defense-mcp-server 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (186) hide show
  1. package/CHANGELOG.md +471 -0
  2. package/LICENSE +21 -0
  3. package/README.md +242 -0
  4. package/build/core/auto-installer.d.ts +102 -0
  5. package/build/core/auto-installer.d.ts.map +1 -0
  6. package/build/core/auto-installer.js +833 -0
  7. package/build/core/backup-manager.d.ts +63 -0
  8. package/build/core/backup-manager.d.ts.map +1 -0
  9. package/build/core/backup-manager.js +189 -0
  10. package/build/core/changelog.d.ts +75 -0
  11. package/build/core/changelog.d.ts.map +1 -0
  12. package/build/core/changelog.js +123 -0
  13. package/build/core/command-allowlist.d.ts +129 -0
  14. package/build/core/command-allowlist.d.ts.map +1 -0
  15. package/build/core/command-allowlist.js +849 -0
  16. package/build/core/config.d.ts +79 -0
  17. package/build/core/config.d.ts.map +1 -0
  18. package/build/core/config.js +193 -0
  19. package/build/core/dependency-validator.d.ts +106 -0
  20. package/build/core/dependency-validator.d.ts.map +1 -0
  21. package/build/core/dependency-validator.js +405 -0
  22. package/build/core/distro-adapter.d.ts +177 -0
  23. package/build/core/distro-adapter.d.ts.map +1 -0
  24. package/build/core/distro-adapter.js +481 -0
  25. package/build/core/distro.d.ts +68 -0
  26. package/build/core/distro.d.ts.map +1 -0
  27. package/build/core/distro.js +457 -0
  28. package/build/core/encrypted-state.d.ts +76 -0
  29. package/build/core/encrypted-state.d.ts.map +1 -0
  30. package/build/core/encrypted-state.js +209 -0
  31. package/build/core/executor.d.ts +56 -0
  32. package/build/core/executor.d.ts.map +1 -0
  33. package/build/core/executor.js +350 -0
  34. package/build/core/installer.d.ts +92 -0
  35. package/build/core/installer.d.ts.map +1 -0
  36. package/build/core/installer.js +1072 -0
  37. package/build/core/logger.d.ts +102 -0
  38. package/build/core/logger.d.ts.map +1 -0
  39. package/build/core/logger.js +132 -0
  40. package/build/core/parsers.d.ts +151 -0
  41. package/build/core/parsers.d.ts.map +1 -0
  42. package/build/core/parsers.js +479 -0
  43. package/build/core/policy-engine.d.ts +170 -0
  44. package/build/core/policy-engine.d.ts.map +1 -0
  45. package/build/core/policy-engine.js +656 -0
  46. package/build/core/preflight.d.ts +157 -0
  47. package/build/core/preflight.d.ts.map +1 -0
  48. package/build/core/preflight.js +638 -0
  49. package/build/core/privilege-manager.d.ts +108 -0
  50. package/build/core/privilege-manager.d.ts.map +1 -0
  51. package/build/core/privilege-manager.js +363 -0
  52. package/build/core/rate-limiter.d.ts +67 -0
  53. package/build/core/rate-limiter.d.ts.map +1 -0
  54. package/build/core/rate-limiter.js +129 -0
  55. package/build/core/rollback.d.ts +73 -0
  56. package/build/core/rollback.d.ts.map +1 -0
  57. package/build/core/rollback.js +278 -0
  58. package/build/core/safeguards.d.ts +58 -0
  59. package/build/core/safeguards.d.ts.map +1 -0
  60. package/build/core/safeguards.js +448 -0
  61. package/build/core/sanitizer.d.ts +118 -0
  62. package/build/core/sanitizer.d.ts.map +1 -0
  63. package/build/core/sanitizer.js +459 -0
  64. package/build/core/secure-fs.d.ts +67 -0
  65. package/build/core/secure-fs.d.ts.map +1 -0
  66. package/build/core/secure-fs.js +143 -0
  67. package/build/core/spawn-safe.d.ts +55 -0
  68. package/build/core/spawn-safe.d.ts.map +1 -0
  69. package/build/core/spawn-safe.js +146 -0
  70. package/build/core/sudo-guard.d.ts +145 -0
  71. package/build/core/sudo-guard.d.ts.map +1 -0
  72. package/build/core/sudo-guard.js +349 -0
