mcp-rce-guard 0.1.0

package/dist/isolation/cgroups.js

@@ -0,0 +1,33 @@
+/**
+ * cgroups-v2 resource cap synthesis.
+ *
+ * v0.1 emits a *spec* listing the files-to-write and values. The actual
+ * write happens in the spawning helper (separation-of-concerns: we don't
+ * want to write to /sys/fs/cgroup from inside a tool handler — that needs
+ * elevated privileges that the MCP server typically lacks).
+ */
+export function buildCgroupSpec(cgroupName, profile) {
+    const cgroupPath = `/sys/fs/cgroup/${cgroupName}`;
+    const writes = [];
+    if (profile.memMB !== undefined) {
+        // memory.max accepts bytes.
+        const bytes = profile.memMB * 1024 * 1024;
+        writes.push({ file: `${cgroupPath}/memory.max`, value: String(bytes) });
+    }
+    if (profile.pidMax !== undefined) {
+        writes.push({ file: `${cgroupPath}/pids.max`, value: String(profile.pidMax) });
+    }
+    if (profile.cpuMs !== undefined) {
+        // cpu.max format: "<quota> <period>". 100ms period; quota = cpuMs * 1000 / period_count.
+        // Simplified: derive quota_us = cpuMs * 1000 spread over a 100_000us period.
+        // For caps on TOTAL CPU time the spawner uses RLIMIT_CPU instead — see spec.
+        const periodUs = 100_000;
+        const quotaUs = Math.max(1000, Math.min(periodUs, profile.cpuMs * 1000));
+        writes.push({
+            file: `${cgroupPath}/cpu.max`,
+            value: `${quotaUs} ${periodUs}`
+        });
+    }
+    return { cgroupPath, writes };
+}
+//# sourceMappingURL=cgroups.js.map

package/dist/isolation/cgroups.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cgroups.js","sourceRoot":"","sources":["../../src/isolation/cgroups.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAWH,MAAM,UAAU,eAAe,CAC7B,UAAkB,EAClB,OAAyB;IAEzB,MAAM,UAAU,GAAG,kBAAkB,UAAU,EAAE,CAAC;IAClD,MAAM,MAAM,GAAyB,EAAE,CAAC;IAExC,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAChC,4BAA4B;QAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,GAAG,IAAI,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,UAAU,aAAa,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,UAAU,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAChC,yFAAyF;QACzF,6EAA6E;QAC7E,6EAA6E;QAC7E,MAAM,QAAQ,GAAG,OAAO,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC;QACzE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,GAAG,UAAU,UAAU;YAC7B,KAAK,EAAE,GAAG,OAAO,IAAI,QAAQ,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;AAChC,CAAC"}

package/dist/isolation/landlock.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Linux landlock policy synthesis.
+ *
+ * v0.1 emits a *policy descriptor* — a serializable representation of the
+ * landlock ruleset — but does NOT directly invoke the prctl/landlock_create_ruleset
+ * syscalls. Reason: the landlock syscall interface requires either a tiny native
+ * addon or a `libc.dlopen` dance, both of which add binary-distribution complexity.
+ *
+ * The actual enforcement contract is: the spawning helper uses the `landlock-restrict`
+ * tool (bundled in `mcp-rce-fixtures` for v0.1; will become its own bin in v0.2)
+ * to apply the policy descriptor before exec'ing the target binary. Same pattern
+ * as `firejail` or `bubblewrap` — split policy-eval from enforcement.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert volle
+ * parent-permissions). Defense: explicit policy descriptor that lists every
+ * allowed fs path + access flag.
+ */
+import type { IsolationProfile } from "../types.js";
+export interface LandlockPolicyDescriptor {
+    version: 1;
+    ruleset: {
+        handledAccessFs: string[];
+        rules: Array<{
+            path: string;
+            access: ("read" | "execute" | "write")[];
+        }>;
+    };
+}
+/**
+ * Build a landlock policy descriptor from an isolation profile.
+ *
+ * - fsReadOnly entries → read+execute access.
+ * - fsWritable entries → read+execute+write access.
+ * - Everything else: implicit deny.
+ */
+export declare function buildLandlockPolicy(profile: IsolationProfile): LandlockPolicyDescriptor;
+/**
+ * Validate that a path appears in the policy. Used by audit_subprocess to
+ * detect when the requested binary lives outside the read-only roots.
+ */
+export declare function policyAllowsExec(policy: LandlockPolicyDescriptor, binaryPath: string): boolean;
+//# sourceMappingURL=landlock.d.ts.map

