defense-mcp-server 0.9.3 → 0.9.4

package/build/core/parsers.d.ts

@@ -1,191 +0,0 @@
-/**
- * Output parsing utilities for defensive security tool output.
- * Converts raw command output into structured data for MCP responses.
- */
-/** MCP text content type */
-export interface McpTextContent {
-    type: "text";
-    text: string;
-    [key: string]: unknown;
-}
-/**
- * Maximum output size constant (retained for backward compatibility in tests).
- * No longer applied globally in formatToolOutput() — tools are responsible for
- * controlling their own output size via truncateWithMetadata() or similar.
- */
-export declare const MAX_OUTPUT_SIZE: number;
-/** Default max items for truncateWithMetadata() */
-export declare const DEFAULT_MAX_ITEMS = 1000;
-/** Metadata added when an array is truncated */
-export interface TruncationMetadata {
-    truncated: boolean;
-    total_count: number;
-    showing: number;
-}
-/**
- * Truncates an array to `maxItems` and returns the slice plus truncation metadata.
- * Use this in tools to cap findings/results arrays while preserving actionable data
- * and informing the consumer about what was omitted.
- *
- * @example
- * const { items, meta } = truncateWithMetadata(allFindings, 1000);
- * return { findings: items, ...meta };
- */
-export declare function truncateWithMetadata<T>(items: T[], maxItems?: number): {
-    items: T[];
-    meta: TruncationMetadata;
-};
-/**
- * Parses key:value pair output into a Record.
- * Lines without the separator are skipped.
- */
-export declare function parseKeyValue(output: string, separator?: string): Record<string, string>;
-/**
- * Parses whitespace-delimited table output into an array of Records.
- * First non-empty line is treated as the header row.
- */
-export declare function parseTable(output: string): Record<string, string>[];
-/**
- * Safely parses JSON text. Returns null on parse failure.
- */
-export declare function parseJsonSafe(text: string): unknown | null;
-/**
- * Formats any data into MCP text content.
- * Objects are JSON-stringified with indentation.
- *
- * NOTE: Global truncation was removed in favor of per-tool smart truncation
- * via truncateWithMetadata(). Tools are responsible for capping their own
- * arrays/findings before calling this function. This preserves complete
- * structured data (findings, results) while avoiding mid-JSON truncation
- * that broke parsing for consumers.
- */
-export declare function formatToolOutput(data: unknown): McpTextContent;
-/**
- * Creates a simple MCP text content object.
- */
-export declare function createTextContent(text: string): McpTextContent;
-/**
- * Creates an MCP text content object with an error prefix.
- */
-export declare function createErrorContent(msg: string): McpTextContent;
-/** Structured iptables rule */
-export interface IptablesRule {
-    chain: string;
-    policy?: string;
-    packets: string;
-    bytes: string;
-    target: string;
-    protocol: string;
-    opt: string;
-    in: string;
-    out: string;
-    source: string;
-    destination: string;
-    extra: string;
-}
-/**
- * Parses `iptables -L -n -v` output into structured rules.
- */
-export declare function parseIptablesOutput(output: string): IptablesRule[];
-/**
- * Parses `nft list ruleset` output into structured sections.
- */
-export declare function parseNftOutput(output: string): Record<string, string[]>;
-/** Structured sysctl entry */
-export interface SysctlEntry {
-    key: string;
-    value: string;
-}
-/**
- * Parses `sysctl -a` output into structured entries.
- */
-export declare function parseSysctlOutput(output: string): SysctlEntry[];
-/** Structured audit log entry */
-export interface AuditEntry {
-    type: string;
-    timestamp: string;
-    fields: Record<string, string>;
-}
-/**
- * Parses `ausearch` output into structured audit entries.
- */
-export declare function parseAuditdOutput(output: string): AuditEntry[];
-/** Lynis finding */
-export interface LynisFinding {
-    severity: string;
-    testId: string;
-    description: string;
-}
-/**
- * Parses Lynis audit output for findings/warnings/suggestions.