  73. package/build/core/sudo-session.d.ts +100 -0
  74. package/build/core/sudo-session.d.ts.map +1 -0
  75. package/build/core/sudo-session.js +319 -0
  76. package/build/core/tool-dependencies.d.ts +61 -0
  77. package/build/core/tool-dependencies.d.ts.map +1 -0
  78. package/build/core/tool-dependencies.js +571 -0
  79. package/build/core/tool-registry.d.ts +111 -0
  80. package/build/core/tool-registry.d.ts.map +1 -0
  81. package/build/core/tool-registry.js +656 -0
  82. package/build/core/tool-wrapper.d.ts +73 -0
  83. package/build/core/tool-wrapper.d.ts.map +1 -0
  84. package/build/core/tool-wrapper.js +296 -0
  85. package/build/index.d.ts +3 -0
  86. package/build/index.d.ts.map +1 -0
  87. package/build/index.js +247 -0
  88. package/build/tools/access-control.d.ts +9 -0
  89. package/build/tools/access-control.d.ts.map +1 -0
  90. package/build/tools/access-control.js +1818 -0
  91. package/build/tools/api-security.d.ts +12 -0
  92. package/build/tools/api-security.d.ts.map +1 -0
  93. package/build/tools/api-security.js +901 -0
  94. package/build/tools/app-hardening.d.ts +11 -0
  95. package/build/tools/app-hardening.d.ts.map +1 -0
  96. package/build/tools/app-hardening.js +768 -0
  97. package/build/tools/backup.d.ts +8 -0
  98. package/build/tools/backup.d.ts.map +1 -0
  99. package/build/tools/backup.js +381 -0
  100. package/build/tools/cloud-security.d.ts +17 -0
  101. package/build/tools/cloud-security.d.ts.map +1 -0
  102. package/build/tools/cloud-security.js +739 -0
  103. package/build/tools/compliance.d.ts +10 -0
  104. package/build/tools/compliance.d.ts.map +1 -0
  105. package/build/tools/compliance.js +1225 -0
  106. package/build/tools/container-security.d.ts +14 -0
  107. package/build/tools/container-security.d.ts.map +1 -0
  108. package/build/tools/container-security.js +788 -0
  109. package/build/tools/deception.d.ts +13 -0
  110. package/build/tools/deception.d.ts.map +1 -0
  111. package/build/tools/deception.js +763 -0
  112. package/build/tools/dns-security.d.ts +93 -0
  113. package/build/tools/dns-security.d.ts.map +1 -0
  114. package/build/tools/dns-security.js +745 -0
  115. package/build/tools/drift-detection.d.ts +8 -0
  116. package/build/tools/drift-detection.d.ts.map +1 -0
  117. package/build/tools/drift-detection.js +326 -0
  118. package/build/tools/ebpf-security.d.ts +15 -0
  119. package/build/tools/ebpf-security.d.ts.map +1 -0
  120. package/build/tools/ebpf-security.js +294 -0
  121. package/build/tools/encryption.d.ts +9 -0
  122. package/build/tools/encryption.d.ts.map +1 -0
  123. package/build/tools/encryption.js +1667 -0
  124. package/build/tools/firewall.d.ts +9 -0
  125. package/build/tools/firewall.d.ts.map +1 -0
  126. package/build/tools/firewall.js +1398 -0
  127. package/build/tools/hardening.d.ts +10 -0
  128. package/build/tools/hardening.d.ts.map +1 -0
  129. package/build/tools/hardening.js +2654 -0
  130. package/build/tools/ids.d.ts +9 -0
  131. package/build/tools/ids.d.ts.map +1 -0
  132. package/build/tools/ids.js +624 -0
  133. package/build/tools/incident-response.d.ts +10 -0
  134. package/build/tools/incident-response.d.ts.map +1 -0
  135. package/build/tools/incident-response.js +1180 -0
  136. package/build/tools/logging.d.ts +12 -0
  137. package/build/tools/logging.d.ts.map +1 -0
  138. package/build/tools/logging.js +454 -0
  139. package/build/tools/malware.d.ts +10 -0
  140. package/build/tools/malware.d.ts.map +1 -0
  141. package/build/tools/malware.js +532 -0
  142. package/build/tools/meta.d.ts +11 -0
