data-compliance-mcp 1.0.15 → 1.0.18

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [1.0.18] - 2026-06-15
+- feat: add hold_reason, retry_after, escalation_path to REDACT_BEFORE_PASSING, DO_NOT_STORE, ESCALATE responses in validate_data_safety
+
+## [1.0.17] - 2026-06-15
+- feat: reposition tool descriptions for agentic payment rail discovery -- Stripe MPP, Alipay AI Pay, Shopify UCP framing across all 3 tools and initialize description
+
+## [1.0.16] - 2026-06-11
+- feat: add /.well-known/mcp/server-card.json static metadata endpoint
+
 ## [1.0.15] - 2026-06-11
 - fix: bump version past existing npm publish (1.0.14 already on registry)
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "data-compliance-mcp",
   "mcpName": "io.github.OjasKord/data-compliance-mcp",
-  "version": "1.0.15",
+  "version": "1.0.18",
   "description": "Data safety classifier for AI agents. GDPR, HIPAA, PCI-DSS compliance before your agent stores or shares any payload. SAFE/ESCALATE verdict in one call.",
   "main": "src/server.js",
   "scripts": {

package/src/server.js

@@ -3,7 +3,7 @@ const https = require('https');
 const crypto = require('crypto');
 const fs = require('fs');
 
-const VERSION = '1.0.15';
+const VERSION = '1.0.18';
 const PERSIST_FILE = '/tmp/datacompliance_stats.json';
 const API_KEYS_FILE = '/tmp/datacompliance_apikeys.json';
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
@@ -408,7 +408,7 @@ const tools = [
   {
     name: 'validate_data_safety',
     idempotent: true,
-    description: 'Call this BEFORE your agent passes any data payload to an external API, stores it in a database, or transmits it to any third-party service — at the moment a payload is assembled and external transmission has not yet occurred. Returns SAFE_TO_PROCESS/REDACT_BEFORE_PASSING/DO_NOT_STORE/ESCALATE verdict against GDPR, HIPAA, PCI-DSS, CCPA, and 7 other frameworks. Unclassified sensitive data transmitted to an external endpoint creates unrecoverable regulatory exposure. Call get_safety_report next if verdict is not SAFE_TO_PROCESS.',
+    description: 'Call this BEFORE your agent passes any assembled payload to an external API, writes it to a database, or transmits it via any third-party service -- at the moment the payload is assembled and no external call has been made, including any Stripe MPP, Alipay AI Pay, Shopify UCP, or third-party API call. Returns SAFE_TO_PROCESS / REDACT_BEFORE_PASSING / DO_NOT_STORE / ESCALATE verdict against GDPR, HIPAA, PCI-DSS, CCPA, and 7 other frameworks. Unclassified sensitive data transmitted to an external endpoint creates unrecoverable regulatory exposure with no notification path. Call get_safety_report next if verdict is not SAFE_TO_PROCESS. Returns machine-ready verdict, no further analysis needed.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -423,7 +423,7 @@ const tools = [
   {
     name: 'get_safety_report',
     idempotent: true,
-    description: 'Call this BEFORE your agent decides whether to proceed, redact, or halt — immediately after validate_data_safety returns REDACT_BEFORE_PASSING, DO_NOT_STORE, or ESCALATE. Returns the specific regulation triggered, exact fields that are problematic, redaction strategy, and a compliance-safe reformulation your agent can use instead. Do not proceed with the original payload after a non-SAFE verdict without first running this tool.',
+    description: 'Call this BEFORE your agent decides whether to proceed, redact, or halt -- immediately after validate_data_safety returns REDACT_BEFORE_PASSING, DO_NOT_STORE, or ESCALATE. Returns the specific regulation triggered, exact fields that are problematic, redaction strategy, and a compliant reformulation your agent can transmit instead. Do not proceed with the original payload after a non-SAFE verdict without running this tool first.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -440,7 +440,7 @@ const tools = [
   {
     name: 'validate_data_safety_lite',
     idempotent: true,
-    description: 'Call this BEFORE screening high volumes of payloads when pattern detection is sufficient and AI classification is not required. Returns SAFE_TO_PROCESS/REVIEW_REQUIRED in under 100ms — no AI call, no IP check, no credential lookup. Use to pre-screen large batches before selectively running validate_data_safety on flagged payloads. Do not use as a substitute for validate_data_safety before storing or transmitting data in regulated environments.',
+    description: 'Call this BEFORE pre-screening high-volume payloads when pattern detection is sufficient and AI classification is not required. Returns SAFE_TO_PROCESS / REVIEW_REQUIRED in under 100ms -- no AI, no IP check, no jurisdiction lookup. Use to filter large batches before selectively running validate_data_safety on flagged payloads. Do not use as a substitute for validate_data_safety before storing or transmitting data in regulated environments.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -589,6 +589,20 @@ async function executeTool(name, args, tier) {
       result.redaction_targets = classification.redaction_targets;
     }
 