- */
-export declare function parseLynisOutput(output: string): LynisFinding[];
-/** OpenSCAP result entry */
-export interface OscapResult {
-    ruleId: string;
-    result: string;
-    severity: string;
-    title: string;
-}
-/**
- * Parses OpenSCAP text/XML results output.
- * Handles the common text report format.
- */
-export declare function parseOscapOutput(output: string): OscapResult[];
-/** ClamAV scan result */
-export interface ClamavResult {
-    file: string;
-    status: "OK" | "FOUND" | "ERROR";
-    virus?: string;
-}
-/**
- * Parses `clamscan` output into structured results.
- */
-export declare function parseClamavOutput(output: string): ClamavResult[];
-/**
- * Extracts ClamAV's summary section from raw stdout output.
- * ClamAV prints a "----------- SCAN SUMMARY -----------" block at the end.
- * Returns the summary block (max ~500 chars) instead of the full per-file output.
- * Falls back to a generated summary if the summary block isn't found.
- */
-export declare function extractClamavSummary(stdout: string): string;
-/** Structured socket entry from ss */
-export interface SsEntry {
-    state: string;
-    recv: string;
-    send: string;
-    local: string;
-    peer: string;
-    process: string;
-}
-/**
- * Parses `ss -tulnp` output into structured entries.
- */
-export declare function parseSsOutput(output: string): SsEntry[];
-/** Structured fail2ban jail status */
-export interface Fail2banJail {
-    name: string;
-    status: string;
-    currentlyFailed: number;
-    totalFailed: number;
-    currentlyBanned: number;
-    totalBanned: number;
-    bannedIPs: string[];
-}
-/**
- * Parses `fail2ban-client status` output.
- */
-export declare function parseFail2banOutput(output: string): Fail2banJail[];
-/** Structured systemctl unit entry */
-export interface SystemctlUnit {
-    unit: string;
-    load: string;
-    active: string;
-    sub: string;
-    description: string;
-}
-/**
- * Parses `systemctl list-units` output into structured entries.
- */
-export declare function parseSystemctlOutput(output: string): SystemctlUnit[];
-//# sourceMappingURL=parsers.d.ts.map

package/build/core/parsers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"parsers.d.ts","sourceRoot":"","sources":["../../src/core/parsers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,4BAA4B;AAC5B,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,eAAO,MAAM,eAAe,QAAa,CAAC;AAE1C,mDAAmD;AACnD,eAAO,MAAM,iBAAiB,OAAO,CAAC;AAEtC,gDAAgD;AAChD,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EACpC,KAAK,EAAE,CAAC,EAAE,EACV,QAAQ,GAAE,MAA0B,GACnC;IAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAAC,IAAI,EAAE,kBAAkB,CAAA;CAAE,CAY1C;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAAY,GACtB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBxB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CA4BnE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAM1D;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,OAAO,GAAG,cAAc,CAS9D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CAE9D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAE9D;AAID,+BAA+B;AAC/B,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,EAAE,CAmDlE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,GACb,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAyB1B;AAID,8BAA8B;AAC9B,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,EAAE,CAgB/D;AAID,iCAAiC;AACjC,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,EAAE,CAiC9D;AAID,oBAAoB;AACpB,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,EAAE,CA0C/D;AAED,4BAA4B;AAC5B,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,EAAE,CAmD9D;AAID,yBAAyB;AACzB,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,EAAE,CAsChE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAc3D;AAID,sCAAsC;AACtC,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,EAAE,CAyBvD;AAID,sCAAsC;AACtC,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,EAAE,CAoFlE;AAED,sCAAsC;AACtC,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,EAAE,CAoCpE"}

package/build/core/policy-engine.d.ts

@@ -1,170 +0,0 @@
-/**
- * Severity levels for policy rules, aligned with common security frameworks.
- */
-export type PolicySeverity = "critical" | "high" | "medium" | "low" | "info";
-/**
- * A single compliance policy rule defining a check and optional remediation.
