mcp-rce-guard 0.1.0

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAEjF,OAAO,EACL,4BAA4B,EAC5B,yBAAyB,EACzB,uBAAuB,EACvB,qBAAqB,EACrB,4BAA4B,EAC5B,qBAAqB,EACtB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAQ7C,SAAS,EAAE,CAAC,MAAe;IACzB,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED,SAAS,GAAG,CAAC,OAAe;IAC1B,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC1C,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,IAAI,CAAI,EAAoB;IACzC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,GAAG,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,MAAM,MAAM,GAAG,IAAI,SAAS,CAC1B,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,EAChC;QACE,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;SACV;QACD,YAAY,EACV,ooBAAooB;KACvoB,CACF,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,qBAAqB,EACrB;QACE,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,0VAA0V;QAC5V,WAAW,EAAE,4BAA4B,CAAC,KAAK;QAC/C,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CACzD,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,kBAAkB,EAClB;QACE,KAAK,EAAE,4BAA4B;QACnC,WAAW,EACT,+JAA+J;QACjK,WAAW,EAAE,yBAAyB,CAAC,KAAK;QAC5C,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,IAAI;YACpB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CACtD,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,iBAAiB,EACjB;QACE,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,4JAA4J;QAC9J,WAAW,EAAE,uBAAuB,CAAC,KAAK;QAC1C,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,IAAI;YACpB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CACpD,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,cAAc,EACd;QACE,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,mRAAmR;QACrR,WAAW,EAAE,qBAAqB,CAAC,KAAK;QACxC,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAClD,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,sBAAsB,EACtB;QACE,KAAK,EAAE,+BAA+B;QACtC,WAAW,EACT,0VAA0V;QAC5V,WAAW,EAAE,4BAA4B,CAAC,KAAK;QAC/C,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,IAAI;YACpB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CACzD,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,eAAe,EACf;QACE,KAAK,EAAE,gBAAgB;QACvB,WAAW,EACT,gGAAgG;QAClG,WAAW,EAAE,qBAAqB,CAAC,KAAK;QACxC,WAAW,EAAE;YACX,YAAY,EAAE,IAAI;YAClB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,IAAI;YACpB,aAAa,EAAE,KAAK;SACrB;KACF,EACD,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAClD,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,IAAI;IACxB,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAE7C,sEAAsE;IACtE,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QACvD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,MAAM,aAAa,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEpD,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,mBAAmB,OAAO,iCAAiC,CAC5D,CAAC;AACJ,CAAC;AAED,MAAM,QAAQ,GAAG,CAAC,GAAG,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,OAAO,OAAO,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,CAAC,EAAE,CAAC;AAEL,IAAI,QAAQ,EAAE,CAAC;IACb,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA2B,CAAW,CAAC,OAAO,IAAI,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/state.d.ts

@@ -0,0 +1,34 @@
+/**
+ * In-memory subprocess registry + canary chain registry.
+ *
+ * Process-local state. The persistent audit-log lives in audit/log.ts (NDJSON).
+ *
+ * v0.1 trade-off: registry is in-memory and resets on server restart. v0.2 will
+ * persist to ~/.mcp-rce-guard/registry.json with optional Pillar-1 signing.
+ */
+import type { EgressMode, IsolationProfile, RegisteredSubprocess } from "./types.js";
+interface CanaryChain {
+    chainId: string;
+    sourceServerId: string;
+    downstreamServerIds: string[];
+    canaryToken: string;
+    canaryPattern: string;
+    createdAt: string;
+}
+/**
+ * Compute a stable fingerprint for a profile. Two registrations with the
+ * same effective profile must produce the same fingerprint.
+ */
+export declare function profileFingerprint(profile: IsolationProfile): string;
+export declare function generateHandle(prefix?: string): string;
+export declare function registerSubprocess(serverId: string, binary: string, args: string[], trustTier: RegisteredSubprocess["trustTier"], profile: IsolationProfile): RegisteredSubprocess;
+export declare function getSubprocess(handle: string): RegisteredSubprocess | undefined;
+export declare function listSubprocesses(): readonly RegisteredSubprocess[];
+export declare function updateEgressPolicy(handle: string, allowlist: string[], mode: EgressMode): RegisteredSubprocess | undefined;
+export declare function bumpBlockedEgress(handle: string, by?: number): void;
+export declare function clearRegistry(): void;
+export declare function generateCanaryToken(): string;
+export declare function registerCanaryChain(chainId: string, sourceServerId: string, downstreamServerIds: string[], canaryPattern: string, canaryToken: string): CanaryChain;
+export declare function getCanaryChain(chainId: string): CanaryChain | undefined;
+export {};
+//# sourceMappingURL=state.d.ts.map

