mcp-rce-guard 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Matthias Meyer (StudioMeyer)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,155 @@
+# mcp-rce-guard
+
+Policy-synthesis + behavioral CVE-replay + canary-tracking library for MCP servers. Foundation Pillar 9.
+
+## v0.1 Scope: Policy-Synthesizer, Not Kernel-Level Sandbox
+
+**Be precise about what this is and is not.** v0.1 is a building-block library that synthesizes isolation **policy descriptors** (landlock JSON profiles, sandbox-exec `.sb` scheme files, cgroups-v2 spec maps) and provides **behavioral predicates** that scan subprocess commands for known RCE-vulnerability shapes. It does **not** apply those policies to a running process. The host spawning the subprocess is responsible for translating a descriptor into the platform-specific syscall (Linux landlock, macOS sandbox-exec, cgroups-v2 fs write).
+
+**Native enforcement** (NAPI-RS landlock binding, sandbox-exec execa wrap, cgroups-v2 file writes with cleanup-on-exit, cross-platform integration tests) is the **v0.2 tranche** and is not bundled with v0.1. Layered defense relies on the host wiring policy emission to actual enforcement; this library does the first half cleanly.
+
+Use this library if you want:
+- A typed, validated way to describe what an MCP subprocess is allowed to read, write, spawn, and talk to.
+- A reproducible scanner for known RCE-vulnerability classes in subprocess commands (MCP-SDK-RCE-2026-04-22, CVE-2026-27124, Nginx-MCP RCE 9.8) plus 5 shell-injection + 3 fullwidth-unicode payload patterns from the simulate_attacker_input corpus.
+- An append-only NDJSON audit log of every isolation decision. Verified tamper-evident signing (Acra-pattern key derivation + rotation + integrated verifier) is on the v0.2 roadmap; v0.1 ships the log unsigned and treats signing as a v0.2 deliverable.
+
+Do **not** use v0.1 if you need a sandbox that actually contains a hostile subprocess at the kernel boundary. For that, the v0.1 descriptor needs to be paired with an enforcement helper. v0.2 ships that helper.
+
+## What it does (v0.1)
+
+- **Process isolation policy synthesis** — emits landlock (Linux >=5.13) policy descriptors, sandbox-exec (macOS) Scheme profiles, cgroups-v2 specs (memory.max, pids.max, cpu.max). Descriptors only; no syscalls are made.
+- **Network egress allowlist** — default-deny policy with wildcard / exact / suffix / port:* matching. Descriptors only; no nftables / packet-filter integration.
+- **CVE replay suite** — behavioral predicates for known MCP-server RCE vectors. Not exploit payloads — predicates that scan a target command for the vulnerable shape.
+- **Cross-server canary tokens** — issue tokens, scan downstream stdout / fs-write / network-egress streams for leaks (MCPHunt arXiv 2604.27819 pattern).
+- **NDJSON append-only audit log** — every tool call appended at `$MCP_RCE_GUARD_HOME/audit.log`. 100MB rotation with max 10 backups. v0.1 ships unsigned (no in-process verifier); v0.2 adds Acra-pattern HMAC chain with key derivation, rotation safety and an integrated verifier.
+- **NFKC + zero-width strip + Bidi-block** normalization shared with Pillar 8 (mcp-stdio-shellguard).
+
+## Install
+
+```bash
+npm install -g mcp-rce-guard
+```
+
+Or run via npx:
+
+```bash
+npx -y mcp-rce-guard serve
+```
+
+## Tools (MCP, Spec 2025-06-18)
+
+| Tool | Purpose | readOnly | destructive |
+|------|---------|----------|-------------|
+| `register_subprocess` | Register a child MCP server with isolation profile, get back a handle + fingerprint + policy descriptor | yes | no |
+| `audit_subprocess` | Verify requested args match registered allowlist (post-NFKC, smell-test for invisibles) | yes | no |
+| `scan_cve_replay` | Run behavioral predicates against a target server command | yes | no |
+| `track_canary` | Issue a canary token + scan downstream servers for leaks | yes | no |
+| `inject_egress_policy` | Emit network-egress allowlist descriptor for a registered subprocess (v0.1 descriptor-only) | yes | no |
+| `get_audit_log` | Read NDJSON audit log entries with filters | yes | no |
+
+> **v0.1 Honesty Note:** all six tools are `readOnlyHint=true, destructiveHint=false` in v0.1 because they emit policy descriptors + append to the audit log but do not modify subprocess state. v0.2 will flip `inject_egress_policy` to `destructiveHint=true` when native enforcement is wired in.
