mcp-rce-guard 0.1.0

package/dist/cli.js

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+/**
+ * mcp-rce-guard CLI.
+ *
+ * Subcommands:
+ *   serve                       — run the stdio MCP server (same as mcp-rce-guard-server bin)
+ *   platform                    — print detected isolation backend + capabilities
+ *   scan-cve <command...>       — run CVE replay fixtures against a candidate command
+ *   audit-log [--since=..]      — print recent audit-log entries
+ *   policy <profile.json>       — emit landlock + sandbox-exec + cgroups specs from a profile
+ */
+import { Command } from "commander";
+import { readFileSync } from "node:fs";
+import { detectPlatform } from "./isolation/platform.js";
+import { runReplay } from "./cve/replay.js";
+import { readAudit, rotateAuditLog, auditLogPath } from "./audit/log.js";
+import { buildLandlockPolicy } from "./isolation/landlock.js";
+import { buildSandboxProfile } from "./isolation/sandbox-exec.js";
+import { buildCgroupSpec } from "./isolation/cgroups.js";
+import { IsolationProfileSchema } from "./types.js";
+import { resolveProfile } from "./trust-tiers.js";
+import { NAME, VERSION } from "./version.js";
+import { main as serverMain } from "./server.js";
+const program = new Command();
+program
+    .name(NAME)
+    .description("Layer-3 RCE defense for MCP servers")
+    .version(VERSION);
+program
+    .command("serve")
+    .description("Run the stdio MCP server")
+    .action(async () => {
+    await serverMain();
+});
+program
+    .command("platform")
+    .description("Print detected isolation backend + capabilities")
+    .action(() => {
+    const info = detectPlatform();
+    process.stdout.write(JSON.stringify(info, null, 2) + "\n");
+});
+program
+    .command("scan-cve")
+    .description("Run CVE replay fixtures against a candidate command")
+    .argument("<command...>", "command tokens (joined with spaces)")
+    .option("--cve <ids...>", "CVE IDs to run (default: all)")
+    .option("--timeout <ms>", "timeout in milliseconds", "30000")
+    .action((cmdTokens, opts) => {
+    const command = cmdTokens.join(" ");
+    const cveSet = opts.cve;
+    const timeoutMs = parseInt(opts.timeout, 10) || 30_000;
+    const result = runReplay(command, cveSet, timeoutMs);
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    process.exit(result.overall === "pass" ? 0 : 2);
+});
+program
+    .command("audit-log")
+    .description("Print recent audit-log entries")
+    .option("--since <iso>", "only entries since this ISO timestamp")
+    .option("--handle <h>", "filter by subprocess handle")
+    .option("--limit <n>", "max entries", "100")
+    .action(async (opts) => {
+    const filter = {
+        limit: parseInt(opts.limit, 10) || 100
+    };
+    if (opts.since)
+        filter.since = opts.since;
+    if (opts.handle)
+        filter.subprocessHandle = opts.handle;
+    const entries = await readAudit(filter);
+    for (const e of entries) {
+        process.stdout.write(JSON.stringify(e) + "\n");
+    }
+});
+program
+    .command("cleanup")
+    .description("Force-rotate the audit log (audit.log → audit.log.1, shifting backups)")
+    .action(async () => {
+    const result = await rotateAuditLog();
+    process.stdout.write(JSON.stringify({ ...result, path: auditLogPath() }, null, 2) + "\n");
+});
+program
+    .command("policy")
+    .description("Emit isolation specs from a profile JSON file")
+    .argument("<file>", "path to profile JSON")
+    .option("--tier <tier>", "trust tier base (LOW|MEDIUM|HIGH|CRITICAL)", "MEDIUM")
+    .option("--cgroup-name <name>", "cgroup name for cgroups spec", "mcp-rce-guard-default")
+    .action((file, opts) => {
+    const raw = readFileSync(file, "utf8");
+    const overrides = IsolationProfileSchema.partial().parse(JSON.parse(raw));
+    const tier = opts.tier;
+    const profile = resolveProfile(tier, overrides);
+    const out = {
+        tier,
+        profile,
+        landlock: buildLandlockPolicy(profile),
+        sandboxExec: buildSandboxProfile(profile),
+        cgroups: buildCgroupSpec(opts.cgroupName, profile)
+    };
+    process.stdout.write(JSON.stringify(out, null, 2) + "\n");
+});
+const isDirect = (() => {
+    try {
+        return process.argv[1]?.endsWith("cli.js") ?? false;
+    }
+    catch {
+        return false;
+    }
+})();
+if (isDirect) {
+    // No args → serve. Matches the behavior of `mcp-rce-guard-server` bin.
+    if (process.argv.length <= 2) {
+        serverMain().catch((e) => {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`[mcp-rce-guard] fatal: ${msg}\n`);
+            process.exit(1);
+        });
+    }
+    else {
+        program.parseAsync(process.argv).catch((e) => {
+            const msg = e instanceof Error ? e.message : String(e);
+            process.stderr.write(`[mcp-rce-guard cli] error: ${msg}\n`);
+            process.exit(1);
+        });
+    }
+}
+export { program };
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAC9B,OAAO;KACJ,IAAI,CAAC,IAAI,CAAC;KACV,WAAW,CAAC,qCAAqC,CAAC;KAClD,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,UAAU,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,iDAAiD,CAAC;KAC9D,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC7D,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,qDAAqD,CAAC;KAClE,QAAQ,CAAC,cAAc,EAAE,qCAAqC,CAAC;KAC/D,MAAM,CAAC,gBAAgB,EAAE,+BAA+B,CAAC;KACzD,MAAM,CAAC,gBAAgB,EAAE,yBAAyB,EAAE,OAAO,CAAC;KAC5D,MAAM,CAAC,CAAC,SAAmB,EAAE,IAAyC,EAAE,EAAE;IACzE,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,GAA0B,CAAC;IAC/C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC;IACvD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IACrD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC7D,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,gCAAgC,CAAC;KAC7C,MAAM,CAAC,eAAe,EAAE,uCAAuC,CAAC;KAChE,MAAM,CAAC,cAAc,EAAE,6BAA6B,CAAC;KACrD,MAAM,CAAC,aAAa,EAAE,aAAa,EAAE,KAAK,CAAC;KAC3C,MAAM,CAAC,KAAK,EAAE,IAAwD,EAAE,EAAE;IACzE,MAAM,MAAM,GAAiE;QAC3E,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,GAAG;KACvC,CAAC;IACF,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAC1C,IAAI,IAAI,CAAC,MAAM;QAAE,MAAM,CAAC,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC;IACvD,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACjD,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,wEAAwE,CAAC;KACrF,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,+CAA+C,CAAC;KAC5D,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;KAC1C,MAAM,CAAC,eAAe,EAAE,4CAA4C,EAAE,QAAQ,CAAC;KAC/E,MAAM,CAAC,sBAAsB,EAAE,8BAA8B,EAAE,uBAAuB,CAAC;KACvF,MAAM,CAAC,CAAC,IAAY,EAAE,IAA0C,EAAE,EAAE;IACnE,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,sBAAsB,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,IAA8C,CAAC;IACjE,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG;QACV,IAAI;QACJ,OAAO;QACP,QAAQ,EAAE,mBAAmB,CAAC,OAAO,CAAC;QACtC,WAAW,EAAE,mBAAmB,CAAC,OAAO,CAAC;QACzC,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC;KACnD,CAAC;IACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC5D,CAAC,CAAC,CAAC;AAEL,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE;IACrB,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,CAAC,EAAE,CAAC;AAEL,IAAI,QAAQ,EAAE,CAAC;IACb,uEAAuE;IACvE,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC7B,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAU,EAAE,EAAE;YAChC,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,GAAG,IAAI,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAU,EAAE,EAAE;YACpD,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,GAAG,IAAI,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,OAAO,EAAE,OAAO,EAAE,CAAC"}