package/dist/state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,UAAU,EACV,gBAAgB,EAChB,oBAAoB,EACrB,MAAM,YAAY,CAAC;AAIpB,UAAU,WAAW;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,gBAAgB,GAAG,MAAM,CAUpE;AAED,wBAAgB,cAAc,CAAC,MAAM,SAAO,GAAG,MAAM,CAEpD;AAED,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,oBAAoB,CAAC,WAAW,CAAC,EAC5C,OAAO,EAAE,gBAAgB,GACxB,oBAAoB,CAkBtB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,GAAG,SAAS,CAE9E;AAED,wBAAgB,gBAAgB,IAAI,SAAS,oBAAoB,EAAE,CAElE;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EAAE,EACnB,IAAI,EAAE,UAAU,GACf,oBAAoB,GAAG,SAAS,CAgBlC;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,SAAI,GAAG,IAAI,CAI9D;AAED,wBAAgB,aAAa,IAAI,IAAI,CAGpC;AAID,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAED,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,EACtB,mBAAmB,EAAE,MAAM,EAAE,EAC7B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,WAAW,CAWb;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAEvE"}

package/dist/state.js

@@ -0,0 +1,104 @@
+/**
+ * In-memory subprocess registry + canary chain registry.
+ *
+ * Process-local state. The persistent audit-log lives in audit/log.ts (NDJSON).
+ *
+ * v0.1 trade-off: registry is in-memory and resets on server restart. v0.2 will
+ * persist to ~/.mcp-rce-guard/registry.json with optional Pillar-1 signing.
+ */
+import { createHash, randomBytes } from "node:crypto";
+const subprocesses = new Map();
+const canaryChains = new Map();
+/**
+ * Compute a stable fingerprint for a profile. Two registrations with the
+ * same effective profile must produce the same fingerprint.
+ */
+export function profileFingerprint(profile) {
+    const canonical = JSON.stringify({
+        fsReadOnly: [...profile.fsReadOnly].sort(),
+        fsWritable: [...profile.fsWritable].sort(),
+        cpuMs: profile.cpuMs ?? null,
+        memMB: profile.memMB ?? null,
+        pidMax: profile.pidMax ?? null,
+        egressAllowlist: [...profile.egressAllowlist].sort()
+    });
+    return createHash("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+export function generateHandle(prefix = "sp") {
+    return `${prefix}_${randomBytes(12).toString("hex")}`;
+}
+export function registerSubprocess(serverId, binary, args, trustTier, profile) {
+    const subprocessHandle = generateHandle();
+    const now = new Date().toISOString();
+    const record = {
+        subprocessHandle,
+        serverId,
+        binary,
+        args: [...args],
+        trustTier,
+        profile,
+        profileFingerprint: profileFingerprint(profile),
+        egressMode: "default-deny",
+        egressModeSetAt: now,
+        blockedEgressAttempts: 0,
+        registeredAt: now
+    };
+    subprocesses.set(subprocessHandle, record);
+    return record;
+}
+export function getSubprocess(handle) {
+    return subprocesses.get(handle);
+}
+export function listSubprocesses() {
+    return Array.from(subprocesses.values());
+}
+export function updateEgressPolicy(handle, allowlist, mode) {
+    const record = subprocesses.get(handle);
+    if (!record)
+        return undefined;
+    record.profile = {
+        ...record.profile,
+        egressAllowlist: [...allowlist]
+    };
+    record.profileFingerprint = profileFingerprint(record.profile);
+    // Only bump egressModeSetAt when the mode actually transitions. Pure
+    // allowlist edits without mode-change keep the original timestamp so the
+    // staleness WARN measures actual mode-dwell time, not edit churn.
+    if (record.egressMode !== mode) {
+        record.egressMode = mode;
+        record.egressModeSetAt = new Date().toISOString();
+    }
+    return record;
+}
+export function bumpBlockedEgress(handle, by = 1) {
+    const record = subprocesses.get(handle);
+    if (!record)
+        return;
+    record.blockedEgressAttempts += by;
+}
+export function clearRegistry() {
+    subprocesses.clear();
+    canaryChains.clear();
+}
+/* canary chains */
+export function generateCanaryToken() {
+    // 32-byte high-entropy hex; prefix marks it as a canary so legitimate
+    // tools can detect + redact in their logs.
+    return `__MCP_CANARY_${randomBytes(32).toString("hex")}__`;
+}
+export function registerCanaryChain(chainId, sourceServerId, downstreamServerIds, canaryPattern, canaryToken) {
+    const chain = {
+        chainId,
+        sourceServerId,
+        downstreamServerIds: [...downstreamServerIds],
+        canaryToken,
+        canaryPattern,
+        createdAt: new Date().toISOString()
+    };
+    canaryChains.set(chainId, chain);
+    return chain;
+}
+export function getCanaryChain(chainId) {
+    return canaryChains.get(chainId);
+}
+//# sourceMappingURL=state.js.map