+
+## CLI
+
+```bash
+mcp-rce-guard serve            # start MCP server on stdio
+mcp-rce-guard platform         # detect isolation backend (landlock/sandbox-exec/unsupported)
+mcp-rce-guard scan-cve <cmd>   # one-shot CVE replay against a command
+mcp-rce-guard audit-log        # tail the audit log
+mcp-rce-guard policy <profile.json>  # synthesize landlock+cgroups+sandbox-exec from JSON
+```
+
+## Compatibility matrix
+
+| Platform | Isolation backend | Network egress | cgroups |
+|----------|-------------------|----------------|---------|
+| Linux >= 5.13 | landlock | nftables hook (out-of-band) | cgroups-v2 |
+| Linux < 5.13 | unsupported | unsupported | unsupported |
+| macOS 11+ | sandbox-exec (.sb) | sandbox-exec network rules | n/a |
+| Windows | unsupported (planned: AppContainer) | n/a | n/a |
+
+## Layer architecture (v0.1)
+
+```
+Pillar 1 (mcp-protocol-conformance) — protocol input shape
+        ↓
+Pillar 8 (mcp-stdio-shellguard)     — argv allowlist + invisible-codepoint detection
+        ↓
+Pillar 9 (mcp-rce-guard, this lib)  — policy synthesis + CVE-replay scan + canary
+        ↓
+Host spawner (caller responsibility) — applies the policy descriptor via real syscalls
+```
+
+In v0.2 the bottom box collapses into Pillar 9 (NAPI-RS landlock binding, sandbox-exec exec wrap, cgroups-v2 fs writes with cleanup). Until then, the host has to bridge the descriptor to the platform.
+
+## Trust tiers
+
+| Tier | mem | pids | egress | use |
+|------|-----|------|--------|-----|
+| `LOW` | 256MB | 32 | none | untrusted MCP from registry |
+| `MEDIUM` | 512MB | 64 | api-only | known vendor with limited scope |
+| `HIGH` | 1024MB | 128 | broad | first-party MCP with reviewed source |
+| `CRITICAL` | 2048MB | 256 | unrestricted | local OS-integrated MCP, you own the source |
+
+## Audit log location
+
+```
+$MCP_RCE_GUARD_HOME/audit.log     # default: ~/.mcp-rce-guard/audit.log
+```
+
+Entries are written as one JSON document per line (NDJSON) and read back via
+`JSON.parse` per line, so arbitrary characters inside `args` strings (tabs,
+quotes, embedded escape sequences) round-trip safely. Rotation happens at
+100MB; up to 10 backups (`audit.log.1` .. `audit.log.10`) are kept.
+
+v0.1 does **not** sign entries. The previous `MCP_RCE_GUARD_SIGNING_KEY`
+HMAC-SHA256 path was removed pre-publish: there was no in-process verifier,
+no key-length validation, and no rotation strategy, which would have been
+security theatre. v0.2 ships a verified Acra-pattern chain (`KDF(master) →
+per-entry HMAC`, key rotation, an integrated `verify_audit_log` tool).
+
+## Notes
+
+- v0.1 emits **policy descriptors**. Actual landlock syscall application is the responsibility of the spawning helper (separation-of-concerns: policy synthesis is portable, syscall is platform-specific). A native bindings wrapper is planned for v0.2.
+- CVE fixtures are **behavioral predicates**, not runnable exploits. They check: "does the target command match the shape known to be exploitable?" Not "can we trigger the exploit?"
+- Canary tokens use crypto-random 64-hex bodies inside `__MCP_CANARY_<hex>__` markers. Pattern uniqueness is statistical, not crypto-guaranteed against an adversary that controls the generator.
+
+## Known Issues v0.1
+
+These are real but accepted limitations of the v0.1 line. They are tracked in
+the v0.2 roadmap below; if any of them blocks your use case, pin to a future
+v0.2.x release once it ships.