package/dist/cve/replay.d.ts

@@ -0,0 +1,44 @@
+/**
+ * CVE replay engine.
+ *
+ * v0.1 ships built-in replay logic for three 2026-CVEs. Each fixture is a
+ * deterministic predicate that examines the candidate `targetServerCommand`
+ * + the registered subprocess profile and decides if the configuration
+ * would be vulnerable. A `pass` verdict means the configuration BLOCKS the
+ * vuln class; `fail` means the configuration is still vulnerable.
+ *
+ * The fixtures are *behavioral predicates*, not exploit payloads, so this
+ * package can ship without security-distribution-hygiene flags. The
+ * separate `mcp-rce-fixtures` package contains additional offline replay
+ * suites for CI use; v0.1 inlines just enough to make the tool useful
+ * without requiring the fixtures package.
+ *
+ * Sources:
+ *   - MCP-SDK-RCE 22.04.2026 (Cloudflare patch in createMcpHandler)
+ *   - CVE-2026-27124 (FastMCP Confused Deputy)
+ *   - Nginx-MCP RCE CVSS 9.8
+ */
+import type { CveId } from "../types.js";
+export interface CveFixture {
+    id: CveId;
+    description: string;
+    predicate: (cmd: string) => CveFixtureResult;
+}
+export interface CveFixtureResult {
+    status: "pass" | "fail";
+    evidence: string;
+}
+export declare const BUILT_IN_FIXTURES: readonly CveFixture[];
+export declare function getFixture(id: CveId): CveFixture | undefined;
+export interface ReplayPerCve {
+    id: CveId;
+    status: "pass" | "fail" | "skipped";
+    durationMs: number;
+    evidence?: string;
+}
+export interface ReplayResult {
+    overall: "pass" | "fail";
+    perCve: ReplayPerCve[];
+}
+export declare function runReplay(targetCommand: string, cveSet?: CveId[], timeoutMs?: number): ReplayResult;
+//# sourceMappingURL=replay.d.ts.map

