@vengtoo/mcp-gateway 0.1.0

package/dist/gateway.js

@@ -0,0 +1,173 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startGateway = void 0;
+const index_js_1 = require("@modelcontextprotocol/sdk/server/index.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const index_js_2 = require("@modelcontextprotocol/sdk/client/index.js");
+const stdio_js_2 = require("@modelcontextprotocol/sdk/client/stdio.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const authorize_1 = require("./authorize");
+const audit_1 = require("./audit");
+const sync_1 = require("./sync");
+async function startGateway(config) {
+    process.on("unhandledRejection", (err) => {
+        console.error("[vengtoo-gateway] unhandled rejection:", err);
+    });
+    const downstreams = await spawnDownstreams(config.servers);
+    const toolIndex = buildToolIndex(downstreams);
+    const audit = new audit_1.AuditForwarder(config);
+    let blockedTools = new Set();
+    (0, sync_1.syncAllServers)(config, downstreams)
+        .then((blocked) => { blockedTools = blocked; })
+        .catch((err) => console.error("[vengtoo-gateway] tool sync warning:", err instanceof Error ? err.message : err));
+    const shutdown = async () => {
+        for (const ds of downstreams) {
+            try {
+                await ds.transport.close();
+            }
+            catch { /* best effort */ }
+        }
+        await audit.shutdown();
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    const server = new index_js_1.Server({ name: "vengtoo-mcp-gateway", version: "0.1.0" }, { capabilities: { tools: {} } });
+    server.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => {
+        const tools = [];
+        for (const ds of downstreams) {
+            for (const tool of ds.tools) {
+                tools.push({
+                    name: qualifiedName(ds.name, tool.name),
+                    description: `[${ds.name}] ${tool.description ?? ""}`.trim(),
+                    inputSchema: tool.inputSchema,
+                });
+            }
+        }
+        return { tools };
+    });
+    server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
+        const fullName = request.params.name;
+        const args = (request.params.arguments ?? {});
+        const requestId = (0, audit_1.generateRequestId)();
+        const entry = toolIndex.get(fullName);
+        if (!entry) {
+            return {
+                content: [{ type: "text", text: `Unknown tool: ${fullName}` }],
+                isError: true,
+            };
+        }
+        if (blockedTools.has(fullName)) {
+            audit.record({
+                requestId,
+                subject: config.subject,
+                tool: fullName,
+                args,
+                allowed: false,
+                reason: "schema drift detected — tool blocked until admin re-approves",
+                latencyMs: 0,
+                timestamp: new Date().toISOString(),
+            });
+            return {
+                content: [{ type: "text", text: `[Vengtoo] Tool "${fullName}" is blocked — schema drift detected. An admin must re-approve this tool in the Vengtoo console.` }],
+                isError: true,
+            };
+        }
+        const start = performance.now();
+        const result = await (0, authorize_1.authorize)(config, config.subject, fullName, args);
+        const latencyMs = Math.round(performance.now() - start);
+        if (!result.allowed) {
+            const reason = result.reason ?? "denied by policy";
+            audit.record({
+                requestId,
+                subject: config.subject,
+                tool: fullName,
+                args,
+                allowed: false,
+                reason,
+                latencyMs,
+                timestamp: new Date().toISOString(),
+            });
+            return {
+                content: [{ type: "text", text: `[Vengtoo] Access denied: tool "${fullName}" was blocked by Vengtoo authorization policy. Reason: ${reason}` }],
+                isError: true,
+            };
+        }
+        try {
+            const result = await entry.downstream.client.callTool({
+                name: entry.originalName,
+                arguments: args,
+            });
+            audit.record({
+                requestId,
+                subject: config.subject,
+                tool: fullName,
+                args,
+                allowed: true,
+                latencyMs,
+                timestamp: new Date().toISOString(),
+            });
+            return result;
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            audit.record({
+                requestId,
+                subject: config.subject,
+                tool: fullName,
+                args,
+                allowed: true,
+                reason: `downstream error: ${message}`,
+                latencyMs,
+                timestamp: new Date().toISOString(),
+            });
+            return {
+                content: [{ type: "text", text: `Downstream server error for "${fullName}": ${message}` }],
+                isError: true,
+            };
+        }
+    });
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    console.error(`[vengtoo-gateway] running — ${downstreams.length} server(s), ${toolIndex.size} tool(s)`);
+}
+exports.startGateway = startGateway;
+async function spawnDownstreams(servers) {
+    const results = [];
+    for (const [name, cfg] of Object.entries(servers)) {
+        console.error(`[vengtoo-gateway] connecting to ${name}: ${cfg.command} ${(cfg.args ?? []).join(" ")}`);
+        const transport = new stdio_js_2.StdioClientTransport({
+            command: cfg.command,
+            args: cfg.args,
+            env: { ...process.env, ...(cfg.env ?? {}) },
+        });
+        const client = new index_js_2.Client({ name: `vengtoo-gateway/${name}`, version: "0.1.0" }, { capabilities: {} });
+        await client.connect(transport);
+        const { tools } = await client.listTools();
+        console.error(`[vengtoo-gateway] ${name}: ${tools.length} tool(s) registered`);
+        results.push({
+            name,
+            client,
+            transport,
+            tools: tools.map((t) => ({
+                name: t.name,
+                description: t.description,
+                inputSchema: t.inputSchema,
+            })),
+        });
+    }
+    return results;
+}
+function buildToolIndex(downstreams) {
+    const index = new Map();
+    for (const ds of downstreams) {
+        for (const tool of ds.tools) {
+            const qn = qualifiedName(ds.name, tool.name);
+            index.set(qn, { downstream: ds, originalName: tool.name });
+        }
+    }
+    return index;
+}
+function qualifiedName(serverName, toolName) {
+    return `${serverName}__${toolName}`;
+}

