+ * 10. Return result
+ */
+export declare function interceptToolCall(params: McpCallToolParams, upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>, options: InterceptorOptions): Promise<McpCallToolResult>;

package/dist/sdk/logger.d.ts

@@ -0,0 +1,16 @@
+import type { ExecutionResult } from '../core/index.js';
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+/**
+ * Structured security event logger.
+ * Outputs JSON-formatted log entries for machine consumption.
+ */
+export declare class SecurityLogger {
+    private readonly minLevel;
+    private readonly enabled;
+    constructor(options: {
+        level: LogLevel;
+        enabled: boolean;
+    });
+    logDecision(result: ExecutionResult): void;
+    private log;
+}

package/dist/sdk/rate-limiter.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Result of a rate limit check.
+ */
+export interface RateLimitResult {
+    readonly allowed: boolean;
+    readonly remaining: number;
+    readonly resetAt: number;
+}
+/**
+ * Sliding window rate limiter for tool calls.
+ *
+ * Uses circular buffers for O(1) push and O(log n) count operations
+ * instead of array filtering. Window size defaults to 1 minute.
+ */
+export declare class RateLimiter {
+    private readonly windowMs;
+    private readonly maxEntries;
+    private readonly buffers;
+    private globalBuffer;
+    constructor(options?: {
+        windowMs?: number;
+        maxEntries?: number;
+    });
+    /**
+     * Checks if a tool call is within the rate limit.
+     * Does NOT record the call - use recordCall() after successful execution.
+     */
+    checkLimit(toolName: string, limitPerWindow: number): RateLimitResult;
+    /**
+     * Checks the global rate limit across all tools.
+     */
+    checkGlobalLimit(limitPerWindow: number): RateLimitResult;
+    /**
+     * Atomically checks and records a tool call.
+     * Prevents TOCTOU race conditions between check and record.
+     * Returns the rate limit result; if allowed, the call is already recorded.
+     */
+    checkAndRecord(toolName: string, limitPerWindow: number, globalLimit?: number): RateLimitResult;
+    /**
+     * Records a tool call for rate limiting.
+     * Call this after successful execution.
+     */
+    recordCall(toolName: string): void;
+    /**
+     * Gets usage stats for a tool.
+     */
+    getUsage(toolName: string): {
+        count: number;
+        windowStart: number;
+    };
+    /**
+     * Resets rate tracking for a specific tool.
+     */
+    resetTool(toolName: string): void;
+    /**
+     * Resets all rate tracking.
+     */
+    resetAll(): void;
+}

package/dist/sdk/secure-server.d.ts

@@ -0,0 +1,68 @@
+/**
+ * SecureMcpServer — Drop-in replacement for McpServer with SolonGate protection.
+ *
+ * Extends the standard McpServer and automatically wraps every tool handler
+ * with SolonGate's security pipeline (rate limiting, input guard, policy eval,
+ * audit logging). No manual wrapping of individual tool handlers needed.
+ *
+ * Usage:
+ * ```typescript
+ * import { SecureMcpServer } from '@solongate/proxy';
+ *
+ * // Just replace `new McpServer(...)` with `new SecureMcpServer(...)`
+ * const server = new SecureMcpServer({
+ *   name: 'my-server',
+ *   version: '1.0.0',
+ * });
+ *
+ * // Register tools as normal — they're automatically protected
+ * server.tool('file_read', { path: z.string() }, async ({ path }) => {
+ *   return { content: [{ type: 'text', text: readFileSync(path, 'utf-8') }] };
+ * });
+ *
+ * // API key comes from env: SOLONGATE_API_KEY=sg_live_xxx
+ * ```
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { Implementation } from '@modelcontextprotocol/sdk/types.js';
+import type { PolicySet } from '../core/index.js';
+import { SolonGate } from './solongate.js';
+import type { SolonGateConfig } from './config.js';
+/**
+ * Options for SecureMcpServer that control SolonGate behavior.
+ */
+export interface SecureMcpServerOptions {
+    /** SolonGate Cloud API key. Defaults to process.env.SOLONGATE_API_KEY */
+    apiKey?: string;
+    /** Policy set to enforce. If omitted, uses cloud policy or default. */
+    policySet?: PolicySet;
+    /** SolonGate configuration overrides. */
+    config?: Partial<SolonGateConfig>;
+}
+export declare class SecureMcpServer extends McpServer {
+    private readonly gate;
+    /**
+     * Create a secure MCP server.
+     *
+     * @param serverInfo - MCP server info (name, version)
+     * @param solongateOptions - SolonGate security options
+     * @param mcpOptions - Standard McpServer options (capabilities, etc.)
+     */
+    constructor(serverInfo: Implementation, solongateOptions?: SecureMcpServerOptions, mcpOptions?: ConstructorParameters<typeof McpServer>[1]);
+    /**
+     * Override tool() to auto-wrap handlers with SolonGate security pipeline.
+     *
+     * Supports all McpServer.tool() overloads — the handler (always the last
+     * argument) is transparently wrapped. Tool name, description, schema, and
+     * annotations pass through unchanged.
+     */
+    tool(name: string, ...rest: unknown[]): ReturnType<McpServer['tool']>;
+    /**
+     * Override registerTool() to auto-wrap handlers with SolonGate security pipeline.
+     *
+     * This is the modern (non-deprecated) API for registering tools.
+     */
+    registerTool(name: string, config: Parameters<McpServer['registerTool']>[1], cb: unknown): ReturnType<McpServer['registerTool']>;
+    /** Get the underlying SolonGate instance for direct access. */
+    getSolonGate(): SolonGate;
+}

