@vibekiln/cutline-mcp-cli 0.1.0

package/dist/servers/chunk-OP4EO6FV.js

@@ -0,0 +1,454 @@
+// ../mcp/dist/mcp/src/shared/sanitize.js
+var NULL_AND_CONTROL_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+var HTML_TAG_RE = /<\/?[a-z][^>]*>/gi;
+var SCRIPT_RE = /<script[\s>][\s\S]*?<\/script>/gi;
+var EVENT_HANDLER_RE = /\s+on\w+\s*=\s*["'][^"']*["']/gi;
+function stripControlChars(input) {
+  return input.replace(NULL_AND_CONTROL_RE, "");
+}
+function stripHtmlTags(input) {
+  return input.replace(SCRIPT_RE, "").replace(EVENT_HANDLER_RE, "").replace(HTML_TAG_RE, "");
+}
+var DEFAULT_MAX_LENGTH = 5e4;
+function sanitizeText(input, options = {}) {
+  const { maxLength = DEFAULT_MAX_LENGTH, stripHtml = true } = options;
+  let result = stripControlChars(input);
+  if (stripHtml) {
+    result = stripHtmlTags(result);
+  }
+  result = result.trim();
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeArgs(value, options = {}) {
+  if (typeof value === "string") {
+    return sanitizeText(value, options);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeArgs(item, options));
+  }
+  if (value !== null && typeof value === "object" && !(value instanceof Date)) {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = sanitizeArgs(val, options);
+    }
+    return result;
+  }
+  return value;
+}
+
+// ../mcp/dist/mcp/src/shared/pii-scanner.js
+var patterns = [
+  // ── Secrets ──────────────────────────────────────────────────────────────
+  {
+    type: "aws_key",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: "critical",
+    description: "AWS Access Key ID",
+    validate: (m) => m.length === 20
+  },
+  {
+    type: "aws_secret",
+    pattern: /(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*[A-Za-z0-9/+=]{40}/g,
+    severity: "critical",
+    description: "AWS Secret Access Key"
+  },
+  {
+    type: "stripe_key",
+    pattern: /[sr]k_(live|test)_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    description: "Stripe API key"
+  },
+  {
+    type: "stripe_key",
+    pattern: /pk_(live|test)_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    description: "Stripe publishable key"
+  },
+  {
+    type: "github_token",
+    pattern: /gh[ps]_[A-Za-z0-9]{36,}/g,
+    severity: "critical",
+    description: "GitHub personal access token"
+  },
+  {
+    type: "github_token",
+    pattern: /github_pat_[A-Za-z0-9_]{20,}/g,
+    severity: "critical",
+    description: "GitHub fine-grained personal access token"
+  },
+  {
+    type: "bearer_token",
+    pattern: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g,
+    severity: "critical",
+    description: "Bearer authorization token"
+  },
+  {
+    type: "generic_api_key",
+    pattern: /(?:api[_-]?key|apikey|api[_-]?secret|secret[_-]?key)\s*[=:"']\s*["']?([A-Za-z0-9\-._~+/]{20,})["']?/gi,
+    severity: "warning",
+    description: "Generic API key/secret assignment"
+  },
+  // ── PII ──────────────────────────────────────────────────────────────────
+  {
+    type: "credit_card",
+    pattern: /\b(?:4[0-9]{3}|5[1-5][0-9]{2}|3[47][0-9]{2}|6(?:011|5[0-9]{2}))[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\b/g,
+    severity: "critical",
+    description: "Credit card number (Visa, MC, Amex, Discover)"
+  },
+  {
+    type: "ssn",
+    pattern: /(?:ssn|social\s*security(?:\s*number)?|ss#)\s*(?:number\s*)?[:\s]?\s*(\d{3})-?(\d{2})-?(\d{4})/gi,
+    severity: "critical",
+    description: "US Social Security Number (context-required)",