package/dist/generate-policy.d.ts

@@ -0,0 +1,2 @@
+import type { GatewayConfig } from "./types";
+export declare function generatePolicy(config: GatewayConfig, outputPath: string): Promise<void>;

package/dist/generate-policy.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePolicy = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const utils_1 = require("./utils");
+const classify_1 = require("./classify");
+async function generatePolicy(config, outputPath) {
+    const tools = [];
+    for (const [name, cfg] of Object.entries(config.servers)) {
+        try {
+            const { tools: discovered, transport } = await (0, utils_1.discoverTools)(name, cfg);
+            for (const t of discovered) {
+                tools.push({
+                    ...t,
+                    trust: (0, classify_1.classifyTool)(t.qualifiedName),
+                });
+            }
+            await transport.close();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`[!] Failed to connect to "${name}": ${message}`);
+        }
+    }
+    if (tools.length === 0) {
+        console.error("No tools discovered — cannot generate policy.");
+        process.exit(1);
+    }
+    const rego = buildRego(tools);
+    const dest = (0, path_1.resolve)(outputPath);
+    (0, fs_1.writeFileSync)(dest, rego, "utf-8");
+    const low = tools.filter((t) => t.trust === "low").length;
+    const med = tools.filter((t) => t.trust === "medium").length;
+    const high = tools.filter((t) => t.trust === "high").length;
+    console.log(`Generated trust-classified policy with ${tools.length} tool(s) → ${dest}`);
+    console.log(`  LOW: ${low}  MEDIUM: ${med}  HIGH: ${high}`);
+    console.log(`\nEdit the file to customize which tools to allow or block.`);
+    console.log(`Then start the agent:\n`);
+    console.log(`  vengtoo-agent --policy ${outputPath}\n`);
+    process.exit(0);
+}
+exports.generatePolicy = generatePolicy;
+function buildRego(tools) {
+    const servers = [...new Set(tools.map((t) => t.server))];
+    const lines = [];
+    const now = new Date().toISOString();
+    const total = tools.length;
+    lines.push("# Auto-generated by Vengtoo MCP Gateway");
+    lines.push(`# ${servers.length} server(s), ${total} tool(s) discovered`);
+    lines.push(`# Generated: ${now}`);
+    lines.push("#");
+    lines.push("# Trust levels:");
+    lines.push("#   LOW    — read-only operations, allowed by default");
+    lines.push("#   MEDIUM — write/execute operations, requires explicit subject approval");
+    lines.push("#   HIGH   — destructive operations, blocked by default");
+    lines.push("#");
+    lines.push("# Edit this file to customize your policy.");
+    lines.push("# Run: vengtoo-agent --policy ./policy.rego");
+    lines.push("");
+    lines.push("package vengtoo.mcp");
+    lines.push("");
+    lines.push("default allow := false");
+    const low = tools.filter((t) => t.trust === "low").sort(byName);
+    const medium = tools.filter((t) => t.trust === "medium").sort(byName);
+    const high = tools.filter((t) => t.trust === "high").sort(byName);
+    if (low.length > 0) {
+        lines.push("");
+        lines.push("# ── LOW trust (allowed for all approved agents) ──────────────");
+        lines.push("");
+        for (const t of low) {
+            const warning = toolWarning(t);
+            if (warning)
+                lines.push(`# ${warning}`);
+            lines.push(`allow if {`);
+            lines.push(`    input.resource.name == "${t.qualifiedName}"`);
+            lines.push(`}`);
+            lines.push("");
+        }
+    }
+    if (medium.length > 0) {
+        lines.push("# ── MEDIUM trust (allowed for specific agents) ───────────────");
+        lines.push("# Replace subject values with your actual agent identities");
+        lines.push("");
+        for (const t of medium) {
+            const warning = toolWarning(t);
+            if (warning)
+                lines.push(`# ${warning}`);
+            lines.push(`allow if {`);
+            lines.push(`    input.resource.name == "${t.qualifiedName}"`);
+            lines.push(`    input.subject.id in {"agent:cursor", "agent:claude"}`);
+            lines.push(`}`);
+            lines.push("");
+        }
+    }
+    if (high.length > 0) {
+        lines.push("# ── HIGH trust (blocked by default — uncomment to allow) ─────");
+        lines.push("# DANGER: these are destructive operations.");
+        lines.push("# Uncomment and specify exact subjects before enabling.");
+        lines.push("");
+        for (const t of high) {
+            lines.push(`# allow if {`);
+            lines.push(`#     input.resource.name == "${t.qualifiedName}"`);
+            lines.push(`#     input.subject.id == "agent:claude"  # be explicit`);
+            lines.push(`# }`);
+            lines.push("");
+        }
+    }
+    return lines.join("\n");
+}
+function byName(a, b) {
+    return a.qualifiedName.localeCompare(b.qualifiedName);
+}
+function toolWarning(t) {
+    const name = t.qualifiedName.toLowerCase();
+    if (/execute/.test(name)) {
+        return `WARNING: ${t.qualifiedName} can run destructive operations — review carefully`;
+    }
+    if (/query/.test(name)) {
+        return `WARNING: ${t.qualifiedName} — raw queries can be destructive, consider moving to MEDIUM`;
+    }
+    return null;
+}

package/dist/hash.d.ts

@@ -0,0 +1,7 @@
+export declare function computeToolsHash(tools: Array<{
+    name: string;
+    description?: string;
+    inputSchema: unknown;
+}>): string;
+export declare function hasChanged(serverName: string, currentHash: string): boolean;
+export declare function saveHash(serverName: string, hash: string): void;