- */
-export interface PolicyRule {
-    /** Unique rule identifier (e.g., "CIS-1.1.1") */
-    id: string;
-    /** Human-readable title */
-    title: string;
-    /** Detailed description of what this rule checks */
-    description: string;
-    /** Severity of non-compliance */
-    severity: PolicySeverity;
-    /** Category (e.g., "filesystem", "network", "authentication") */
-    category: string;
-    /** Command to run to check compliance (array: [command, ...args]) */
-    check: string[];
-    /** Expected output pattern (regex string or exact match) */
-    expectedOutput?: string;
-    /** Command to remediate non-compliance (array: [command, ...args]) */
-    remediation?: string[];
-    /** Reference IDs (e.g., CIS benchmark, NIST control IDs) */
-    references?: string[];
-}
-/**
- * Result of evaluating a single policy rule.
- */
-export interface PolicyResult {
-    /** The rule that was evaluated */
-    rule: PolicyRule;
-    /** Whether the system passed this check */
-    passed: boolean;
-    /** Actual output from the check command */
-    actual: string;
-    /** Human-readable result message */
-    message: string;
-}
-/**
- * A collection of policy rules forming a compliance policy set.
- */
-export interface PolicySet {
-    /** Policy set name (e.g., "CIS Level 1 - Server") */
-    name: string;
-    /** Version of this policy set */
-    version: string;
-    /** Description of the policy set */
-    description: string;
-    /** Array of policy rules */
-    rules: PolicyRule[];
-}
-/**
- * Summary of a policy evaluation.
- */
-export interface PolicyEvaluationSummary {
-    /** Policy set that was evaluated */
-    policyName: string;
-    /** Total number of rules */
-    totalRules: number;
-    /** Number of rules that passed */
-    passed: number;
-    /** Number of rules that failed */
-    failed: number;
-    /** Number of rules with errors */
-    errors: number;
-    /** Compliance percentage (0-100) */
-    compliancePercent: number;
-    /** Individual rule results */
-    results: PolicyResult[];
-}
-/**
- * Validates a policy rule's check (or remediation) command array.
- *
- * Security controls:
- * 1. Command (check[0]) must be in the security allowlist
- * 2. Shell interpreters are explicitly blocked (even if allowlisted)
- * 3. Arguments are checked for null bytes and control characters
- *
- * Note: Shell metacharacters (|, &, $, etc.) in arguments are NOT blocked
- * because policy rules use execFile (no shell), making these characters
- * harmless literal values. Policy rules legitimately need regex
- * metacharacters as arguments to grep/awk/sed.
- *
- * @param check The command array [command, ...args]
- * @param label Human-readable label for error messages (e.g., "check", "remediation")
- * @throws {Error} If validation fails
- */
-export declare function validateRuleCheck(check: string[], label?: string): void;
-/**
- * SECURITY (CORE-009): ReDoS (Regular Expression Denial of Service) protection.
- *
- * Safely tests a regex pattern against input with multiple layers of defense
- * against catastrophic backtracking:
- *
- * 1. **Length limit**: Patterns longer than 200 characters are rejected to reduce
- *    the attack surface for complex regex injection.
- * 2. **Nested quantifier detection**: Patterns like `(a+)+`, `(a*)*`, `(a+)*`
- *    are rejected because they cause exponential backtracking on non-matching
- *    input. The check uses two heuristics:
- *    - Repeated quantifiers: `a++`, `a**`, `{n,m}{` (possessive-like syntax
- *      that JavaScript doesn't support, indicating malformed patterns)
- *    - Group-level nesting: `([...]+)+` or `([...]*)*` where a quantified
- *      group is itself quantified
- * 3. **try-catch**: Invalid regex syntax is caught and reported clearly.
- *
- * These checks are applied to user-supplied `expectedOutput` regex patterns
- * in policy rules before they are compiled or executed.
- *
- * @param pattern The regex pattern string
- * @param input The string to test against
- * @returns Whether the pattern matches the input
- * @throws {Error} If the pattern is dangerous, invalid, or too long
- */
-export declare function safeRegexTest(pattern: string, input: string): boolean;
-/**
- * Evaluates a single policy rule by executing its check command
- * and comparing the output against the expected pattern.
- *
- * Before execution, the check command is validated against the
- * security allowlist and shell interpreters are blocked.