package/dist/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../src/state.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAOtD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAgC,CAAC;AAW7D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;AAEpD;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAyB;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,UAAU,EAAE,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE;QAC1C,UAAU,EAAE,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE;QAC1C,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;QAC5B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;QAC5B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;QAC9B,eAAe,EAAE,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE;KACrD,CAAC,CAAC;IACH,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAM,GAAG,IAAI;IAC1C,OAAO,GAAG,MAAM,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,MAAc,EACd,IAAc,EACd,SAA4C,EAC5C,OAAyB;IAEzB,MAAM,gBAAgB,GAAG,cAAc,EAAE,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,MAAM,GAAyB;QACnC,gBAAgB;QAChB,QAAQ;QACR,MAAM;QACN,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;QACf,SAAS;QACT,OAAO;QACP,kBAAkB,EAAE,kBAAkB,CAAC,OAAO,CAAC;QAC/C,UAAU,EAAE,cAAc;QAC1B,eAAe,EAAE,GAAG;QACpB,qBAAqB,EAAE,CAAC;QACxB,YAAY,EAAE,GAAG;KAClB,CAAC;IACF,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAO,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,SAAmB,EACnB,IAAgB;IAEhB,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,CAAC,OAAO,GAAG;QACf,GAAG,MAAM,CAAC,OAAO;QACjB,eAAe,EAAE,CAAC,GAAG,SAAS,CAAC;KAChC,CAAC;IACF,MAAM,CAAC,kBAAkB,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,qEAAqE;IACrE,yEAAyE;IACzE,kEAAkE;IAClE,IAAI,MAAM,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAC/B,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,MAAM,CAAC,eAAe,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,EAAE,GAAG,CAAC;IACtD,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM;QAAE,OAAO;IACpB,MAAM,CAAC,qBAAqB,IAAI,EAAE,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,YAAY,CAAC,KAAK,EAAE,CAAC;IACrB,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,mBAAmB;AAEnB,MAAM,UAAU,mBAAmB;IACjC,sEAAsE;IACtE,2CAA2C;IAC3C,OAAO,gBAAgB,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,cAAsB,EACtB,mBAA6B,EAC7B,aAAqB,EACrB,WAAmB;IAEnB,MAAM,KAAK,GAAgB;QACzB,OAAO;QACP,cAAc;QACd,mBAAmB,EAAE,CAAC,GAAG,mBAAmB,CAAC;QAC7C,WAAW;QACX,aAAa;QACb,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,OAAO,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACnC,CAAC"}