package/dist/isolation/landlock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"landlock.d.ts","sourceRoot":"","sources":["../../src/isolation/landlock.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE;QACP,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,KAAK,EAAE,KAAK,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,MAAM,EAAE,CAAC,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;SAC1C,CAAC,CAAC;KACJ,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,gBAAgB,GAAG,wBAAwB,CA+BvF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,wBAAwB,EAChC,UAAU,EAAE,MAAM,GACjB,OAAO,CAOT"}

package/dist/isolation/landlock.js

@@ -0,0 +1,67 @@
+/**
+ * Linux landlock policy synthesis.
+ *
+ * v0.1 emits a *policy descriptor* — a serializable representation of the
+ * landlock ruleset — but does NOT directly invoke the prctl/landlock_create_ruleset
+ * syscalls. Reason: the landlock syscall interface requires either a tiny native
+ * addon or a `libc.dlopen` dance, both of which add binary-distribution complexity.
+ *
+ * The actual enforcement contract is: the spawning helper uses the `landlock-restrict`
+ * tool (bundled in `mcp-rce-fixtures` for v0.1; will become its own bin in v0.2)
+ * to apply the policy descriptor before exec'ing the target binary. Same pattern
+ * as `firejail` or `bubblewrap` — split policy-eval from enforcement.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert volle
+ * parent-permissions). Defense: explicit policy descriptor that lists every
+ * allowed fs path + access flag.
+ */
+/**
+ * Build a landlock policy descriptor from an isolation profile.
+ *
+ * - fsReadOnly entries → read+execute access.
+ * - fsWritable entries → read+execute+write access.
+ * - Everything else: implicit deny.
+ */
+export function buildLandlockPolicy(profile) {
+    const rules = [];
+    for (const path of profile.fsReadOnly) {
+        rules.push({ path, access: ["read", "execute"] });
+    }
+    for (const path of profile.fsWritable) {
+        rules.push({ path, access: ["read", "execute", "write"] });
+    }
+    return {
+        version: 1,
+        ruleset: {
+            handledAccessFs: [
+                "execute",
+                "write_file",
+                "read_file",
+                "read_dir",
+                "remove_dir",
+                "remove_file",
+                "make_char",
+                "make_dir",
+                "make_reg",
+                "make_sock",
+                "make_fifo",
+                "make_block",
+                "make_sym"
+            ],
+            rules
+        }
+    };
+}
+/**
+ * Validate that a path appears in the policy. Used by audit_subprocess to
+ * detect when the requested binary lives outside the read-only roots.
+ */
+export function policyAllowsExec(policy, binaryPath) {
+    for (const rule of policy.ruleset.rules) {
+        if (binaryPath.startsWith(rule.path) && rule.access.includes("execute")) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=landlock.js.map