- *
- * @param rule The policy rule to evaluate
- * @returns The evaluation result
- */
-export declare function evaluateRule(rule: PolicyRule): Promise<PolicyResult>;
-/**
- * Evaluates all rules in a policy set and returns a summary.
- *
- * @param policySet The policy set to evaluate
- * @returns Evaluation summary with individual results
- */
-export declare function evaluatePolicy(policySet: PolicySet): Promise<PolicyEvaluationSummary>;
-/**
- * Loads a policy set from a JSON file with strict schema validation.
- *
- * Validates:
- * 1. JSON structure via Zod schema (field types, lengths, required fields)
- * 2. All check commands against the security allowlist
- * 3. All remediation commands against the security allowlist
- *
- * @param path Absolute or relative path to the policy JSON file
- * @returns The loaded and validated policy set
- * @throws If the file cannot be read, parsed, or fails validation
- */
-export declare function loadPolicy(path: string): PolicySet;
-/**
- * Saves a policy set to a JSON file with secure permissions.
- * Creates parent directories with owner-only permissions (0o700).
- * Files are written with owner-only permissions (0o600).
- *
- * @param path Path to save the policy file
- * @param policy The policy set to save
- */
-export declare function savePolicy(path: string, policy: PolicySet): void;
-/**
- * Returns a list of built-in policy file names from the policy directory.
- * Returns empty array if the directory doesn't exist or is empty.
- */
-export declare function getBuiltinPolicies(): string[];
-/**
- * Built-in policy rule templates for common hardening checks.
- * These can be used as a starting point for custom policies.
- *
- * SECURITY: All check commands use direct binary invocation (no shell).
- * Shell interpreters (sh, bash, etc.) are never used in check or remediation arrays.
- */
-export declare const BUILTIN_RULE_TEMPLATES: PolicyRule[];
-//# sourceMappingURL=policy-engine.d.ts.map

package/build/core/policy-engine.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../../src/core/policy-engine.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAE7E;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,iDAAiD;IACjD,EAAE,EAAE,MAAM,CAAC;IACX,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,QAAQ,EAAE,cAAc,CAAC;IACzB,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sEAAsE;IACtE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kCAAkC;IAClC,IAAI,EAAE,UAAU,CAAC;IACjB,2CAA2C;IAC3C,MAAM,EAAE,OAAO,CAAC;IAChB,2CAA2C;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,KAAK,EAAE,UAAU,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,8BAA8B;IAC9B,OAAO,EAAE,YAAY,EAAE,CAAC;CACzB;AA4ED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,KAAK,SAAU,GAAG,IAAI,CA0CxE;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CA0BrE;AAID;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CA2E1E;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,uBAAuB,CAAC,CAwClC;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAwBlD;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,IAAI,CAQhE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,EAAE,CAY7C;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,EAAE,UAAU,EAwT9C,CAAC"}

package/build/core/preflight.d.ts

@@ -1,157 +0,0 @@
-/**
- * Pre-flight Validation Engine — orchestrates the complete pre-flight
- * validation pipeline for MCP tools.
- *
- * Before each tool invocation this module:
- * 1. Resolves the tool's manifest from the {@link ToolRegistry}
- * 2. Checks binary, Python, npm, library, and file dependencies
- * 3. Attempts auto-installation of missing deps when enabled
- * 4. Validates privilege requirements via {@link PrivilegeManager}
- * 5. Returns a structured {@link PreflightResult} with pass/fail, actionable
- *    messages, and a human-readable summary
- *
- * Results are cached for 60 seconds to avoid redundant checks when multiple
- * tools from the same category are invoked in sequence.