package/dist/tools/audit.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Tool: audit_subprocess
+ *
+ * Verifies a candidate args set against the registered subprocess profile.
+ * Returns approve | block | quarantine + reason.
+ *
+ * Layer-2 (Pillar 8) interaction: args are normalized via the shared
+ * normalize.ts pipeline (NFKC + ZWC + Bidi) before any comparison.
+ *
+ * Layer-1 (Pillar 1) interaction: when MCP_RCE_GUARD_PILLAR1_FINGERPRINT is
+ * set in the environment, the tool reflects that into pillar1Fingerprint
+ * for cross-pillar audit traceability. v0.1 trust-on-first-use, v0.2 will
+ * verify against a Sigstore key.
+ *
+ * Anti-Pattern provenance: MCP-SDK-RCE 22.04.2026 (Tool-Args ungesanitized
+ * in subprocess command-strings).
+ */
+import { type AuditVerdictType } from "../types.js";
+export interface AuditSubprocessResult {
+    verdict: AuditVerdictType;
+    reason: string;
+    pillar1Fingerprint?: string;
+    pillar8Allowlist: "pass" | "fail";
+}
+export declare function auditSubprocessTool(rawArgs: unknown): Promise<AuditSubprocessResult>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/tools/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/tools/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,aAAa,CAAC;AAKrB,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,gBAAgB,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;CACnC;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,qBAAqB,CAAC,CAgFhC"}

package/dist/tools/audit.js

@@ -0,0 +1,97 @@
+/**
+ * Tool: audit_subprocess
+ *
+ * Verifies a candidate args set against the registered subprocess profile.
+ * Returns approve | block | quarantine + reason.
+ *
+ * Layer-2 (Pillar 8) interaction: args are normalized via the shared
+ * normalize.ts pipeline (NFKC + ZWC + Bidi) before any comparison.
+ *
+ * Layer-1 (Pillar 1) interaction: when MCP_RCE_GUARD_PILLAR1_FINGERPRINT is
+ * set in the environment, the tool reflects that into pillar1Fingerprint
+ * for cross-pillar audit traceability. v0.1 trust-on-first-use, v0.2 will
+ * verify against a Sigstore key.
+ *
+ * Anti-Pattern provenance: MCP-SDK-RCE 22.04.2026 (Tool-Args ungesanitized
+ * in subprocess command-strings).
+ */
+import { AuditSubprocessArgsSchema } from "../types.js";
+import { getSubprocess } from "../state.js";
+import { normalizeArgs, hasInvisibleCodepoints } from "../normalize.js";
+import { appendAudit } from "../audit/log.js";
+export async function auditSubprocessTool(rawArgs) {
+    const args = AuditSubprocessArgsSchema.parse(rawArgs);
+    const record = getSubprocess(args.subprocessHandle);
+    if (!record) {
+        const result = {
+            verdict: "block",
+            reason: `unknown subprocess handle: ${args.subprocessHandle}`,
+            pillar8Allowlist: "fail"
+        };
+        await appendAudit({
+            subprocessHandle: args.subprocessHandle,
+            action: "audit_subprocess",
+            verdict: "block",
+            reason: result.reason
+        });
+        return result;
+    }
+    // Pillar 8: normalize + allowlist check.
+    const normalizedRequested = normalizeArgs(args.requestedArgs);
+    const normalizedRegistered = normalizeArgs(record.args);
+    // Detection signal: any invisible codepoint in requested args raises
+    // suspicion even if normalization makes the args comparable.
+    const suspicious = args.requestedArgs.some(hasInvisibleCodepoints);
+    // Allowlist semantics: requested args must be a prefix/exact-match of
+    // registered args (the registered args are the *trusted invocation*).
+    let pillar8 = "pass";
+    let mismatchReason = "";
+    if (normalizedRequested.length !== normalizedRegistered.length) {
+        pillar8 = "fail";
+        mismatchReason = `arg-count mismatch: requested=${normalizedRequested.length}, registered=${normalizedRegistered.length}`;
+    }
+    else {
+        for (let i = 0; i < normalizedRequested.length; i++) {
+            if (normalizedRequested[i] !== normalizedRegistered[i]) {
+                pillar8 = "fail";
+                mismatchReason = `arg[${i}] mismatch: requested=${JSON.stringify(normalizedRequested[i])}, registered=${JSON.stringify(normalizedRegistered[i])}`;
+                break;
+            }
+        }
+    }
+    let verdict;
+    let reason;
+    if (pillar8 === "fail") {
+        verdict = "block";
+        reason = `Pillar-8 allowlist fail: ${mismatchReason}`;
+    }
+    else if (suspicious) {
+        verdict = "quarantine";
+        reason = "args contain invisible/bidi codepoints; quarantine for human review";
+    }
+    else {
+        verdict = "approve";
+        reason = "Pillar-8 allowlist pass + no suspicious codepoints";
+    }
+    const pillar1 = process.env["MCP_RCE_GUARD_PILLAR1_FINGERPRINT"];
+    const result = {
+        verdict,
+        reason,
+        pillar8Allowlist: pillar8,
+        ...(pillar1 ? { pillar1Fingerprint: pillar1 } : {})
+    };
+    await appendAudit({
+        subprocessHandle: record.subprocessHandle,
+        serverId: record.serverId,
+        action: "audit_subprocess",
+        verdict,
+        reason,
+        meta: {
+            pillar8: pillar8,
+            suspicious,
+            profileFingerprint: record.profileFingerprint
+        }
+    });
+    return result;
+}
+//# sourceMappingURL=audit.js.map