package/dist/isolation/landlock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"landlock.js","sourceRoot":"","sources":["../../src/isolation/landlock.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAeH;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAyB;IAC3D,MAAM,KAAK,GAAiD,EAAE,CAAC;IAE/D,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC;QACV,OAAO,EAAE;YACP,eAAe,EAAE;gBACf,SAAS;gBACT,YAAY;gBACZ,WAAW;gBACX,UAAU;gBACV,YAAY;gBACZ,aAAa;gBACb,WAAW;gBACX,UAAU;gBACV,UAAU;gBACV,WAAW;gBACX,WAAW;gBACX,YAAY;gBACZ,UAAU;aACX;YACD,KAAK;SACN;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAgC,EAChC,UAAkB;IAElB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACxC,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/isolation/platform.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Platform detection for isolation backends.
+ *
+ * v0.1 supports Linux (landlock + cgroups-v2) and macOS (sandbox-exec).
+ * Windows is v0.2 backlog (AppContainer + Win Sandbox-API).
+ */
+export type IsolationBackend = "landlock" | "sandbox-exec" | "unsupported";
+export interface PlatformInfo {
+    os: NodeJS.Platform;
+    backend: IsolationBackend;
+    /** Linux kernel version, e.g. "5.15.0". Empty on non-Linux. */
+    kernelVersion: string;
+    /** True if cgroups-v2 unified hierarchy is mounted at /sys/fs/cgroup. */
+    hasCgroupsV2: boolean;
+    /** True if the running kernel exposes landlock syscalls (kernel >=5.13). */
+    hasLandlock: boolean;
+    /** True if /usr/bin/sandbox-exec is present (macOS only). */
+    hasSandboxExec: boolean;
+    /** Human-readable reason if backend is "unsupported". */
+    reason?: string;
+}
+export declare function detectPlatform(): PlatformInfo;
+/**
+ * Test helper: reset the cache. Required because detection uses fs reads.
+ */
+export declare function _resetPlatformCache(): void;
+//# sourceMappingURL=platform.d.ts.map

package/dist/isolation/platform.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform.d.ts","sourceRoot":"","sources":["../../src/isolation/platform.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,cAAc,GAAG,aAAa,CAAC;AAE3E,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC;IACpB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,+DAA+D;IAC/D,aAAa,EAAE,MAAM,CAAC;IACtB,yEAAyE;IACzE,YAAY,EAAE,OAAO,CAAC;IACtB,4EAA4E;IAC5E,WAAW,EAAE,OAAO,CAAC;IACrB,6DAA6D;IAC7D,cAAc,EAAE,OAAO,CAAC;IACxB,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,wBAAgB,cAAc,IAAI,YAAY,CA0C7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}

package/dist/isolation/platform.js

@@ -0,0 +1,96 @@
+/**
+ * Platform detection for isolation backends.
+ *
+ * v0.1 supports Linux (landlock + cgroups-v2) and macOS (sandbox-exec).
+ * Windows is v0.2 backlog (AppContainer + Win Sandbox-API).
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { platform } from "node:process";
+let cached = null;
+export function detectPlatform() {
+    if (cached)
+        return cached;
+    const os = platform;
+    let backend = "unsupported";
+    let kernelVersion = "";
+    let hasCgroupsV2 = false;
+    let hasLandlock = false;
+    let hasSandboxExec = false;
+    let reason;
+    if (os === "linux") {
+        kernelVersion = readKernelVersion();
+        hasLandlock = kernelMeetsMin(kernelVersion, 5, 13);
+        hasCgroupsV2 = isCgroupsV2();
+        if (hasLandlock) {
+            backend = "landlock";
+        }
+        else {
+            reason = `Linux kernel ${kernelVersion} does not support landlock (need >=5.13)`;
+        }
+    }
+    else if (os === "darwin") {
+        hasSandboxExec = existsSync("/usr/bin/sandbox-exec");
+        if (hasSandboxExec) {
+            backend = "sandbox-exec";
+        }
+        else {
+            reason = "macOS sandbox-exec binary not found at /usr/bin/sandbox-exec";
+        }
+    }
+    else {
+        reason = `Platform ${os} is not supported in v0.1 (Windows is v0.2 backlog)`;
+    }
+    const info = {
+        os,
+        backend,
+        kernelVersion,
+        hasCgroupsV2,
+        hasLandlock,
+        hasSandboxExec,
+        ...(reason !== undefined ? { reason } : {})
+    };
+    cached = info;
+    return info;
+}
+/**
+ * Test helper: reset the cache. Required because detection uses fs reads.
+ */
+export function _resetPlatformCache() {
+    cached = null;
+}
+function readKernelVersion() {
+    try {
+        const raw = readFileSync("/proc/version", "utf8");
+        const m = raw.match(/Linux version (\d+\.\d+\.\d+)/);
+        return m?.[1] ?? "";
+    }
+    catch {
+        return "";
+    }
+}
+function kernelMeetsMin(version, minMajor, minMinor) {
+    const parts = version.split(".").map((p) => parseInt(p, 10));
+    const major = parts[0];
+    const minor = parts[1];
+    if (major === undefined || minor === undefined || Number.isNaN(major) || Number.isNaN(minor)) {
+        return false;
+    }
+    if (major > minMajor)
+        return true;
+    if (major < minMajor)
+        return false;
+    return minor >= minMinor;
+}
+function isCgroupsV2() {
+    try {
+        const mounts = readFileSync("/proc/mounts", "utf8");
+        return mounts.split("\n").some((line) => {
+            const fields = line.split(/\s+/);
+            return fields[2] === "cgroup2";
+        });
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=platform.js.map