- *
- * @module preflight
- */
-import { type ToolManifest } from "./tool-registry.js";
-import { type PrivilegeIssue } from "./privilege-manager.js";
-export interface PreflightResult {
-    toolName: string;
-    /** Overall pass/fail */
-    passed: boolean;
-    timestamp: number;
-    /** Total pre-flight time in ms */
-    duration: number;
-    dependencies: {
-        /** Everything that was checked */
-        checked: DependencyCheck[];
-        /** Still missing after install attempts */
-        missing: DependencyCheck[];
-        /** Successfully auto-installed */
-        installed: DependencyCheck[];
-        /** Non-fatal dependency issues */
-        warnings: string[];
-    };
-    privileges: {
-        satisfied: boolean;
-        issues: PrivilegeIssue[];
-        recommendations: string[];
-    };
-    safeguards?: {
-        /** Whether the operation is safe */
-        safe: boolean;
-        /** Blocking safety issues (prevent execution) */
-        blockers: string[];
-        /** Non-blocking safety warnings */
-        warnings: string[];
-        /** Applications impacted by the operation */
-        impactedApps: string[];
-    };
-    /** Human-readable summary */
-    summary: string;
-    /** Fatal blocking errors */
-    errors: string[];
-    /** Non-fatal warnings */
-    warnings: string[];
-}
-export interface DependencyCheck {
-    name: string;
-    type: "binary" | "python-module" | "npm-package" | "library" | "file";
-    /** true = required, false = optional */
-    required: boolean;
-    found: boolean;
-    autoInstalled?: boolean;
-    installMessage?: string;
-}
-/**
- * Central orchestration engine for the pre-flight validation pipeline.
- *
- * Singleton — obtain via {@link PreflightEngine.instance}.
- *
- * The main entry point is {@link runPreflight}, which executes the full
- * dependency → auto-install → privilege check pipeline and returns a
- * structured {@link PreflightResult}.
- */
-export declare class PreflightEngine {
-    private registry;
-    private privilegeManager;
-    private autoInstaller;
-    /**
-     * Dependency cache — keyed by tool name only, 60s TTL.
-     * Covers: binary existence, privilege checks, auto-install results.
-     * Cached regardless of params (dependency results don't depend on runtime params).
-     */
-    private resultCache;
-    private static readonly CACHE_TTL;
-    private static _instance;
-    private constructor();
-    /** Get or create the singleton instance. */
-    static instance(): PreflightEngine;
-    /**
-     * Run the full pre-flight validation pipeline for a tool.
-     *
-     * 1. Check cache — return early for valid passing results
-     * 2. Resolve the tool's manifest from the registry
-     * 3. Check all dependency types (binary, Python, npm, library, file)
-     * 4. Auto-install missing required deps when enabled
-     * 5. Validate privilege requirements (sudo, capabilities)
-     * 6. Determine overall pass/fail and generate summary
-     * 7. Cache and return the result
-     */
-    runPreflight(toolName: string, params?: Record<string, unknown>): Promise<PreflightResult>;
-    /**
-     * Check all dependency types for a tool manifest.
-     *
-     * Checks binaries, Python modules, npm packages, system libraries,
-     * and required files. If any required dependency is missing and
-     * auto-install is enabled, attempts installation via {@link AutoInstaller}.
-     */
-    checkDependencies(manifest: ToolManifest): Promise<PreflightResult["dependencies"]>;
-    /**
-     * Check privilege requirements for a tool manifest.
-     * Delegates to {@link PrivilegeManager.checkForTool}.
-     */
-    checkPrivileges(manifest: ToolManifest): Promise<PreflightResult["privileges"]>;
-    /**
-     * Generate a human-readable summary of the pre-flight result.
-     *
-     * @example Passing
-     * ```
-     * PASS: Pre-flight passed for 'firewall_iptables_list'
-     *   Dependencies: 2/2 available (iptables, ip6tables)
-     *   Privileges: sudo session active
-     *   Ready to execute.
-     * ```
-     *
-     * @example Failing
-     * ```
-     * Pre-flight FAILED for 'compliance_oscap_scan'
-     *   Missing dependencies:
-     *     • oscap (binary) — Install with: sudo apt-get install -y libopenscap8
-     *   Privilege issues:
-     *     • Root access required for OpenSCAP scanning
-     *     → Run 'sudo_elevate' tool first to provide credentials
-     *   Cannot proceed until issues are resolved.
-     * ```
-     */
-    formatSummary(result: PreflightResult): string;
-    /**
-     * Generate a shorter status message for prepending to tool output.