package/dist/tools/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/tools/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,yBAAyB,EAG1B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAS9C,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAgB;IAEhB,MAAM,IAAI,GAAwB,yBAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE3E,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACpD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,MAAM,GAA0B;YACpC,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE,8BAA8B,IAAI,CAAC,gBAAgB,EAAE;YAC7D,gBAAgB,EAAE,MAAM;SACzB,CAAC;QACF,MAAM,WAAW,CAAC;YAChB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,MAAM,EAAE,kBAAkB;YAC1B,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9D,MAAM,oBAAoB,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAExD,qEAAqE;IACrE,6DAA6D;IAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAEnE,sEAAsE;IACtE,sEAAsE;IACtE,IAAI,OAAO,GAAoB,MAAM,CAAC;IACtC,IAAI,cAAc,GAAG,EAAE,CAAC;IACxB,IAAI,mBAAmB,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,EAAE,CAAC;QAC/D,OAAO,GAAG,MAAM,CAAC;QACjB,cAAc,GAAG,iCAAiC,mBAAmB,CAAC,MAAM,gBAAgB,oBAAoB,CAAC,MAAM,EAAE,CAAC;IAC5H,CAAC;SAAM,CAAC;QACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,mBAAmB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpD,IAAI,mBAAmB,CAAC,CAAC,CAAC,KAAK,oBAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,OAAO,GAAG,MAAM,CAAC;gBACjB,cAAc,GAAG,OAAO,CAAC,yBAAyB,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClJ,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAyB,CAAC;IAC9B,IAAI,MAAc,CAAC;IACnB,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO,GAAG,OAAO,CAAC;QAClB,MAAM,GAAG,4BAA4B,cAAc,EAAE,CAAC;IACxD,CAAC;SAAM,IAAI,UAAU,EAAE,CAAC;QACtB,OAAO,GAAG,YAAY,CAAC;QACvB,MAAM,GAAG,qEAAqE,CAAC;IACjF,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,SAAS,CAAC;QACpB,MAAM,GAAG,oDAAoD,CAAC;IAChE,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IAEjE,MAAM,MAAM,GAA0B;QACpC,OAAO;QACP,MAAM;QACN,gBAAgB,EAAE,OAAO;QACzB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC;IAEF,MAAM,WAAW,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,kBAAkB;QAC1B,OAAO;QACP,MAAM;QACN,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO;YAChB,UAAU;YACV,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C;KACF,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/getAuditLog.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Tool: get_audit_log
+ *
+ * Read-only access to the NDJSON audit log. Filterable by subprocessHandle,
+ * since-timestamp, and limit.
+ *
+ * Additionally emits a `staleEgressModeWarnings` array: every currently-
+ * registered subprocess that has been left in egressMode="audit-only" longer
+ * than `staleEgressModeThresholdDays` (default 7) is surfaced as a WARN.
+ * This implements the PLAN.md §Predicted-Impact §inject_egress_policy
+ * at-risk-regression-mitigation ("Reviewer-Pass im Pillar-9-Audit-Tool
+ * flaggt 'Mode: audit-only seit >7d' als WARN") so operators do not
+ * silently sit on a soft policy.
+ *
+ * Log rotation lives in audit/log.ts (auto-rotate on 100MB threshold,
+ * 10 backups, `mcp-rce-guard cleanup` CLI for manual purge).
+ */
+import { type AuditLogEntry, type StaleEgressModeWarning } from "../types.js";
+export interface GetAuditLogResult {
+    entries: AuditLogEntry[];
+    staleEgressModeWarnings: StaleEgressModeWarning[];
+}
+/**
+ * Build the staleness-WARN list. A subprocess is stale if:
+ *   - egressMode === "audit-only", AND
+ *   - now() - egressModeSetAt > thresholdDays
+ *
+ * Threshold 0 disables the check (returns empty array). Subprocesses with
+ * an unparseable egressModeSetAt are skipped silently — better to under-warn
+ * than to false-positive on a malformed timestamp.
+ */
+export declare function computeStaleEgressModeWarnings(thresholdDays: number, now?: Date): StaleEgressModeWarning[];
+export declare function getAuditLogTool(rawArgs: unknown): Promise<GetAuditLogResult>;
+//# sourceMappingURL=getAuditLog.d.ts.map

