npm - contextguard - Versions diffs - 0.1.6 → 0.1.8 - Mend

contextguard 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +18 -18
package/SECURITY.md +1 -1
package/dist/mcp-security-wrapper.js +41 -14
package/examples/config/config.json +10 -3
package/package.json +3 -2
package/src/mcp-security-wrapper.ts +56 -20

package/README.md CHANGED Viewed

@@ -5,7 +5,8 @@
 [![npm version](https://badge.fury.io/js/contextguard.svg)](https://www.npmjs.com/package/contextguard)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![npm downloads](https://img.shields.io/npm/dm/contextguard.svg)](https://www.npmjs.com/package/contextguard)
-[![Build Status](https://github.com/amironi/contextguard/workflows/CI/badge.svg)](https://github.com/amironi/contextguard/actions)
+<!-- [![Build Status](https://github.com/amironi/contextguard/workflows/CI/badge.svg)](https://github.com/amironi/contextguard/actions) -->
 ⭐ **Star us on GitHub if you find this useful!** ⭐
@@ -33,19 +34,19 @@
 ## 🚀 Quick Start
-### Installation (CLI - optional)
+### Installation
 ```bash
 npm install -g contextguard
 ```
-### Basic Usage
+### Basic Usage (CLI - optional)
 ```bash
 contextguard --server "node your-mcp-server.js"
 ```
-## Claude Desktop Integration
+### Basic Usage (Claude Desktop)
 Update your Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json`):
@@ -53,8 +54,13 @@ Update your Claude Desktop config (`~/Library/Application Support/Claude/claude_
 {
   "mcpServers": {
     "secured-server": {
-      "command": "npx",
-      "args": ["contextguard", "--server", "node /path/to/your-server.js"]
+      "command": "contextguard",
+      "args": [
+        "--server",
+        "node /path/to/your-server.js",
+        "--config",
+        "/path/to/config.json"
+      ]
     }
   }
 }
@@ -62,7 +68,7 @@ Update your Claude Desktop config (`~/Library/Application Support/Claude/claude_
 **That's it!** Your MCP server is now protected. 🛡️
----
+#### [See Example below: Testing ContextGuard](#-example-testing-contextguard)
 ## ✨ Features
@@ -126,7 +132,7 @@ Create `config.json` for advanced settings:
   "enablePathTraversalPrevention": true,
   "allowedFilePaths": ["/home/user/safe-directory"],
   "logLevel": "info",
-  "logPath": "/var/log/mcp_security.log"
+  "logPath": "/tmp/mcp_security.log"
 }
 ```
@@ -161,7 +167,9 @@ All security events are logged in JSON format:
 }
 ```
-## 🧪 Testing ContextGuard
+---
+## 🧪 Example: Testing ContextGuard
 Want to see the protection in action? Try these tests:
@@ -198,6 +206,7 @@ Create `config.json`:
   "enablePromptInjectionDetection": true,
   "enableSensitiveDataDetection": true,
   "enablePathTraversalPrevention": true,
+  "logPath": "/tmp/mcp_security.log",
   "allowedFilePaths": ["/tmp/safe-directory"],
   "logLevel": "debug"
 }
@@ -285,15 +294,6 @@ We welcome contributions! Here's how to get started:
 6. **Push:** `git push origin feature/amazing-feature`
 7. **Open a Pull Request**
-### Development Setup
-```bash
-git clone https://github.com/amironi/contextguard.git
-cd contextguard
-npm install
-npm run dev
-```
 ---
 ## 📄 License & Support