package/dist/isolation/platform.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform.js","sourceRoot":"","sources":["../../src/isolation/platform.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAmBxC,IAAI,MAAM,GAAwB,IAAI,CAAC;AAEvC,MAAM,UAAU,cAAc;IAC5B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,EAAE,GAAG,QAAQ,CAAC;IACpB,IAAI,OAAO,GAAqB,aAAa,CAAC;IAC9C,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,IAAI,MAA0B,CAAC;IAE/B,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,aAAa,GAAG,iBAAiB,EAAE,CAAC;QACpC,WAAW,GAAG,cAAc,CAAC,aAAa,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,YAAY,GAAG,WAAW,EAAE,CAAC;QAC7B,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,GAAG,UAAU,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,gBAAgB,aAAa,0CAA0C,CAAC;QACnF,CAAC;IACH,CAAC;SAAM,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3B,cAAc,GAAG,UAAU,CAAC,uBAAuB,CAAC,CAAC;QACrD,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,GAAG,cAAc,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,8DAA8D,CAAC;QAC1E,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,YAAY,EAAE,qDAAqD,CAAC;IAC/E,CAAC;IAED,MAAM,IAAI,GAAiB;QACzB,EAAE;QACF,OAAO;QACP,aAAa;QACb,YAAY;QACZ,WAAW;QACX,cAAc;QACd,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;IACF,MAAM,GAAG,IAAI,CAAC;IACd,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,GAAG,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACrD,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,QAAgB,EAAE,QAAgB;IACzE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7F,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,GAAG,QAAQ;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,KAAK,GAAG,QAAQ;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,KAAK,IAAI,QAAQ,CAAC;AAC3B,CAAC;AAED,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;YACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/isolation/sandbox-exec.d.ts

@@ -0,0 +1,17 @@
+/**
+ * macOS sandbox-exec policy synthesis.
+ *
+ * Emits a Scheme-syntax sandbox profile (.sb) that can be passed to
+ * `/usr/bin/sandbox-exec -p` before the target binary. Apple's sandbox-exec
+ * is non-public-API but stable since 10.5; v0.1 ships it, v0.2 evaluates
+ * App Sandbox via Entitlements as fallback (per Architect-Empfehlung).
+ */
+import type { IsolationProfile } from "../types.js";
+/**
+ * Build a sandbox-exec profile string from an isolation profile.
+ *
+ * Default-deny + per-rule allow. The sandbox profile language is Scheme-derived,
+ * see `man sandbox-exec` and `/usr/share/sandbox/`.
+ */
+export declare function buildSandboxProfile(profile: IsolationProfile): string;
+//# sourceMappingURL=sandbox-exec.d.ts.map

package/dist/isolation/sandbox-exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-exec.d.ts","sourceRoot":"","sources":["../../src/isolation/sandbox-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,gBAAgB,GAAG,MAAM,CAqCrE"}

