defense-mcp-server 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +471 -0
- package/LICENSE +21 -0
- package/README.md +242 -0
- package/build/core/auto-installer.d.ts +102 -0
- package/build/core/auto-installer.d.ts.map +1 -0
- package/build/core/auto-installer.js +833 -0
- package/build/core/backup-manager.d.ts +63 -0
- package/build/core/backup-manager.d.ts.map +1 -0
- package/build/core/backup-manager.js +189 -0
- package/build/core/changelog.d.ts +75 -0
- package/build/core/changelog.d.ts.map +1 -0
- package/build/core/changelog.js +123 -0
- package/build/core/command-allowlist.d.ts +129 -0
- package/build/core/command-allowlist.d.ts.map +1 -0
- package/build/core/command-allowlist.js +849 -0
- package/build/core/config.d.ts +79 -0
- package/build/core/config.d.ts.map +1 -0
- package/build/core/config.js +193 -0
- package/build/core/dependency-validator.d.ts +106 -0
- package/build/core/dependency-validator.d.ts.map +1 -0
- package/build/core/dependency-validator.js +405 -0
- package/build/core/distro-adapter.d.ts +177 -0
- package/build/core/distro-adapter.d.ts.map +1 -0
- package/build/core/distro-adapter.js +481 -0
- package/build/core/distro.d.ts +68 -0
- package/build/core/distro.d.ts.map +1 -0
- package/build/core/distro.js +457 -0
- package/build/core/encrypted-state.d.ts +76 -0
- package/build/core/encrypted-state.d.ts.map +1 -0
- package/build/core/encrypted-state.js +209 -0
- package/build/core/executor.d.ts +56 -0
- package/build/core/executor.d.ts.map +1 -0
- package/build/core/executor.js +350 -0
- package/build/core/installer.d.ts +92 -0
- package/build/core/installer.d.ts.map +1 -0
- package/build/core/installer.js +1072 -0
- package/build/core/logger.d.ts +102 -0
- package/build/core/logger.d.ts.map +1 -0
- package/build/core/logger.js +132 -0
- package/build/core/parsers.d.ts +151 -0
- package/build/core/parsers.d.ts.map +1 -0
- package/build/core/parsers.js +479 -0
- package/build/core/policy-engine.d.ts +170 -0
- package/build/core/policy-engine.d.ts.map +1 -0
- package/build/core/policy-engine.js +656 -0
- package/build/core/preflight.d.ts +157 -0
- package/build/core/preflight.d.ts.map +1 -0
- package/build/core/preflight.js +638 -0
- package/build/core/privilege-manager.d.ts +108 -0
- package/build/core/privilege-manager.d.ts.map +1 -0
- package/build/core/privilege-manager.js +363 -0
- package/build/core/rate-limiter.d.ts +67 -0
- package/build/core/rate-limiter.d.ts.map +1 -0
- package/build/core/rate-limiter.js +129 -0
- package/build/core/rollback.d.ts +73 -0
- package/build/core/rollback.d.ts.map +1 -0
- package/build/core/rollback.js +278 -0
- package/build/core/safeguards.d.ts +58 -0
- package/build/core/safeguards.d.ts.map +1 -0
- package/build/core/safeguards.js +448 -0
- package/build/core/sanitizer.d.ts +118 -0
- package/build/core/sanitizer.d.ts.map +1 -0
- package/build/core/sanitizer.js +459 -0
- package/build/core/secure-fs.d.ts +67 -0
- package/build/core/secure-fs.d.ts.map +1 -0
- package/build/core/secure-fs.js +143 -0
- package/build/core/spawn-safe.d.ts +55 -0
- package/build/core/spawn-safe.d.ts.map +1 -0
- package/build/core/spawn-safe.js +146 -0
- package/build/core/sudo-guard.d.ts +145 -0
- package/build/core/sudo-guard.d.ts.map +1 -0
- package/build/core/sudo-guard.js +349 -0
- package/build/core/sudo-session.d.ts +100 -0
- package/build/core/sudo-session.d.ts.map +1 -0
- package/build/core/sudo-session.js +319 -0