+
+- **Audit-log rotation has a TOCTOU window** (`src/audit/log.ts`
+  `rotateAuditLog`). The size check and the rename are not atomic. In
+  multi-process / high-concurrency setups two appenders may both observe
+  "needs rotation" and both attempt the rename; the loser's append lands in
+  the freshly-created empty active log. Workaround: serialize writes or run
+  one writer per process. v0.2 will gate rotation behind `proper-lockfile`.
+- **In-memory state lost on restart** (`src/state.ts`). Registered
+  subprocesses and canary chains live in process memory. A process restart
+  empties the registry; the operator has to re-register. v0.2 plans a
+  SQLite-backed store as an opt-in persistence layer.
+- **`mcp-protocol-validator` CI step is not a hard gate**
+  (`.github/workflows/ci.yml`). The validator runs with
+  `continue-on-error: true` because the upstream tool is still stabilising;
+  failures surface as CI annotations but do not block. v0.2 promotes it to a
+  hard gate once upstream is stable.
+- **Audit log is unsigned in v0.1**. See "Audit log location" above. v0.2
+  adds a verified Acra-pattern signed chain.
+
+## v0.2 Roadmap (parked, no commit date)
+
+- pnpm-workspace mit `mcp-rce-guard` + `mcp-rce-demo` + `mcp-rce-fixtures` (Marketplace-Distribution-Hygiene: CVE-Fixtures separate distribution).
+- NAPI-RS Landlock binding fuer Linux (kernel >=5.13). Plain `child_process.spawn` mit prctl + LANDLOCK_CREATE_RULESET ist nicht testbar ohne C-Bridge.
+- macOS sandbox-exec execa wrap mit profile-file lifecycle (deny-network triggert connection-refused, deny-fs-read triggert EACCES).
+- cgroups-v2 fs.writeFile mit Permission-Checks + cleanup-on-exit + signal handlers.
+- Integration tests `tests/integration/linux-landlock.test.ts` + `tests/integration/macos-sandbox-exec.test.ts`.
+- Reference server `mcp-rce-demo` mit 6 Tools die jede Capability live demonstrieren (read_isolated_file, attempt_egress_blocked, spawn_subprocess_audited, replay_cve_demo, inject_canary_demo, get_demo_audit).
+- Latency test "subprocess-Spawn p95 <200ms" auf ubuntu-latest GitHub Actions runner.
+- Sigstore Trusted Publishing OIDC fuer alle 3 npm-Packages.
+- Verified Acra-pattern audit-log chain: KDF master-key → per-entry HMAC, key rotation with overlap window, integrated `verify_audit_log` tool. Replaces the v0.1 HMAC-SHA256 prototype that was removed pre-publish for lacking a verifier.
+
+## License
+
+MIT — Copyright (c) 2026 Matthias Meyer (StudioMeyer)

package/dist/audit/log.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Append-only NDJSON audit log.
+ *
+ * Path: ${MCP_RCE_GUARD_HOME:-~/.mcp-rce-guard}/audit.log
+ *
+ * Each line is a JSON-serialized AuditLogEntry. The log is append-only with
+ * size-based rotation (Reviewer S1024 F6): when the active log exceeds
+ * `MCP_RCE_GUARD_AUDIT_MAX_BYTES` (default 100MB), it is atomically renamed
+ * to `audit.log.1`, the previous .1 becomes .2, etc., up to .10. Anything
+ * beyond .10 is dropped to bound disk usage.
+ *
+ * Pre-Publish-Audit (2026-05-13 F1/F3/F5):
+ *   - HMAC-SHA256 signing path removed: the v0.1 implementation lacked a
+ *     verifier, key-validation and rotation-safety, making it security
+ *     theatre per Acra-pattern (industry baseline for HMAC audit-log chains).
+ *     v0.2 will reintroduce a verified Acra-style signed chain.
+ *   - NDJSON reader now uses `JSON.parse(line.trim())` per line; the previous
+ *     tab-splitting scheme silently dropped entries whose arg strings
+ *     contained a literal tab character.