package/dist/isolation/sandbox-exec.js

@@ -0,0 +1,58 @@
+/**
+ * macOS sandbox-exec policy synthesis.
+ *
+ * Emits a Scheme-syntax sandbox profile (.sb) that can be passed to
+ * `/usr/bin/sandbox-exec -p` before the target binary. Apple's sandbox-exec
+ * is non-public-API but stable since 10.5; v0.1 ships it, v0.2 evaluates
+ * App Sandbox via Entitlements as fallback (per Architect-Empfehlung).
+ */
+/**
+ * Build a sandbox-exec profile string from an isolation profile.
+ *
+ * Default-deny + per-rule allow. The sandbox profile language is Scheme-derived,
+ * see `man sandbox-exec` and `/usr/share/sandbox/`.
+ */
+export function buildSandboxProfile(profile) {
+    const lines = [
+        "(version 1)",
+        "(deny default)",
+        "(allow process-fork)",
+        "(allow process-exec self)",
+        "(allow signal (target self))",
+        "(allow sysctl-read)",
+        "(allow mach-lookup)",
+        "(allow ipc-posix-shm)",
+        "(allow file-read-metadata)"
+    ];
+    for (const path of profile.fsReadOnly) {
+        lines.push(`(allow file-read* (subpath "${escapeSchemeString(path)}"))`);
+        lines.push(`(allow process-exec (subpath "${escapeSchemeString(path)}"))`);
+    }
+    for (const path of profile.fsWritable) {
+        lines.push(`(allow file-read* file-write* (subpath "${escapeSchemeString(path)}"))`);
+    }
+    // Network egress: default-deny. Allowlist entries are emitted as remote-host
+    // matchers. Wildcard "*" permits all (audit-only mode).
+    if (profile.egressAllowlist.includes("*")) {
+        lines.push("(allow network-outbound)");
+    }
+    else {
+        for (const entry of profile.egressAllowlist) {
+            const [host, port] = parseHostPort(entry);
+            if (host && port) {
+                lines.push(`(allow network-outbound (remote ip "${escapeSchemeString(host)}:${port}"))`);
+            }
+        }
+    }
+    return lines.join("\n") + "\n";
+}
+function parseHostPort(entry) {
+    const m = entry.match(/^([^:]+):(\d+)$/);
+    if (!m || !m[1] || !m[2])
+        return [null, null];
+    return [m[1], m[2]];
+}
+function escapeSchemeString(s) {
+    return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+//# sourceMappingURL=sandbox-exec.js.map

package/dist/isolation/sandbox-exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-exec.js","sourceRoot":"","sources":["../../src/isolation/sandbox-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAyB;IAC3D,MAAM,KAAK,GAAa;QACtB,aAAa;QACb,gBAAgB;QAChB,sBAAsB;QACtB,2BAA2B;QAC3B,8BAA8B;QAC9B,qBAAqB;QACrB,qBAAqB;QACrB,uBAAuB;QACvB,4BAA4B;KAC7B,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,+BAA+B,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzE,KAAK,CAAC,IAAI,CAAC,iCAAiC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7E,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,2CAA2C,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvF,CAAC;IAED,6EAA6E;IAC7E,wDAAwD;IACxD,IAAI,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5C,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YAC1C,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;gBACjB,KAAK,CAAC,IAAI,CACR,uCAAuC,kBAAkB,CAAC,IAAI,CAAC,IAAI,IAAI,KAAK,CAC7E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9C,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC"}

package/dist/normalize.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Argument normalization for subprocess audit.
+ *
+ * Provenance: shared with Pillar 8 (mcp-stdio-shellguard) — same NFKC + Zero-Width-Char-Strip
+ * + Bidi-Block pipeline. Wiederverwendung garantiert dass Layer-2 Allowlist und Layer-3
+ * Sandbox-Audit auf identischer canonical form arbeiten.
+ *
+ * Anti-Pattern provenance: Fullwidth-Unicode-Bypass (mcp-server-attestation R3, S912),
+ * Zero-Width-Joiner-Smuggling (ai-shield Round-2 Finding F2).
+ */
+/**
+ * Normalize a single argument string for safe comparison against an allowlist.
+ *
+ * Applies in order:
+ *   1. NFKC unicode normalization (collapses fullwidth/halfwidth + compat chars).
+ *   2. Strip zero-width / format-control codepoints.
+ *   3. Strip bidi-control codepoints.
+ *
+ * Returns the canonical form. Comparison MUST always go through this function.
+ */
+export declare function normalizeArg(input: string): string;
+/**
+ * Normalize an entire args array. Returns a new array (never mutates input).
+ */
+export declare function normalizeArgs(args: readonly string[]): string[];
+/**
+ * Quick smell-test: does an input contain any zero-width or bidi codepoint?
+ * Used by the audit-log to mark suspicious args even when normalization
+ * makes them comparable.
+ */
+export declare function hasInvisibleCodepoints(input: string): boolean;
+//# sourceMappingURL=normalize.d.ts.map