package/SECURITY.md CHANGED Viewed

@@ -193,7 +193,7 @@ We plan to conduct regular security audits as the project matures.
     "confidential"
   ],
   "logLevel": "info",
-  "logFile": "/var/log/mcp_security.log",
+  "logFile": "/tmp/mcp_security.log",
   "alertWebhook": "https://your-monitoring-service.com/webhook"
 }
 ```

package/dist/mcp-security-wrapper.js CHANGED Viewed

@@ -60,7 +60,7 @@ class SecurityPolicy {
             /(?:password|secret|api[_-]?key|token)\s*[:=]\s*['"]?[\w\-.]+['"]?/gi,
             /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, // Email
             /\b\d{3}-\d{2}-\d{4}\b/g, // SSN
-            /sk-[a-zA-Z0-9]{48}/g, // OpenAI API keys
+            /sk-[a-zA-Z0-9]{20,}/g, // OpenAI API keys (20+ chars)
             /ghp_[a-zA-Z0-9]{36}/g, // GitHub tokens
             /AKIA[0-9A-Z]{16}/g, // AWS Access Keys
         ];
@@ -319,20 +319,48 @@ class MCPSecurityWrapper {
         }
     }
     handleServerOutput(output) {
-        // Forward output immediately
-        process.stdout.write(output);
-        // Buffer and parse for logging
+        // Buffer and parse for security scanning
         this.serverMessageBuffer += output;
         const lines = this.serverMessageBuffer.split("\n");
         this.serverMessageBuffer = lines.pop() || "";
         for (const line of lines) {
             if (line.trim()) {
+                let shouldForward = true;
                 try {
                     const message = JSON.parse(line);
-                    this.logger.logEvent("SERVER_RESPONSE", "LOW", {
-                        id: message.id,
-                        hasError: !!message.error,
-                    }, this.sessionId);
+                    // Check for sensitive data in response
+                    const violations = [];
+                    const responseStr = JSON.stringify(message.result || message);
+                    const sensitiveViolations = this.policy.checkSensitiveData(responseStr);
+                    violations.push(...sensitiveViolations);
+                    if (violations.length > 0) {
+                        this.logger.logEvent("SENSITIVE_DATA_LEAK", "CRITICAL", {
+                            violations,
+                            responseId: message.id,
+                        }, this.sessionId);
+                        console.error(`\n🚨 SENSITIVE DATA DETECTED IN RESPONSE:\n${violations.join("\n")}\n`);
+                        console.error("🚫 RESPONSE BLOCKED\n");
+                        // Send sanitized error response instead
+                        if (message.id !== undefined) {
+                            const errorResponse = {
+                                jsonrpc: message.jsonrpc,
+                                id: message.id,
+                                error: {
+                                    code: -32001,
+                                    message: "Security violation: Response contains sensitive data",
+                                    data: { violations },
+                                },
+                            };
+                            process.stdout.write(JSON.stringify(errorResponse) + "\n");
+                        }
+                        shouldForward = false;
+                    }
+                    else {
+                        this.logger.logEvent("SERVER_RESPONSE", "LOW", {
+                            id: message.id,
+                            hasError: !!message.error,
+                        }, this.sessionId);
+                    }
                 }
                 catch (err) {
                     // Log parse errors for server output
@@ -341,6 +369,10 @@ class MCPSecurityWrapper {
                         line: line.substring(0, 100),
                     }, this.sessionId);
                 }
+                // Forward the line if not blocked
+                if (shouldForward) {
+                    process.stdout.write(line + "\n");
+                }
             }
         }
     }
@@ -353,18 +385,13 @@ async function main() {
 MCP Security Wrapper - MVP
 Usage:
-  npx ts-node mcp-security-wrapper.ts --server "node server.js" [--config security.json]
+  contextguard --server "node server.js" --config config.json
 Options:
   --server <command>    Command to start the MCP server (required)
   --config <file>       Path to security config JSON file (optional)
   --help               Show this help message
-Config file options:
-  logPath: Custom path for security log file (default: ./mcp_security.log)
-Example:
-  npx ts-node mcp-security-wrapper.ts --server "node server.js" --config security.json
     `);
         process.exit(0);
     }

package/examples/config/config.json CHANGED Viewed

@@ -1,12 +1,19 @@
 {
   "maxToolCallsPerMinute": 30,
-  "blockedPatterns": [],
+  "blockedPatterns": [
+    "ignore previous instructions",