  143. package/build/tools/meta.d.ts.map +1 -0
  144. package/build/tools/meta.js +2278 -0
  145. package/build/tools/network-defense.d.ts +12 -0
  146. package/build/tools/network-defense.d.ts.map +1 -0
  147. package/build/tools/network-defense.js +760 -0
  148. package/build/tools/patch-management.d.ts +3 -0
  149. package/build/tools/patch-management.d.ts.map +1 -0
  150. package/build/tools/patch-management.js +708 -0
  151. package/build/tools/process-security.d.ts +12 -0
  152. package/build/tools/process-security.d.ts.map +1 -0
  153. package/build/tools/process-security.js +784 -0
  154. package/build/tools/reporting.d.ts +11 -0
  155. package/build/tools/reporting.d.ts.map +1 -0
  156. package/build/tools/reporting.js +559 -0
  157. package/build/tools/secrets.d.ts +9 -0
  158. package/build/tools/secrets.d.ts.map +1 -0
  159. package/build/tools/secrets.js +596 -0
  160. package/build/tools/siem-integration.d.ts +18 -0
  161. package/build/tools/siem-integration.d.ts.map +1 -0
  162. package/build/tools/siem-integration.js +754 -0
  163. package/build/tools/sudo-management.d.ts +18 -0
  164. package/build/tools/sudo-management.d.ts.map +1 -0
  165. package/build/tools/sudo-management.js +737 -0
  166. package/build/tools/supply-chain-security.d.ts +8 -0
  167. package/build/tools/supply-chain-security.d.ts.map +1 -0
  168. package/build/tools/supply-chain-security.js +256 -0
  169. package/build/tools/threat-intel.d.ts +22 -0
  170. package/build/tools/threat-intel.d.ts.map +1 -0
  171. package/build/tools/threat-intel.js +749 -0
  172. package/build/tools/vulnerability-management.d.ts +11 -0
  173. package/build/tools/vulnerability-management.d.ts.map +1 -0
  174. package/build/tools/vulnerability-management.js +667 -0
  175. package/build/tools/waf.d.ts +12 -0
  176. package/build/tools/waf.d.ts.map +1 -0
  177. package/build/tools/waf.js +843 -0
  178. package/build/tools/wireless-security.d.ts +19 -0
  179. package/build/tools/wireless-security.d.ts.map +1 -0
  180. package/build/tools/wireless-security.js +826 -0
  181. package/build/tools/zero-trust-network.d.ts +8 -0
  182. package/build/tools/zero-trust-network.d.ts.map +1 -0
  183. package/build/tools/zero-trust-network.js +367 -0
  184. package/docs/SAFEGUARDS.md +518 -0
  185. package/docs/TOOLS-REFERENCE.md +665 -0
  186. package/package.json +87 -0
@@ -0,0 +1,79 @@
1
+ /**
2
+ * Known defensive tools that support per-tool timeout overrides
3
+ * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
4
+ */
5
+ export declare const KNOWN_TOOLS: readonly ["lynis", "aide", "clamav", "oscap", "snort", "suricata", "rkhunter", "chkrootkit", "tcpdump", "auditd", "nmap", "fail2ban-client", "debsums", "yara"];
6
+ export type KnownTool = (typeof KNOWN_TOOLS)[number];
7
+ /**
8
+ * Configuration interface for the Kali Defense MCP Server.
9
+ * All values are derived from environment variables with sensible defaults.
10
+ */
11
+ export interface DefenseConfig {
12
+ /** Default command timeout in milliseconds */
13
+ defaultTimeout: number;
14
+ /** Maximum output buffer size in bytes */
15
+ maxBuffer: number;
16
+ /** Directories allowed for file operations */
17
+ allowedDirs: string[];
18
+ /** Logging level */
19
+ logLevel: "debug" | "info" | "warn" | "error";
20
+ /**
21
+ * SECURITY (CICD-014): Dry-run mode — when true, modifying operations preview
22
+ * commands without executing them. Defaults to `true` so the server operates
23
+ * in a safe, read-only mode until explicitly opted out via
24
+ * KALI_DEFENSE_DRY_RUN=false. This prevents accidental system modifications.