+ */
+import type { AuditLogEntry } from "../types.js";
+export declare function auditLogPath(): string;
+/**
+ * Rotate the active log: rename audit.log → audit.log.1 (shifting existing
+ * .1 → .2 etc., up to .MAX_ROTATED_BACKUPS). Anything beyond .10 is unlinked.
+ * Atomic via fs.rename, which is atomic on the same filesystem on POSIX.
+ *
+ * Known Issue v0.1 (Pre-Publish-Audit F2): TOCTOU race window between the
+ * size-check and the rename. In multi-process / high-concurrency setups, two
+ * appenders may both observe "needs rotation" and both attempt the rename;
+ * the loser's append lands in the freshly-created empty active log. v0.2
+ * will gate rotation behind `proper-lockfile` or an equivalent advisory
+ * lockfile. v0.1 callers should serialize writes or accept the race.
+ */
+export declare function rotateAuditLog(): Promise<{
+    rotated: boolean;
+    reason?: string;
+}>;
+/**
+ * Append a single audit-log entry. Idempotent against duplicate calls — every
+ * call writes a distinct line because `ts` is auto-stamped if missing.
+ *
+ * Triggers rotation BEFORE writing if the active log already exceeds the
+ * configured cap. This is a best-effort guard; under heavy concurrency the
+ * log may briefly exceed the cap by one batch (acceptable for audit
+ * semantics).
+ */
+export declare function appendAudit(entry: Omit<AuditLogEntry, "ts"> & {
+    ts?: string;
+}): Promise<void>;
+/**
+ * Read entries with optional filters.
+ *
+ * Pre-Publish-Audit F3: each line is parsed as a single JSON document. The
+ * earlier implementation split on the last tab character (legacy HMAC suffix
+ * carve-out); arg strings containing a literal tab were silently truncated
+ * and the surviving prefix failed JSON.parse, dropping the entry. The
+ * NDJSON-standard read path used here is robust to any byte content the
+ * JSON encoder produced.
+ */
+export declare function readAudit(filter?: {
+    subprocessHandle?: string;
+    since?: string;
+    limit?: number;
+}): Promise<AuditLogEntry[]>;
+/**
+ * Test helper: clear the log file. NOT a public API — imported directly
+ * from this module by tests; intentionally absent from `src/index.ts`
+ * re-exports so external consumers cannot accidentally drop their
+ * audit trail (Pre-Publish-Audit F9).
+ *
+ * @internal
+ */
+export declare function clearAuditLog(): Promise<void>;
+//# sourceMappingURL=log.d.ts.map

package/dist/audit/log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.d.ts","sourceRoot":"","sources":["../../src/audit/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAajD,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAiBD;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwBrF;AAYD;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,GAAG;IAAE,EAAE,CAAC,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CAmBf;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,MAAM,CAAC,EAAE;IACvC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CA4B3B;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAYnD"}

package/dist/audit/log.js

@@ -0,0 +1,191 @@
+/**
+ * Append-only NDJSON audit log.
+ *
+ * Path: ${MCP_RCE_GUARD_HOME:-~/.mcp-rce-guard}/audit.log
+ *
+ * Each line is a JSON-serialized AuditLogEntry. The log is append-only with
+ * size-based rotation (Reviewer S1024 F6): when the active log exceeds
+ * `MCP_RCE_GUARD_AUDIT_MAX_BYTES` (default 100MB), it is atomically renamed
+ * to `audit.log.1`, the previous .1 becomes .2, etc., up to .10. Anything
+ * beyond .10 is dropped to bound disk usage.
+ *
+ * Pre-Publish-Audit (2026-05-13 F1/F3/F5):
+ *   - HMAC-SHA256 signing path removed: the v0.1 implementation lacked a
+ *     verifier, key-validation and rotation-safety, making it security
+ *     theatre per Acra-pattern (industry baseline for HMAC audit-log chains).
+ *     v0.2 will reintroduce a verified Acra-style signed chain.
+ *   - NDJSON reader now uses `JSON.parse(line.trim())` per line; the previous
+ *     tab-splitting scheme silently dropped entries whose arg strings
+ *     contained a literal tab character.
+ */
+import { promises as fs } from "node:fs";
+import { existsSync, mkdirSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+/**
+ * Reviewer S1024 F6: cap on active log size before rotation. Default 100MB.
