cbrowser 18.3.9 → 18.3.11

package/dist/security/tool-pinning.js

@@ -0,0 +1,302 @@
+/**
+ * CBrowser - Cognitive Browser Automation
+ * Copyright 2026 Alexandria Eden alexandria.shai.eden@gmail.com
+ * Learn more at https://cbrowser.ai - MIT License
+ */
+/**
+ * Tool Definition Pinning for CBrowser MCP Server
+ *
+ * Provides hash verification for MCP tool definitions to detect tampering.
+ * Creates a manifest of tool hashes on first use and verifies against it
+ * on subsequent uses.
+ *
+ * Security Model:
+ * - Tool definitions (name, description, schema) are hashed on registration
+ * - Hashes are stored in ~/.cbrowser/tool-manifest.json
+ * - On each startup, hashes are verified against the manifest
+ * - Changes are detected and reported (warn-only mode for now)
+ *
+ * Usage:
+ *   import { verifyToolDefinitions } from "./security/tool-pinning.js";
+ *
+ *   const tools = collectToolDefinitions(server);
+ *   const result = verifyToolDefinitions(tools);
+ *   if (result.status === "changed") {
+ *     console.warn("Tool definitions changed:", result.message);
+ *   }
+ */
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { getDataDir } from "../config.js";
+import { VERSION } from "../version.js";
+// ============================================================================
+// Core Functions
+// ============================================================================
+/**
+ * Get the path to the tool manifest file.
+ * Uses ~/.cbrowser/tool-manifest.json by default.
+ */
+export function getManifestPath() {
+    const dataDir = getDataDir();
+    return join(dataDir, "tool-manifest.json");
+}
+/**
+ * Create a SHA-256 hash of a tool definition.
+ *
+ * The hash includes:
+ * - Tool name
+ * - Tool description
+ * - JSON-stringified schema (sorted keys for consistency)
+ *
+ * @param name - Tool name
+ * @param description - Tool description
+ * @param schema - Tool schema object
+ * @returns 64-character hex SHA-256 hash
+ */
+export function hashToolDefinition(name, description, schema) {
+    // Use sorted JSON for consistent hashing
+    const payload = JSON.stringify({
+        name,
+        description,
+        schema: sortObjectKeys(schema),
+    });
+    return createHash("sha256").update(payload).digest("hex");
+}
+/**
+ * Recursively sort object keys for consistent JSON stringification.
+ */
+function sortObjectKeys(obj) {
+    if (obj === null || typeof obj !== "object") {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(sortObjectKeys);
+    }
+    const sorted = {};
+    const keys = Object.keys(obj).sort();
+    for (const key of keys) {
+        sorted[key] = sortObjectKeys(obj[key]);
+    }
+    return sorted;
+}
+/**
+ * Count the number of parameters in a schema.
+ * Assumes top-level keys are parameters.
+ */
+function countParameters(schema) {
+    if (schema === null || typeof schema !== "object") {
+        return 0;
+    }
+    return Object.keys(schema).length;
+}
+/**
+ * Create a new tool manifest from a list of tool definitions.
+ *
+ * @param tools - Array of tool definitions
+ * @returns Complete manifest ready for saving
+ */
+export function createToolManifest(tools) {
+    const now = new Date().toISOString();
+    const toolEntries = {};
+    for (const tool of tools) {
+        toolEntries[tool.name] = {
+            hash: hashToolDefinition(tool.name, tool.description, tool.schema),
+            descriptionLength: tool.description.length,
+            parameterCount: countParameters(tool.schema),
+            pinnedAt: now,
+        };
+    }
+    return {
+        server: "cbrowser",
+        version: VERSION,
+        pinnedAt: now,
+        tools: toolEntries,
+    };
+}
+/**
+ * Load the tool manifest from disk.
+ *
+ * @returns Manifest if it exists and is valid, null otherwise
+ */
+export function loadToolManifest() {
+    const path = getManifestPath();
+    if (!existsSync(path)) {
+        return null;
+    }
+    try {
+        const content = readFileSync(path, "utf-8");
+        const manifest = JSON.parse(content);
+        // Basic validation
+        if (!manifest.server || !manifest.tools) {
+            console.error("[Tool Pinning] Invalid manifest structure");
+            return null;
+        }
+        return manifest;
+    }
+    catch (error) {
+        console.error("[Tool Pinning] Failed to load manifest:", error.message);
+        return null;
+    }
+}
+/**
+ * Save a tool manifest to disk.