package/dist/tools/getAuditLog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAuditLog.d.ts","sourceRoot":"","sources":["../../src/tools/getAuditLog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAGL,KAAK,aAAa,EAClB,KAAK,sBAAsB,EAC5B,MAAM,aAAa,CAAC;AAIrB,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,uBAAuB,EAAE,sBAAsB,EAAE,CAAC;CACnD;AAID;;;;;;;;GAQG;AACH,wBAAgB,8BAA8B,CAC5C,aAAa,EAAE,MAAM,EACrB,GAAG,GAAE,IAAiB,GACrB,sBAAsB,EAAE,CAmB1B;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAiBlF"}

package/dist/tools/getAuditLog.js

@@ -0,0 +1,65 @@
+/**
+ * Tool: get_audit_log
+ *
+ * Read-only access to the NDJSON audit log. Filterable by subprocessHandle,
+ * since-timestamp, and limit.
+ *
+ * Additionally emits a `staleEgressModeWarnings` array: every currently-
+ * registered subprocess that has been left in egressMode="audit-only" longer
+ * than `staleEgressModeThresholdDays` (default 7) is surfaced as a WARN.
+ * This implements the PLAN.md §Predicted-Impact §inject_egress_policy
+ * at-risk-regression-mitigation ("Reviewer-Pass im Pillar-9-Audit-Tool
+ * flaggt 'Mode: audit-only seit >7d' als WARN") so operators do not
+ * silently sit on a soft policy.
+ *
+ * Log rotation lives in audit/log.ts (auto-rotate on 100MB threshold,
+ * 10 backups, `mcp-rce-guard cleanup` CLI for manual purge).
+ */
+import { GetAuditLogArgsSchema } from "../types.js";
+import { readAudit } from "../audit/log.js";
+import { listSubprocesses } from "../state.js";
+const MS_PER_DAY = 24 * 60 * 60 * 1000;
+/**
+ * Build the staleness-WARN list. A subprocess is stale if:
+ *   - egressMode === "audit-only", AND
+ *   - now() - egressModeSetAt > thresholdDays
+ *
+ * Threshold 0 disables the check (returns empty array). Subprocesses with
+ * an unparseable egressModeSetAt are skipped silently — better to under-warn
+ * than to false-positive on a malformed timestamp.
+ */
+export function computeStaleEgressModeWarnings(thresholdDays, now = new Date()) {
+    if (thresholdDays <= 0)
+        return [];
+    const warnings = [];
+    for (const sp of listSubprocesses()) {
+        if (sp.egressMode !== "audit-only")
+            continue;
+        const setAt = Date.parse(sp.egressModeSetAt);
+        if (!Number.isFinite(setAt))
+            continue;
+        const ageDays = (now.getTime() - setAt) / MS_PER_DAY;
+        if (ageDays > thresholdDays) {
+            warnings.push({
+                subprocessHandle: sp.subprocessHandle,
+                serverId: sp.serverId,
+                egressMode: sp.egressMode,
+                egressModeSetAt: sp.egressModeSetAt,
+                ageDays: Math.round(ageDays * 100) / 100
+            });
+        }
+    }
+    return warnings;
+}
+export async function getAuditLogTool(rawArgs) {
+    const args = GetAuditLogArgsSchema.parse(rawArgs);
+    const filter = { limit: args.limit };
+    if (args.subprocessHandle !== undefined)
+        filter.subprocessHandle = args.subprocessHandle;
+    if (args.since !== undefined)
+        filter.since = args.since;
+    const entries = await readAudit(filter);
+    const staleEgressModeWarnings = computeStaleEgressModeWarnings(args.staleEgressModeThresholdDays);
+    return { entries, staleEgressModeWarnings };
+}
+//# sourceMappingURL=getAuditLog.js.map