- package/build/core/tool-dependencies.d.ts +61 -0
- package/build/core/tool-dependencies.d.ts.map +1 -0
- package/build/core/tool-dependencies.js +571 -0
- package/build/core/tool-registry.d.ts +111 -0
- package/build/core/tool-registry.d.ts.map +1 -0
- package/build/core/tool-registry.js +656 -0
- package/build/core/tool-wrapper.d.ts +73 -0
- package/build/core/tool-wrapper.d.ts.map +1 -0
- package/build/core/tool-wrapper.js +296 -0
- package/build/index.d.ts +3 -0
- package/build/index.d.ts.map +1 -0
- package/build/index.js +247 -0
- package/build/tools/access-control.d.ts +9 -0
- package/build/tools/access-control.d.ts.map +1 -0
- package/build/tools/access-control.js +1818 -0
- package/build/tools/api-security.d.ts +12 -0
- package/build/tools/api-security.d.ts.map +1 -0
- package/build/tools/api-security.js +901 -0
- package/build/tools/app-hardening.d.ts +11 -0
- package/build/tools/app-hardening.d.ts.map +1 -0
- package/build/tools/app-hardening.js +768 -0
- package/build/tools/backup.d.ts +8 -0
- package/build/tools/backup.d.ts.map +1 -0
- package/build/tools/backup.js +381 -0
- package/build/tools/cloud-security.d.ts +17 -0
- package/build/tools/cloud-security.d.ts.map +1 -0
- package/build/tools/cloud-security.js +739 -0
- package/build/tools/compliance.d.ts +10 -0
- package/build/tools/compliance.d.ts.map +1 -0
- package/build/tools/compliance.js +1225 -0
- package/build/tools/container-security.d.ts +14 -0
- package/build/tools/container-security.d.ts.map +1 -0
- package/build/tools/container-security.js +788 -0
- package/build/tools/deception.d.ts +13 -0
- package/build/tools/deception.d.ts.map +1 -0
- package/build/tools/deception.js +763 -0
- package/build/tools/dns-security.d.ts +93 -0
- package/build/tools/dns-security.d.ts.map +1 -0
- package/build/tools/dns-security.js +745 -0
- package/build/tools/drift-detection.d.ts +8 -0
- package/build/tools/drift-detection.d.ts.map +1 -0
- package/build/tools/drift-detection.js +326 -0
- package/build/tools/ebpf-security.d.ts +15 -0
- package/build/tools/ebpf-security.d.ts.map +1 -0
- package/build/tools/ebpf-security.js +294 -0
- package/build/tools/encryption.d.ts +9 -0
- package/build/tools/encryption.d.ts.map +1 -0
- package/build/tools/encryption.js +1667 -0
- package/build/tools/firewall.d.ts +9 -0
- package/build/tools/firewall.d.ts.map +1 -0
- package/build/tools/firewall.js +1398 -0
- package/build/tools/hardening.d.ts +10 -0
- package/build/tools/hardening.d.ts.map +1 -0
- package/build/tools/hardening.js +2654 -0
- package/build/tools/ids.d.ts +9 -0
- package/build/tools/ids.d.ts.map +1 -0
- package/build/tools/ids.js +624 -0
- package/build/tools/incident-response.d.ts +10 -0
- package/build/tools/incident-response.d.ts.map +1 -0
- package/build/tools/incident-response.js +1180 -0
- package/build/tools/logging.d.ts +12 -0
- package/build/tools/logging.d.ts.map +1 -0
- package/build/tools/logging.js +454 -0
- package/build/tools/malware.d.ts +10 -0
- package/build/tools/malware.d.ts.map +1 -0
- package/build/tools/malware.js +532 -0
- package/build/tools/meta.d.ts +11 -0
- package/build/tools/meta.d.ts.map +1 -0
- package/build/tools/meta.js +2278 -0
- package/build/tools/network-defense.d.ts +12 -0
- package/build/tools/network-defense.d.ts.map +1 -0
- package/build/tools/network-defense.js +760 -0
- package/build/tools/patch-management.d.ts +3 -0
- package/build/tools/patch-management.d.ts.map +1 -0