package/dist/hash.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.saveHash = exports.hasChanged = exports.computeToolsHash = void 0;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const HASH_DIR = (0, path_1.join)(process.cwd(), ".vengtoo", "hashes");
+function computeToolsHash(tools) {
+    const sorted = [...tools].sort((a, b) => a.name.localeCompare(b.name));
+    const payload = sorted.map((t) => ({
+        name: t.name,
+        description: t.description ?? "",
+        inputSchema: t.inputSchema,
+    }));
+    return (0, crypto_1.createHash)("sha256").update(JSON.stringify(payload)).digest("hex");
+}
+exports.computeToolsHash = computeToolsHash;
+function hasChanged(serverName, currentHash) {
+    const path = hashPath(serverName);
+    if (!(0, fs_1.existsSync)(path))
+        return true;
+    try {
+        return (0, fs_1.readFileSync)(path, "utf-8").trim() !== currentHash;
+    }
+    catch {
+        return true;
+    }
+}
+exports.hasChanged = hasChanged;
+function saveHash(serverName, hash) {
+    if (!(0, fs_1.existsSync)(HASH_DIR)) {
+        (0, fs_1.mkdirSync)(HASH_DIR, { recursive: true });
+    }
+    (0, fs_1.writeFileSync)(hashPath(serverName), hash, "utf-8");
+}
+exports.saveHash = saveHash;
+function hashPath(serverName) {
+    return (0, path_1.join)(HASH_DIR, `${serverName}.hash`);
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { startGateway } from "./gateway";
+export { AuditForwarder } from "./audit";
+export type { GatewayConfig, ServerConfig, AuthorizeResult } from "./types";

package/dist/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditForwarder = exports.startGateway = void 0;
+var gateway_1 = require("./gateway");
+Object.defineProperty(exports, "startGateway", { enumerable: true, get: function () { return gateway_1.startGateway; } });
+var audit_1 = require("./audit");
+Object.defineProperty(exports, "AuditForwarder", { enumerable: true, get: function () { return audit_1.AuditForwarder; } });

package/dist/list-tools.d.ts

@@ -0,0 +1,2 @@
+import type { GatewayConfig } from "./types";
+export declare function listTools(config: GatewayConfig): Promise<void>;

package/dist/list-tools.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listTools = void 0;
+const utils_1 = require("./utils");
+async function listTools(config) {
+    const entries = [];
+    for (const [name, cfg] of Object.entries(config.servers)) {
+        try {
+            const { tools, transport } = await (0, utils_1.discoverTools)(name, cfg);
+            entries.push(...tools);
+            await transport.close();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`[!] Failed to connect to "${name}": ${message}`);
+        }
+    }
+    if (entries.length === 0) {
+        console.log("No tools discovered from downstream servers.");
+        process.exit(0);
+    }
+    console.log(`\nDiscovered ${entries.length} tool(s) across ${Object.keys(config.servers).length} server(s):\n`);
+    console.log("─".repeat(70));
+    let currentServer = "";
+    for (const e of entries) {
+        if (e.server !== currentServer) {
+            currentServer = e.server;
+            console.log(`\n  Server: ${currentServer}`);
+            console.log("  " + "─".repeat(40));
+        }
+        console.log(`\n    ${e.qualifiedName}`);
+        if (e.description) {
+            console.log(`      ${e.description}`);
+        }
+        if (e.inputFields.length > 0) {
+            console.log(`      inputs: ${e.inputFields.join(", ")}`);
+        }
+    }
+    console.log("\n" + "─".repeat(70));
+    console.log("\nUse these qualified names in your Rego policy. Example:\n");
+    console.log("  allow if {");
+    console.log(`      input.resource.name == "${entries[0].qualifiedName}"`);
+    console.log("  }");
+    if (entries[0].inputFields.length > 0) {
+        const field = entries[0].inputFields[0];
+        console.log(`\n  # Access tool arguments via input.resource.attributes.${field}`);
+    }
+    console.log("");
+    process.exit(0);
+}
+exports.listTools = listTools;

package/dist/snapshot.d.ts

@@ -0,0 +1,3 @@
+import type { ServerSnapshot, ToolSnapshot } from "./types";
+export declare function saveSnapshot(serverName: string, tools: ToolSnapshot[], hash: string): void;
+export declare function loadSnapshot(serverName: string): ServerSnapshot | null;