package/dist/sdk/server-verifier.d.ts

@@ -0,0 +1,53 @@
+import type { McpCallToolParams } from '../core/index.js';
+/**
+ * A signed MCP request that includes capability token and integrity signature.
+ * Requests without valid gateway signature should be rejected by MCP servers.
+ */
+export interface SignedMcpRequest {
+    readonly params: McpCallToolParams;
+    readonly capabilityToken: string;
+    readonly signature: string;
+    readonly timestamp: string;
+    readonly nonce: string;
+}
+/**
+ * Result of validating a signed request.
+ */
+export interface SignatureValidationResult {
+    readonly valid: boolean;
+    readonly reason?: string;
+}
+/**
+ * Signs and verifies MCP requests to ensure they originate from the gateway.
+ *
+ * Security properties:
+ * - HMAC-SHA256 signature of request params + token
+ * - Timestamp to prevent old request replays
+ * - Nonce for uniqueness
+ * - Configurable max age for timestamp validation
+ */
+export declare class ServerVerifier {
+    private readonly gatewaySecret;
+    private readonly maxAgeMs;
+    private readonly usedNonces;
+    constructor(config: {
+        gatewaySecret: string;
+        maxAgeMs?: number;
+    });
+    /**
+     * Computes HMAC signature for request data.
+     */
+    signRequest(params: McpCallToolParams, capabilityToken: string): string;
+    /**
+     * Verifies the HMAC signature of request data.
+     */
+    verifySignature(params: McpCallToolParams, capabilityToken: string, signature: string): boolean;
+    /**
+     * Creates a complete signed request including timestamp and nonce.
+     */
+    createSignedRequest(params: McpCallToolParams, capabilityToken: string): SignedMcpRequest;
+    /**
+     * Validates a complete signed request including timestamp, nonce, and signature.
+     */
+    validateSignedRequest(request: SignedMcpRequest): SignatureValidationResult;
+}