25
+ */
26
+ dryRun: boolean;
27
+ /** Path to the changelog JSON file */
28
+ changelogPath: string;
29
+ /** Directory for file backups */
30
+ backupDir: string;
31
+ /**
32
+ * SECURITY (CICD-014): Whether to create backups before modifying files.
33
+ * Defaults to `true` — every file modification is backed up first so that
34
+ * changes can be rolled back if needed. Disable only in CI/test environments
35
+ * via KALI_DEFENSE_BACKUP_ENABLED=false.
36
+ */
37
+ backupEnabled: boolean;
38
+ /** Whether to auto-install missing tools */
39
+ autoInstall: boolean;
40
+ /** Paths protected from modification */
41
+ protectedPaths: string[];
42
+ /**
43
+ * SECURITY (CICD-014): Whether to require confirmation for destructive
44
+ * actions. Defaults to `true` — the server will request explicit confirmation
45
+ * before executing operations that modify system state. Disable only when
46
+ * running automated/unattended workflows via
47
+ * KALI_DEFENSE_REQUIRE_CONFIRMATION=false.
48
+ */
49
+ requireConfirmation: boolean;
50
+ /** Directory for quarantined files */
51
+ quarantineDir: string;
52
+ /** Directory for policy files */
53
+ policyDir: string;
54
+ /** Per-tool timeout overrides in milliseconds */
55
+ toolTimeouts: Partial<Record<KnownTool, number>>;
56
+ /** Sudo session timeout in milliseconds (default: 15 minutes) */
57
+ sudoSessionTimeout: number;
58
+ /** Command execution timeout in ms (falls back to defaultTimeout; env: KALI_DEFENSE_COMMAND_TIMEOUT) */
59
+ commandTimeout: number;
60
+ /** Network operation timeout in ms (default: 30s; env: KALI_DEFENSE_NETWORK_TIMEOUT) */
61
+ networkTimeout: number;
62
+ }
63
+ /**
64
+ * Returns the current configuration by reading environment variables.
65
+ * Results are cached for 5 seconds to avoid redundant env-var parsing
66
+ * across the 3–5 calls per tool invocation.
67
+ */
68
+ export declare function getConfig(): DefenseConfig;
69
+ /**
70
+ * Invalidate the config cache, forcing the next `getConfig()` call to
71
+ * re-read environment variables. Useful for tests.
72
+ */
73
+ export declare function invalidateConfigCache(): void;
74
+ /**
75
+ * Returns the effective timeout for a given tool in milliseconds.
76
+ * Checks per-tool overrides first, then falls back to the default timeout.
77
+ */
78
+ export declare function getToolTimeout(toolName: string, config?: DefenseConfig): number;
79
+ //# sourceMappingURL=config.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wGAAwG;IACxG,cAAc,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}
@@ -0,0 +1,193 @@
1
+ import { homedir } from "node:os";
2
+ import { join } from "node:path";
3
+ /**
4
+ * Known defensive tools that support per-tool timeout overrides
5
+ * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
6
+ */
7
+ export const KNOWN_TOOLS = [
8
+ "lynis",
9
+ "aide",
10
+ "clamav",
11
+ "oscap",
12
+ "snort",
13
+ "suricata",
14
+ "rkhunter",
15
+ "chkrootkit",
16
+ "tcpdump",
17
+ "auditd",
18
+ "nmap",
19
+ "fail2ban-client",
20
+ "debsums",
21
+ "yara",
22
+ ];
23
+ /**
24
+ * Resolves `~` prefix to the user's home directory.
25
+ */
26
+ function expandHome(p) {
27
+ if (p.startsWith("~/") || p === "~") {
28
+ return join(homedir(), p.slice(1));
29
+ }
30
+ return p;
31
+ }
32
+ /**
33
+ * Parses a comma-separated list of paths from an environment variable.
34
+ */
35
+ /**
36
+ * SECURITY (CORE-012): Directories that are too broad to be allowed.
37
+ * These grant access to the entire filesystem or critical root-level trees.