+ * Configurable via env so ops can tune for high-volume tenants.
+ */
+const DEFAULT_MAX_BYTES = 100 * 1024 * 1024;
+const MAX_ROTATED_BACKUPS = 10;
+function homeDir() {
+    return process.env["MCP_RCE_GUARD_HOME"] ?? join(homedir(), ".mcp-rce-guard");
+}
+export function auditLogPath() {
+    return join(homeDir(), "audit.log");
+}
+function maxBytes() {
+    const raw = process.env["MCP_RCE_GUARD_AUDIT_MAX_BYTES"];
+    if (!raw)
+        return DEFAULT_MAX_BYTES;
+    const parsed = Number.parseInt(raw, 10);
+    if (!Number.isFinite(parsed) || parsed <= 0)
+        return DEFAULT_MAX_BYTES;
+    return parsed;
+}
+function ensureDir(path) {
+    const dir = dirname(path);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+}
+/**
+ * Rotate the active log: rename audit.log → audit.log.1 (shifting existing
+ * .1 → .2 etc., up to .MAX_ROTATED_BACKUPS). Anything beyond .10 is unlinked.
+ * Atomic via fs.rename, which is atomic on the same filesystem on POSIX.
+ *
+ * Known Issue v0.1 (Pre-Publish-Audit F2): TOCTOU race window between the
+ * size-check and the rename. In multi-process / high-concurrency setups, two
+ * appenders may both observe "needs rotation" and both attempt the rename;
+ * the loser's append lands in the freshly-created empty active log. v0.2
+ * will gate rotation behind `proper-lockfile` or an equivalent advisory
+ * lockfile. v0.1 callers should serialize writes or accept the race.
+ */
+export async function rotateAuditLog() {
+    const active = auditLogPath();
+    if (!existsSync(active)) {
+        return { rotated: false, reason: "no active log" };
+    }
+    // Shift backups: .9 → .10, .8 → .9, ..., .1 → .2
+    for (let i = MAX_ROTATED_BACKUPS; i >= 2; i--) {
+        const from = `${active}.${i - 1}`;
+        const to = `${active}.${i}`;
+        if (existsSync(from)) {
+            // If destination exists (overflow at .10), drop it first.
+            if (existsSync(to)) {
+                await fs.unlink(to);
+            }
+            await fs.rename(from, to);
+        }
+    }
+    // Move active → .1
+    const dotOne = `${active}.1`;
+    if (existsSync(dotOne)) {
+        await fs.unlink(dotOne);
+    }
+    await fs.rename(active, dotOne);
+    return { rotated: true };
+}
+function shouldRotate(path) {
+    if (!existsSync(path))
+        return false;
+    try {
+        const st = statSync(path);
+        return st.size >= maxBytes();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Append a single audit-log entry. Idempotent against duplicate calls — every
+ * call writes a distinct line because `ts` is auto-stamped if missing.
+ *
+ * Triggers rotation BEFORE writing if the active log already exceeds the
+ * configured cap. This is a best-effort guard; under heavy concurrency the
+ * log may briefly exceed the cap by one batch (acceptable for audit
+ * semantics).
+ */
+export async function appendAudit(entry) {
+    const finalEntry = {
+        ts: entry.ts ?? new Date().toISOString(),
+        subprocessHandle: entry.subprocessHandle,
+        action: entry.action,
+        verdict: entry.verdict,
+        ...(entry.serverId !== undefined ? { serverId: entry.serverId } : {}),
+        ...(entry.reason !== undefined ? { reason: entry.reason } : {}),
+        ...(entry.meta !== undefined ? { meta: entry.meta } : {})
+    };
+    const path = auditLogPath();
+    ensureDir(path);
+    if (shouldRotate(path)) {
+        await rotateAuditLog();
+    }
+    // JSON.stringify never emits a literal newline inside the string (all
+    // control chars are escaped). One entry == one NDJSON line.
+    const line = JSON.stringify(finalEntry);
+    await fs.appendFile(path, line + "\n", { mode: 0o600 });
+}
+/**
+ * Read entries with optional filters.