package/dist/normalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.d.ts","sourceRoot":"","sources":["../src/normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAuBH;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQlD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAK7D"}

package/dist/normalize.js

@@ -0,0 +1,66 @@
+/**
+ * Argument normalization for subprocess audit.
+ *
+ * Provenance: shared with Pillar 8 (mcp-stdio-shellguard) — same NFKC + Zero-Width-Char-Strip
+ * + Bidi-Block pipeline. Wiederverwendung garantiert dass Layer-2 Allowlist und Layer-3
+ * Sandbox-Audit auf identischer canonical form arbeiten.
+ *
+ * Anti-Pattern provenance: Fullwidth-Unicode-Bypass (mcp-server-attestation R3, S912),
+ * Zero-Width-Joiner-Smuggling (ai-shield Round-2 Finding F2).
+ */
+/**
+ * Two distinct regex objects per pattern to avoid the V8 well-known footgun
+ * where a `/g`-flagged RegExp carries mutable `lastIndex`. The `_STRIP` form
+ * (with `/g`) is used by `.replace()` to remove all occurrences. The `_TEST`
+ * form (without `/g`) is used by `.test()` for stateless boolean checks.
+ *
+ * Bug context: a single `/g` regex used for both `.replace()` (mutates state)
+ * AND `.test()` (consults state) makes the test result flip on alternating
+ * calls. Reviewer S1024 F3 documented this; regression test in
+ * `tests/unit/normalize.test.ts` covers it.
+ */
+const ZERO_WIDTH_STRIP = /[\u200B-\u200F\u2028-\u202F\u2060-\u206F\uFEFF]/g;
+const ZERO_WIDTH_TEST = /[\u200B-\u200F\u2028-\u202F\u2060-\u206F\uFEFF]/;
+/**
+ * Bidi control codepoints: U+2066..U+2069 (LRI/RLI/FSI/PDI), U+202A..U+202E (LRE/RLE/PDF/LRO/RLO).
+ * These are weaponized in trojan-source attacks (CVE-2021-42574).
+ */
+const BIDI_CONTROL_STRIP = /[\u202A-\u202E\u2066-\u2069]/g;
+const BIDI_CONTROL_TEST = /[\u202A-\u202E\u2066-\u2069]/;
+/**
+ * Normalize a single argument string for safe comparison against an allowlist.
+ *
+ * Applies in order:
+ *   1. NFKC unicode normalization (collapses fullwidth/halfwidth + compat chars).
+ *   2. Strip zero-width / format-control codepoints.
+ *   3. Strip bidi-control codepoints.
+ *
+ * Returns the canonical form. Comparison MUST always go through this function.
+ */
+export function normalizeArg(input) {
+    if (typeof input !== "string") {
+        throw new TypeError(`normalizeArg expects string, got ${typeof input}`);
+    }
+    let s = input.normalize("NFKC");
+    s = s.replace(ZERO_WIDTH_STRIP, "");
+    s = s.replace(BIDI_CONTROL_STRIP, "");
+    return s;
+}
+/**
+ * Normalize an entire args array. Returns a new array (never mutates input).
+ */
+export function normalizeArgs(args) {
+    return args.map(normalizeArg);
+}
+/**
+ * Quick smell-test: does an input contain any zero-width or bidi codepoint?
+ * Used by the audit-log to mark suspicious args even when normalization
+ * makes them comparable.
+ */
+export function hasInvisibleCodepoints(input) {
+    // IMPORTANT: use the non-/g regex variants. `.test()` on a /g-flagged
+    // RegExp consults+mutates `lastIndex`, which makes the result flip on
+    // alternating calls with the same input (Reviewer S1024 F3).
+    return ZERO_WIDTH_TEST.test(input) || BIDI_CONTROL_TEST.test(input);
+}
+//# sourceMappingURL=normalize.js.map