package/dist/snapshot.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadSnapshot = exports.saveSnapshot = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const SNAPSHOT_DIR = (0, path_1.join)(process.cwd(), ".vengtoo", "snapshots");
+function saveSnapshot(serverName, tools, hash) {
+    if (!(0, fs_1.existsSync)(SNAPSHOT_DIR)) {
+        (0, fs_1.mkdirSync)(SNAPSHOT_DIR, { recursive: true });
+    }
+    const snapshot = {
+        server: serverName,
+        hash,
+        tools: [...tools].sort((a, b) => a.name.localeCompare(b.name)),
+        capturedAt: new Date().toISOString(),
+    };
+    (0, fs_1.writeFileSync)(snapshotPath(serverName), JSON.stringify(snapshot, null, 2), "utf-8");
+}
+exports.saveSnapshot = saveSnapshot;
+function loadSnapshot(serverName) {
+    const path = snapshotPath(serverName);
+    if (!(0, fs_1.existsSync)(path))
+        return null;
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(path, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+exports.loadSnapshot = loadSnapshot;
+function snapshotPath(serverName) {
+    return (0, path_1.join)(SNAPSHOT_DIR, `${serverName}.json`);
+}

package/dist/sync.d.ts

@@ -0,0 +1,11 @@
+import type { GatewayConfig } from "./types";
+interface DownstreamLike {
+    name: string;
+    tools: Array<{
+        name: string;
+        description?: string;
+        inputSchema: unknown;
+    }>;
+}
+export declare function syncAllServers(config: GatewayConfig, downstreams: DownstreamLike[]): Promise<Set<string>>;
+export {};

package/dist/sync.js

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.syncAllServers = void 0;
+const classify_1 = require("./classify");
+const hash_1 = require("./hash");
+const snapshot_1 = require("./snapshot");
+const drift_1 = require("./drift");
+const gateway_id_1 = require("./gateway-id");
+const SYNC_TIMEOUT_MS = 10_000;
+const DEFAULT_CLOUD_BASE = "https://api.vengtoo.com";
+async function syncAllServers(config, downstreams) {
+    const gatewayId = (0, gateway_id_1.getOrCreateGatewayId)();
+    const blockedTools = new Set();
+    console.error(`[vengtoo-gateway] gateway id: ${gatewayId}`);
+    for (const ds of downstreams) {
+        const hash = (0, hash_1.computeToolsHash)(ds.tools);
+        const toolSnapshots = ds.tools.map((t) => ({
+            name: t.name,
+            description: t.description ?? "",
+            inputSchema: t.inputSchema,
+        }));
+        let driftEvents = [];
+        const oldSnapshot = (0, snapshot_1.loadSnapshot)(ds.name);
+        if (oldSnapshot && (0, hash_1.hasChanged)(ds.name, hash)) {
+            driftEvents = (0, drift_1.detectDrift)(ds.name, oldSnapshot, toolSnapshots);
+            if (driftEvents.length > 0) {
+                (0, drift_1.logDriftEvents)(driftEvents);
+            }
+        }
+        if (!(0, hash_1.hasChanged)(ds.name, hash) && oldSnapshot) {
+            console.error(`[vengtoo-gateway] tools unchanged for '${ds.name}' — skipping sync`);
+            continue;
+        }
+        const schemas = new Map();
+        const discovered = ds.tools.map((t) => {
+            const qn = `${ds.name}__${t.name}`;
+            schemas.set(qn, t.inputSchema);
+            return {
+                qualifiedName: qn,
+                server: ds.name,
+                originalName: t.name,
+                description: t.description ?? "",
+                inputFields: [],
+            };
+        });
+        const classified = (0, classify_1.classifyTools)(discovered, schemas);