-     *
-     * - Passed (no issues): `"[pre-flight OK] All checks passed (2 deps, sudo active)"`
-     * - Passed (warnings): `"[pre-flight OK] Passed with warnings: optional dep 'nmap' not found"`
-     * - Failed: returns the full error summary from {@link formatSummary}
-     */
-    formatStatusMessage(result: PreflightResult): string;
-    /**
-     * Clear the result cache.
-     * Call after installs, privilege changes, or any event that invalidates
-     * previous pre-flight results.
-     */
-    clearCache(): void;
-    /** Store a result in the cache with TTL. */
-    private cacheResult;
-}
-//# sourceMappingURL=preflight.d.ts.map

package/build/core/preflight.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"preflight.d.ts","sourceRoot":"","sources":["../../src/core/preflight.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,wBAAwB,CAAC;AAchC,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IAGjB,YAAY,EAAE;QACZ,kCAAkC;QAClC,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,2CAA2C;QAC3C,OAAO,EAAE,eAAe,EAAE,CAAC;QAC3B,kCAAkC;QAClC,SAAS,EAAE,eAAe,EAAE,CAAC;QAC7B,kCAAkC;QAClC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IAGF,UAAU,EAAE;QACV,SAAS,EAAE,OAAO,CAAC;QACnB,MAAM,EAAE,cAAc,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;IAGF,UAAU,CAAC,EAAE;QACX,oCAAoC;QACpC,IAAI,EAAE,OAAO,CAAC;QACd,iDAAiD;QACjD,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,mCAAmC;QACnC,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,6CAA6C;QAC7C,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IAEF,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,wCAAwC;IACxC,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA6ID;;;;;;;;GAQG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,aAAa,CAAgB;IAErC;;;;OAIG;IACH,OAAO,CAAC,WAAW,CAA2D;IAC9E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAU;IAE3C,OAAO,CAAC,MAAM,CAAC,SAAS,CAAgC;IAExD,OAAO;IAOP,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,eAAe;IASlC;;;;;;;;;;OAUG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,eAAe,CAAC;IAmM3B;;;;;;OAMG;IACG,iBAAiB,CACrB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IA0J3C;;;OAGG;IACG,eAAe,CACnB,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IAWzC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,aAAa,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;IAoG9C;;;;;;OAMG;IACH,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM;IAiCpD;;;;OAIG;IACH,UAAU,IAAI,IAAI;IAMlB,4CAA4C;IAC5C,OAAO,CAAC,WAAW;CAMpB"}

package/build/core/privilege-manager.d.ts

@@ -1,108 +0,0 @@
-/**
- * PrivilegeManager — detects the current privilege level and checks whether
- * a tool's privilege requirements are satisfied.
- *
- * This module is part of the pre-flight validation system. It queries:
- *   - UID / EUID via `process.getuid()` / `process.geteuid()`
- *   - Linux capabilities via `/proc/self/status` CapEff bitmask
- *   - Passwordless sudo via `sudo -n true`
- *   - Active sudo session via `SudoSession.getInstance().isElevated()`
- *   - User groups via `id -Gn`
- *
- * Child process spawning goes through spawn-safe.ts which enforces the
- * command allowlist and shell: false without creating circular dependencies.
- *
- * @module privilege-manager
- */
-import type { ToolManifest } from "./tool-registry.js";
-export interface PrivilegeStatus {
-    /** Current real user ID */
-    uid: number;
-    /** Current effective user ID */
-    euid: number;
-    /** Whether running as root (euid === 0) */
-    isRoot: boolean;
-    /** Whether `sudo` binary is available on PATH */
-    sudoAvailable: boolean;
-    /** Whether passwordless sudo works (`sudo -n true`) */
-    passwordlessSudo: boolean;
-    /** Whether SudoSession has cached credentials */
-    sudoSessionActive: boolean;
-    /** Currently held Linux capabilities (from CapEff) */
-    capabilities: Set<string>;
-    /** User's group memberships */
-    groups: string[];
-}
-export interface PrivilegeCheckResult {
-    /** All privilege requirements met */
-    satisfied: boolean;
-    /** Problems found */
-    issues: PrivilegeIssue[];
-    /** How to fix any issues */
-    recommendations: string[];
-}
-export interface PrivilegeIssue {
-    type: "sudo-required" | "capability-missing" | "sudo-unavailable" | "session-expired";
-    /** Human-readable description of the issue */
-    description: string;
-    /** Which tool/operation needs this privilege */
-    operation: string;
-    /** How to resolve the issue */
-    resolution: string;
-}
-export declare class PrivilegeManager {
-    private cachedStatus;
-    private cacheExpiry;
-    private static readonly CACHE_TTL;
-    private static _instance;
-    private constructor();
-    /** Get or create the singleton instance. */
-    static instance(): PrivilegeManager;
-    /**
-     * Detect current privilege level.