38
+ */
39
+ const REJECTED_DIRS = new Set(["/"]);
40
+ /** Directories that are very broad and deserve a warning. */
41
+ const BROAD_DIRS = new Set(["/usr", "/var", "/etc", "/opt", "/lib", "/lib64", "/sbin", "/bin"]);
42
+ function parsePaths(value, defaultValue) {
43
+ const raw = value ?? defaultValue;
44
+ const paths = raw
45
+ .split(",")
46
+ .map((s) => s.trim())
47
+ .filter((s) => s.length > 0)
48
+ .map(expandHome);
49
+ // SECURITY (CORE-012): Validate allowedDirs to reject overly broad paths
50
+ return paths.filter((p) => {
51
+ // Reject root directory and single-character root-level paths (e.g. "/")
52
+ if (REJECTED_DIRS.has(p) || (p.startsWith("/") && p.length <= 2 && p !== "/" + p.slice(1).replace(/\//g, ""))) {
53
+ console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
54
+ `granting access to the entire filesystem is not permitted.`);
55
+ return false;
56
+ }
57
+ // Reject any single-character root-level path like "/x"
58
+ if (/^\/[^/]$/.test(p)) {
59
+ console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
60
+ `single-character root-level paths are not permitted.`);
61
+ return false;
62
+ }
63
+ // Warn about broad directories
64
+ if (BROAD_DIRS.has(p)) {
65
+ console.error(`[KALI-DEFENSE] WARNING: allowedDir '${p}' is very broad. ` +
66
+ `Consider using a more specific subdirectory.`);
67
+ }
68
+ return true;
69
+ });
70
+ }
71
+ /**
72
+ * Parses a log level string, falling back to "info" if invalid.
73
+ */
74
+ function parseLogLevel(value) {
75
+ const valid = ["debug", "info", "warn", "error"];
76
+ const lower = (value ?? "info").toLowerCase();
77
+ return valid.includes(lower)
78
+ ? lower
79
+ : "info";
80
+ }
81
+ /**
82
+ * Reads per-tool timeout overrides from environment variables.
83
+ * Format: KALI_DEFENSE_TIMEOUT_<TOOL> (value in seconds, stored as ms).
84
+ */
85
+ function parseToolTimeouts() {
86
+ const timeouts = {};
87
+ for (const tool of KNOWN_TOOLS) {
88
+ const envKey = `KALI_DEFENSE_TIMEOUT_${tool.toUpperCase()}`;
89
+ const value = process.env[envKey];
90
+ if (value !== undefined) {
91
+ const seconds = parseInt(value, 10);
92
+ if (!isNaN(seconds) && seconds > 0) {
93
+ timeouts[tool] = seconds * 1000;
94
+ }
95
+ }
96
+ }
97
+ return timeouts;
98
+ }
99
+ // ── Config cache (avoids re-parsing 15+ env vars on every call) ──────────────
100
+ let _configCache = null;
101
+ let _configCacheTimestamp = 0;
102
+ const CONFIG_CACHE_TTL = 5_000; // 5 seconds
103
+ /**
104
+ * Returns the current configuration by reading environment variables.
105
+ * Results are cached for 5 seconds to avoid redundant env-var parsing
106
+ * across the 3–5 calls per tool invocation.
107
+ */
108
+ export function getConfig() {
109
+ const now = Date.now();
110
+ if (_configCache && (now - _configCacheTimestamp) < CONFIG_CACHE_TTL) {
111
+ return _configCache;
112
+ }
113
+ _configCache = buildConfigFromEnv();
114
+ _configCacheTimestamp = now;
115
+ return _configCache;
116
+ }
117
+ /**
118
+ * Build the configuration object by reading all environment variables.
119
+ * This is the actual parsing logic, called by the cached `getConfig()` wrapper.
120
+ */
121
+ function buildConfigFromEnv() {
122
+ const defaultTimeoutSec = parseInt(process.env.KALI_DEFENSE_TIMEOUT_DEFAULT ?? "120", 10);
123
+ const maxBufferBytes = parseInt(process.env.KALI_DEFENSE_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
124
+ const config = {
125
+ defaultTimeout: isNaN(defaultTimeoutSec) || defaultTimeoutSec <= 0
126
+ ? 120_000
127
+ : defaultTimeoutSec * 1000,
128
+ maxBuffer: isNaN(maxBufferBytes) || maxBufferBytes <= 0
129
+ ? 10 * 1024 * 1024
130
+ : maxBufferBytes,
131
+ // SECURITY (CICD-013): /etc is excluded from default allowedDirs because it
132
+ // contains sensitive system configuration files (shadow, sudoers, ssh configs).