+    "system prompt",
+    "confidential"
+  ],
   "allowedFilePaths": [
-    ".",
-    "/tmp/"
+    "/var/app/data",
+    "/home/user/safe-directory"
   ],
   "alertThreshold": 5,
   "enablePromptInjectionDetection": true,
   "enableSensitiveDataDetection": true,
+  "enablePathTraversalPrevention": true,
+  "enableRateLimiting": true,
+  "logLevel": "debug",
   "logPath": "/tmp/mcp_security.log"
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "contextguard",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Security monitoring wrapper for MCP servers",
   "main": "dist/mcp-security-wrapper.js",
   "types": "dist/mcp-security-wrapper.d.ts",
@@ -15,7 +15,8 @@
     "start": "node dist/server.js",
     "dev": "ts-node src/mcp-security-wrapper.ts",
     "test": "jest",
-    "lint": "eslint ."
+    "lint": "eslint .",
+    "release": "npm publish & npm install -g contextguard"
   },
   "keywords": [
     "mcp",

package/src/mcp-security-wrapper.ts CHANGED Viewed

@@ -65,7 +65,7 @@ class SecurityPolicy {
       /(?:password|secret|api[_-]?key|token)\s*[:=]\s*['"]?[\w\-.]+['"]?/gi,
       /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, // Email
       /\b\d{3}-\d{2}-\d{4}\b/g, // SSN
-      /sk-[a-zA-Z0-9]{48}/g, // OpenAI API keys
+      /sk-[a-zA-Z0-9]{20,}/g, // OpenAI API keys (20+ chars)
       /ghp_[a-zA-Z0-9]{36}/g, // GitHub tokens
       /AKIA[0-9A-Z]{16}/g, // AWS Access Keys
     ];
@@ -427,27 +427,63 @@ class MCPSecurityWrapper {
   }
   private handleServerOutput(output: string): void {
-    // Forward output immediately
-    process.stdout.write(output);
-    // Buffer and parse for logging
+    // Buffer and parse for security scanning
     this.serverMessageBuffer += output;
     const lines = this.serverMessageBuffer.split("\n");
     this.serverMessageBuffer = lines.pop() || "";
     for (const line of lines) {
       if (line.trim()) {
+        let shouldForward = true;
         try {
           const message: MCPMessage = JSON.parse(line);
-          this.logger.logEvent(
-            "SERVER_RESPONSE",
-            "LOW",
-            {
-              id: message.id,
-              hasError: !!message.error,
-            },
-            this.sessionId
-          );
+          // Check for sensitive data in response
+          const violations: string[] = [];
+          const responseStr = JSON.stringify(message.result || message);
+          const sensitiveViolations = this.policy.checkSensitiveData(responseStr);
+          violations.push(...sensitiveViolations);
+          if (violations.length > 0) {
+            this.logger.logEvent(
+              "SENSITIVE_DATA_LEAK",
+              "CRITICAL",
+              {
+                violations,
+                responseId: message.id,
+              },
+              this.sessionId
+            );
+            console.error(
+              `\n🚨 SENSITIVE DATA DETECTED IN RESPONSE:\n${violations.join("\n")}\n`
+            );
+            console.error("🚫 RESPONSE BLOCKED\n");
+            // Send sanitized error response instead
+            if (message.id !== undefined) {
+              const errorResponse: MCPMessage = {
+                jsonrpc: message.jsonrpc,
+                id: message.id,
+                error: {
+                  code: -32001,
+                  message: "Security violation: Response contains sensitive data",
+                  data: { violations },
+                },
+              };
+              process.stdout.write(JSON.stringify(errorResponse) + "\n");
+            }
+            shouldForward = false;
+          } else {
+            this.logger.logEvent(
+              "SERVER_RESPONSE",
+              "LOW",
+              {
+                id: message.id,
+                hasError: !!message.error,
+              },
+              this.sessionId
+            );
+          }
         } catch (err) {
           // Log parse errors for server output
           this.logger.logEvent(
@@ -460,6 +496,11 @@ class MCPSecurityWrapper {
             this.sessionId
           );
         }
+        // Forward the line if not blocked
+        if (shouldForward) {
+          process.stdout.write(line + "\n");
+        }
       }
     }
   }
@@ -472,18 +513,13 @@ async function main() {
 MCP Security Wrapper - MVP
 Usage:
-  npx ts-node mcp-security-wrapper.ts --server "node server.js" [--config security.json]
+  contextguard --server "node server.js" --config config.json
 Options:
   --server <command>    Command to start the MCP server (required)
   --config <file>       Path to security config JSON file (optional)
   --help               Show this help message
-Config file options:
-  logPath: Custom path for security log file (default: ./mcp_security.log)
-Example:
-  npx ts-node mcp-security-wrapper.ts --server "node server.js" --config security.json
     `);
     process.exit(0);
   }