package/dist/cve/replay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay.d.ts","sourceRoot":"","sources":["../../src/cve/replay.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,KAAK,CAAC;IACV,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,gBAAgB,CAAC;CAC9C;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAoGD,eAAO,MAAM,iBAAiB,EAAE,SAAS,UAAU,EAqElD,CAAC;AAEF,wBAAgB,UAAU,CAAC,EAAE,EAAE,KAAK,GAAG,UAAU,GAAG,SAAS,CAE5D;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,MAAM,EAAE,YAAY,EAAE,CAAC;CACxB;AAED,wBAAgB,SAAS,CACvB,aAAa,EAAE,MAAM,EACrB,MAAM,CAAC,EAAE,KAAK,EAAE,EAChB,SAAS,SAAS,GACjB,YAAY,CAqCd"}

package/dist/cve/replay.js

@@ -0,0 +1,221 @@
+/**
+ * CVE replay engine.
+ *
+ * v0.1 ships built-in replay logic for three 2026-CVEs. Each fixture is a
+ * deterministic predicate that examines the candidate `targetServerCommand`
+ * + the registered subprocess profile and decides if the configuration
+ * would be vulnerable. A `pass` verdict means the configuration BLOCKS the
+ * vuln class; `fail` means the configuration is still vulnerable.
+ *
+ * The fixtures are *behavioral predicates*, not exploit payloads, so this
+ * package can ship without security-distribution-hygiene flags. The
+ * separate `mcp-rce-fixtures` package contains additional offline replay
+ * suites for CI use; v0.1 inlines just enough to make the tool useful
+ * without requiring the fixtures package.
+ *
+ * Sources:
+ *   - MCP-SDK-RCE 22.04.2026 (Cloudflare patch in createMcpHandler)
+ *   - CVE-2026-27124 (FastMCP Confused Deputy)
+ *   - Nginx-MCP RCE CVSS 9.8
+ */
+import { normalizeArg } from "../normalize.js";
+/**
+ * Allowlist of variable names that are considered safe to embed verbatim in
+ * a target command. Anything outside this allowlist gets flagged as
+ * potential confused-deputy material by the cve-2026-27124 fixture.
+ *
+ * Reviewer S1024 F4-Sub-b: previous code used a narrow blocklist
+ * (`API_KEY|SECRET|TOKEN|PASSWORD|BEARER`) and missed obvious credentials
+ * like `AUTH_HEADER`, `COOKIE`, `SESSION_ID`, `PRIVATE_KEY`, `REFRESH_TOKEN`.
+ * Inverting to allowlist closes the entire credential-name surface.
+ */
+const SAFE_ENV_VARS = new Set([
+    "HOME",
+    "USER",
+    "USERNAME",
+    "LOGNAME",
+    "SHELL",
+    "PATH",
+    "LANG",
+    "LC_ALL",
+    "LC_CTYPE",
+    "TZ",
+    "TERM",
+    "TMPDIR",
+    "TEMP",
+    "TMP",
+    "PWD",
+    "OLDPWD",
+    "HOSTNAME",
+    "DISPLAY",
+    "EDITOR",
+    "PAGER",
+    "NODE_ENV",
+    "DEBUG",
+    "CI"
+]);
+/**
+ * Shell binaries that are commonly used to wrap a subprocess and grant it the
+ * full inheritance surface that Nginx-MCP RCE (CVSS 9.8) exploits. Broadened
+ * per Reviewer S1024 F4-Sub-c — busybox/dash/csh/ksh/fish/tcsh now covered,
+ * arbitrary absolute paths covered, indirect invocation (`exec`, `nice`, `env`)
+ * covered.
+ */
+const SHELL_BINARIES = [
+    "sh",
+    "bash",
+    "zsh",
+    "dash",
+    "ksh",
+    "csh",
+    "tcsh",
+    "fish",
+    "ash",
+    "busybox"
+];
+/**
+ * Detect any unquoted shell metacharacter or substitution form anywhere in
+ * the command. Covers (Reviewer S1024 F4-Sub-a evidence):
+ *   - Standalone metachars: `;`, `|`, `&` (single + double), `>`, `<`
+ *   - Command substitution: backticks `` `cmd` ``
+ *   - `$(cmd)` substitution
+ *   - `<<<` here-strings
+ *   - `${VAR}` and `$VAR` variable expansions adjacent to metachars
+ */
+const SHELL_METACHAR_PATTERNS = [
+    { pattern: /`[^`]*`/, name: "backtick command substitution" },
+    { pattern: /\$\([^)]*\)/, name: "$(...) command substitution" },
+    { pattern: /<<</, name: "here-string redirect (<<<)" },
+    { pattern: /(^|[^\\])[;]/, name: "unescaped semicolon" },
+    { pattern: /(^|[^\\|])\|(?!\|)/, name: "unescaped pipe" },
+    { pattern: /(^|[^\\&])&(?!&)/, name: "unescaped background ampersand" },
+    { pattern: /(^|[^\\])&&/, name: "logical-and operator" },
+    { pattern: /(^|[^\\])\|\|/, name: "logical-or operator" },
+    { pattern: /(^|[^\\])>(?!>)/, name: "stdout redirect" },
+    { pattern: /(^|[^\\])>>/, name: "append redirect" },
+    { pattern: /(^|[^\\])<(?![<])/, name: "stdin redirect" },
+    { pattern: /\$\{[^}]+\}/, name: "${VAR} expansion" },
+    { pattern: /\$[A-Za-z_][A-Za-z0-9_]*/, name: "$VAR expansion" }
+];
+function findShellInvocation(cmd) {
+    // Tokenize on whitespace + simple separators so we can spot a shell
+    // binary anywhere in the command (not just anchored at the start).
+    const tokens = cmd
+        .split(/[\s;|&]+/)
+        .map((t) => t.trim())
+        .filter((t) => t.length > 0);
+    for (const token of tokens) {
+        // Strip absolute-path prefix to compare just the basename.
+        const basename = token.split("/").pop() ?? token;
+        if (SHELL_BINARIES.includes(basename)) {
+            return token;
+        }
+    }
+    return null;
+}