133
+ // Granting default read/write access to /etc is too permissive. Tools that
134
+ // need /etc access should require explicit configuration via
135
+ // KALI_DEFENSE_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
136
+ allowedDirs: parsePaths(process.env.KALI_DEFENSE_ALLOWED_DIRS, "/tmp,/home,/var/log"),
137
+ logLevel: parseLogLevel(process.env.KALI_DEFENSE_LOG_LEVEL),
138
+ // SECURITY (CICD-014): Default to dry-run=true (safe preview mode)
139
+ // Set KALI_DEFENSE_DRY_RUN=false to enable live system modifications
140
+ dryRun: process.env.KALI_DEFENSE_DRY_RUN !== "false",
141
+ changelogPath: expandHome(process.env.KALI_DEFENSE_CHANGELOG_PATH ??
142
+ "~/.kali-defense/changelog.json"),
143
+ backupDir: expandHome(process.env.KALI_DEFENSE_BACKUP_DIR ?? "~/.kali-defense/backups"),
144
+ // SECURITY (CICD-014): Backup before modify — enabled by default
145
+ // Set KALI_DEFENSE_BACKUP_ENABLED=false only in CI/test environments
146
+ backupEnabled: process.env.KALI_DEFENSE_BACKUP_ENABLED !== "false",
147
+ autoInstall: process.env.KALI_DEFENSE_AUTO_INSTALL === "true",
148
+ protectedPaths: parsePaths(process.env.KALI_DEFENSE_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
149
+ requireConfirmation: process.env.KALI_DEFENSE_REQUIRE_CONFIRMATION !== "false",
150
+ quarantineDir: expandHome(process.env.KALI_DEFENSE_QUARANTINE_DIR ?? "~/.kali-defense/quarantine"),
151
+ policyDir: expandHome(process.env.KALI_DEFENSE_POLICY_DIR ?? "~/.kali-defense/policies"),
152
+ toolTimeouts: parseToolTimeouts(),
153
+ sudoSessionTimeout: (() => {
154
+ const envVal = process.env.KALI_DEFENSE_SUDO_TIMEOUT;
155
+ if (envVal) {
156
+ const minutes = parseInt(envVal, 10);
157
+ if (!isNaN(minutes) && minutes > 0)
158
+ return minutes * 60 * 1000;
159
+ }
160
+ return 15 * 60 * 1000; // default: 15 minutes
161
+ })(),
162
+ commandTimeout: (() => {
163
+ const sec = parseInt(process.env.KALI_DEFENSE_COMMAND_TIMEOUT ?? "120", 10);
164
+ return isNaN(sec) || sec <= 0 ? 120_000 : sec * 1000;
165
+ })(),
166
+ networkTimeout: (() => {
167
+ const sec = parseInt(process.env.KALI_DEFENSE_NETWORK_TIMEOUT ?? "30", 10);
168
+ return isNaN(sec) || sec <= 0 ? 30_000 : sec * 1000;
169
+ })(),
170
+ };
171
+ // Warn when dry-run is active so operators know no changes will be applied
172
+ if (config.dryRun) {
173
+ console.error("[KALI-DEFENSE] DRY_RUN mode is ACTIVE — no changes will be applied");
174
+ }
175
+ return config;
176
+ }
177
+ /**
178
+ * Invalidate the config cache, forcing the next `getConfig()` call to
179
+ * re-read environment variables. Useful for tests.
180
+ */
181
+ export function invalidateConfigCache() {
182
+ _configCache = null;
183
+ _configCacheTimestamp = 0;
184
+ }
185
+ /**
186
+ * Returns the effective timeout for a given tool in milliseconds.
187
+ * Checks per-tool overrides first, then falls back to the default timeout.
188
+ */
189
+ export function getToolTimeout(toolName, config) {
190
+ const cfg = config ?? getConfig();
191
+ const lowerName = toolName.toLowerCase();
192
+ return cfg.toolTimeouts[lowerName] ?? cfg.defaultTimeout;
193
+ }
@@ -0,0 +1,106 @@
1
+ /**
2
+ * Dependency Validator for Kali Defense MCP Server.
3
+ *
4
+ * Provides three key capabilities:
5
+ * 1. **Startup validation** — checks all tool dependencies when the server starts
6
+ * and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
7
+ * 2. **Runtime dependency check** — `ensureDependencies()` can be called before
8
+ * any tool execution to verify (and optionally install) required binaries
9
+ * 3. **Dependency status cache** — avoids redundant `which` calls by caching
10
+ * binary availability results with a configurable TTL
11
+ */
12
+ /**
13
+ * Result of a startup validation run.