+ * Creates the directory if it doesn't exist.
+ *
+ * @param manifest - The manifest to save
+ */
+export function saveToolManifest(manifest) {
+    const path = getManifestPath();
+    const dir = join(path, "..");
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    const content = JSON.stringify(manifest, null, 2);
+    writeFileSync(path, content, "utf-8");
+}
+/**
+ * Verify tool definitions against the pinned manifest.
+ *
+ * Behavior:
+ * - If no manifest exists: Creates one and returns status "created"
+ * - If all hashes match: Returns status "verified"
+ * - If any differences: Returns status "changed" with details
+ *
+ * @param tools - Current tool definitions from MCP server
+ * @returns Verification result
+ */
+export function verifyToolDefinitions(tools) {
+    const existingManifest = loadToolManifest();
+    // No manifest exists - create one
+    if (!existingManifest) {
+        const manifest = createToolManifest(tools);
+        saveToolManifest(manifest);
+        return {
+            status: "created",
+            message: `Tool manifest created with ${tools.length} tools`,
+        };
+    }
+    // Compare current tools against manifest
+    const currentToolNames = new Set(tools.map((t) => t.name));
+    const pinnedToolNames = new Set(Object.keys(existingManifest.tools));
+    const changedTools = [];
+    const newTools = [];
+    const removedTools = [];
+    // Check each current tool
+    for (const tool of tools) {
+        const pinEntry = existingManifest.tools[tool.name];
+        if (!pinEntry) {
+            // Tool exists in current but not in manifest
+            newTools.push(tool.name);
+        }
+        else {
+            // Tool exists in both - verify hash
+            const currentHash = hashToolDefinition(tool.name, tool.description, tool.schema);
+            if (currentHash !== pinEntry.hash) {
+                changedTools.push(tool.name);
+            }
+        }
+    }
+    // Check for removed tools
+    for (const pinnedName of pinnedToolNames) {
+        if (!currentToolNames.has(pinnedName)) {
+            removedTools.push(pinnedName);
+        }
+    }
+    // Determine overall status
+    const hasChanges = changedTools.length > 0 || newTools.length > 0 || removedTools.length > 0;
+    if (!hasChanges) {
+        return {
+            status: "verified",
+            message: `All ${tools.length} tool definitions verified successfully`,
+        };
+    }
+    // Build change message
+    const parts = [];
+    if (changedTools.length > 0) {
+        parts.push(`${changedTools.length} modified: ${changedTools.join(", ")}`);
+    }
+    if (newTools.length > 0) {
+        parts.push(`${newTools.length} new: ${newTools.join(", ")}`);
+    }
+    if (removedTools.length > 0) {
+        parts.push(`${removedTools.length} removed: ${removedTools.join(", ")}`);
+    }
+    return {
+        status: "changed",
+        changedTools: changedTools.length > 0 ? changedTools : undefined,
+        newTools: newTools.length > 0 ? newTools : undefined,
+        removedTools: removedTools.length > 0 ? removedTools : undefined,
+        message: `Tool definition changes detected: ${parts.join("; ")}`,
+    };
+}
+/**
+ * Approve a tool change by updating its hash in the manifest.
+ * Used to re-approve a tool after intentional modification.
+ *
+ * @param toolName - Name of the tool to approve
+ * @param tool - Current tool definition
+ * @throws Error if no manifest exists
+ */
+export function approveToolChange(toolName, tool) {
+    const manifest = loadToolManifest();
+    if (!manifest) {
+        throw new Error("Cannot approve tool change: no manifest exists");
+    }
+    const now = new Date().toISOString();
+    manifest.tools[toolName] = {
+        hash: hashToolDefinition(tool.name, tool.description, tool.schema),
+        descriptionLength: tool.description.length,
+        parameterCount: countParameters(tool.schema),
+        pinnedAt: now,
+    };
+    saveToolManifest(manifest);
+}
+/**
+ * Remove a tool from the manifest.
+ * Used when a tool is intentionally removed.
+ *
+ * @param toolName - Name of the tool to remove
+ * @throws Error if no manifest exists
+ */
+export function removeToolFromManifest(toolName) {
+    const manifest = loadToolManifest();
+    if (!manifest) {
+        throw new Error("Cannot remove tool: no manifest exists");
+    }
+    if (manifest.tools[toolName]) {
+        delete manifest.tools[toolName];
+        saveToolManifest(manifest);
+    }
+}
+/**
+ * Approve all current tools, replacing the entire manifest.
