defense-mcp-server 0.6.0

Files changed (186)
  1. package/CHANGELOG.md +471 -0
  2. package/LICENSE +21 -0
  3. package/README.md +242 -0
  4. package/build/core/auto-installer.d.ts +102 -0
  5. package/build/core/auto-installer.d.ts.map +1 -0
  6. package/build/core/auto-installer.js +833 -0
  7. package/build/core/backup-manager.d.ts +63 -0
  8. package/build/core/backup-manager.d.ts.map +1 -0
  9. package/build/core/backup-manager.js +189 -0
  10. package/build/core/changelog.d.ts +75 -0
  11. package/build/core/changelog.d.ts.map +1 -0
  12. package/build/core/changelog.js +123 -0
  13. package/build/core/command-allowlist.d.ts +129 -0
  14. package/build/core/command-allowlist.d.ts.map +1 -0
  15. package/build/core/command-allowlist.js +849 -0
  16. package/build/core/config.d.ts +79 -0
  17. package/build/core/config.d.ts.map +1 -0
  18. package/build/core/config.js +193 -0
  19. package/build/core/dependency-validator.d.ts +106 -0
  20. package/build/core/dependency-validator.d.ts.map +1 -0
  21. package/build/core/dependency-validator.js +405 -0
  22. package/build/core/distro-adapter.d.ts +177 -0
  23. package/build/core/distro-adapter.d.ts.map +1 -0
  24. package/build/core/distro-adapter.js +481 -0
  25. package/build/core/distro.d.ts +68 -0
  26. package/build/core/distro.d.ts.map +1 -0
  27. package/build/core/distro.js +457 -0
  28. package/build/core/encrypted-state.d.ts +76 -0
  29. package/build/core/encrypted-state.d.ts.map +1 -0
  30. package/build/core/encrypted-state.js +209 -0
  31. package/build/core/executor.d.ts +56 -0
  32. package/build/core/executor.d.ts.map +1 -0
  33. package/build/core/executor.js +350 -0
  34. package/build/core/installer.d.ts +92 -0
  35. package/build/core/installer.d.ts.map +1 -0
  36. package/build/core/installer.js +1072 -0
  37. package/build/core/logger.d.ts +102 -0
  38. package/build/core/logger.d.ts.map +1 -0
  39. package/build/core/logger.js +132 -0
  40. package/build/core/parsers.d.ts +151 -0
  41. package/build/core/parsers.d.ts.map +1 -0
  42. package/build/core/parsers.js +479 -0
  43. package/build/core/policy-engine.d.ts +170 -0
  44. package/build/core/policy-engine.d.ts.map +1 -0
  45. package/build/core/policy-engine.js +656 -0
  46. package/build/core/preflight.d.ts +157 -0
  47. package/build/core/preflight.d.ts.map +1 -0
  48. package/build/core/preflight.js +638 -0
  49. package/build/core/privilege-manager.d.ts +108 -0
  50. package/build/core/privilege-manager.d.ts.map +1 -0
  51. package/build/core/privilege-manager.js +363 -0
  52. package/build/core/rate-limiter.d.ts +67 -0
  53. package/build/core/rate-limiter.d.ts.map +1 -0
  54. package/build/core/rate-limiter.js +129 -0
  55. package/build/core/rollback.d.ts +73 -0
  56. package/build/core/rollback.d.ts.map +1 -0
  57. package/build/core/rollback.js +278 -0
  58. package/build/core/safeguards.d.ts +58 -0
  59. package/build/core/safeguards.d.ts.map +1 -0
  60. package/build/core/safeguards.js +448 -0
  61. package/build/core/sanitizer.d.ts +118 -0
  62. package/build/core/sanitizer.d.ts.map +1 -0
  63. package/build/core/sanitizer.js +459 -0
  64. package/build/core/secure-fs.d.ts +67 -0
  65. package/build/core/secure-fs.d.ts.map +1 -0
  66. package/build/core/secure-fs.js +143 -0
  67. package/build/core/spawn-safe.d.ts +55 -0
  68. package/build/core/spawn-safe.d.ts.map +1 -0
  69. package/build/core/spawn-safe.js +146 -0
  70. package/build/core/sudo-guard.d.ts +145 -0
  71. package/build/core/sudo-guard.d.ts.map +1 -0
  72. package/build/core/sudo-guard.js +349 -0
  73. package/build/core/sudo-session.d.ts +100 -0
  74. package/build/core/sudo-session.d.ts.map +1 -0
  75. package/build/core/sudo-session.js +319 -0
  76. package/build/core/tool-dependencies.d.ts +61 -0
  77. package/build/core/tool-dependencies.d.ts.map +1 -0
  78. package/build/core/tool-dependencies.js +571 -0
  79. package/build/core/tool-registry.d.ts +111 -0
  80. package/build/core/tool-registry.d.ts.map +1 -0
  81. package/build/core/tool-registry.js +656 -0
  82. package/build/core/tool-wrapper.d.ts +73 -0
  83. package/build/core/tool-wrapper.d.ts.map +1 -0
  84. package/build/core/tool-wrapper.js +296 -0
  85. package/build/index.d.ts +3 -0
  86. package/build/index.d.ts.map +1 -0
  87. package/build/index.js +247 -0
  88. package/build/tools/access-control.d.ts +9 -0
  89. package/build/tools/access-control.d.ts.map +1 -0
  90. package/build/tools/access-control.js +1818 -0
  91. package/build/tools/api-security.d.ts +12 -0
  92. package/build/tools/api-security.d.ts.map +1 -0
  93. package/build/tools/api-security.js +901 -0
  94. package/build/tools/app-hardening.d.ts +11 -0
  95. package/build/tools/app-hardening.d.ts.map +1 -0
  96. package/build/tools/app-hardening.js +768 -0
  97. package/build/tools/backup.d.ts +8 -0
  98. package/build/tools/backup.d.ts.map +1 -0
  99. package/build/tools/backup.js +381 -0
  100. package/build/tools/cloud-security.d.ts +17 -0
  101. package/build/tools/cloud-security.d.ts.map +1 -0
  102. package/build/tools/cloud-security.js +739 -0
  103. package/build/tools/compliance.d.ts +10 -0
  104. package/build/tools/compliance.d.ts.map +1 -0
  105. package/build/tools/compliance.js +1225 -0
  106. package/build/tools/container-security.d.ts +14 -0
  107. package/build/tools/container-security.d.ts.map +1 -0
  108. package/build/tools/container-security.js +788 -0
  109. package/build/tools/deception.d.ts +13 -0
  110. package/build/tools/deception.d.ts.map +1 -0
  111. package/build/tools/deception.js +763 -0
  112. package/build/tools/dns-security.d.ts +93 -0
  113. package/build/tools/dns-security.d.ts.map +1 -0
  114. package/build/tools/dns-security.js +745 -0
  115. package/build/tools/drift-detection.d.ts +8 -0
  116. package/build/tools/drift-detection.d.ts.map +1 -0
  117. package/build/tools/drift-detection.js +326 -0
  118. package/build/tools/ebpf-security.d.ts +15 -0
  119. package/build/tools/ebpf-security.d.ts.map +1 -0
  120. package/build/tools/ebpf-security.js +294 -0
  121. package/build/tools/encryption.d.ts +9 -0
  122. package/build/tools/encryption.d.ts.map +1 -0
  123. package/build/tools/encryption.js +1667 -0
  124. package/build/tools/firewall.d.ts +9 -0
  125. package/build/tools/firewall.d.ts.map +1 -0
  126. package/build/tools/firewall.js +1398 -0
  127. package/build/tools/hardening.d.ts +10 -0
  128. package/build/tools/hardening.d.ts.map +1 -0
  129. package/build/tools/hardening.js +2654 -0
  130. package/build/tools/ids.d.ts +9 -0
  131. package/build/tools/ids.d.ts.map +1 -0
  132. package/build/tools/ids.js +624 -0
  133. package/build/tools/incident-response.d.ts +10 -0
  134. package/build/tools/incident-response.d.ts.map +1 -0
  135. package/build/tools/incident-response.js +1180 -0
  136. package/build/tools/logging.d.ts +12 -0
  137. package/build/tools/logging.d.ts.map +1 -0
  138. package/build/tools/logging.js +454 -0
  139. package/build/tools/malware.d.ts +10 -0
  140. package/build/tools/malware.d.ts.map +1 -0
  141. package/build/tools/malware.js +532 -0
  142. package/build/tools/meta.d.ts +11 -0
  143. package/build/tools/meta.d.ts.map +1 -0
  144. package/build/tools/meta.js +2278 -0
  145. package/build/tools/network-defense.d.ts +12 -0
  146. package/build/tools/network-defense.d.ts.map +1 -0
  147. package/build/tools/network-defense.js +760 -0
  148. package/build/tools/patch-management.d.ts +3 -0
  149. package/build/tools/patch-management.d.ts.map +1 -0
  150. package/build/tools/patch-management.js +708 -0
  151. package/build/tools/process-security.d.ts +12 -0
  152. package/build/tools/process-security.d.ts.map +1 -0
  153. package/build/tools/process-security.js +784 -0
  154. package/build/tools/reporting.d.ts +11 -0
  155. package/build/tools/reporting.d.ts.map +1 -0
  156. package/build/tools/reporting.js +559 -0
  157. package/build/tools/secrets.d.ts +9 -0
  158. package/build/tools/secrets.d.ts.map +1 -0
  159. package/build/tools/secrets.js +596 -0
  160. package/build/tools/siem-integration.d.ts +18 -0
  161. package/build/tools/siem-integration.d.ts.map +1 -0
  162. package/build/tools/siem-integration.js +754 -0
  163. package/build/tools/sudo-management.d.ts +18 -0
  164. package/build/tools/sudo-management.d.ts.map +1 -0
  165. package/build/tools/sudo-management.js +737 -0
  166. package/build/tools/supply-chain-security.d.ts +8 -0
  167. package/build/tools/supply-chain-security.d.ts.map +1 -0
  168. package/build/tools/supply-chain-security.js +256 -0
  169. package/build/tools/threat-intel.d.ts +22 -0
  170. package/build/tools/threat-intel.d.ts.map +1 -0
  171. package/build/tools/threat-intel.js +749 -0
  172. package/build/tools/vulnerability-management.d.ts +11 -0
  173. package/build/tools/vulnerability-management.d.ts.map +1 -0
  174. package/build/tools/vulnerability-management.js +667 -0
  175. package/build/tools/waf.d.ts +12 -0
  176. package/build/tools/waf.d.ts.map +1 -0
  177. package/build/tools/waf.js +843 -0
  178. package/build/tools/wireless-security.d.ts +19 -0
  179. package/build/tools/wireless-security.d.ts.map +1 -0
  180. package/build/tools/wireless-security.js +826 -0
  181. package/build/tools/zero-trust-network.d.ts +8 -0
  182. package/build/tools/zero-trust-network.d.ts.map +1 -0
  183. package/build/tools/zero-trust-network.js +367 -0
  184. package/docs/SAFEGUARDS.md +518 -0
  185. package/docs/TOOLS-REFERENCE.md +665 -0
  186. package/package.json +87 -0
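--- a/package/build/core/preflight.d.ts
+++ b/package/build/core/preflight.d.ts
@@ -0,0 +1,157 @@
+ /**
+ * Pre-flight Validation Engine — orchestrates the complete pre-flight
+ * validation pipeline for MCP tools.
+ *
+ * Before each tool invocation this module:
+ * 1. Resolves the tool's manifest from the {@link ToolRegistry}
+ * 2. Checks binary, Python, npm, library, and file dependencies
+ * 3. Attempts auto-installation of missing deps when enabled
+ * 4. Validates privilege requirements via {@link PrivilegeManager}
+ * 5. Returns a structured {@link PreflightResult} with pass/fail, actionable
+ * messages, and a human-readable summary
+ *
+ * Results are cached for 60 seconds to avoid redundant checks when multiple
+ * tools from the same category are invoked in sequence.
+ *
+ * @module preflight
+ */
+ import { type ToolManifest } from "./tool-registry.js";
+ import { type PrivilegeIssue } from "./privilege-manager.js";
+ export interface PreflightResult {
+ toolName: string;
+ /** Overall pass/fail */
+ passed: boolean;
+ timestamp: number;
+ /** Total pre-flight time in ms */
+ duration: number;
+ dependencies: {
+ /** Everything that was checked */
+ checked: DependencyCheck[];
+ /** Still missing after install attempts */
+ missing: DependencyCheck[];
+ /** Successfully auto-installed */
+ installed: DependencyCheck[];
+ /** Non-fatal dependency issues */
+ warnings: string[];
+ };
+ privileges: {
+ satisfied: boolean;
+ issues: PrivilegeIssue[];
+ recommendations: string[];
+ };
+ safeguards?: {
+ /** Whether the operation is safe */
+ safe: boolean;
+ /** Blocking safety issues (prevent execution) */
+ blockers: string[];
+ /** Non-blocking safety warnings */
+ warnings: string[];
+ /** Applications impacted by the operation */
+ impactedApps: string[];
+ };
+ /** Human-readable summary */
+ summary: string;
+ /** Fatal blocking errors */
+ errors: string[];
+ /** Non-fatal warnings */
+ warnings: string[];
+ }
+ export interface DependencyCheck {
+ name: string;
+ type: "binary" | "python-module" | "npm-package" | "library" | "file";
+ /** true = required, false = optional */
+ required: boolean;
+ found: boolean;
+ autoInstalled?: boolean;
+ installMessage?: string;
+ }
+ /**
+ * Central orchestration engine for the pre-flight validation pipeline.
+ *
+ * Singleton — obtain via {@link PreflightEngine.instance}.
+ *
+ * The main entry point is {@link runPreflight}, which executes the full
+ * dependency → auto-install → privilege check pipeline and returns a
+ * structured {@link PreflightResult}.
+ */
+ export declare class PreflightEngine {
+ private registry;
+ private privilegeManager;
+ private autoInstaller;
+ /**
+ * Dependency cache — keyed by tool name only, 60s TTL.
+ * Covers: binary existence, privilege checks, auto-install results.
+ * Cached regardless of params (dependency results don't depend on runtime params).
+ */
+ private resultCache;
+ private static readonly CACHE_TTL;
+ private static _instance;
+ private constructor();
+ /** Get or create the singleton instance. */
+ static instance(): PreflightEngine;
+ /**
+ * Run the full pre-flight validation pipeline for a tool.
+ *
+ * 1. Check cache — return early for valid passing results
+ * 2. Resolve the tool's manifest from the registry
+ * 3. Check all dependency types (binary, Python, npm, library, file)
+ * 4. Auto-install missing required deps when enabled
+ * 5. Validate privilege requirements (sudo, capabilities)
+ * 6. Determine overall pass/fail and generate summary
+ * 7. Cache and return the result
+ */
+ runPreflight(toolName: string, params?: Record<string, unknown>): Promise<PreflightResult>;
+ /**
+ * Check all dependency types for a tool manifest.
+ *
+ * Checks binaries, Python modules, npm packages, system libraries,
+ * and required files. If any required dependency is missing and
+ * auto-install is enabled, attempts installation via {@link AutoInstaller}.
+ */
+ checkDependencies(manifest: ToolManifest): Promise<PreflightResult["dependencies"]>;
+ /**
+ * Check privilege requirements for a tool manifest.
+ * Delegates to {@link PrivilegeManager.checkForTool}.
+ */
+ checkPrivileges(manifest: ToolManifest): Promise<PreflightResult["privileges"]>;
+ /**
+ * Generate a human-readable summary of the pre-flight result.
+ *
+ * @example Passing
+ * ```
+ * ✅ Pre-flight passed for 'firewall_iptables_list'
+ * Dependencies: 2/2 available (iptables, ip6tables)
+ * Privileges: sudo session active
+ * Ready to execute.
+ * ```
+ *
+ * @example Failing
+ * ```
+ * ❌ Pre-flight FAILED for 'compliance_oscap_scan'
+ * Missing dependencies:
+ * • oscap (binary) — Install with: sudo apt-get install -y libopenscap8
+ * Privilege issues:
+ * • Root access required for OpenSCAP scanning
+ * → Run 'sudo_elevate' tool first to provide credentials
+ * Cannot proceed until issues are resolved.
+ * ```
+ */
+ formatSummary(result: PreflightResult): string;
+ /**
+ * Generate a shorter status message for prepending to tool output.
+ *
+ * - Passed (no issues): `"[pre-flight ✓] All checks passed (2 deps, sudo active)"`
+ * - Passed (warnings): `"[pre-flight ✓] Passed with warnings: optional dep 'nmap' not found"`
+ * - Failed: returns the full error summary from {@link formatSummary}
+ */
+ formatStatusMessage(result: PreflightResult): string;
+ /**
+ * Clear the result cache.
+ * Call after installs, privilege changes, or any event that invalidates
+ * previous pre-flight results.
+ */
+ clearCache(): void;
+ /** Store a result in the cache with TTL. */
+ private cacheResult;
+ }
+ //# sourceMappingURL=preflight.d.ts.map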
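Review bot: The `resultCache` comment says results are keyed by tool name only and cached "regardless of params", yet `PreflightResult` also carries the optional `safeguards` block (`safe`, `blockers`, `impactedApps`), which reads as params-dependent; the declaration should state whether safeguards are re-evaluated on every `runPreflight` call or can be served from a cached passing result. The same comment lists privilege checks as cached for 60 s, so a passing `privileges.satisfied` may outlive a sudo session that ends inside the TTL unless something calls `clearCache()`. I would extend the cache comment with something like `Safeguard checks are never cached and run on every call; callers must invoke clearCache() when the sudo session ends.` if that matches the implementation. The implementation is in preflight.js, outside this section, so both points are inferred from the doc comments alone.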
@@ -0,0 +1 @@
1
+ {"version":3,"file":"preflight.d.ts","sourceRoot":"","sources":["../../src/core/preflight.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,wBAAwB,CAAC;AAehC,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IAGjB,YAAY,EAAE;QACZ,kCAAkC;QAClC,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,2CAA2C;QAC3C,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,kCAAkC;QAClC,SAAS,EAAE,eAAe,EAAE,CAAC;QAC7B,kCAAkC;QAClC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IAGF,UAAU,EAAE;QACV,SAAS,EAAE,OAAO,CAAC;QACnB,MAAM,EAAE,cAAc,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IAGF,UAAU,CAAC,EAAE;QACX,oCAAoC;QACpC,IAAI,EAAE,OAAO,CAAC;QACd,iDAAiD;QACjD,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,mCAAmC;QACnC,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,6CAA6C;QAC7C,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IAEF,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,wCAAwC;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA6ID;;;;;;;;GAQG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,aAAa,CAAgB;IAErC;;;;OAIG;IACH,OAAO,CAAC,WAAW,CAA2D;IAC9E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAU;IAE3C,OAAO,CAAC,MAAM,CAAC,SAAS,CAAgC;IAExD,OAAO;IAOP,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,eAAe;IASlC;;;;;;;;;;OAUG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,eAAe,CAAC;IAmM3B;;;;;;OAMG;IACG,iBAAiB,CACrB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IA0J3C;;;OAGG;IACG,eAAe,CACnB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IAWzC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,aAAa,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;IAoG9C;;;;;;OAMG;IACH,mBAAmB,CAAC,MAAM,EAAE,eA
Ae,GAAG,MAAM;IAiCpD;;;;OAIG;IACH,UAAU,IAAI,IAAI;IAMlB,4CAA4C;IAC5C,OAAO,CAAC,WAAW;CAMpB"}