- package/build/tools/patch-management.js +708 -0
- package/build/tools/process-security.d.ts +12 -0
- package/build/tools/process-security.d.ts.map +1 -0
- package/build/tools/process-security.js +784 -0
- package/build/tools/reporting.d.ts +11 -0
- package/build/tools/reporting.d.ts.map +1 -0
- package/build/tools/reporting.js +559 -0
- package/build/tools/secrets.d.ts +9 -0
- package/build/tools/secrets.d.ts.map +1 -0
- package/build/tools/secrets.js +596 -0
- package/build/tools/siem-integration.d.ts +18 -0
- package/build/tools/siem-integration.d.ts.map +1 -0
- package/build/tools/siem-integration.js +754 -0
- package/build/tools/sudo-management.d.ts +18 -0
- package/build/tools/sudo-management.d.ts.map +1 -0
- package/build/tools/sudo-management.js +737 -0
- package/build/tools/supply-chain-security.d.ts +8 -0
- package/build/tools/supply-chain-security.d.ts.map +1 -0
- package/build/tools/supply-chain-security.js +256 -0
- package/build/tools/threat-intel.d.ts +22 -0
- package/build/tools/threat-intel.d.ts.map +1 -0
- package/build/tools/threat-intel.js +749 -0
- package/build/tools/vulnerability-management.d.ts +11 -0
- package/build/tools/vulnerability-management.d.ts.map +1 -0
- package/build/tools/vulnerability-management.js +667 -0
- package/build/tools/waf.d.ts +12 -0
- package/build/tools/waf.d.ts.map +1 -0
- package/build/tools/waf.js +843 -0
- package/build/tools/wireless-security.d.ts +19 -0
- package/build/tools/wireless-security.d.ts.map +1 -0
- package/build/tools/wireless-security.js +826 -0
- package/build/tools/zero-trust-network.d.ts +8 -0
- package/build/tools/zero-trust-network.d.ts.map +1 -0
- package/build/tools/zero-trust-network.js +367 -0
- package/docs/SAFEGUARDS.md +518 -0
- package/docs/TOOLS-REFERENCE.md +665 -0
- package/package.json +87 -0
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pre-flight Validation Engine — orchestrates the complete pre-flight
|
|
3
|
+
* validation pipeline for MCP tools.
|
|
4
|
+
*
|
|
5
|
+
* Before each tool invocation this module:
|
|
6
|
+
* 1. Resolves the tool's manifest from the {@link ToolRegistry}
|
|
7
|
+
* 2. Checks binary, Python, npm, library, and file dependencies
|
|
8
|
+
* 3. Attempts auto-installation of missing deps when enabled
|
|
9
|
+
* 4. Validates privilege requirements via {@link PrivilegeManager}
|
|
10
|
+
* 5. Returns a structured {@link PreflightResult} with pass/fail, actionable
|
|
11
|
+
* messages, and a human-readable summary
|
|
12
|
+
*
|
|
13
|
+
* Results are cached for 60 seconds to avoid redundant checks when multiple
|
|
14
|
+
* tools from the same category are invoked in sequence.
|
|
15
|
+
*
|
|
16
|
+
* @module preflight
|
|
17
|
+
*/
|
|
18
|
+
import { type ToolManifest } from "./tool-registry.js";
|
|
19
|
+
import { type PrivilegeIssue } from "./privilege-manager.js";
|
|
20
|
+
export interface PreflightResult {
|
|
21
|
+
toolName: string;
|
|
22
|
+
/** Overall pass/fail */
|
|
23
|
+
passed: boolean;
|
|
24
|
+
timestamp: number;
|
|
25
|
+
/** Total pre-flight time in ms */
|
|
26
|
+
duration: number;
|
|
27
|
+
dependencies: {
|
|
28
|
+
/** Everything that was checked */
|
|
29
|
+
checked: DependencyCheck[];
|
|
30
|
+
/** Still missing after install attempts */
|
|
31
|
+
missing: DependencyCheck[];
|
|
32
|
+
/** Successfully auto-installed */
|
|
33
|
+
installed: DependencyCheck[];
|
|
34
|
+
/** Non-fatal dependency issues */
|
|
35
|
+
warnings: string[];
|
|
36
|