+    validate: (_m, _full, _idx) => true
+  },
+  {
+    type: "phone_number",
+    pattern: /(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}/g,
+    severity: "warning",
+    description: "US phone number"
+  },
+  {
+    type: "email",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    severity: "info",
+    description: "Email address"
+  }
+];
+var DEFAULT_PATTERNS = Object.freeze(patterns.map((p) => ({ ...p })));
+var REDACT_LABELS = {
+  aws_key: "[AWS_KEY]",
+  aws_secret: "[AWS_SECRET]",
+  stripe_key: "[STRIPE_KEY]",
+  github_token: "[GITHUB_TOKEN]",
+  bearer_token: "[BEARER_TOKEN]",
+  generic_api_key: "[API_KEY]",
+  credit_card: "[CREDIT_CARD]",
+  ssn: "[SSN]",
+  phone_number: "[PHONE]",
+  email: "[EMAIL]"
+};
+function scanForPii(input) {
+  return runScan(input, patterns);
+}
+function runScan(input, defs) {
+  if (!input) {
+    return { matches: [], flags_by_type: {}, scanned_chars: 0, redacted: "" };
+  }
+  const allMatches = [];
+  for (const def of defs) {
+    const re = new RegExp(def.pattern.source, def.pattern.flags);
+    let m;
+    while ((m = re.exec(input)) !== null) {
+      const text = m[0];
+      const start = m.index;
+      const end = start + text.length;
+      if (def.validate && !def.validate(text, input, start)) {
+        continue;
+      }
+      allMatches.push({
+        type: def.type,
+        text,
+        start,
+        end,
+        severity: def.severity
+      });
+    }
+  }
+  allMatches.sort((a, b) => a.start - b.start);
+  const deduped = deduplicateOverlaps(allMatches);
+  const flags_by_type = {};
+  for (const match of deduped) {
+    flags_by_type[match.type] = (flags_by_type[match.type] || 0) + 1;
+  }
+  const redacted = buildRedacted(input, deduped);
+  return {
+    matches: deduped,
+    flags_by_type,
+    scanned_chars: input.length,
+    redacted
+  };
+}
+function deduplicateOverlaps(sorted) {
+  if (sorted.length <= 1)
+    return sorted;
+  const severityRank = {
+    critical: 3,
+    warning: 2,
+    info: 1
+  };
+  const result = [sorted[0]];
+  for (let i = 1; i < sorted.length; i++) {
+    const prev = result[result.length - 1];
+    const curr = sorted[i];
+    if (curr.start < prev.end) {
+      const prevRank = severityRank[prev.severity];
+      const currRank = severityRank[curr.severity];
+      if (currRank > prevRank || currRank === prevRank && curr.end - curr.start > prev.end - prev.start) {
+        result[result.length - 1] = curr;
+      }
+    } else {
+      result.push(curr);
+    }
+  }
+  return result;
+}
+function buildRedacted(input, matches) {
+  if (matches.length === 0)
+    return input;
+  const parts = [];
+  let cursor = 0;
+  for (const match of matches) {
+    if (match.start > cursor) {
+      parts.push(input.slice(cursor, match.start));
+    }
+    parts.push(REDACT_LABELS[match.type] || `[${match.type.toUpperCase()}]`);
+    cursor = match.end;
+  }
+  if (cursor < input.length) {
+    parts.push(input.slice(cursor));
+  }
+  return parts.join("");
+}
+
+// ../mcp/dist/mcp/src/shared/boundary-guard.js
+var DEFAULT_OPTS = { stripHtml: false, maxLength: 1e5 };
+function guardBoundary(toolName, rawArgs, opts = DEFAULT_OPTS) {
+  const args = sanitizeArgs(rawArgs, opts);
+  const piiResults = [];
+  for (const [key, val] of Object.entries(args)) {
+    if (typeof val === "string" && val.length > 0) {
+      const scan = scanForPii(val);
+      if (scan.matches.length > 0) {
+        piiResults.push({ field: key, result: scan });