+ *
+ * Pre-Publish-Audit F3: each line is parsed as a single JSON document. The
+ * earlier implementation split on the last tab character (legacy HMAC suffix
+ * carve-out); arg strings containing a literal tab were silently truncated
+ * and the surviving prefix failed JSON.parse, dropping the entry. The
+ * NDJSON-standard read path used here is robust to any byte content the
+ * JSON encoder produced.
+ */
+export async function readAudit(filter) {
+    const path = auditLogPath();
+    if (!existsSync(path))
+        return [];
+    const raw = await fs.readFile(path, "utf8");
+    // Splitting on \n is safe: JSON.stringify escapes embedded newlines as \n
+    // (literal two-character sequence) so a real newline only appears at the
+    // entry boundary written by appendAudit.
+    const lines = raw.split("\n").filter((l) => l.length > 0);
+    const entries = [];
+    for (const rawLine of lines) {
+        try {
+            const parsed = JSON.parse(rawLine.trim());
+            if (filter?.subprocessHandle && parsed.subprocessHandle !== filter.subprocessHandle) {
+                continue;
+            }
+            if (filter?.since && parsed.ts < filter.since) {
+                continue;
+            }
+            entries.push(parsed);
+        }
+        catch {
+            // Skip malformed lines; production: add a counter + WARN log.
+            continue;
+        }
+    }
+    if (filter?.limit && entries.length > filter.limit) {
+        return entries.slice(-filter.limit);
+    }
+    return entries;
+}
+/**
+ * Test helper: clear the log file. NOT a public API — imported directly
+ * from this module by tests; intentionally absent from `src/index.ts`
+ * re-exports so external consumers cannot accidentally drop their
+ * audit trail (Pre-Publish-Audit F9).
+ *
+ * @internal
+ */
+export async function clearAuditLog() {
+    const path = auditLogPath();
+    if (existsSync(path)) {
+        await fs.unlink(path);
+    }
+    // Also clear any rotated backups so test runs start clean.
+    for (let i = 1; i <= MAX_ROTATED_BACKUPS; i++) {
+        const backup = `${path}.${i}`;
+        if (existsSync(backup)) {
+            await fs.unlink(backup);
+        }
+    }
+}
+//# sourceMappingURL=log.js.map

package/dist/audit/log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.js","sourceRoot":"","sources":["../../src/audit/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG1C;;;GAGG;AACH,MAAM,iBAAiB,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;AAC5C,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,OAAO;IACd,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,gBAAgB,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,QAAQ;IACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,iBAAiB,CAAC;IACnC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACtE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACrD,CAAC;IACD,iDAAiD;IACjD,KAAK,IAAI,CAAC,GAAG,mBAAmB,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5B,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,0DAA0D;YAC1D,IAAI,UAAU,CAAC,EAAE,CAAC,EAAE,CAAC;gBACnB,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtB,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IACD,mBAAmB;IACnB,MAAM,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC;IAC7B,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IACD,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1B,OAAO,EAAE,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAkD;IAElD,MAAM,UAAU,GAAkB;QAChC,EAAE,EAAE,KAAK,CAAC,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACxC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,GAAG,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1D,CAAC;IACF,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,SAAS,CAAC,IAAI,CAAC,CAAC;IAChB,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,cAAc,EAAE,CAAC;IACzB,CAAC;IACD,sEAAsE;IACtE,4DAA4D;IAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAI/B;IACC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC5C,0EAA0E;IAC1E,yEAAyE;IACzE,yCAAyC;IACzC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAkB,CAAC;YAC3D,IAAI,MAAM,EAAE,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBACpF,SAAS;YACX,CAAC;YACD,IAAI,MAAM,EAAE,KAAK,IAAI,MAAM,CAAC,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC9C,SAAS;YACX,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,8DAA8D;YAC9D,SAAS;QACX,CAAC;IACH,CAAC;IACD,IAAI,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;QACnD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IACD,2DAA2D;IAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,mBAAmB,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC;QAC9B,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACvB,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/canary/tracker.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Canary token tracking for cross-server credential leak detection.
+ *
+ * Pattern provenance: arXiv 2604.27819 (MCPHunt, April 2026) — taint tracking
+ * via canary-token injection across MCP server boundaries. If a token leaves
+ * the chain via stdout/network/fs, the controller flags the leak channel.