+export const BUILT_IN_FIXTURES = [
+    {
+        id: "mcp-sdk-rce-2026-04-22",
+        description: "MCP-SDK ungesanitized Tool-Args fed into shell command. Predicate: command must NOT contain ANY shell metacharacters or substitution forms (broadened per Reviewer S1024 F4-Sub-a — covers ;, |, &, &&, ||, backticks, $(), <<<, redirects, ${VAR}, $VAR).",
+        predicate: (cmd) => {
+            for (const { pattern, name } of SHELL_METACHAR_PATTERNS) {
+                if (pattern.test(cmd)) {
+                    return {
+                        status: "fail",
+                        evidence: `command contains ${name} (${cmd}) — shell-injection class`
+                    };
+                }
+            }
+            return {
+                status: "pass",
+                evidence: "no shell metacharacters or substitution forms detected"
+            };
+        }
+    },
+    {
+        id: "cve-2026-27124",
+        description: "FastMCP Confused Deputy — server forwards caller-controlled token to downstream. Predicate: any embedded `${VAR}` or `$VAR` must be in the SAFE_ENV_VARS allowlist (Reviewer S1024 F4-Sub-b — invert to allowlist).",
+        predicate: (cmd) => {
+            // Match both ${VAR_NAME} and $VAR_NAME forms.
+            const bracedRe = /\$\{([A-Za-z_][A-Za-z0-9_]*)[^}]*\}/g;
+            const bareRe = /\$([A-Za-z_][A-Za-z0-9_]*)\b/g;
+            const flagged = [];
+            for (const re of [bracedRe, bareRe]) {
+                let m;
+                while ((m = re.exec(cmd)) !== null) {
+                    const name = m[1];
+                    if (name && !SAFE_ENV_VARS.has(name)) {
+                        flagged.push(name);
+                    }
+                }
+            }
+            if (flagged.length > 0) {
+                const list = Array.from(new Set(flagged)).join(", ");
+                return {
+                    status: "fail",
+                    evidence: `command embeds non-allowlisted env-var(s): ${list} — potential confused-deputy class`
+                };
+            }
+            return {
+                status: "pass",
+                evidence: "no non-allowlisted env-vars embedded in command"
+            };
+        }
+    },
+    {
+        id: "nginx-mcp-rce-9.8",
+        description: "Nginx-MCP RCE CVSS 9.8 — bridge-server spawns subprocess inheriting full parent permissions. Predicate: no shell binary may appear anywhere in the command, regardless of path/invocation form (broadened per Reviewer S1024 F4-Sub-c — busybox/dash/csh/ksh/fish/tcsh covered, arbitrary paths covered, indirect invocation covered).",
+        predicate: (cmd) => {
+            const found = findShellInvocation(cmd);
+            if (found !== null) {
+                return {
+                    status: "fail",
+                    evidence: `command invokes shell binary "${found}" — RCE-bridge class`
+                };
+            }
+            return {
+                status: "pass",
+                evidence: "no shell binary invocation detected"
+            };
+        }
+    }
+];
+export function getFixture(id) {
+    return BUILT_IN_FIXTURES.find((f) => f.id === id);
+}
+export function runReplay(targetCommand, cveSet, timeoutMs = 30_000) {
+    // Reviewer F3 (Session post-S1056): pre-normalize the target command before
+    // feeding it to predicates. NFKC + ZWC-strip + Bidi-block ensures
+    // Fullwidth-Unicode-Bypass payloads like `＄（rm -rf /）` collapse to
+    // `$(rm -rf /)` and trigger SHELL_METACHAR_PATTERNS. Without this step,
+    // `scan_cve_replay` returned false-negatives on the simulate_attacker_input
+    // fullwidth-unicode corpus that README §13 explicitly claims to cover.
+    // The audit_subprocess path already normalizes via Pillar-8 shared normalize.ts;
+    // this aligns scan_cve_replay with the same canonical form.
+    const normalizedCommand = normalizeArg(targetCommand);
+    const ids = cveSet ?? BUILT_IN_FIXTURES.map((f) => f.id);
+    const perCve = [];
+    const startAll = Date.now();
+    for (const id of ids) {
+        const fixture = getFixture(id);
+        if (!fixture) {
+            perCve.push({ id, status: "skipped", durationMs: 0, evidence: "unknown fixture id" });
+            continue;
+        }
+        if (Date.now() - startAll > timeoutMs) {
+            perCve.push({ id, status: "skipped", durationMs: 0, evidence: "timeout" });
+            continue;
+        }
+        const start = Date.now();
+        const result = fixture.predicate(normalizedCommand);
+        perCve.push({
+            id,
+            status: result.status,
+            durationMs: Date.now() - start,
+            evidence: result.evidence
+        });
+    }
+    const overall = perCve.every((r) => r.status !== "fail") ? "pass" : "fail";
+    return { overall, perCve };
+}
+//# sourceMappingURL=replay.js.map