+
};
|
|
37
|
+
privileges: {
|
|
38
|
+
satisfied: boolean;
|
|
39
|
+
issues: PrivilegeIssue[];
|
|
40
|
+
recommendations: string[];
|
|
41
|
+
};
|
|
42
|
+
safeguards?: {
|
|
43
|
+
/** Whether the operation is safe */
|
|
44
|
+
safe: boolean;
|
|
45
|
+
/** Blocking safety issues (prevent execution) */
|
|
46
|
+
blockers: string[];
|
|
47
|
+
/** Non-blocking safety warnings */
|
|
48
|
+
warnings: string[];
|
|
49
|
+
/** Applications impacted by the operation */
|
|
50
|
+
impactedApps: string[];
|
|
51
|
+
};
|
|
52
|
+
/** Human-readable summary */
|
|
53
|
+
summary: string;
|
|
54
|
+
/** Fatal blocking errors */
|
|
55
|
+
errors: string[];
|
|
56
|
+
/** Non-fatal warnings */
|
|
57
|
+
warnings: string[];
|
|
58
|
+
}
|
|
59
|
+
export interface DependencyCheck {
|
|
60
|
+
name: string;
|
|
61
|
+
type: "binary" | "python-module" | "npm-package" | "library" | "file";
|
|
62
|
+
/** true = required, false = optional */
|
|
63
|
+
required: boolean;
|
|
64
|
+
found: boolean;
|
|
65
|
+
autoInstalled?: boolean;
|
|
66
|
+
installMessage?: string;
|
|
67
|
+
}
|
|
68
|
+
/**
|
|
69
|
+
* Central orchestration engine for the pre-flight validation pipeline.
|
|
70
|
+
*
|
|
71
|
+
* Singleton — obtain via {@link PreflightEngine.instance}.
|
|
72
|
+
*
|
|
73
|
+
* The main entry point is {@link runPreflight}, which executes the full
|
|
74
|
+
* dependency → auto-install → privilege check pipeline and returns a
|
|
75
|
+
* structured {@link PreflightResult}.
|
|
76
|
+
*/
|
|
77
|
+
export declare class PreflightEngine {
|
|
78
|
+
private registry;
|
|
79
|
+
private privilegeManager;
|
|
80
|
+
private autoInstaller;
|
|
81
|
+
/**
|
|
82
|
+
* Dependency cache — keyed by tool name only, 60s TTL.
|
|
83
|
+
* Covers: binary existence, privilege checks, auto-install results.
|
|
84
|
+
* Cached regardless of params (dependency results don't depend on runtime params).
|
|
85
|
+
*/
|
|
86
|
+
private resultCache;
|
|
87
|
+
private static readonly CACHE_TTL;
|
|
88
|
+
private static _instance;
|
|
89
|
+
private constructor();
|
|
90
|
+
/** Get or create the singleton instance. */
|
|
91
|
+
static instance(): PreflightEngine;
|
|
92
|
+
/**
|
|
93
|
+
* Run the full pre-flight validation pipeline for a tool.
|
|
94
|
+
*
|
|
95
|
+
* 1. Check cache — return early for valid passing results
|
|
96
|
+
* 2. Resolve the tool's manifest from the registry
|
|
97
|
+
* 3. Check all dependency types (binary, Python, npm, library, file)
|
|
98
|
+
* 4. Auto-install missing required deps when enabled
|
|
99
|
+
* 5. Validate privilege requirements (sudo, capabilities)
|
|
100
|
+
* 6. Determine overall pass/fail and generate summary
|
|
101
|
+
* 7. Cache and return the result
|
|
102
|
+
*/
|
|
103
|
+
runPreflight(toolName: string, params?: Record<string, unknown>): Promise<PreflightResult>;
|
|
104
|
+
/**
|
|
105
|
+
* Check all dependency types for a tool manifest.
|
|
106
|
+
*
|
|
107
|
+
* Checks binaries, Python modules, npm packages, system libraries,
|
|
108
|
+
* and required files. If any required dependency is missing and
|
|
109
|
+
* auto-install is enabled, attempts installation via {@link AutoInstaller}.
|
|
110
|
+
*/
|
|
111
|
+
checkDependencies(manifest: ToolManifest): Promise<PreflightResult["dependencies"]>;
|
|
112
|
+
/**
|
|
113
|
+
* Check privilege requirements for a tool manifest.
|
|
114
|
+
* Delegates to {@link PrivilegeManager.checkForTool}.