+ *
+ * v0.1 ist scanner-only: detect_leaks scant a corpus of textual outputs for
+ * the canary token. The actual injection happens at the calling MCP server's
+ * tool boundary via track_canary which returns the token + downstream IDs.
+ */
+export type LeakChannel = "stdout" | "network-egress" | "fs-write";
+export interface LeakLocation {
+    serverId: string;
+    channel: LeakChannel;
+}
+export interface CorpusEntry {
+    serverId: string;
+    channel: LeakChannel;
+    content: string;
+}
+/**
+ * Build a canary token + pattern. Caller may supply a fixed pattern (for
+ * tests) or accept the high-entropy default.
+ */
+export declare function makeCanary(pattern?: string): {
+    token: string;
+    pattern: string;
+};
+/**
+ * Scan a corpus for canary leaks. Returns one LeakLocation per matching entry.
+ *
+ * False-positive note: a tool that legitimately echoes a canary in its own
+ * structured output would be flagged. Mitigation: callers should redact the
+ * token from logs they emit, or pass a unique pattern per chain.
+ */
+export declare function detectLeaks(corpus: readonly CorpusEntry[], pattern: string): LeakLocation[];
+//# sourceMappingURL=tracker.d.ts.map

package/dist/canary/tracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracker.d.ts","sourceRoot":"","sources":["../../src/canary/tracker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,gBAAgB,GAAG,UAAU,CAAC;AAEnE,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAM/E;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,SAAS,WAAW,EAAE,EAC9B,OAAO,EAAE,MAAM,GACd,YAAY,EAAE,CAQhB"}

package/dist/canary/tracker.js

@@ -0,0 +1,40 @@
+/**
+ * Canary token tracking for cross-server credential leak detection.
+ *
+ * Pattern provenance: arXiv 2604.27819 (MCPHunt, April 2026) — taint tracking
+ * via canary-token injection across MCP server boundaries. If a token leaves
+ * the chain via stdout/network/fs, the controller flags the leak channel.
+ *
+ * v0.1 ist scanner-only: detect_leaks scant a corpus of textual outputs for
+ * the canary token. The actual injection happens at the calling MCP server's
+ * tool boundary via track_canary which returns the token + downstream IDs.
+ */
+import { generateCanaryToken } from "../state.js";
+/**
+ * Build a canary token + pattern. Caller may supply a fixed pattern (for
+ * tests) or accept the high-entropy default.
+ */
+export function makeCanary(pattern) {
+    const token = generateCanaryToken();
+    return {
+        token,
+        pattern: pattern ?? token
+    };
+}
+/**
+ * Scan a corpus for canary leaks. Returns one LeakLocation per matching entry.
+ *
+ * False-positive note: a tool that legitimately echoes a canary in its own
+ * structured output would be flagged. Mitigation: callers should redact the
+ * token from logs they emit, or pass a unique pattern per chain.
+ */
+export function detectLeaks(corpus, pattern) {
+    const out = [];
+    for (const entry of corpus) {
+        if (entry.content.includes(pattern)) {
+            out.push({ serverId: entry.serverId, channel: entry.channel });
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=tracker.js.map

package/dist/canary/tracker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracker.js","sourceRoot":"","sources":["../../src/canary/tracker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAelD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,OAAgB;IACzC,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,OAAO;QACL,KAAK;QACL,OAAO,EAAE,OAAO,IAAI,KAAK;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAA8B,EAC9B,OAAe;IAEf,MAAM,GAAG,GAAmB,EAAE,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,14 @@
+/**
+ * mcp-rce-guard CLI.
+ *
+ * Subcommands:
+ *   serve                       — run the stdio MCP server (same as mcp-rce-guard-server bin)
+ *   platform                    — print detected isolation backend + capabilities
+ *   scan-cve <command...>       — run CVE replay fixtures against a candidate command
+ *   audit-log [--since=..]      — print recent audit-log entries
+ *   policy <profile.json>       — emit landlock + sandbox-exec + cgroups specs from a profile
+ */
+import { Command } from "commander";
+declare const program: Command;
+export { program };
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAcpC,QAAA,MAAM,OAAO,SAAgB,CAAC;AA8G9B,OAAO,EAAE,OAAO,EAAE,CAAC"}