contextguard 0.1.7 → 0.1.8

@@ -319,20 +319,48 @@ class MCPSecurityWrapper {
319
319
  }
320
320
  }
321
321
  handleServerOutput(output) {
322
- // Forward output immediately
323
- process.stdout.write(output);
324
- // Buffer and parse for logging
322
+ // Buffer and parse for security scanning
325
323
  this.serverMessageBuffer += output;
326
324
  const lines = this.serverMessageBuffer.split("\n");
327
325
  this.serverMessageBuffer = lines.pop() || "";
328
326
  for (const line of lines) {
329
327
  if (line.trim()) {
328
+ let shouldForward = true;
330
329
  try {
331
330
  const message = JSON.parse(line);
332
- this.logger.logEvent("SERVER_RESPONSE", "LOW", {
333
- id: message.id,
334
- hasError: !!message.error,
335
- }, this.sessionId);
331
+ // Check for sensitive data in response
332
+ const violations = [];
333
+ const responseStr = JSON.stringify(message.result || message);
334
+ const sensitiveViolations = this.policy.checkSensitiveData(responseStr);
335
+ violations.push(...sensitiveViolations);
336
+ if (violations.length > 0) {
337
+ this.logger.logEvent("SENSITIVE_DATA_LEAK", "CRITICAL", {
338
+ violations,
339
+ responseId: message.id,
340
+ }, this.sessionId);
341
+ console.error(`\n🚨 SENSITIVE DATA DETECTED IN RESPONSE:\n${violations.join("\n")}\n`);
342
+ console.error("🚫 RESPONSE BLOCKED\n");
343
+ // Send sanitized error response instead
344
+ if (message.id !== undefined) {
345
+ const errorResponse = {
346
+ jsonrpc: message.jsonrpc,
347
+ id: message.id,
348
+ error: {
349
+ code: -32001,
350
+ message: "Security violation: Response contains sensitive data",
351
+ data: { violations },
352
+ },
353
+ };
354
+ process.stdout.write(JSON.stringify(errorResponse) + "\n");
355
+ }
356
+ shouldForward = false;
357
+ }
358
+ else {
359
+ this.logger.logEvent("SERVER_RESPONSE", "LOW", {
360
+ id: message.id,
361
+ hasError: !!message.error,
362
+ }, this.sessionId);
363
+ }
336
364
  }
337
365
  catch (err) {
338
366
  // Log parse errors for server output
@@ -341,6 +369,10 @@ class MCPSecurityWrapper {
341
369
  line: line.substring(0, 100),
342
370
  }, this.sessionId);
343
371
  }
372
+ // Forward the line if not blocked
373
+ if (shouldForward) {
374
+ process.stdout.write(line + "\n");
375
+ }
344
376
  }
345
377
  }
346
378
  }
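--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "contextguard",
- "version": "0.1.7",
+ "version": "0.1.8",
  "description": "Security monitoring wrapper for MCP servers",
  "main": "dist/mcp-security-wrapper.js",
  "types": "dist/mcp-security-wrapper.d.ts",
@@ -15,7 +15,8 @@
  "start": "node dist/server.js",
  "dev": "ts-node src/mcp-security-wrapper.ts",
  "test": "jest",
- "lint": "eslint ."
+ "lint": "eslint .",
+ "release": "npm publish & npm install -g contextguard"
  },
  "keywords": [
  "mcp",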
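Review bot: The new `release` script joins its two commands with a single `&`, so in a POSIX shell `npm publish` is backgrounded and `npm install -g contextguard` starts at once, whether or not the publish has finished or succeeded; the global install can then pull the previously published version. Chaining with `&&` makes the install conditional on a successful publish: `"release": "npm publish && npm install -g contextguard"`. The script also publishes without running the build, `lint` or `test` first; unless a `prepublishOnly` hook outside these hunks covers that, gating the publish on them would keep an unbuilt or failing tree out of the registry.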
@@ -427,27 +427,63 @@ class MCPSecurityWrapper {
427
427
  }
428
428
 
429
429
  private handleServerOutput(output: string): void {
430
- // Forward output immediately
431
- process.stdout.write(output);
432
-
433
- // Buffer and parse for logging
430
+ // Buffer and parse for security scanning
434
431
  this.serverMessageBuffer += output;
435
432
  const lines = this.serverMessageBuffer.split("\n");
436
433
  this.serverMessageBuffer = lines.pop() || "";
437
434
 
438
435
  for (const line of lines) {
439
436
  if (line.trim()) {
437
+ let shouldForward = true;
440
438
  try {
441
439
  const message: MCPMessage = JSON.parse(line);
442
- this.logger.logEvent(
443
- "SERVER_RESPONSE",
444
- "LOW",
445
- {
446
- id: message.id,
447
- hasError: !!message.error,
448
- },
449
- this.sessionId
450
- );
440
+
441
+ // Check for sensitive data in response
442
+ const violations: string[] = [];
443
+ const responseStr = JSON.stringify(message.result || message);
444
+ const sensitiveViolations = this.policy.checkSensitiveData(responseStr);
445
+ violations.push(...sensitiveViolations);
446
+
447
+ if (violations.length > 0) {
448
+ this.logger.logEvent(
449
+ "SENSITIVE_DATA_LEAK",
450
+ "CRITICAL",
451
+ {
452
+ violations,
453
+ responseId: message.id,
454
+ },
455
+ this.sessionId
456
+ );
457
+ console.error(
458
+ `\n🚨 SENSITIVE DATA DETECTED IN RESPONSE:\n${violations.join("\n")}\n`
459
+ );
460
+ console.error("🚫 RESPONSE BLOCKED\n");
461
+
462
+ // Send sanitized error response instead
463
+ if (message.id !== undefined) {
464
+ const errorResponse: MCPMessage = {
465
+ jsonrpc: message.jsonrpc,
466
+ id: message.id,
467
+ error: {
468
+ code: -32001,
469
+ message: "Security violation: Response contains sensitive data",
470
+ data: { violations },
471
+ },
472
+ };
473
+ process.stdout.write(JSON.stringify(errorResponse) + "\n");
474
+ }
475
+ shouldForward = false;
476
+ } else {
477
+ this.logger.logEvent(
478
+ "SERVER_RESPONSE",
479
+ "LOW",
480
+ {
481
+ id: message.id,
482
+ hasError: !!message.error,
483
+ },
484
+ this.sessionId
485
+ );
486
+ }
451
487
  } catch (err) {
452
488
  // Log parse errors for server output
453
489
  this.logger.logEvent(
@@ -460,6 +496,11 @@ class MCPSecurityWrapper {
460
496
  this.sessionId
461
497
  );
462
498
  }
499
+
500
+ // Forward the line if not blocked
501
+ if (shouldForward) {
502
+ process.stdout.write(line + "\n");
503
+ }
463
504
  }
464
505
  }
465
506
  }
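Review bot: The new blocking path fails open: `shouldForward` starts as `true` and is not cleared anywhere in the visible part of the `catch` branch, so a line that `JSON.parse` rejects (or on which `checkSensitiveData` throws) is logged and then written to stdout without having been scanned. Scanning the raw line in the `catch` before forwarding would close that gap, e.g. `if (this.policy.checkSensitiveData(line).length > 0) shouldForward = false;`. Separately, the replacement error carries `data: { violations }`, and the same strings go to `console.error` and the logger; if `checkSensitiveData` includes the matched text in its messages (not visible here), the "sanitized" response still discloses it, so returning only a count or rule names would be safer. The `catch` body lies partly between the two hunks, and the compiled `handleServerOutput` at the top of the page carries the same logic.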