package/dist/normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.js","sourceRoot":"","sources":["../src/normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,gBAAgB,GAAG,kDAAkD,CAAC;AAC5E,MAAM,eAAe,GAAG,iDAAiD,CAAC;AAE1E;;;GAGG;AACH,MAAM,kBAAkB,GAAG,+BAA+B,CAAC;AAC3D,MAAM,iBAAiB,GAAG,8BAA8B,CAAC;AAEzD;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CAAC,oCAAoC,OAAO,KAAK,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;IACpC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACtC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAuB;IACnD,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,sEAAsE;IACtE,sEAAsE;IACtE,6DAA6D;IAC7D,OAAO,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACtE,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,15 @@
+/**
+ * mcp-rce-guard MCP stdio server (entry-point).
+ *
+ * Spec: MCP 2025-06-18.
+ * Transport: stdio (consistent with Pillar 1 + Pillar 8).
+ * Tools: 6 (register_subprocess, audit_subprocess, scan_cve_replay,
+ *           track_canary, inject_egress_policy, get_audit_log).
+ *
+ * The server is a thin wrapper around the programmatic tool handlers in
+ * src/tools/*.ts — same handlers the library exports.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function createServer(): McpServer;
+export declare function main(): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA+CpE,wBAAgB,YAAY,IAAI,SAAS,CAmHxC;AAED,wBAAsB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAqB1C"}