package/dist/cve/replay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay.js","sourceRoot":"","sources":["../../src/cve/replay.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAa/C;;;;;;;;;GASG;AACH,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,MAAM;IACN,MAAM;IACN,UAAU;IACV,SAAS;IACT,OAAO;IACP,MAAM;IACN,MAAM;IACN,QAAQ;IACR,UAAU;IACV,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,MAAM;IACN,KAAK;IACL,KAAK;IACL,QAAQ;IACR,UAAU;IACV,SAAS;IACT,QAAQ;IACR,OAAO;IACP,UAAU;IACV,OAAO;IACP,IAAI;CACL,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,cAAc,GAAsB;IACxC,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,SAAS;CACV,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,uBAAuB,GAAiD;IAC5E,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,+BAA+B,EAAE;IAC7D,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,6BAA6B,EAAE;IAC/D,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,4BAA4B,EAAE;IACtD,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,qBAAqB,EAAE;IACxD,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,gBAAgB,EAAE;IACzD,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,gCAAgC,EAAE;IACvE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,sBAAsB,EAAE;IACxD,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,qBAAqB,EAAE;IACzD,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACvD,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACnD,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,gBAAgB,EAAE;IACxD,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,EAAE;IACpD,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,gBAAgB,EAAE;CAChE,CAAC;AAEF,SAAS,mBAAmB,CAAC,GAAW;IACtC,oEAAoE;IACpE,mEAAmE;IACnE,MAAM,MAAM,GAAG,GAAG;SACf,KAAK,CAAC,UAAU,CAAC;SACjB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,2DAA2D;QAC3D,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC;QACjD,IAAI,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAA0B;IACtD;QACE,EAAE,EAAE,wBAAwB;QAC5B,WAAW,EACT,4PAA4P;QAC9P,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE;YACjB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,uBAAuB,EAAE,CAAC;gBACxD,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,OAAO;wBACL,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,oBAAoB,IAAI,KAAK,GAAG,2BAA2B;qBACtE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,wDAAwD;aACnE,CAAC;QACJ,CAAC;KACF;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,WAAW,EACT,qNAAqN;QACvN,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE;YACjB,8CAA8C;YAC9C,MAAM,QAAQ,GAAG,sCAAsC,CAAC;YACxD,MAAM,MAAM,GAAG,+BAA+B,CAAC;YAC/C,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,KAAK,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAyB,CAAC;gBAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACnC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClB,IAAI,IAAI,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;wBACrC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACrB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrD,OAAO;oBACL,MAAM,EAAE,MAAM;oBACd,QAAQ,EAAE,8CAA8C,IAAI,oCAAoC;iBACjG,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,iDAAiD;aAC5D,CAAC;QACJ,CAAC;KACF;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,WAAW,EACT,wUAAwU;QAC1U,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE;YACjB,MAAM,KAAK,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACnB,OAAO;oBACL,MAAM,EAAE,MAAM;oBACd,QAAQ,EAAE,iCAAiC,KAAK,sBAAsB;iBACvE,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,qCAAqC;aAChD,CAAC;QACJ,CAAC;KACF;CACF,CAAC;AAEF,MAAM,UAAU,UAAU,CAAC,EAAS;IAClC,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACpD,CAAC;AAcD,MAAM,UAAU,SAAS,CACvB,aAAqB,EACrB,MAAgB,EAChB,SAAS,GAAG,MAAM;IAElB,4EAA4E;IAC5E,kEAAkE;IAClE,mEAAmE;IACnE,wEAAwE;IACxE,4EAA4E;IAC5E,uEAAuE;IACvE,iFAAiF;IACjF,4DAA4D;IAC5D,MAAM,iBAAiB,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;IAEtD,MAAM,GAAG,GAAG,MAAM,IAAI,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzD,MAAM,MAAM,GAAmB,EAAE,CAAC;IAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE5B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;QAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,oBAAoB,EAAE,CAAC,CAAC;YACtF,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,GAAG,SAAS,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;YAC3E,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC;YACV,EAAE;YACF,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAAoB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAC5F,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC"}

