defense-mcp-server 0.6.0
- package/CHANGELOG.md +471 -0
- package/LICENSE +21 -0
- package/README.md +242 -0
- package/build/core/auto-installer.d.ts +102 -0
- package/build/core/auto-installer.d.ts.map +1 -0
- package/build/core/auto-installer.js +833 -0
- package/build/core/backup-manager.d.ts +63 -0
- package/build/core/backup-manager.d.ts.map +1 -0
- package/build/core/backup-manager.js +189 -0
- package/build/core/changelog.d.ts +75 -0
- package/build/core/changelog.d.ts.map +1 -0
- package/build/core/changelog.js +123 -0
- package/build/core/command-allowlist.d.ts +129 -0
- package/build/core/command-allowlist.d.ts.map +1 -0
- package/build/core/command-allowlist.js +849 -0
- package/build/core/config.d.ts +79 -0
- package/build/core/config.d.ts.map +1 -0
- package/build/core/config.js +193 -0
- package/build/core/dependency-validator.d.ts +106 -0
- package/build/core/dependency-validator.d.ts.map +1 -0
- package/build/core/dependency-validator.js +405 -0
- package/build/core/distro-adapter.d.ts +177 -0
- package/build/core/distro-adapter.d.ts.map +1 -0
- package/build/core/distro-adapter.js +481 -0
- package/build/core/distro.d.ts +68 -0
- package/build/core/distro.d.ts.map +1 -0
- package/build/core/distro.js +457 -0
- package/build/core/encrypted-state.d.ts +76 -0
- package/build/core/encrypted-state.d.ts.map +1 -0
- package/build/core/encrypted-state.js +209 -0
- package/build/core/executor.d.ts +56 -0
- package/build/core/executor.d.ts.map +1 -0
- package/build/core/executor.js +350 -0
- package/build/core/installer.d.ts +92 -0
- package/build/core/installer.d.ts.map +1 -0
- package/build/core/installer.js +1072 -0
- package/build/core/logger.d.ts +102 -0
- package/build/core/logger.d.ts.map +1 -0
- package/build/core/logger.js +132 -0
- package/build/core/parsers.d.ts +151 -0
- package/build/core/parsers.d.ts.map +1 -0
- package/build/core/parsers.js +479 -0
- package/build/core/policy-engine.d.ts +170 -0
- package/build/core/policy-engine.d.ts.map +1 -0
- package/build/core/policy-engine.js +656 -0
- package/build/core/preflight.d.ts +157 -0
- package/build/core/preflight.d.ts.map +1 -0
- package/build/core/preflight.js +638 -0
- package/build/core/privilege-manager.d.ts +108 -0
- package/build/core/privilege-manager.d.ts.map +1 -0
- package/build/core/privilege-manager.js +363 -0
- package/build/core/rate-limiter.d.ts +67 -0
- package/build/core/rate-limiter.d.ts.map +1 -0
- package/build/core/rate-limiter.js +129 -0
- package/build/core/rollback.d.ts +73 -0
- package/build/core/rollback.d.ts.map +1 -0
- package/build/core/rollback.js +278 -0
- package/build/core/safeguards.d.ts +58 -0
- package/build/core/safeguards.d.ts.map +1 -0
- package/build/core/safeguards.js +448 -0
- package/build/core/sanitizer.d.ts +118 -0
- package/build/core/sanitizer.d.ts.map +1 -0
- package/build/core/sanitizer.js +459 -0
- package/build/core/secure-fs.d.ts +67 -0
- package/build/core/secure-fs.d.ts.map +1 -0
- package/build/core/secure-fs.js +143 -0
- package/build/core/spawn-safe.d.ts +55 -0
- package/build/core/spawn-safe.d.ts.map +1 -0
- package/build/core/spawn-safe.js +146 -0
- package/build/core/sudo-guard.d.ts +145 -0
- package/build/core/sudo-guard.d.ts.map +1 -0
- package/build/core/sudo-guard.js +349 -0
- package/build/core/sudo-session.d.ts +100 -0
- package/build/core/sudo-session.d.ts.map +1 -0
- package/build/core/sudo-session.js +319 -0
- package/build/core/tool-dependencies.d.ts +61 -0
- package/build/core/tool-dependencies.d.ts.map +1 -0
- package/build/core/tool-dependencies.js +571 -0
- package/build/core/tool-registry.d.ts +111 -0
- package/build/core/tool-registry.d.ts.map +1 -0
- package/build/core/tool-registry.js +656 -0
- package/build/core/tool-wrapper.d.ts +73 -0
- package/build/core/tool-wrapper.d.ts.map +1 -0
- package/build/core/tool-wrapper.js +296 -0
- package/build/index.d.ts +3 -0
- package/build/index.d.ts.map +1 -0
- package/build/index.js +247 -0
- package/build/tools/access-control.d.ts +9 -0
- package/build/tools/access-control.d.ts.map +1 -0
- package/build/tools/access-control.js +1818 -0
- package/build/tools/api-security.d.ts +12 -0
- package/build/tools/api-security.d.ts.map +1 -0
- package/build/tools/api-security.js +901 -0
- package/build/tools/app-hardening.d.ts +11 -0
- package/build/tools/app-hardening.d.ts.map +1 -0
- package/build/tools/app-hardening.js +768 -0
- package/build/tools/backup.d.ts +8 -0
- package/build/tools/backup.d.ts.map +1 -0
- package/build/tools/backup.js +381 -0
- package/build/tools/cloud-security.d.ts +17 -0
- package/build/tools/cloud-security.d.ts.map +1 -0
- package/build/tools/cloud-security.js +739 -0
- package/build/tools/compliance.d.ts +10 -0
- package/build/tools/compliance.d.ts.map +1 -0
- package/build/tools/compliance.js +1225 -0
- package/build/tools/container-security.d.ts +14 -0
- package/build/tools/container-security.d.ts.map +1 -0
- package/build/tools/container-security.js +788 -0
- package/build/tools/deception.d.ts +13 -0
- package/build/tools/deception.d.ts.map +1 -0
- package/build/tools/deception.js +763 -0
- package/build/tools/dns-security.d.ts +93 -0
- package/build/tools/dns-security.d.ts.map +1 -0
- package/build/tools/dns-security.js +745 -0
- package/build/tools/drift-detection.d.ts +8 -0
- package/build/tools/drift-detection.d.ts.map +1 -0
- package/build/tools/drift-detection.js +326 -0
- package/build/tools/ebpf-security.d.ts +15 -0
- package/build/tools/ebpf-security.d.ts.map +1 -0
- package/build/tools/ebpf-security.js +294 -0
- package/build/tools/encryption.d.ts +9 -0
- package/build/tools/encryption.d.ts.map +1 -0
- package/build/tools/encryption.js +1667 -0
- package/build/tools/firewall.d.ts +9 -0
- package/build/tools/firewall.d.ts.map +1 -0
- package/build/tools/firewall.js +1398 -0
- package/build/tools/hardening.d.ts +10 -0
- package/build/tools/hardening.d.ts.map +1 -0
- package/build/tools/hardening.js +2654 -0
- package/build/tools/ids.d.ts +9 -0
- package/build/tools/ids.d.ts.map +1 -0
- package/build/tools/ids.js +624 -0
- package/build/tools/incident-response.d.ts +10 -0
- package/build/tools/incident-response.d.ts.map +1 -0
- package/build/tools/incident-response.js +1180 -0
- package/build/tools/logging.d.ts +12 -0
- package/build/tools/logging.d.ts.map +1 -0
- package/build/tools/logging.js +454 -0
- package/build/tools/malware.d.ts +10 -0
- package/build/tools/malware.d.ts.map +1 -0
- package/build/tools/malware.js +532 -0
- package/build/tools/meta.d.ts +11 -0
- package/build/tools/meta.d.ts.map +1 -0
- package/build/tools/meta.js +2278 -0
- package/build/tools/network-defense.d.ts +12 -0
- package/build/tools/network-defense.d.ts.map +1 -0
- package/build/tools/network-defense.js +760 -0
- package/build/tools/patch-management.d.ts +3 -0
- package/build/tools/patch-management.d.ts.map +1 -0
- package/build/tools/patch-management.js +708 -0
- package/build/tools/process-security.d.ts +12 -0
- package/build/tools/process-security.d.ts.map +1 -0
- package/build/tools/process-security.js +784 -0
- package/build/tools/reporting.d.ts +11 -0
- package/build/tools/reporting.d.ts.map +1 -0
- package/build/tools/reporting.js +559 -0
- package/build/tools/secrets.d.ts +9 -0
- package/build/tools/secrets.d.ts.map +1 -0
- package/build/tools/secrets.js +596 -0
- package/build/tools/siem-integration.d.ts +18 -0
- package/build/tools/siem-integration.d.ts.map +1 -0
- package/build/tools/siem-integration.js +754 -0
- package/build/tools/sudo-management.d.ts +18 -0
- package/build/tools/sudo-management.d.ts.map +1 -0
- package/build/tools/sudo-management.js +737 -0
- package/build/tools/supply-chain-security.d.ts +8 -0
- package/build/tools/supply-chain-security.d.ts.map +1 -0
- package/build/tools/supply-chain-security.js +256 -0
- package/build/tools/threat-intel.d.ts +22 -0
- package/build/tools/threat-intel.d.ts.map +1 -0
- package/build/tools/threat-intel.js +749 -0
- package/build/tools/vulnerability-management.d.ts +11 -0
- package/build/tools/vulnerability-management.d.ts.map +1 -0
- package/build/tools/vulnerability-management.js +667 -0
- package/build/tools/waf.d.ts +12 -0
- package/build/tools/waf.d.ts.map +1 -0
- package/build/tools/waf.js +843 -0
- package/build/tools/wireless-security.d.ts +19 -0
- package/build/tools/wireless-security.d.ts.map +1 -0
- package/build/tools/wireless-security.js +826 -0
- package/build/tools/zero-trust-network.d.ts +8 -0
- package/build/tools/zero-trust-network.d.ts.map +1 -0
- package/build/tools/zero-trust-network.js +367 -0
- package/docs/SAFEGUARDS.md +518 -0
- package/docs/TOOLS-REFERENCE.md +665 -0
- package/package.json +87 -0
|
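--- a/package/build/core/config.d.ts
+++ b/package/build/core/config.d.ts
@@ -0,0 +1,79 @@
+/**
+* Known defensive tools that support per-tool timeout overrides
+* via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+*/
+export declare const KNOWN_TOOLS: readonly ["lynis", "aide", "clamav", "oscap", "snort", "suricata", "rkhunter", "chkrootkit", "tcpdump", "auditd", "nmap", "fail2ban-client", "debsums", "yara"];
+export type KnownTool = (typeof KNOWN_TOOLS)[number];
+/**
+* Configuration interface for the Kali Defense MCP Server.
+* All values are derived from environment variables with sensible defaults.
+*/
+export interface DefenseConfig {
+/** Default command timeout in milliseconds */
+defaultTimeout: number;
+/** Maximum output buffer size in bytes */
+maxBuffer: number;
+/** Directories allowed for file operations */
+allowedDirs: string[];
+/** Logging level */
+logLevel: "debug" | "info" | "warn" | "error";
+/**
+* SECURITY (CICD-014): Dry-run mode — when true, modifying operations preview
+* commands without executing them. Defaults to `true` so the server operates
+* in a safe, read-only mode until explicitly opted out via
+* KALI_DEFENSE_DRY_RUN=false. This prevents accidental system modifications.
+*/
+dryRun: boolean;
+/** Path to the changelog JSON file */
+changelogPath: string;
+/** Directory for file backups */
+backupDir: string;
+/**
+* SECURITY (CICD-014): Whether to create backups before modifying files.
+* Defaults to `true` — every file modification is backed up first so that
+* changes can be rolled back if needed. Disable only in CI/test environments
+* via KALI_DEFENSE_BACKUP_ENABLED=false.
+*/
+backupEnabled: boolean;
+/** Whether to auto-install missing tools */
+autoInstall: boolean;
+/** Paths protected from modification */
+protectedPaths: string[];
+/**
+* SECURITY (CICD-014): Whether to require confirmation for destructive
+* actions. Defaults to `true` — the server will request explicit confirmation
+* before executing operations that modify system state. Disable only when
+* running automated/unattended workflows via
+* KALI_DEFENSE_REQUIRE_CONFIRMATION=false.
+*/
+requireConfirmation: boolean;
+/** Directory for quarantined files */
+quarantineDir: string;
+/** Directory for policy files */
+policyDir: string;
+/** Per-tool timeout overrides in milliseconds */
+toolTimeouts: Partial<Record<KnownTool, number>>;
+/** Sudo session timeout in milliseconds (default: 15 minutes) */
+sudoSessionTimeout: number;
+/** Command execution timeout in ms (falls back to defaultTimeout; env: KALI_DEFENSE_COMMAND_TIMEOUT) */
+commandTimeout: number;
+/** Network operation timeout in ms (default: 30s; env: KALI_DEFENSE_NETWORK_TIMEOUT) */
+networkTimeout: number;
+}
+/**
+* Returns the current configuration by reading environment variables.
+* Results are cached for 5 seconds to avoid redundant env-var parsing
+* across the 3–5 calls per tool invocation.
+*/
+export declare function getConfig(): DefenseConfig;
+/**
+* Invalidate the config cache, forcing the next `getConfig()` call to
+* re-read environment variables. Useful for tests.
+*/
+export declare function invalidateConfigCache(): void;
+/**
+* Returns the effective timeout for a given tool in milliseconds.
+* Checks per-tool overrides first, then falls back to the default timeout.
+*/
+export declare function getToolTimeout(toolName: string, config?: DefenseConfig): number;
+//# sourceMappingURL=config.d.ts.map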
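Review bot: The doc comment on `commandTimeout` says the value falls back to `defaultTimeout`, but the `config.js` build shown on this page parses `KALI_DEFENSE_COMMAND_TIMEOUT ?? "120"` and never reads `defaultTimeout`. An operator who raises `KALI_DEFENSE_TIMEOUT_DEFAULT` will therefore still get a 120 s command timeout. Either the comment should read `/** Command execution timeout in ms (default: 120s; env: KALI_DEFENSE_COMMAND_TIMEOUT) */`, or the implementation should fall back to the parsed default as documented.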
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wGAAwG;IACxG,cAAc,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}
|
|
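--- a/package/build/core/config.js
+++ b/package/build/core/config.js
@@ -0,0 +1,193 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+/**
+* Known defensive tools that support per-tool timeout overrides
+* via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+*/
+export const KNOWN_TOOLS = [
+"lynis",
+"aide",
+"clamav",
+"oscap",
+"snort",
+"suricata",
+"rkhunter",
+"chkrootkit",
+"tcpdump",
+"auditd",
+"nmap",
+"fail2ban-client",
+"debsums",
+"yara",
+];
+/**
+* Resolves `~` prefix to the user's home directory.
+*/
+function expandHome(p) {
+if (p.startsWith("~/") || p === "~") {
+return join(homedir(), p.slice(1));
+}
+return p;
+}
+/**
+* Parses a comma-separated list of paths from an environment variable.
+*/
+/**
+* SECURITY (CORE-012): Directories that are too broad to be allowed.
+* These grant access to the entire filesystem or critical root-level trees.
+*/
+const REJECTED_DIRS = new Set(["/"]);
+/** Directories that are very broad and deserve a warning. */
+const BROAD_DIRS = new Set(["/usr", "/var", "/etc", "/opt", "/lib", "/lib64", "/sbin", "/bin"]);
+function parsePaths(value, defaultValue) {
+const raw = value ?? defaultValue;
+const paths = raw
+.split(",")
+.map((s) => s.trim())
+.filter((s) => s.length > 0)
+.map(expandHome);
+// SECURITY (CORE-012): Validate allowedDirs to reject overly broad paths
+return paths.filter((p) => {
+// Reject root directory and single-character root-level paths (e.g. "/")
+if (REJECTED_DIRS.has(p) || (p.startsWith("/") && p.length <= 2 && p !== "/" + p.slice(1).replace(/\//g, ""))) {
+console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+`granting access to the entire filesystem is not permitted.`);
+return false;
+}
+// Reject any single-character root-level path like "/x"
+if (/^\/[^/]$/.test(p)) {
+console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+`single-character root-level paths are not permitted.`);
+return false;
+}
+// Warn about broad directories
+if (BROAD_DIRS.has(p)) {
+console.error(`[KALI-DEFENSE] WARNING: allowedDir '${p}' is very broad. ` +
+`Consider using a more specific subdirectory.`);
+}
+return true;
+});
+}
+/**
+* Parses a log level string, falling back to "info" if invalid.
+*/
+function parseLogLevel(value) {
+const valid = ["debug", "info", "warn", "error"];
+const lower = (value ?? "info").toLowerCase();
+return valid.includes(lower)
+? lower
+: "info";
+}
+/**
+* Reads per-tool timeout overrides from environment variables.
+* Format: KALI_DEFENSE_TIMEOUT_<TOOL> (value in seconds, stored as ms).
+*/
+function parseToolTimeouts() {
+const timeouts = {};
+for (const tool of KNOWN_TOOLS) {
+const envKey = `KALI_DEFENSE_TIMEOUT_${tool.toUpperCase()}`;
+const value = process.env[envKey];
+if (value !== undefined) {
+const seconds = parseInt(value, 10);
+if (!isNaN(seconds) && seconds > 0) {
+timeouts[tool] = seconds * 1000;
+}
+}
+}
+return timeouts;
+}
+// ── Config cache (avoids re-parsing 15+ env vars on every call) ──────────────
+let _configCache = null;
+let _configCacheTimestamp = 0;
+const CONFIG_CACHE_TTL = 5_000; // 5 seconds
+/**
+* Returns the current configuration by reading environment variables.
+* Results are cached for 5 seconds to avoid redundant env-var parsing
+* across the 3–5 calls per tool invocation.
+*/
+export function getConfig() {
+const now = Date.now();
+if (_configCache && (now - _configCacheTimestamp) < CONFIG_CACHE_TTL) {
+return _configCache;
+}
+_configCache = buildConfigFromEnv();
+_configCacheTimestamp = now;
+return _configCache;
+}
+/**
+* Build the configuration object by reading all environment variables.
+* This is the actual parsing logic, called by the cached `getConfig()` wrapper.
+*/
+function buildConfigFromEnv() {
+const defaultTimeoutSec = parseInt(process.env.KALI_DEFENSE_TIMEOUT_DEFAULT ?? "120", 10);
+const maxBufferBytes = parseInt(process.env.KALI_DEFENSE_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
+const config = {
+defaultTimeout: isNaN(defaultTimeoutSec) || defaultTimeoutSec <= 0
+? 120_000
+: defaultTimeoutSec * 1000,
+maxBuffer: isNaN(maxBufferBytes) || maxBufferBytes <= 0
+? 10 * 1024 * 1024
+: maxBufferBytes,
+// SECURITY (CICD-013): /etc is excluded from default allowedDirs because it
+// contains sensitive system configuration files (shadow, sudoers, ssh configs).
+// Granting default read/write access to /etc is too permissive. Tools that
+// need /etc access should require explicit configuration via
+// KALI_DEFENSE_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
+allowedDirs: parsePaths(process.env.KALI_DEFENSE_ALLOWED_DIRS, "/tmp,/home,/var/log"),
+logLevel: parseLogLevel(process.env.KALI_DEFENSE_LOG_LEVEL),
+// SECURITY (CICD-014): Default to dry-run=true (safe preview mode)
+// Set KALI_DEFENSE_DRY_RUN=false to enable live system modifications
+dryRun: process.env.KALI_DEFENSE_DRY_RUN !== "false",
+changelogPath: expandHome(process.env.KALI_DEFENSE_CHANGELOG_PATH ??
+"~/.kali-defense/changelog.json"),
+backupDir: expandHome(process.env.KALI_DEFENSE_BACKUP_DIR ?? "~/.kali-defense/backups"),
+// SECURITY (CICD-014): Backup before modify — enabled by default
+// Set KALI_DEFENSE_BACKUP_ENABLED=false only in CI/test environments
+backupEnabled: process.env.KALI_DEFENSE_BACKUP_ENABLED !== "false",
+autoInstall: process.env.KALI_DEFENSE_AUTO_INSTALL === "true",
+protectedPaths: parsePaths(process.env.KALI_DEFENSE_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
+requireConfirmation: process.env.KALI_DEFENSE_REQUIRE_CONFIRMATION !== "false",
+quarantineDir: expandHome(process.env.KALI_DEFENSE_QUARANTINE_DIR ?? "~/.kali-defense/quarantine"),
+policyDir: expandHome(process.env.KALI_DEFENSE_POLICY_DIR ?? "~/.kali-defense/policies"),
+toolTimeouts: parseToolTimeouts(),
+sudoSessionTimeout: (() => {
+const envVal = process.env.KALI_DEFENSE_SUDO_TIMEOUT;
+if (envVal) {
+const minutes = parseInt(envVal, 10);
+if (!isNaN(minutes) && minutes > 0)
+return minutes * 60 * 1000;
+}
+return 15 * 60 * 1000; // default: 15 minutes
+})(),
+commandTimeout: (() => {
+const sec = parseInt(process.env.KALI_DEFENSE_COMMAND_TIMEOUT ?? "120", 10);
+return isNaN(sec) || sec <= 0 ? 120_000 : sec * 1000;
+})(),
+networkTimeout: (() => {
+const sec = parseInt(process.env.KALI_DEFENSE_NETWORK_TIMEOUT ?? "30", 10);
+return isNaN(sec) || sec <= 0 ? 30_000 : sec * 1000;
+})(),
+};
+// Warn when dry-run is active so operators know no changes will be applied
+if (config.dryRun) {
+console.error("[KALI-DEFENSE] DRY_RUN mode is ACTIVE — no changes will be applied");
+}
+return config;
+}
+/**
+* Invalidate the config cache, forcing the next `getConfig()` call to
+* re-read environment variables. Useful for tests.
+*/
+export function invalidateConfigCache() {
+_configCache = null;
+_configCacheTimestamp = 0;
+}
+/**
+* Returns the effective timeout for a given tool in milliseconds.
+* Checks per-tool overrides first, then falls back to the default timeout.
+*/
+export function getToolTimeout(toolName, config) {
+const cfg = config ?? getConfig();
+const lowerName = toolName.toLowerCase();
+return cfg.toolTimeouts[lowerName] ?? cfg.defaultTimeout;
+}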
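Review bot: The CORE-012 filter in `parsePaths` tests the raw string, so an entry that only becomes a broad directory after normalization is accepted: `/tmp/..` and `///` pass both reject tests, and `/etc/` skips the `BROAD_DIRS` warning. Normalizing before the checks closes this, by adding `resolve` to the `node:path` import and mapping with `.map((s) => resolve(expandHome(s)))`. How `allowedDirs` is enforced downstream is not visible on this page, so the impact is inferred. The same filter also runs for `KALI_DEFENSE_PROTECTED_PATHS`, where a rejected entry is dropped from the protected set and logged as an `allowedDir`; the broad-path rejection should probably apply only to the allowed-dirs call. Separately, `getToolTimeout` indexes a plain object with a caller-supplied name, so `constructor` or `__proto__` returns an inherited member instead of a number; guarding the lookup with `Object.hasOwn(cfg.toolTimeouts, lowerName)` avoids that.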
|
|
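--- a/package/build/core/dependency-validator.d.ts
+++ b/package/build/core/dependency-validator.d.ts
@@ -0,0 +1,106 @@
+/**
+* Dependency Validator for Kali Defense MCP Server.
+*
+* Provides three key capabilities:
+* 1. **Startup validation** — checks all tool dependencies when the server starts
+* and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
+* 2. **Runtime dependency check** — `ensureDependencies()` can be called before
+* any tool execution to verify (and optionally install) required binaries
+* 3. **Dependency status cache** — avoids redundant `which` calls by caching
+* binary availability results with a configurable TTL
+*/
+/**
+* Result of a startup validation run.
+*/
+export interface ValidationReport {
+/** Total unique binaries checked */
+totalChecked: number;
+/** Binaries that are available */
+available: string[];
+/** Binaries that are missing */
+missing: string[];
+/** Binaries that were auto-installed */
+installed: string[];
+/** Binaries that failed to install */
+installFailed: Array<{
+binary: string;
+error: string;
+}>;
+/** Critical tools with missing dependencies */
+criticalMissing: Array<{
+toolName: string;
+missingBinaries: string[];
+}>;
+/** Duration of the validation in milliseconds */
+durationMs: number;
+/** Whether auto-install was enabled */
+autoInstallEnabled: boolean;
+}
+/**
+* Result of ensuring dependencies for a specific tool.
+*/
+export interface EnsureResult {
+/** Whether all required dependencies are satisfied */
+satisfied: boolean;
+/** Missing required binaries (empty if satisfied) */
+missingRequired: string[];
+/** Missing optional binaries */
+missingOptional: string[];
+/** Binaries that were auto-installed during this check */
+autoInstalled: string[];
+/** Errors from auto-install attempts */
+installErrors: Array<{
+binary: string;
+error: string;
+}>;
+}
+/**
+* Clears the entire binary cache.
+*/
+export declare function clearDependencyCache(): void;
+/**
+* Validates all tool dependencies at server startup.
+*
+* This function:
+* 1. Collects all unique binaries required across all tools
+* 2. Checks each binary's availability
+* 3. If autoInstall is enabled, installs missing binaries
+* 4. Reports critical tools with missing dependencies
+*
+* @returns A detailed validation report
+*/
+export declare function validateAllDependencies(): Promise<ValidationReport>;
+/**
+* Ensures all dependencies for a specific MCP tool are satisfied.
+*
+* Call this at the start of any tool handler to verify its binaries are present.
+* If autoInstall is enabled, missing binaries will be installed on-the-fly.
+*
+* @param toolName The MCP tool name (e.g. "ids_rkhunter_scan")
+* @returns EnsureResult with satisfaction status and details
+*
+* @example
+* ```ts
+* const deps = await ensureDependencies("ids_rkhunter_scan");
+* if (!deps.satisfied) {
+* return {
+* content: [createErrorContent(
+* `Missing required tools: ${deps.missingRequired.join(", ")}. ` +
+* `Install with: sudo apt install ${deps.missingRequired.join(" ")}`
+* )],
+* isError: true,
+* };
+* }
+* ```
+*/
+export declare function ensureDependencies(toolName: string): Promise<EnsureResult>;
+/**
+* Quick check if a single binary is available (cached).
+* Does NOT auto-install. Use for lightweight pre-flight checks.
+*/
+export declare function isBinaryInstalled(binary: string): Promise<boolean>;
+/**
+* Formats a ValidationReport into a human-readable string for logging.
+*/
+export declare function formatValidationReport(report: ValidationReport): string;
+//# sourceMappingURL=dependency-validator.d.ts.map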
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-validator.d.ts","sourceRoot":"","sources":["../../src/core/dependency-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgCH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gCAAgC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wCAAwC;IACxC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,sCAAsC;IACtC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxD,+CAA+C;IAC/C,eAAe,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACxE,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,gCAAgC;IAChC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACzD;AAsCD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAqJzE;AAID;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CA0EvB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAIxE;AAID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAmDvE"}
|