14
+ */
15
+ export interface ValidationReport {
16
+ /** Total unique binaries checked */
17
+ totalChecked: number;
18
+ /** Binaries that are available */
19
+ available: string[];
20
+ /** Binaries that are missing */
21
+ missing: string[];
22
+ /** Binaries that were auto-installed */
23
+ installed: string[];
24
+ /** Binaries that failed to install */
25
+ installFailed: Array<{
26
+ binary: string;
27
+ error: string;
28
+ }>;
29
+ /** Critical tools with missing dependencies */
30
+ criticalMissing: Array<{
31
+ toolName: string;
32
+ missingBinaries: string[];
33
+ }>;
34
+ /** Duration of the validation in milliseconds */
35
+ durationMs: number;
36
+ /** Whether auto-install was enabled */
37
+ autoInstallEnabled: boolean;
38
+ }
39
+ /**
40
+ * Result of ensuring dependencies for a specific tool.
41
+ */
42
+ export interface EnsureResult {
43
+ /** Whether all required dependencies are satisfied */
44
+ satisfied: boolean;
45
+ /** Missing required binaries (empty if satisfied) */
46
+ missingRequired: string[];
47
+ /** Missing optional binaries */
48
+ missingOptional: string[];
49
+ /** Binaries that were auto-installed during this check */
50
+ autoInstalled: string[];
51
+ /** Errors from auto-install attempts */
52
+ installErrors: Array<{
53
+ binary: string;
54
+ error: string;
55
+ }>;
56
+ }
57
+ /**
58
+ * Clears the entire binary cache.
59
+ */
60
+ export declare function clearDependencyCache(): void;
61
+ /**
62
+ * Validates all tool dependencies at server startup.
63
+ *
64
+ * This function:
65
+ * 1. Collects all unique binaries required across all tools
66
+ * 2. Checks each binary's availability
67
+ * 3. If autoInstall is enabled, installs missing binaries
68
+ * 4. Reports critical tools with missing dependencies
69
+ *
70
+ * @returns A detailed validation report
71
+ */
72
+ export declare function validateAllDependencies(): Promise<ValidationReport>;
73
+ /**
74
+ * Ensures all dependencies for a specific MCP tool are satisfied.
75
+ *
76
+ * Call this at the start of any tool handler to verify its binaries are present.
77
+ * If autoInstall is enabled, missing binaries will be installed on-the-fly.
78
+ *
79
+ * @param toolName The MCP tool name (e.g. "ids_rkhunter_scan")
80
+ * @returns EnsureResult with satisfaction status and details
81
+ *
82
+ * @example
83
+ * ```ts
84
+ * const deps = await ensureDependencies("ids_rkhunter_scan");
85
+ * if (!deps.satisfied) {
86
+ * return {
87
+ * content: [createErrorContent(
88
+ * `Missing required tools: ${deps.missingRequired.join(", ")}. ` +
89
+ * `Install with: sudo apt install ${deps.missingRequired.join(" ")}`
90
+ * )],
91
+ * isError: true,
92
+ * };
93
+ * }
94
+ * ```
95
+ */
96
+ export declare function ensureDependencies(toolName: string): Promise<EnsureResult>;
97
+ /**
98
+ * Quick check if a single binary is available (cached).
99
+ * Does NOT auto-install. Use for lightweight pre-flight checks.
100
+ */
101
+ export declare function isBinaryInstalled(binary: string): Promise<boolean>;
102
+ /**
103
+ * Formats a ValidationReport into a human-readable string for logging.
104
+ */
105
+ export declare function formatValidationReport(report: ValidationReport): string;
106
+ //# sourceMappingURL=dependency-validator.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependency-validator.d.ts","sourceRoot":"","sources":["../../src/core/dependency-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgCH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gCAAgC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wCAAwC;IACxC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,sCAAsC;IACtC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxD,+CAA+C;IAC/C,eAAe,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACxE,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,gCAAgC;IAChC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACzD;AAsCD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAqJzE;AAID;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CA0EvB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAIxE;AAID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAmDvE"}