+        auditLog("pii_detected", "tool_call", toolName, {
+          field: key,
+          flags_by_type: scan.flags_by_type,
+          match_count: scan.matches.length,
+          scanned_chars: scan.scanned_chars
+        });
+      }
+    }
+  }
+  return {
+    args,
+    piiDetected: piiResults.length > 0,
+    piiResults
+  };
+}
+function guardOutput(toolName, response) {
+  let totalRedactions = 0;
+  const content = response.content.map((block) => {
+    if (block.type !== "text" || !block.text)
+      return block;
+    const scan = scanForPii(block.text);
+    if (scan.matches.length === 0)
+      return block;
+    totalRedactions += scan.matches.length;
+    return { ...block, text: scan.redacted };
+  });
+  if (totalRedactions > 0) {
+    auditLog("secret_in_output", "tool_response", toolName, {
+      redaction_count: totalRedactions
+    });
+  }
+  return {
+    ...response,
+    content,
+    _secretsRedacted: totalRedactions > 0,
+    _redactionCount: totalRedactions
+  };
+}
+function auditLog(eventType, resourceType, resourceId, data) {
+  console.error(JSON.stringify({
+    audit: true,
+    severity: "INFO",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    eventType,
+    resourceType,
+    resourceId,
+    data
+  }));
+}
+
+// ../mcp/dist/mcp/src/shared/perf-tracker.js
+var PerfTracker = class {
+  entries = /* @__PURE__ */ new Map();
+  windowMs;
+  failureAlertThreshold;
+  onFailureAlert;
+  latencyThresholds;
+  maxEntriesPerTool;
+  startedAt = Date.now();
+  alertActive = false;
+  constructor(options = {}) {
+    this.windowMs = options.windowMs ?? 5 * 60 * 1e3;
+    this.failureAlertThreshold = options.failureAlertThreshold ?? 0.05;
+    this.onFailureAlert = options.onFailureAlert;
+    this.latencyThresholds = options.latencyThresholds ?? [];
+    this.maxEntriesPerTool = options.maxEntriesPerTool ?? 1e4;
+  }
+  record(tool, latencyMs, success) {
+    if (!this.entries.has(tool)) {
+      this.entries.set(tool, []);
+    }
+    const bucket = this.entries.get(tool);
+    bucket.push({ timestamp: Date.now(), latencyMs, success });
+    if (bucket.length > this.maxEntriesPerTool) {
+      bucket.splice(0, bucket.length - this.maxEntriesPerTool);
+    }
+    this.checkFailureAlert();
+  }
+  getToolMetrics(tool) {
+    const active = this.getActiveEntries(tool);
+    if (!active || active.length === 0)
+      return void 0;
+    return this.computeMetrics(active);
+  }
+  getSnapshot() {
+    const tools = {};
+    let totalCalls = 0;
+    let totalFailures = 0;
+    for (const tool of this.entries.keys()) {
+      const active = this.getActiveEntries(tool);
+      if (active.length === 0)
+        continue;
+      const metrics = this.computeMetrics(active);
+      tools[tool] = metrics;
+      totalCalls += metrics.totalCalls;
+      totalFailures += metrics.failureCount;
+    }
+    return {
+      tools,
+      totalCalls,
+      globalFailureRate: totalCalls > 0 ? totalFailures / totalCalls : 0,
+      uptimeMs: Date.now() - this.startedAt,
+      windowMs: this.windowMs
+    };
+  }
+  getThresholdBreaches() {
+    const breaches = [];
+    for (const threshold of this.latencyThresholds) {
+      const metrics = this.getToolMetrics(threshold.tool);
+      if (!metrics)
+        continue;
+      const actual = metrics[threshold.percentile];
+      if (actual > threshold.maxMs) {
+        breaches.push({ ...threshold, actual });
+      }
+    }
+    return breaches;