|
|
115
|
+
*/
|
|
116
|
+
checkPrivileges(manifest: ToolManifest): Promise<PreflightResult["privileges"]>;
|
|
117
|
+
/**
|
|
118
|
+
* Generate a human-readable summary of the pre-flight result.
|
|
119
|
+
*
|
|
120
|
+
* @example Passing
|
|
121
|
+
* ```
|
|
122
|
+
* ✅ Pre-flight passed for 'firewall_iptables_list'
|
|
123
|
+
* Dependencies: 2/2 available (iptables, ip6tables)
|
|
124
|
+
* Privileges: sudo session active
|
|
125
|
+
* Ready to execute.
|
|
126
|
+
* ```
|
|
127
|
+
*
|
|
128
|
+
* @example Failing
|
|
129
|
+
* ```
|
|
130
|
+
* ❌ Pre-flight FAILED for 'compliance_oscap_scan'
|
|
131
|
+
* Missing dependencies:
|
|
132
|
+
* • oscap (binary) — Install with: sudo apt-get install -y libopenscap8
|
|
133
|
+
* Privilege issues:
|
|
134
|
+
* • Root access required for OpenSCAP scanning
|
|
135
|
+
* → Run 'sudo_elevate' tool first to provide credentials
|
|
136
|
+
* Cannot proceed until issues are resolved.
|
|
137
|
+
* ```
|
|
138
|
+
*/
|
|
139
|
+
formatSummary(result: PreflightResult): string;
|
|
140
|
+
/**
|
|
141
|
+
* Generate a shorter status message for prepending to tool output.
|
|
142
|
+
*
|
|
143
|
+
* - Passed (no issues): `"[pre-flight ✓] All checks passed (2 deps, sudo active)"`
|
|
144
|
+
* - Passed (warnings): `"[pre-flight ✓] Passed with warnings: optional dep 'nmap' not found"`
|
|
145
|
+
* - Failed: returns the full error summary from {@link formatSummary}
|
|
146
|
+
*/
|
|
147
|
+
formatStatusMessage(result: PreflightResult): string;
|
|
148
|
+
/**
|
|
149
|
+
* Clear the result cache.
|
|
150
|
+
* Call after installs, privilege changes, or any event that invalidates
|
|
151
|
+
* previous pre-flight results.
|
|
152
|
+
*/
|
|
153
|
+
clearCache(): void;
|
|
154
|
+
/** Store a result in the cache with TTL. */
|
|
155
|
+
private cacheResult;
|
|
156
|
+
}
|
|
157
|
+
//# sourceMappingURL=preflight.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"preflight.d.ts","sourceRoot":"","sources":["../../src/core/preflight.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,wBAAwB,CAAC;AAehC,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IAGjB,YAAY,EAAE;QACZ,kCAAkC;QAClC,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,2CAA2C;QAC3C,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,kCAAkC;QAClC,SAAS,EAAE,eAAe,EAAE,CAAC;QAC7B,kCAAkC;QAClC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IAGF,UAAU,EAAE;QACV,SAAS,EAAE,OAAO,CAAC;QACnB,MAAM,EAAE,cAAc,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IAGF,UAAU,CAAC,EAAE;QACX,oCAAoC;QACpC,IAAI,EAAE,OAAO,CAAC;QACd,iDAAiD;QACjD,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,mCAAmC;QACnC,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,6CAA6C;QAC7C,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IAEF,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,wCAAwC;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA6ID;;;;;;;;GAQG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,aAAa,CAAgB;IAErC;;;;OAIG;IACH,OAAO,CAAC,WAAW,CAA2D;IAC9E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAU;IAE3C,OAAO,CAAC,MAAM,CAAC,SAAS,CAAgC;IAExD,OAAO;IAOP,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,eAAe;IASlC;;;;;;;;;;OAUG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,eAAe,CAAC;IAmM3B;;;;;;OAMG;IACG,iBAAiB,CACrB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IA0J3C;;;OAGG;IACG,eAAe,CACnB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IAWzC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,aAAa,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;IAoG9C;;;;;;OAMG;IACH,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;IAiCpD;;;;OAIG;IACH,UAAU,IAAI,IAAI;IAMlB,4CAA4C;IAC5C,OAAO,CAAC,WAAW;CAMpB"}
|