package/dist/egress/policy.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Egress policy evaluation.
+ *
+ * Default-deny: a host:port is allowed only if it matches an entry in the
+ * allowlist. Wildcard "*" allows all (audit-only mode). Subdomain matching
+ * uses literal suffix-with-dot (no glob).
+ *
+ * Pre-Publish-Audit F7: host strings on both sides of the match are first
+ * NFKC + zero-width-strip + bidi-block normalized via Pillar-8 normalize.ts
+ * and lowercased, so a fullwidth-unicode hostname (e.g. `ｅｘａｍｐｌｅ.com`)
+ * cannot smuggle past an allowlist that lists the ASCII form.
+ */
+export interface EgressDecision {
+    allowed: boolean;
+    reason: string;
+}
+/**
+ * Evaluate whether a host:port pair is allowed by the allowlist.
+ *
+ * Allowlist entry forms:
+ *   - "*"               → allow all (used in audit-only mode)
+ *   - "example.com:443" → exact host:port match
+ *   - ".example.com:443"→ suffix match (any subdomain)
+ *   - "example.com:*"   → host match, any port
+ */
+export declare function evaluateEgress(host: string, port: number, allowlist: readonly string[]): EgressDecision;
+//# sourceMappingURL=policy.d.ts.map

package/dist/egress/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/egress/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAWD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,SAAS,MAAM,EAAE,GAC3B,cAAc,CAchB"}

package/dist/egress/policy.js

@@ -0,0 +1,62 @@
+/**
+ * Egress policy evaluation.
+ *
+ * Default-deny: a host:port is allowed only if it matches an entry in the
+ * allowlist. Wildcard "*" allows all (audit-only mode). Subdomain matching
+ * uses literal suffix-with-dot (no glob).
+ *
+ * Pre-Publish-Audit F7: host strings on both sides of the match are first
+ * NFKC + zero-width-strip + bidi-block normalized via Pillar-8 normalize.ts
+ * and lowercased, so a fullwidth-unicode hostname (e.g. `ｅｘａｍｐｌｅ.com`)
+ * cannot smuggle past an allowlist that lists the ASCII form.
+ */
+import { normalizeArg } from "../normalize.js";
+/**
+ * Canonicalize a host string: NFKC + invisible-codepoint strip via the
+ * shared normalize pipeline, then lowercase. Used on both allowlist entries
+ * and the candidate host so matching is locale-stable and unicode-safe.
+ */
+function canonicalHost(host) {
+    return normalizeArg(host).toLowerCase();
+}
+/**
+ * Evaluate whether a host:port pair is allowed by the allowlist.
+ *
+ * Allowlist entry forms:
+ *   - "*"               → allow all (used in audit-only mode)
+ *   - "example.com:443" → exact host:port match
+ *   - ".example.com:443"→ suffix match (any subdomain)
+ *   - "example.com:*"   → host match, any port
+ */
+export function evaluateEgress(host, port, allowlist) {
+    if (!host || !Number.isFinite(port) || port < 0 || port > 65535) {
+        return { allowed: false, reason: "invalid host or port" };
+    }
+    if (allowlist.includes("*")) {
+        return { allowed: true, reason: "wildcard allow" };
+    }
+    const candidate = canonicalHost(host);
+    for (const entry of allowlist) {
+        if (matches(candidate, port, entry)) {
+            return { allowed: true, reason: `match: ${entry}` };
+        }
+    }
+    return { allowed: false, reason: "default-deny: no allowlist match" };
+}
+function matches(host, port, entry) {
+    const colonIdx = entry.lastIndexOf(":");
+    if (colonIdx < 0)
+        return false;
+    const entryHost = canonicalHost(entry.slice(0, colonIdx));
+    const entryPort = entry.slice(colonIdx + 1);
+    // Port match
+    if (entryPort !== "*" && entryPort !== String(port)) {
+        return false;
+    }
+    // Host match (both sides already canonicalized).
+    if (entryHost.startsWith(".")) {
+        return host.endsWith(entryHost) || host === entryHost.slice(1);
+    }
+    return host === entryHost;
+}
+//# sourceMappingURL=policy.js.map