+  }
+  // ═════════════════════════════════════════════════════════════════════════════
+  // INTERNALS
+  // ═════════════════════════════════════════════════════════════════════════════
+  getActiveEntries(tool) {
+    const bucket = this.entries.get(tool);
+    if (!bucket)
+      return [];
+    const cutoff = Date.now() - this.windowMs;
+    const active = bucket.filter((e) => e.timestamp >= cutoff);
+    this.entries.set(tool, active);
+    return active;
+  }
+  computeMetrics(entries) {
+    const latencies = entries.map((e) => e.latencyMs).sort((a, b) => a - b);
+    const successCount = entries.filter((e) => e.success).length;
+    const failureCount = entries.length - successCount;
+    const sum = latencies.reduce((a, b) => a + b, 0);
+    return {
+      totalCalls: entries.length,
+      successCount,
+      failureCount,
+      failureRate: entries.length > 0 ? failureCount / entries.length : 0,
+      p50: percentile(latencies, 0.5),
+      p95: percentile(latencies, 0.95),
+      p99: percentile(latencies, 0.99),
+      avgMs: Math.round(sum / entries.length),
+      minMs: latencies[0],
+      maxMs: latencies[latencies.length - 1]
+    };
+  }
+  checkFailureAlert() {
+    const snap = this.getSnapshot();
+    if (snap.totalCalls === 0)
+      return;
+    if (snap.globalFailureRate > this.failureAlertThreshold) {
+      if (!this.alertActive) {
+        this.alertActive = true;
+        auditLog2("perf_failure_alert", snap);
+        this.onFailureAlert?.(snap);
+      }
+    } else {
+      this.alertActive = false;
+    }
+  }
+};
+function percentile(sorted, p) {
+  if (sorted.length === 0)
+    return 0;
+  if (sorted.length === 1)
+    return sorted[0];
+  const idx = (sorted.length - 1) * p;
+  const lo = Math.floor(idx);
+  const hi = Math.ceil(idx);
+  if (lo === hi)
+    return sorted[lo];
+  return sorted[lo] + (sorted[hi] - sorted[lo]) * (idx - lo);
+}
+function auditLog2(eventType, snapshot) {
+  const toolSummary = {};
+  for (const [tool, m] of Object.entries(snapshot.tools)) {
+    toolSummary[tool] = { calls: m.totalCalls, failRate: m.failureRate, p95: m.p95 };
+  }
+  console.error(JSON.stringify({
+    audit: true,
+    severity: "ERROR",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    eventType,
+    resourceType: "mcp_perf",
+    data: {
+      globalFailureRate: snapshot.globalFailureRate,
+      totalCalls: snapshot.totalCalls,
+      tools: toolSummary
+    }
+  }));
+}
+
+// ../mcp/dist/mcp/src/shared/perf-tracker-instance.js
+var LATENCY_THRESHOLDS = [
+  { tool: "exploration_start", percentile: "p99", maxMs: 500 },
+  { tool: "discovery_start", percentile: "p99", maxMs: 500 },
+  { tool: "constraints_query", percentile: "p95", maxMs: 800 },
+  { tool: "constraints_semantic_query", percentile: "p95", maxMs: 800 },
+  { tool: "template_discover", percentile: "p95", maxMs: 500 },
+  { tool: "template_list", percentile: "p95", maxMs: 500 }
+];
+var perfTracker = new PerfTracker({
+  windowMs: 5 * 60 * 1e3,
+  failureAlertThreshold: 0.05,
+  latencyThresholds: LATENCY_THRESHOLDS,
+  maxEntriesPerTool: 5e3
+});
+async function withPerfTracking(toolName, fn) {
+  const start = Date.now();
+  let success = true;
+  try {
+    return await fn();
+  } catch (err) {
+    success = false;
+    throw err;
+  } finally {
+    perfTracker.record(toolName, Date.now() - start, success);
+  }
+}
+
+export {
+  guardBoundary,
+  guardOutput,
+  perfTracker,
+  withPerfTracking
+};