+        if (config.vengtoo.apiKey) {
+            try {
+                const result = await syncToolsToCloud(config, gatewayId, ds.name, classified, hash, driftEvents);
+                if (result) {
+                    (0, hash_1.saveHash)(ds.name, hash);
+                    (0, snapshot_1.saveSnapshot)(ds.name, toolSnapshots, hash);
+                    console.error(`[vengtoo-gateway] synced ${result.synced} tools for '${ds.name}' (${result.created} created, ${result.updated} updated, ${result.unchanged} unchanged)`);
+                    if (result.drifted_count && result.drifted_count > 0) {
+                        console.error(`[vengtoo-gateway] ${result.drifted_count} tool(s) drifted from approved baseline for '${ds.name}'`);
+                    }
+                    if (result.blocked_tools) {
+                        for (const tool of result.blocked_tools) {
+                            blockedTools.add(`${ds.name}__${tool}`);
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                console.error(`[vengtoo-gateway] cloud sync failed for '${ds.name}' — ${msg}`);
+            }
+        }
+        else {
+            (0, hash_1.saveHash)(ds.name, hash);
+            (0, snapshot_1.saveSnapshot)(ds.name, toolSnapshots, hash);
+            if (config.vengtoo.blockOnDrift && driftEvents.length > 0) {
+                for (const e of driftEvents) {
+                    if (e.severity === "CRITICAL") {
+                        blockedTools.add(`${ds.name}__${e.toolName}`);
+                    }
+                }
+                console.error(`[vengtoo-gateway] blockOnDrift enabled — ${blockedTools.size} tool(s) blocked locally`);
+            }
+        }
+    }
+    return blockedTools;
+}
+exports.syncAllServers = syncAllServers;
+async function syncToolsToCloud(config, gatewayId, serverName, tools, hash, driftEvents) {
+    const baseUrl = resolveBaseUrl(config);
+    const url = `${baseUrl}/v1/gateways/${gatewayId}/tools/sync`;
+    const body = {
+        server: serverName,
+        tools: tools.map((t) => ({
+            name: t.originalName,
+            trust: t.trust,
+            description: t.description,
+            schema: t.schema,
+        })),
+        hash,
+        drift_events: driftEvents.length > 0 ? driftEvents : undefined,
+    };
+    const headers = {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+    };
+    const auth = resolveAuth(config);
+    if (auth)
+        headers["Authorization"] = auth;
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), SYNC_TIMEOUT_MS);
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers,
+            body: JSON.stringify(body),
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            const text = await res.text().catch(() => "");
+            console.error(`[vengtoo-gateway] sync returned ${res.status}: ${text}`);
+            return null;
+        }
+        return (await res.json());
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+function resolveBaseUrl(config) {
+    if (config.vengtoo.cloudUrl) {
+        const url = new URL(config.vengtoo.cloudUrl);
+        return `${url.protocol}//${url.host}`;
+    }
+    return DEFAULT_CLOUD_BASE;
+}
+function resolveAuth(config) {
+    if (config.vengtoo.apiKey)
+        return `Bearer ${config.vengtoo.apiKey}`;
+    if (config.vengtoo.clientId && config.vengtoo.clientSecret) {
+        return `Basic ${Buffer.from(`${config.vengtoo.clientId}:${config.vengtoo.clientSecret}`).toString("base64")}`;
+    }
+    return undefined;
+}