-     * Results are cached for {@link CACHE_TTL} ms to avoid repeated
-     * subprocess spawns on rapid sequential tool calls.
-     */
-    getStatus(): Promise<PrivilegeStatus>;
-    /**
-     * Check whether a specific tool's privilege requirements are met.
-     *
-     * Evaluates the tool's `sudo` level and `capabilities` list against
-     * the current {@link PrivilegeStatus} and returns actionable issues.
-     */
-    checkForTool(manifest: ToolManifest): Promise<PrivilegeCheckResult>;
-    /**
-     * Check if a specific Linux capability is in the current effective set.
-     */
-    hasCapability(cap: string): Promise<boolean>;
-    /**
-     * Parse the effective capability set from `/proc/self/status`.
-     *
-     * Reads the `CapEff` line which contains a hex-encoded bitmask,
-     * then maps set bits to capability names using the kernel-defined
-     * bit positions.
-     */
-    getCurrentCapabilities(): Promise<Set<string>>;
-    /**
-     * Test whether passwordless sudo works by running `sudo -n true`.
-     * The `-n` (non-interactive) flag causes sudo to fail immediately
-     * rather than prompting if a password is required.
-     */
-    testPasswordlessSudo(): Promise<boolean>;
-    /**
-     * Check whether the `sudo` binary exists on PATH.
-     */
-    isSudoAvailable(): Promise<boolean>;
-    /**
-     * Invalidate the cached status.
-     * Should be called after events that change privilege state,
-     * e.g., after `sudo_elevate` or `sudo_drop`.
-     */
-    clearCache(): void;
-    /**
-     * Get user group memberships via `id -Gn`.
-     * Returns an empty array on failure.
-     */
-    private getGroups;
-}
-//# sourceMappingURL=privilege-manager.d.ts.map

package/build/core/privilege-manager.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"privilege-manager.d.ts","sourceRoot":"","sources":["../../src/core/privilege-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAyEvD,MAAM,WAAW,eAAe;IAC9B,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,2CAA2C;IAC3C,MAAM,EAAE,OAAO,CAAC;IAChB,iDAAiD;IACjD,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iDAAiD;IACjD,iBAAiB,EAAE,OAAO,CAAC;IAC3B,sDAAsD;IACtD,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1B,+BAA+B;IAC/B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,qBAAqB;IACrB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,4BAA4B;IAC5B,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EACA,eAAe,GACf,oBAAoB,GACpB,kBAAkB,GAClB,iBAAiB,CAAC;IACtB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;CACpB;AA+ED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,YAAY,CAAgC;IACpD,OAAO,CAAC,WAAW,CAAa;IAChC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAU;IAE3C,OAAO,CAAC,MAAM,CAAC,SAAS,CAAiC;IAEzD,OAAO;IAIP,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,gBAAgB;IASnC;;;;OAIG;IACG,SAAS,IAAI,OAAO,CAAC,eAAe,CAAC;IAoC3C;;;;;OAKG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAkGzE;;OAEG;IACG,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlD;;;;;;OAMG;IACG,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAkCpD;;;;OAIG;IACG,oBAAoB,IAAI,OAAO,CAAC,OAAO,CAAC;IAM9C;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAKzC;;;;OAIG;IACH,UAAU,IAAI,IAAI;IAOlB;;;OAGG;IACH,OAAO,CAAC,SAAS;CAUlB"}