+ * Use with caution - this trusts the current state completely.
+ *
+ * @param tools - Current tool definitions
+ */
+export function approveAllTools(tools) {
+    const manifest = createToolManifest(tools);
+    saveToolManifest(manifest);
+}
+/**
+ * Get a summary of the current manifest for status display.
+ */
+export function getManifestSummary() {
+    const manifest = loadToolManifest();
+    if (!manifest) {
+        return {
+            exists: false,
+            toolCount: 0,
+            version: null,
+            pinnedAt: null,
+        };
+    }
+    return {
+        exists: true,
+        toolCount: Object.keys(manifest.tools).length,
+        version: manifest.version,
+        pinnedAt: manifest.pinnedAt,
+    };
+}
+//# sourceMappingURL=tool-pinning.js.map

package/dist/security/tool-pinning.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-pinning.js","sourceRoot":"","sources":["../../src/security/tool-pinning.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AA+DxC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,OAAO,IAAI,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,WAAmB,EACnB,MAAe;IAEf,yCAAyC;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,IAAI;QACJ,WAAW;QACX,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC;KAC/B,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,EAAE,CAAC;IAChE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,GAAG,cAAc,CAAE,GAA+B,CAAC,GAAG,CAAC,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,MAAe;IACtC,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAiC,CAAC,CAAC,MAAM,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAuB;IACxD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,WAAW,GAAiC,EAAE,CAAC;IAErD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YACvB,IAAI,EAAE,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC;YAClE,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM;YAC1C,cAAc,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;YAC5C,QAAQ,EAAE,GAAG;SACd,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,GAAG;QACb,KAAK,EAAE,WAAW;KACnB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAE/B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAiB,CAAC;QAErD,mBAAmB;QACnB,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAsB;IACrD,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAE7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAClD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAuB;IAC3D,MAAM,gBAAgB,GAAG,gBAAgB,EAAE,CAAC;IAE5C,kCAAkC;IAClC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC3C,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,8BAA8B,KAAK,CAAC,MAAM,QAAQ;SAC5D,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC;IAErE,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,0BAA0B;IAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,6CAA6C;YAC7C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,oCAAoC;YACpC,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACjF,IAAI,WAAW,KAAK,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,KAAK,MAAM,UAAU,IAAI,eAAe,EAAE,CAAC;QACzC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,UAAU,GACd,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IAE5E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,OAAO,KAAK,CAAC,MAAM,yCAAyC;SACtE,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,cAAc,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,SAAS,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,aAAa,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;QAChE,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACpD,YAAY,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;QAChE,OAAO,EAAE,qCAAqC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KACjE,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,IAAoB;IACtE,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IAEpC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG;QACzB,IAAI,EAAE,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC;QAClE,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM;QAC1C,cAAc,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;QAC5C,QAAQ,EAAE,GAAG;KACd,CAAC;IAEF,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IAEpC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAChC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,KAAuB;IACrD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC3C,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAMhC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IAEpC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,MAAM,EAAE,KAAK;YACb,SAAS,EAAE,CAAC;YACZ,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,IAAI;SACf,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,MAAM;QAC7C,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;KAC5B,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -1681,6 +1681,32 @@ export interface AuditEntry {
     persona?: string;
     duration?: number;
 }
+/**
+ * Tool invocation audit entry for MCP tool call logging.
+ * Captures tool name, parameters, timing, and results for security auditing.
+ */
+export interface ToolInvocationEntry {
+    /** ISO timestamp of when the tool was invoked */
+    timestamp: string;
+    /** Current MCP session ID */
+    sessionId: string;
+    /** Unique request ID for this invocation */
+    requestId: string;
+    /** Name of the tool that was invoked */
+    tool: string;
+    /** Parameters passed to the tool (sensitive values redacted) */
+    parameters: Record<string, unknown>;
+    /** Security zone of this action */
+    zone: ActionZone;
+    /** Result status of the invocation */
+    result: "success" | "failure" | "blocked";
+    /** Duration of the tool execution in milliseconds */
+    duration: number;
+    /** Error message if result is failure */
+    error?: string;
+    /** IDs of AuditEntry records triggered by this tool invocation */
+    actionsTriggered: string[];
+}
 export interface StoredCredential {
     site: string;
     username: string;