package/dist/egress/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/egress/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAO/C;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAY,EACZ,IAAY,EACZ,SAA4B;IAE5B,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QAChE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC5D,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACrD,CAAC;IACD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACtC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;QACtD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;AACxE,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,IAAY,EAAE,KAAa;IACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE5C,aAAa;IACb,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iDAAiD;IACjD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,KAAK,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,IAAI,KAAK,SAAS,CAAC;AAC5B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * mcp-rce-guard — public library entrypoint.
+ *
+ * This module re-exports the building blocks for callers that want to
+ * embed mcp-rce-guard in their own MCP server / CLI tool.
+ */
+export { NAME, VERSION } from "./version.js";
+export { IsolationProfileSchema, RegisterSubprocessArgsSchema, AuditSubprocessArgsSchema, ScanCveReplayArgsSchema, TrackCanaryArgsSchema, InjectEgressPolicyArgsSchema, GetAuditLogArgsSchema, TrustTierSchema, CveIdSchema, EgressModeSchema, AuditVerdict, type IsolationProfile, type RegisterSubprocessArgs, type AuditSubprocessArgs, type ScanCveReplayArgs, type TrackCanaryArgs, type InjectEgressPolicyArgs, type GetAuditLogArgs, type AuditLogEntry, type RegisteredSubprocess, type AuditVerdictType, type CveId, type EgressMode } from "./types.js";
+export { normalizeArg, normalizeArgs, hasInvisibleCodepoints } from "./normalize.js";
+export { TRUST_TIER_DEFAULTS, resolveProfile, type TrustTier } from "./trust-tiers.js";
+export { detectPlatform, type PlatformInfo, type IsolationBackend } from "./isolation/platform.js";
+export { buildLandlockPolicy, policyAllowsExec } from "./isolation/landlock.js";
+export type { LandlockPolicyDescriptor } from "./isolation/landlock.js";
+export { buildSandboxProfile } from "./isolation/sandbox-exec.js";
+export { buildCgroupSpec, type CgroupSpec } from "./isolation/cgroups.js";
+export { makeCanary, detectLeaks, type LeakChannel, type LeakLocation, type CorpusEntry } from "./canary/tracker.js";
+export { runReplay, BUILT_IN_FIXTURES, getFixture, type CveFixture, type ReplayResult, type ReplayPerCve } from "./cve/replay.js";
+export { evaluateEgress, type EgressDecision } from "./egress/policy.js";
+export { appendAudit, readAudit, auditLogPath } from "./audit/log.js";
+export { registerSubprocessTool, type RegisterSubprocessResult } from "./tools/register.js";
+export { auditSubprocessTool, type AuditSubprocessResult } from "./tools/audit.js";
+export { scanCveReplayTool } from "./tools/scanCve.js";
+export { trackCanaryTool, type TrackCanaryResult } from "./tools/trackCanary.js";
+export { injectEgressPolicyTool, type InjectEgressPolicyResult } from "./tools/injectEgress.js";
+export { getAuditLogTool, type GetAuditLogResult } from "./tools/getAuditLog.js";
+export { clearRegistry } from "./state.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EACL,sBAAsB,EACtB,4BAA4B,EAC5B,yBAAyB,EACzB,uBAAuB,EACvB,qBAAqB,EACrB,4BAA4B,EAC5B,qBAAqB,EACrB,eAAe,EACf,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACrB,KAAK,KAAK,EACV,KAAK,UAAU,EAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAGrF,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,KAAK,SAAS,EACf,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChF,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAG1E,OAAO,EACL,UAAU,EACV,WAAW,EACX,KAAK,WAAW,EAChB,KAAK,YAAY,EACjB,KAAK,WAAW,EACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,UAAU,EACV,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,YAAY,EAClB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,cAAc,EAAE,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAKzE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGtE,OAAO,EACL,sBAAsB,EACtB,KAAK,wBAAwB,EAC9B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,mBAAmB,EACnB,KAAK,qBAAqB,EAC3B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,KAAK,iBAAiB,EACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,sBAAsB,EACtB,KAAK,wBAAwB,EAC9B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,KAAK,iBAAiB,EACvB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,38 @@