package/dist/types.d.ts

@@ -0,0 +1,51 @@
+export interface GatewayConfig {
+    vengtoo: {
+        agentUrl?: string;
+        cloudUrl?: string;
+        apiKey?: string;
+        clientId?: string;
+        clientSecret?: string;
+        timeoutMs?: number;
+        blockOnDrift?: boolean;
+    };
+    subject: string;
+    subjectType?: string;
+    resourceType?: string;
+    servers: Record<string, ServerConfig>;
+    audit?: {
+        forwardUrl?: string;
+        tenantId?: string;
+    };
+}
+export interface ServerConfig {
+    command: string;
+    args?: string[];
+    env?: Record<string, string>;
+}
+export interface AuthorizeResult {
+    allowed: boolean;
+    reason?: string;
+}
+export type DriftSeverity = "CRITICAL" | "WARNING" | "INFO";
+export type DriftChangeType = "tool_removed" | "tool_added" | "parameter_removed" | "parameter_added" | "type_changed" | "description_changed";
+export interface DriftEvent {
+    toolName: string;
+    serverName: string;
+    severity: DriftSeverity;
+    changeType: DriftChangeType;
+    field?: string;
+    oldValue?: unknown;
+    newValue?: unknown;
+    message: string;
+}
+export interface ToolSnapshot {
+    name: string;
+    description: string;
+    inputSchema: unknown;
+}
+export interface ServerSnapshot {
+    server: string;
+    hash: string;
+    tools: ToolSnapshot[];
+    capturedAt: string;
+}

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });