defense-mcp-server 0.9.3 → 0.9.5

package/build/index.js

@@ -104,10 +104,6 @@ process.on("unhandledRejection", (reason) => {
 });
 // ── Main entry point ─────────────────────────────────────────────────────────
 async function main() {
-    const server = new McpServer({
-        name: "defense-mcp-server",
-        version: VERSION,
-    });
     // ── Phase 1: Dependency Validation & Auto-Install ────────────────────────
     //
     // Before registering tools, validate that all required system binaries
@@ -216,66 +212,79 @@ async function main() {
     catch {
         // Non-fatal — third-party check failure must not block startup
     }
-    // Wrap server with pre-flight middleware
-    const wrappedServer = createPreflightServer(server);
-    // ── Phase 2: Register all defensive tool modules (with error isolation) ──
-    let registered = 0;
-    let failed = 0;
-    const failedModules = [];
-    function safeRegister(name, fn) {
-        try {
-            fn(wrappedServer);
-            registered++;
-        }
-        catch (err) {
-            failed++;
-            failedModules.push(name);
-            console.error(`[startup] ⚠ Failed to register ${name} tools: ${err instanceof Error ? err.message : err}`);
+    // ── Phase 2: Tool registration ────────────────────────────────────────────
+    //
+    // registerAllTools() creates a fresh McpServer, wraps it with pre-flight
+    // middleware, and registers every tool module. For stdio we call it once;
+    // for HTTP we call it per session so each client gets its own instance
+    // (the MCP SDK only allows one transport per McpServer).
+    function registerAllTools() {
+        const srv = new McpServer({
+            name: "defense-mcp-server",
+            version: VERSION,
+        });
+        const wrapped = createPreflightServer(srv);
+        let registered = 0;
+        let failed = 0;
+        const failedModules = [];
+        function safeRegister(name, fn) {
+            try {
+                fn(wrapped);
+                registered++;
+            }
+            catch (err) {
+                failed++;
+                failedModules.push(name);
+                console.error(`[startup] ⚠ Failed to register ${name} tools: ${err instanceof Error ? err.message : err}`);
+            }
         }
+        // Sudo privilege management (must be registered first — prerequisite for other tools)
+        safeRegister("sudo-management", registerSudoManagementTools);
+        // Original tool modules
+        safeRegister("firewall", registerFirewallTools);
+        safeRegister("hardening", registerHardeningTools);
+        safeRegister("integrity", registerIntegrityTools);
+        safeRegister("logging", registerLoggingTools);
+        safeRegister("network-defense", registerNetworkDefenseTools);
+        safeRegister("compliance", registerComplianceTools);
+        safeRegister("malware", registerMalwareTools);
+        safeRegister("backup", registerBackupTools);
+        safeRegister("access-control", registerAccessControlTools);
+        safeRegister("encryption", registerEncryptionTools);
+        safeRegister("container-security", registerContainerSecurityTools);
+        safeRegister("meta", registerMetaTools);
+        safeRegister("patch-management", registerPatchManagementTools);
+        safeRegister("secrets", registerSecretsTools);
+        safeRegister("incident-response", registerIncidentResponseTools);
+        // New tool modules
+        safeRegister("supply-chain-security", registerSupplyChainSecurityTools);
+        safeRegister("zero-trust-network", registerZeroTrustNetworkTools);
+        safeRegister("ebpf-security", registerEbpfSecurityTools);
+        safeRegister("app-hardening", registerAppHardeningTools);
+        // v0.6.0 tool modules
+        safeRegister("api-security", registerApiSecurityTools);
+        safeRegister("cloud-security", registerCloudSecurityTools);
+        safeRegister("deception", registerDeceptionTools);
+        safeRegister("dns-security", registerDnsSecurityTools);
+        safeRegister("process-security", registerProcessSecurityTools);
+        safeRegister("threat-intel", registerThreatIntelTools);
+        safeRegister("vulnerability-management", registerVulnerabilityManagementTools);
+        safeRegister("waf", registerWafTools);
+        safeRegister("wireless-security", registerWirelessSecurityTools);
+        return { server: srv, registered, failed, failedModules };
     }
-    // Sudo privilege management (must be registered first — prerequisite for other tools)
-    safeRegister("sudo-management", registerSudoManagementTools);
-    // Original tool modules
-    safeRegister("firewall", registerFirewallTools);
-    safeRegister("hardening", registerHardeningTools);
-    safeRegister("integrity", registerIntegrityTools);
-    safeRegister("logging", registerLoggingTools);
-    safeRegister("network-defense", registerNetworkDefenseTools);
-    safeRegister("compliance", registerComplianceTools);
-    safeRegister("malware", registerMalwareTools);
-    safeRegister("backup", registerBackupTools);
-    safeRegister("access-control", registerAccessControlTools);
-    safeRegister("encryption", registerEncryptionTools);
-    safeRegister("container-security", registerContainerSecurityTools);
-    safeRegister("meta", registerMetaTools);
-    safeRegister("patch-management", registerPatchManagementTools);
-    safeRegister("secrets", registerSecretsTools);
-    safeRegister("incident-response", registerIncidentResponseTools);
-    // New tool modules
-    safeRegister("supply-chain-security", registerSupplyChainSecurityTools);
-    safeRegister("zero-trust-network", registerZeroTrustNetworkTools);
-    safeRegister("ebpf-security", registerEbpfSecurityTools);
-    safeRegister("app-hardening", registerAppHardeningTools);
-    // v0.6.0 tool modules
-    safeRegister("api-security", registerApiSecurityTools);
-    safeRegister("cloud-security", registerCloudSecurityTools);
-    safeRegister("deception", registerDeceptionTools);
-    safeRegister("dns-security", registerDnsSecurityTools);
-    safeRegister("process-security", registerProcessSecurityTools);
-    safeRegister("threat-intel", registerThreatIntelTools);
-    safeRegister("vulnerability-management", registerVulnerabilityManagementTools);
-    safeRegister("waf", registerWafTools);
-    safeRegister("wireless-security", registerWirelessSecurityTools);
-    // Fail hard if no modules loaded at all
-    if (registered === 0) {
+    // Validate that tool registration works (fail-fast on startup)
+    const initial = registerAllTools();
+    if (initial.registered === 0) {
         throw new Error("No tool modules loaded — server cannot start");
     }
     // ── Phase 3: Connect transport ───────────────────────────────────────────
     const transportMode = process.env.MCP_TRANSPORT ?? "stdio";
-    const registrationMsg = `Registered ${registered} tool modules with consolidated defensive security tools` +
-        `${failed > 0 ? ` (${failed} failed: ${failedModules.join(", ")})` : ""}`;
+    const registrationMsg = `Registered ${initial.registered} tool modules with consolidated defensive security tools` +
+        `${initial.failed > 0 ? ` (${initial.failed} failed: ${initial.failedModules.join(", ")})` : ""}`;
     if (transportMode === "http") {
         const port = parseInt(process.env.MCP_PORT ?? "3100", 10);
+        const apiKey = process.env.MCP_API_KEY ?? "";
         // Server card for Smithery discovery
         const serverCard = {
             serverInfo: {
@@ -283,7 +292,7 @@ async function main() {
                 version: VERSION,
                 description: "31 defensive security tools (250+ actions) for Linux system hardening, compliance, and threat detection",
             },
-            authentication: { required: false },
+            authentication: { required: !!apiKey },
             tools: [
                 { name: "access_control", description: "Access control: SSH, PAM, sudo, user audit, password policy, shell restriction" },
                 { name: "api_security", description: "API security: local API discovery, auth audit, rate limiting, TLS verify, CORS check" },
@@ -320,63 +329,74 @@ async function main() {
             resources: [],
             prompts: [],
         };
-        // Track active transports by session ID
+        // Track active sessions: each gets its own McpServer + transport pair
         const sessions = new Map();
         const httpServer = createServer(async (req, res) => {
             const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
             const pathname = url.pathname;
-            // CORS for Smithery Gateway
+            // CORS headers
             res.setHeader("Access-Control-Allow-Origin", "*");
             res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
-            res.setHeader("Access-Control-Allow-Headers", "Content-Type, mcp-session-id, smithery-*");
+            res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, mcp-session-id, smithery-*");
             res.setHeader("Access-Control-Expose-Headers", "mcp-session-id");
             if (req.method === "OPTIONS") {
                 res.writeHead(204).end();
                 return;
             }
-            // Health check
+            // Health check (unauthenticated)
             if (req.method === "GET" && pathname === "/health") {
                 res.writeHead(200, { "Content-Type": "application/json" });
-                res.end(JSON.stringify({ status: "ok", version: VERSION, tools: registered }));
+                res.end(JSON.stringify({ status: "ok", version: VERSION, tools: initial.registered }));
                 return;
             }
-            // Smithery server card
+            // Smithery server card (unauthenticated)
             if (req.method === "GET" && pathname === "/.well-known/mcp/server-card.json") {
                 res.writeHead(200, { "Content-Type": "application/json" });
                 res.end(JSON.stringify(serverCard));
                 return;
             }
+            // API key authentication (when MCP_API_KEY is set)
+            if (apiKey) {
+                const authHeader = req.headers["authorization"] ?? "";
+                const provided = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : "";
+                if (provided !== apiKey) {
+                    res.writeHead(401, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: "Unauthorized", message: "Valid Bearer token required" }));
+                    return;
+                }
+            }
             // MCP Streamable HTTP endpoint
             if (pathname === "/mcp" || pathname === "/") {
                 const sessionId = req.headers["mcp-session-id"];
                 if (req.method === "GET" || req.method === "POST") {
-                    // Reuse existing session or create new one
-                    let transport = sessionId ? sessions.get(sessionId) : undefined;
-                    if (!transport) {
-                        transport = new StreamableHTTPServerTransport({
+                    // Reuse existing session or create a new McpServer + transport pair
+                    let session = sessionId ? sessions.get(sessionId) : undefined;
+                    if (!session) {
+                        const { server: sessionServer } = registerAllTools();
+                        const transport = new StreamableHTTPServerTransport({
                             sessionIdGenerator: () => crypto.randomUUID(),
                         });
-                        await server.connect(transport);
-                        // Store session after first request so we can retrieve it by ID
+                        await sessionServer.connect(transport);
+                        session = { server: sessionServer, transport };
                         transport.onclose = () => {
-                            const sid = [...sessions.entries()].find(([, t]) => t === transport)?.[0];
+                            const sid = [...sessions.entries()].find(([, s]) => s.transport === transport)?.[0];
                             if (sid)
                                 sessions.delete(sid);
                         };
                     }
-                    await transport.handleRequest(req, res);
+                    await session.transport.handleRequest(req, res);
                     // Capture session ID from response headers if new session
                     if (!sessionId) {
                         const newSid = res.getHeader("mcp-session-id");
-                        if (newSid && transport)
-                            sessions.set(newSid, transport);
+                        if (newSid && session)
+                            sessions.set(newSid, session);
                     }
                     return;
                 }
                 if (req.method === "DELETE") {
                     if (sessionId && sessions.has(sessionId)) {
-                        const transport = sessions.get(sessionId);
-                        await transport.handleRequest(req, res);
+                        const session = sessions.get(sessionId);
+                        await session.transport.handleRequest(req, res);
                         sessions.delete(sessionId);
                     }
                     else {
@@ -390,14 +410,16 @@ async function main() {
         httpServer.listen(port, () => {
             console.error(`Defense MCP Server v${VERSION} running on HTTP port ${port}`);
             console.error(registrationMsg);
+            console.error(`[startup] Authentication: ${apiKey ? "ENABLED (MCP_API_KEY)" : "DISABLED — set MCP_API_KEY to require Bearer auth"}`);
             console.error("[startup] MCP endpoint: http://0.0.0.0:" + port + "/mcp");
             console.error("[startup] Health check: http://0.0.0.0:" + port + "/health");
             console.error("[startup] Server card: http://0.0.0.0:" + port + "/.well-known/mcp/server-card.json");
         });
     }
     else {
+        // stdio mode: single server instance, single transport
         const transport = new StdioServerTransport();
-        await server.connect(transport);
+        await initial.server.connect(transport);
         console.error(`Defense MCP Server v${VERSION} running on stdio`);
         console.error(registrationMsg);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defense-mcp-server",
-  "version": "0.9.3",
+  "version": "0.9.5",
   "description": "Defense MCP Server — 31 defensive security tools with 250+ actions for system hardening, compliance, and threat detection on Linux",
   "type": "module",
   "main": "build/index.js",
@@ -8,7 +8,7 @@
     "defense-mcp-server": "build/index.js"
   },
   "files": [
-    "build/",
+    "build/**/*.js",
     "README.md",
     "CHANGELOG.md",
     "LICENSE",

package/build/core/auto-installer.d.ts

@@ -1,102 +0,0 @@
-/**
- * AutoInstaller — multi-package-manager automatic dependency resolver.
- *
- * Handles installation of missing dependencies across system package managers
- * (apt, dnf, yum, pacman, apk, zypper, brew), pip, and npm.  This module is
- * part of the pre-flight validation pipeline and is invoked when
- * `DEFENSE_MCP_AUTO_INSTALL=true`.
- *
- * Design constraints:
- *   - Uses `execFileSafe` from `spawn-safe.ts` (NOT the executor) to avoid
- *     circular dependencies with `sudo-session`. spawn-safe enforces the
- *     command allowlist and `shell: false` automatically.
- *   - Every `execFileSafe` call is wrapped in try/catch — install failures
- *     must NEVER crash the server.
- *   - Logs exclusively to stderr (`console.error`) because the MCP server
- *     uses stdio for JSON-RPC transport.
- *
- * @module auto-installer
- */
-import type { ToolManifest } from "./tool-registry.js";
-export interface InstallAttempt {
-    dependency: string;
-    type: "binary" | "python-module" | "npm-package" | "library" | "file";
-    method: "system-package" | "pip" | "npm" | "cargo" | "go-install" | "binary-download" | "build-from-source" | "vendored" | "skipped";
-    success: boolean;
-    message: string;
-    duration?: number;
-}
-export interface AutoInstallResult {
-    attempted: InstallAttempt[];
-    allResolved: boolean;
-    unresolvedDependencies: string[];
-}
-/**
- * Validate that a package name contains only safe characters.
- * Allowed: alphanumeric, hyphens, dots, plus signs, colons (for arch qualifiers).
- * No shell metacharacters, no path separators, no spaces.
- * Max length: 128 characters.
- */
-export declare function validatePackageName(name: string): boolean;
-export declare class AutoInstaller {
-    private static _instance;
-    private distroCache;
-    /** Get or create the singleton instance. */
-    static instance(): AutoInstaller;
-    /**
-     * Reset the singleton (for testing).
-     * @internal
-     */
-    static resetInstance(): void;
-    /** Check if auto-install is enabled via config. */
-    isEnabled(): boolean;
-    /**
-     * Resolve all missing dependencies for a tool manifest.
-     *
-     * If auto-install is disabled, returns all dependencies as unresolved
-     * with method `'skipped'`.
-     */
-    resolveAll(manifest: ToolManifest, missingBinaries: string[], missingPython?: string[], missingNpm?: string[], missingLibraries?: string[]): Promise<AutoInstallResult>;
-    /**
-     * Install a system binary via the detected package manager.
-     *
-     * 1. Look up binary in DEFENSIVE_TOOLS for distro-specific package name
-     * 2. If not found, try binary name directly as package name
-     * 3. Verify with `which <binary>` after install
-     */
-    installBinary(binary: string): Promise<InstallAttempt>;
-    /**
-     * Install a Python module via pip.
-     *
-     * 1. Check if pip3 or pip exists
-     * 2. Try user-site install first (no sudo)
-     * 3. If that fails, try with sudo
-     * 4. Verify with `python3 -c "import <module>"`
-     */
-    installPythonModule(module: string): Promise<InstallAttempt>;
-    /**
-     * Install an npm package globally.
-     *
-     * 1. Check if npm exists
-     * 2. Run `npm install -g <package>` with sudo if needed
-     * 3. Verify by checking if the package provides an expected binary
-     */
-    installNpmPackage(pkg: string): Promise<InstallAttempt>;
-    /**
-     * Install a system library (development headers).
-     *
-     * 1. Determine dev package name based on distro family
-     * 2. Try installing the first candidate that works
-     * 3. Verify with `ldconfig -p | grep <lib>` or `pkg-config --exists <lib>`
-     */
-    installLibrary(lib: string): Promise<InstallAttempt>;
-    /**
-     * Get (and cache) the detected distro info.
-     */
-    private getDistro;
-    /**
-     * Verify a library is available via ldconfig or pkg-config.
-     */
-    private verifyLibrary;
-}
-//# sourceMappingURL=auto-installer.d.ts.map

package/build/core/auto-installer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auto-installer.d.ts","sourceRoot":"","sources":["../../src/core/auto-installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AASH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AASvD,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,MAAM,EACF,gBAAgB,GAChB,KAAK,GACL,KAAK,GACL,OAAO,GACP,YAAY,GACZ,iBAAiB,GACjB,mBAAmB,GACnB,UAAU,GACV,SAAS,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,WAAW,EAAE,OAAO,CAAC;IACrB,sBAAsB,EAAE,MAAM,EAAE,CAAC;CAClC;AA0FD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAoOD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA8B;IACtD,OAAO,CAAC,WAAW,CAA2B;IAE9C,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,aAAa;IAahC;;;OAGG;IACH,MAAM,CAAC,aAAa,IAAI,IAAI;IAI5B,mDAAmD;IACnD,SAAS,IAAI,OAAO;IAIpB;;;;;OAKG;IACG,UAAU,CACd,QAAQ,EAAE,YAAY,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,aAAa,CAAC,EAAE,MAAM,EAAE,EACxB,UAAU,CAAC,EAAE,MAAM,EAAE,EACrB,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAC1B,OAAO,CAAC,iBAAiB,CAAC;IA6G7B;;;;;;OAMG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAsP5D;;;;;;;OAOG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAgHlE;;;;;;OAMG;IACG,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IA8G7D;;;;;;OAMG;IACG,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAwG1D;;OAEG;YACW,SAAS;IAOvB;;OAEG;IACH,OAAO,CAAC,aAAa;CAmBtB"}

package/build/core/backup-manager.d.ts

@@ -1,63 +0,0 @@
-/**
- * BackupManager — manages file backups with manifest tracking.
- *
- * Backups are stored under ~/.defense-mcp/backups/ with timestamped filenames.
- * A manifest.json tracks all backups for listing and restore operations.
- */
-export interface BackupEntry {
-    id: string;
-    originalPath: string;
-    backupPath: string;
-    timestamp: string;
-    sizeBytes: number;
-}
-export interface BackupManifest {
-    version: 1;
-    backups: BackupEntry[];
-}
-/**
- * Validate that a backup path is safe:
- * 1. No `..` traversal sequences
- * 2. Normalized via path.resolve()
- * 3. Resolved path is within the backup base directory
- * 4. Not a symlink (prevent symlink attacks)
- *
- * @param filePath The path to validate
- * @param baseDir The backup base directory that paths must stay within
- * @throws {Error} If the path fails validation
- */
-export declare function validateBackupPath(filePath: string, baseDir: string): void;
-export declare class BackupManager {
-    private readonly backupDir;
-    private readonly manifestPath;
-    constructor(backupDir?: string);
-    /** Ensure backup directory exists. */
-    private ensureDir;
-    /** Read manifest from disk with migration from old format. */
-    private readManifest;
-    /** Write manifest to disk. */
-    private writeManifest;
-    /**
-     * Create a backup of a file (synchronous).
-     * @returns The BackupEntry with id and backupPath.
-     */
-    backupSync(filePath: string): BackupEntry;
-    /**
-     * Create a backup of a file.
-     * @returns The backup ID.
-     */
-    backup(filePath: string): Promise<string>;
-    /**
-     * Restore a file from backup by ID.
-     */
-    restore(backupId: string): Promise<void>;
-    /**
-     * List all backup entries.
-     */
-    listBackups(): Promise<BackupEntry[]>;
-    /**
-     * Remove backups older than the specified number of days.
-     */
-    pruneOldBackups(daysOld: number): Promise<void>;
-}
-//# sourceMappingURL=backup-manager.d.ts.map

package/build/core/backup-manager.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"backup-manager.d.ts","sourceRoot":"","sources":["../../src/core/backup-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAUD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAiC1E;AAID,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;gBAE1B,SAAS,CAAC,EAAE,MAAM;IAK9B,sCAAsC;IACtC,OAAO,CAAC,SAAS;IAIjB,8DAA8D;IAC9D,OAAO,CAAC,YAAY;IAepB,8BAA8B;IAC9B,OAAO,CAAC,aAAa;IAKrB;;;OAGG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAyCzC;;;OAGG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK/C;;OAEG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyB9C;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IAO3C;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAiCtD"}

package/build/core/changelog.d.ts

@@ -1,119 +0,0 @@
-/**
- * A single changelog entry recording a defensive action taken.
- */
-export interface ChangeEntry {
-    /** Unique identifier (UUID v4) */
-    id: string;
-    /** ISO 8601 timestamp */
-    timestamp: string;
-    /** Tool that performed the action */
-    tool: string;
-    /** Description of the action */
-    action: string;
-    /** Target of the action (file, service, etc.) */
-    target: string;
-    /** State before the change */
-    before?: string;
-    /** State after the change */
-    after?: string;
-    /** Path to backup file if one was created */
-    backupPath?: string;
-    /** Whether this was a dry-run (no actual changes) */
-    dryRun: boolean;
-    /** Whether the action succeeded */
-    success: boolean;
-    /** Error message if the action failed */
-    error?: string;
-    /** Command to undo this change */
-    rollbackCommand?: string;
-    /** OS username who made the change (auto-populated) */
-    user?: string;
-    /** MCP session identifier (if available) */
-    sessionId?: string;
-    /**
-     * SHA-256 hash-chain value.
-     *
-     * For the first entry: SHA-256 of the entry's core fields with previousHash="genesis".
-     * For subsequent entries: SHA-256 of the entry's core fields concatenated with
-     * the previous entry's hash. This creates a tamper-evident chain — modifying or
-     * deleting any entry breaks the chain, which is detectable via `verifyChangelog()`.
-     *
-     * Auto-populated by `logChange()`. Not present in legacy entries.
-     */
-    hash?: string;
-}
-/**
- * Versioned changelog state file format.
- * Old files stored a bare array; new files use this envelope.
- */
-export interface ChangelogState {
-    version: 1;
-    entries: ChangeEntry[];
-}
-/**
- * Compute the SHA-256 hash-chain value for a changelog entry.
- *
- * The hash is computed over the entry's immutable fields (id, timestamp, tool,
- * action, target, dryRun, success) concatenated with the previous entry's hash.
- * This creates a tamper-evident chain.
- *
- * @param entry - The entry to hash (hash field is excluded from the computation)
- * @param previousHash - Hash of the previous entry, or "genesis" for the first entry
- * @returns SHA-256 hex digest
- */
-export declare function computeEntryHash(entry: ChangeEntry, previousHash: string): string;
-/**
- * Verify the integrity of the changelog hash chain.
- *
- * Walks all entries with `hash` fields and checks that each hash matches
- * the recomputed value from the previous entry's hash. Legacy entries
- * without `hash` fields are skipped.
- *
- * @returns Object with `valid` boolean and details of any broken links
- */
-export declare function verifyChangelog(): {
-    valid: boolean;
-    totalEntries: number;
-    hashedEntries: number;
-    brokenLinks: Array<{
-        index: number;
-        entryId: string;
-        expected: string;
-        actual: string;
-    }>;
-};
-/**
- * Creates a new ChangeEntry with auto-generated id and timestamp.
- */
-export declare function createChangeEntry(partial: Omit<ChangeEntry, "id" | "timestamp" | "user">): ChangeEntry;
-/**
- * Appends a change entry to the changelog JSON file.
- * Creates the file and parent directories if they don't exist.
- * Rotates old entries when the file exceeds MAX_CHANGELOG_ENTRIES.
- * Computes and attaches a hash-chain value for tamper evidence.
- * Fails silently (logs to stderr) to avoid disrupting tool execution.
- */
-export declare function logChange(entry: ChangeEntry): void;
-/**
- * Reads changelog entries, newest first.
- * Returns empty array on any error.
- *
- * @param limit Maximum number of entries to return (default: all)
- */
-export declare function getChangelog(limit?: number): ChangeEntry[];
-/**
- * Creates a backup copy of a file using the unified BackupManager.
- * The backup is tracked in the manifest at ~/.defense-mcp/backups/manifest.json.
- *
- * @param filePath Absolute path to the file to back up
- * @returns Path to the backup file
- */
-export declare function backupFile(filePath: string): string;
-/**
- * Restores a file from a backup.
- *
- * @param backupPath Path to the backup file
- * @param originalPath Path to restore the file to
- */
-export declare function restoreFile(backupPath: string, originalPath: string): void;
-//# sourceMappingURL=changelog.d.ts.map

package/build/core/changelog.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"changelog.d.ts","sourceRoot":"","sources":["../../src/core/changelog.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,MAAM,EAAE,OAAO,CAAC;IAChB,mCAAmC;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;;;;;OASG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAcjF;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,IAAI;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC1F,CAuCA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,MAAM,CAAC,GACtD,WAAW,CAOb;AA2BD;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAiClD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,WAAW,EAAE,CAmB1D;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAKnD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAU1E"}