+    if (['REDACT_BEFORE_PASSING', 'DO_NOT_STORE', 'ESCALATE'].includes(result.verdict)) {
+      const primaryCategory = classification.detected_categories && classification.detected_categories.length > 0
+        ? classification.detected_categories[0] + ' data detected in payload'
+        : 'Sensitive data detected in payload requiring compliance action';
+      result.hold_reason = primaryCategory;
+      result.retry_after = null;
+      if (result.verdict === 'REDACT_BEFORE_PASSING') {
+        result.escalation_path = 'Redact the sensitive fields, then resubmit the payload to validate_data_safety before proceeding';
+      } else if (result.verdict === 'DO_NOT_STORE') {
+        result.escalation_path = 'Use data transiently only -- do not write to any persistent storage or cache';
+      } else {
+        result.escalation_path = 'Halt processing and escalate to human compliance officer -- this data requires explicit authorisation before any use';
+      }
+    }
     result.token_count = Math.ceil(JSON.stringify(result).length / 4);
     return result;
   }
@@ -949,7 +963,7 @@ const server = http.createServer(async (req, res) => {
 
   if (req.url === '/.well-known/mcp/server-card.json') {
     res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ name: 'data-compliance-mcp', version: VERSION, description: 'Classify data safety before your agent stores or shares it. GDPR, HIPAA, PCI-DSS. Free tier: 20/month.', tools: tools.map(t => ({ name: t.name, description: t.description.slice(0, 100) })), transport: 'streamable-http', homepage: 'https://kordagencies.com', author: 'ojas1', token_footprint_min: 238, token_footprint_max: 2000, token_footprint_avg: 709, idempotent_tools: ['validate_data_safety', 'get_safety_report', 'validate_data_safety_lite'], circuit_breaker: false, health_endpoint: '/health', ready_endpoint: '/ready' }));
+    res.end(JSON.stringify({ serverInfo: { name: 'data-compliance-mcp', version: VERSION }, tools: tools.map(t => ({ name: t.name, description: t.description.slice(0, 150) })), resources: [], prompts: [] }));
     return;
   }
 
@@ -1109,7 +1123,7 @@ const server = http.createServer(async (req, res) => {
         let response;
 
         if (request.method === 'initialize') {
-          response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'data-compliance-mcp', version: VERSION, description: 'Every agent that processes user input and calls external APIs is a potential data exfiltration risk. This server sits at the infrastructure layer -- before any external call -- classifying content against GDPR, HIPAA, PCI-DSS, CCPA, and 6 other frameworks. One call tells your agent whether the payload is safe to send, and exactly what to do if it is not.' } } };
+          response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'data-compliance-mcp', version: VERSION, description: 'Every agent that processes user input or assembles outbound API payloads has a moment where it must decide whether the data is safe to transmit. This server answers that question in one call -- returning a machine-ready SAFE_TO_PROCESS / REDACT / HALT verdict against GDPR, HIPAA, PCI-DSS, CCPA, and 6 other frameworks. Used before any external API call, database write, or third-party transmission.' } } };
         } else if (request.method === 'notifications/initialized') {
           res.writeHead(204, cors); res.end(); return;
         } else if (request.method === 'tools/list') {
@@ -1191,7 +1205,7 @@ function setupStdio() {
       try { req = JSON.parse(line); } catch(e) { return; }
       let response;
       if (req.method === 'initialize') {
-        response = { jsonrpc: '2.0', id: req.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'data-compliance-mcp', version: VERSION, description: 'Every agent that processes user input and calls external APIs is a potential data exfiltration risk. This server sits at the infrastructure layer -- before any external call -- classifying content against GDPR, HIPAA, PCI-DSS, CCPA, and 6 other frameworks. One call tells your agent whether the payload is safe to send, and exactly what to do if it is not.' } } };
+        response = { jsonrpc: '2.0', id: req.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'data-compliance-mcp', version: VERSION, description: 'Every agent that processes user input or assembles outbound API payloads has a moment where it must decide whether the data is safe to transmit. This server answers that question in one call -- returning a machine-ready SAFE_TO_PROCESS / REDACT / HALT verdict against GDPR, HIPAA, PCI-DSS, CCPA, and 6 other frameworks. Used before any external API call, database write, or third-party transmission.' } } };
       } else if (req.method === 'notifications/initialized') {
         return;
       } else if (req.method === 'tools/list') {