package/dist/server.js

@@ -0,0 +1,152 @@
+#!/usr/bin/env node
+/**
+ * mcp-rce-guard MCP stdio server (entry-point).
+ *
+ * Spec: MCP 2025-06-18.
+ * Transport: stdio (consistent with Pillar 1 + Pillar 8).
+ * Tools: 6 (register_subprocess, audit_subprocess, scan_cve_replay,
+ *           track_canary, inject_egress_policy, get_audit_log).
+ *
+ * The server is a thin wrapper around the programmatic tool handlers in
+ * src/tools/*.ts — same handlers the library exports.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { RegisterSubprocessArgsSchema, AuditSubprocessArgsSchema, ScanCveReplayArgsSchema, TrackCanaryArgsSchema, InjectEgressPolicyArgsSchema, GetAuditLogArgsSchema } from "./types.js";
+import { registerSubprocessTool } from "./tools/register.js";
+import { auditSubprocessTool } from "./tools/audit.js";
+import { scanCveReplayTool } from "./tools/scanCve.js";
+import { trackCanaryTool } from "./tools/trackCanary.js";
+import { injectEgressPolicyTool } from "./tools/injectEgress.js";
+import { getAuditLogTool } from "./tools/getAuditLog.js";
+import { NAME, VERSION } from "./version.js";
+function ok(result) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(result, null, 2) }]
+    };
+}
+function err(message) {
+    return {
+        content: [{ type: "text", text: message }],
+        isError: true
+    };
+}
+async function safe(fn) {
+    try {
+        return ok(await fn());
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return err(`mcp-rce-guard error: ${msg}`);
+    }
+}
+export function createServer() {
+    const server = new McpServer({ name: NAME, version: VERSION }, {
+        capabilities: {
+            tools: {}
+        },
+        instructions: "v0.1 policy-synthesis library for MCP subprocess isolation. Emits landlock / sandbox-exec / cgroups-v2 policy descriptors + runs behavioral CVE-replay predicates + tracks cross-server canary leaks + appends NDJSON audit log. Does NOT call landlock/sandbox-exec/cgroups syscalls in v0.1 — the host spawner translates descriptors into platform syscalls. Native enforcement is v0.2. Use register_subprocess + audit_subprocess to synthesize + validate spawn-specs, scan_cve_replay before connecting to unknown servers, track_canary in multi-server chains, inject_egress_policy for descriptor-only egress policy, get_audit_log for forensic review."
+    });
+    server.registerTool("register_subprocess", {
+        title: "Synthesize isolation policy descriptors",
+        description: "Register a subprocess spec (binary + args) under a trust tier with an isolation profile. Returns a stable handle + profile fingerprint + policyDescriptor (landlockRuleset, sandboxExecProfile, cgroupsV2Limits). v0.1 emits descriptors only — the host spawner is responsible for translating them into platform syscalls. Native enforcement is v0.2.",
+        inputSchema: RegisterSubprocessArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: false,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => registerSubprocessTool(args)));
+    server.registerTool("audit_subprocess", {
+        title: "Audit a candidate args set",
+        description: "Verify candidate args against the registered subprocess. Runs Pillar-8 (NFKC + ZWC + Bidi) normalize + allowlist check. Returns approve / block / quarantine.",
+        inputSchema: AuditSubprocessArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: true,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => auditSubprocessTool(args)));
+    server.registerTool("scan_cve_replay", {
+        title: "Run CVE replay fixtures",
+        description: "Replay 2026 MCP CVE fixtures (mcp-sdk-rce-2026-04-22, cve-2026-27124, nginx-mcp-rce-9.8) against a candidate command. Returns overall + per-CVE pass/fail.",
+        inputSchema: ScanCveReplayArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: true,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => scanCveReplayTool(args)));
+    server.registerTool("track_canary", {
+        title: "Issue canary token + register chain",
+        description: "Register a multi-server canary chain. Returns a high-entropy token to inject into the source server's outbound flow. Cross-boundary leaks are detectable via the library detectLeaks() helper. State change is limited to the in-memory chain registry; no subprocess is mutated.",
+        inputSchema: TrackCanaryArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: false,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => trackCanaryTool(args)));
+    server.registerTool("inject_egress_policy", {
+        title: "Emit egress policy descriptor",
+        description: "Update the egress allowlist + mode (default-deny / audit-only) on a registered subprocess. v0.1 emits a descriptor only — no subprocess state, nftables, or packet-filter is modified by this call. The host spawner translates the descriptor into platform-specific enforcement. v0.2 will flip destructiveHint=true once native enforcement is wired.",
+        inputSchema: InjectEgressPolicyArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: true,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => injectEgressPolicyTool(args)));
+    server.registerTool("get_audit_log", {
+        title: "Read audit log",
+        description: "Read the append-only NDJSON audit log. Filter by subprocessHandle, since-timestamp, and limit.",
+        inputSchema: GetAuditLogArgsSchema.shape,
+        annotations: {
+            readOnlyHint: true,
+            destructiveHint: false,
+            idempotentHint: true,
+            openWorldHint: false
+        }
+    }, async (args) => safe(() => getAuditLogTool(args)));
+    return server;
+}
+export async function main() {
+    const server = createServer();
+    const transport = new StdioServerTransport();
+    // Graceful shutdown: SIGTERM + SIGINT close transport + flush stderr.
+    const shutdown = async (signal) => {
+        try {
+            await server.close();
+        }
+        catch {
+            // best-effort
+        }
+        process.stderr.write(`[mcp-rce-guard] received ${signal}, exiting\n`);
+        process.exit(0);
+    };
+    process.on("SIGTERM", () => void shutdown("SIGTERM"));
+    process.on("SIGINT", () => void shutdown("SIGINT"));
+    await server.connect(transport);
+    process.stderr.write(`[mcp-rce-guard] ${VERSION} listening on stdio (6 tools)\n`);
+}
+const isDirect = (() => {
+    try {
+        const argvUrl = `file://${process.argv[1]}`;
+        return argvUrl === import.meta.url || process.argv[1]?.endsWith("server.js");
+    }
+    catch {
+        return false;
+    }
+})();
+if (isDirect) {
+    main().catch((e) => {
+        process.stderr.write(`[mcp-rce-guard] fatal: ${e.message}\n`);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=server.js.map