package/dist/sdk/solongate.d.ts

@@ -0,0 +1,105 @@
+import type { PolicySet, McpCallToolParams, McpCallToolResult } from '../core/index.js';
+import { PolicyEngine } from '../policy-engine/index.js';
+import { type SolonGateConfig } from './config.js';
+import { TokenIssuer } from './token-issuer.js';
+import { RateLimiter } from './rate-limiter.js';
+/**
+ * Error thrown when a valid SolonGate license (API key) is missing or invalid.
+ */
+export declare class LicenseError extends Error {
+    constructor(message: string);
+}
+/**
+ * SolonGate - Security Gateway for MCP Tool Servers.
+ *
+ * Requires a valid API key. Get one at https://solongate.com
+ *
+ * Usage:
+ * ```typescript
+ * const gate = new SolonGate({ name: 'my-gateway', apiKey: 'sg_live_xxx' });
+ *
+ * // Intercept a tool call
+ * const result = await gate.executeToolCall(
+ *   { name: 'file.read', arguments: { path: '/etc/passwd' } },
+ *   async (params) => upstreamMcpServer.callTool(params),
+ * );
+ * ```
+ *
+ * Architecture:
+ *   [LLM] -> [SolonGate.executeToolCall] -> [Security Pipeline] -> [Upstream MCP Server]
+ *
+ * Pipeline:
+ *   Rate Limit → Policy Eval (path + command constraints) → Token Issue → Sign → Call → Audit
+ */
+export declare class SolonGate {
+    private readonly policyEngine;
+    private readonly config;
+    private readonly logger;
+    private readonly configWarnings;
+    private readonly tokenIssuer;
+    private readonly serverVerifier;
+    private readonly rateLimiter;
+    private readonly exfiltrationTracker;
+    private readonly apiKey;
+    private licenseValidated;
+    private pollingTimer;
+    constructor(options: {
+        name: string;
+        version?: string;
+        apiKey?: string;
+        config?: Partial<SolonGateConfig>;
+        policySet?: PolicySet;
+    });
+    /**
+     * Validate the API key against the SolonGate cloud API.
+     * Called once on first executeToolCall. Throws LicenseError if invalid.
+     * Test keys (sg_test_) skip online validation.
+     */
+    private validateLicense;
+    /**
+     * Fetch policy from SolonGate Cloud API (fire once, non-blocking).
+     * TODO: extract cloud policy parsing to shared module with packages/proxy/src/config.ts
+     */
+    private fetchCloudPolicyOnce;
+    /**
+     * Fetch the compiled OPA WASM bundle for a policy and load it into the engine.
+     * The proxy does not compile policies itself — the cloud API compiles every
+     * policy version to WASM on save and serves it from /policies/:id/wasm.
+     */
+    private loadCloudWasm;
+    /**
+     * Poll for policy updates from dashboard every 60 seconds.
+     */
+    private startPolicyPolling;
+    /**
+     * Send audit log to SolonGate Cloud API (fire-and-forget).
+     */
+    private sendAuditLog;
+    /**
+     * Intercept and evaluate a tool call against the full security pipeline.
+     * If denied at any stage, returns an error result without calling upstream.
+     * If allowed, calls upstream and returns the result.
+     */
+    executeToolCall(params: McpCallToolParams, upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>): Promise<McpCallToolResult>;
+    /** Load a new policy set at runtime. */
+    loadPolicy(policySet: PolicySet, options?: {
+        reason?: string;
+        createdBy?: string;
+    }): import("../policy-engine/validator.js").ValidationResult;
+    /**
+     * Load a pre-compiled OPA WASM bundle for evaluation. OPA WASM is the sole
+     * evaluation backend — until a bundle is loaded, evaluate() fails closed
+     * (default DENY). The bundle is fetched from the cloud /policies/:id/wasm.
+     */
+    loadWasmBundle(wasmBundle: BufferSource): Promise<void>;
+    /** Get current security warnings. */
+    getWarnings(): readonly string[];
+    /** Get the policy engine for direct access. */
+    getPolicyEngine(): PolicyEngine;
+    /** Get the rate limiter for direct access. */
+    getRateLimiter(): RateLimiter;
+    /** Get the token issuer (null if not configured). */
+    getTokenIssuer(): TokenIssuer | null;
+    /** Stop policy polling and release resources. */
+    destroy(): void;
+}

package/dist/sdk/token-issuer.d.ts

@@ -0,0 +1,37 @@
+import type { TokenConfig, TokenVerificationResult, Permission } from '../core/index.js';
+/**
+ * Issues and verifies capability tokens using HMAC-SHA256.
+ *
+ * Security properties:
+ * - Short-lived TTL (default 30 seconds)
+ * - Single-use nonces (replay prevention)
+ * - Revocation support
+ * - No external JWT library dependency
+ */
+export declare class TokenIssuer {
+    private readonly secret;
+    private readonly ttlSeconds;
+    private readonly issuer;
+    private readonly usedNonces;
+    private readonly revokedTokens;
+    constructor(config: TokenConfig);
+    /**
+     * Issues a signed capability token.
+     */
+    issue(requestId: string, permissions: readonly Permission[], toolScope: readonly string[], serverScope?: readonly string[], pathScope?: readonly string[]): string;
+    /**
+     * Verifies a capability token and consumes the nonce (single-use).
+     */
+    verify(token: string): TokenVerificationResult;
+    /**
+     * Revokes a token by its ID.
+     */
+    revoke(jti: string): void;
+    /**
+     * Checks if a token ID has been revoked.
+     */
+    isRevoked(jti: string): boolean;
+    private sign;
+    private parseAndVerify;
+    private computeSignature;
+}