+/**
+ * mcp-rce-guard — public library entrypoint.
+ *
+ * This module re-exports the building blocks for callers that want to
+ * embed mcp-rce-guard in their own MCP server / CLI tool.
+ */
+export { NAME, VERSION } from "./version.js";
+// Types + schemas
+export { IsolationProfileSchema, RegisterSubprocessArgsSchema, AuditSubprocessArgsSchema, ScanCveReplayArgsSchema, TrackCanaryArgsSchema, InjectEgressPolicyArgsSchema, GetAuditLogArgsSchema, TrustTierSchema, CveIdSchema, EgressModeSchema, AuditVerdict } from "./types.js";
+// Normalize (Pillar-8-shared)
+export { normalizeArg, normalizeArgs, hasInvisibleCodepoints } from "./normalize.js";
+// Trust tiers
+export { TRUST_TIER_DEFAULTS, resolveProfile } from "./trust-tiers.js";
+// Isolation backends
+export { detectPlatform } from "./isolation/platform.js";
+export { buildLandlockPolicy, policyAllowsExec } from "./isolation/landlock.js";
+export { buildSandboxProfile } from "./isolation/sandbox-exec.js";
+export { buildCgroupSpec } from "./isolation/cgroups.js";
+// Canary
+export { makeCanary, detectLeaks } from "./canary/tracker.js";
+// CVE replay
+export { runReplay, BUILT_IN_FIXTURES, getFixture } from "./cve/replay.js";
+// Egress
+export { evaluateEgress } from "./egress/policy.js";
+// Audit log
+// Note: `clearAuditLog` is intentionally NOT re-exported here (Pre-Publish-Audit F9).
+// It is a @internal test helper; tests import it directly from "./audit/log.js".
+export { appendAudit, readAudit, auditLogPath } from "./audit/log.js";
+// Tools (programmatic access — same handlers the MCP server registers)
+export { registerSubprocessTool } from "./tools/register.js";
+export { auditSubprocessTool } from "./tools/audit.js";
+export { scanCveReplayTool } from "./tools/scanCve.js";
+export { trackCanaryTool } from "./tools/trackCanary.js";
+export { injectEgressPolicyTool } from "./tools/injectEgress.js";
+export { getAuditLogTool } from "./tools/getAuditLog.js";
+// State (test-only escape hatch — guarded by name)
+export { clearRegistry } from "./state.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE7C,kBAAkB;AAClB,OAAO,EACL,sBAAsB,EACtB,4BAA4B,EAC5B,yBAAyB,EACzB,uBAAuB,EACvB,qBAAqB,EACrB,4BAA4B,EAC5B,qBAAqB,EACrB,eAAe,EACf,WAAW,EACX,gBAAgB,EAChB,YAAY,EAab,MAAM,YAAY,CAAC;AAEpB,8BAA8B;AAC9B,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAErF,cAAc;AACd,OAAO,EACL,mBAAmB,EACnB,cAAc,EAEf,MAAM,kBAAkB,CAAC;AAE1B,qBAAqB;AACrB,OAAO,EACL,cAAc,EAGf,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAEhF,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAmB,MAAM,wBAAwB,CAAC;AAE1E,SAAS;AACT,OAAO,EACL,UAAU,EACV,WAAW,EAIZ,MAAM,qBAAqB,CAAC;AAE7B,aAAa;AACb,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,UAAU,EAIX,MAAM,iBAAiB,CAAC;AAEzB,SAAS;AACT,OAAO,EAAE,cAAc,EAAuB,MAAM,oBAAoB,CAAC;AAEzE,YAAY;AACZ,sFAAsF;AACtF,iFAAiF;AACjF,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAEtE,uEAAuE;AACvE,OAAO,EACL,sBAAsB,EAEvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,mBAAmB,EAEpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EACL,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,sBAAsB,EAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAEhC,mDAAmD;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/isolation/cgroups.d.ts

@@ -0,0 +1,20 @@
+/**
+ * cgroups-v2 resource cap synthesis.
+ *
+ * v0.1 emits a *spec* listing the files-to-write and values. The actual
+ * write happens in the spawning helper (separation-of-concerns: we don't
+ * want to write to /sys/fs/cgroup from inside a tool handler — that needs
+ * elevated privileges that the MCP server typically lacks).
+ */
+import type { IsolationProfile } from "../types.js";
+export interface CgroupSpec {
+    /** cgroup v2 path under /sys/fs/cgroup. The spawner creates it. */
+    cgroupPath: string;
+    /** key/value writes the spawner must perform. */
+    writes: Array<{
+        file: string;
+        value: string;
+    }>;
+}
+export declare function buildCgroupSpec(cgroupName: string, profile: IsolationProfile): CgroupSpec;
+//# sourceMappingURL=cgroups.d.ts.map

package/dist/isolation/cgroups.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cgroups.d.ts","sourceRoot":"","sources":["../../src/isolation/cgroups.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,UAAU;IACzB,mEAAmE;IACnE,UAAU,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChD;AAED,wBAAgB,eAAe,CAC7B,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,gBAAgB,GACxB,UAAU,CAyBZ"}