package/dist/tools/getAuditLog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAuditLog.js","sourceRoot":"","sources":["../../src/tools/getAuditLog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,qBAAqB,EAItB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAO/C,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEvC;;;;;;;;GAQG;AACH,MAAM,UAAU,8BAA8B,CAC5C,aAAqB,EACrB,MAAY,IAAI,IAAI,EAAE;IAEtB,IAAI,aAAa,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,MAAM,QAAQ,GAA6B,EAAE,CAAC;IAC9C,KAAK,MAAM,EAAE,IAAI,gBAAgB,EAAE,EAAE,CAAC;QACpC,IAAI,EAAE,CAAC,UAAU,KAAK,YAAY;YAAE,SAAS;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,SAAS;QACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,GAAG,UAAU,CAAC;QACrD,IAAI,OAAO,GAAG,aAAa,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE,CAAC,gBAAgB;gBACrC,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,eAAe,EAAE,EAAE,CAAC,eAAe;gBACnC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,GAAG;aACzC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAgB;IACpD,MAAM,IAAI,GAAoB,qBAAqB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEnE,MAAM,MAAM,GAIR,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;IAC1B,IAAI,IAAI,CAAC,gBAAgB,KAAK,SAAS;QAAE,MAAM,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;IACzF,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAExD,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,uBAAuB,GAAG,8BAA8B,CAC5D,IAAI,CAAC,4BAA4B,CAClC,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;AAC9C,CAAC"}

package/dist/tools/injectEgress.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Tool: inject_egress_policy
+ *
+ * Updates a registered subprocess's egress allowlist + mode. Destructive:
+ * modifies runtime policy. Returns applied + cumulative blocked-attempts
+ * counter (since registration).
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess kann beliebig
+ * egress → exfiltration via curl/wget/raw-socket vom kompromittierten
+ * subprocess).
+ *
+ * Mode trade-off: audit-only erlaubt Operators die Policy zu bauen ohne
+ * Production-Traffic zu brechen, aber ist eine "soft policy" — get_audit_log
+ * markiert mode prominent damit Operator nicht in audit-only haengen bleiben.
+ */
+export interface InjectEgressPolicyResult {
+    applied: boolean;
+    blockedAttempts: number;
+}
+export declare function injectEgressPolicyTool(rawArgs: unknown): Promise<InjectEgressPolicyResult>;
+//# sourceMappingURL=injectEgress.d.ts.map

package/dist/tools/injectEgress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injectEgress.d.ts","sourceRoot":"","sources":["../../src/tools/injectEgress.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AASH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,wBAAwB,CAAC,CAgCnC"}

package/dist/tools/injectEgress.js

@@ -0,0 +1,49 @@
+/**
+ * Tool: inject_egress_policy
+ *
+ * Updates a registered subprocess's egress allowlist + mode. Destructive:
+ * modifies runtime policy. Returns applied + cumulative blocked-attempts
+ * counter (since registration).
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess kann beliebig
+ * egress → exfiltration via curl/wget/raw-socket vom kompromittierten
+ * subprocess).
+ *
+ * Mode trade-off: audit-only erlaubt Operators die Policy zu bauen ohne
+ * Production-Traffic zu brechen, aber ist eine "soft policy" — get_audit_log
+ * markiert mode prominent damit Operator nicht in audit-only haengen bleiben.
+ */
+import { InjectEgressPolicyArgsSchema } from "../types.js";
+import { updateEgressPolicy, getSubprocess } from "../state.js";
+import { appendAudit } from "../audit/log.js";
+export async function injectEgressPolicyTool(rawArgs) {
+    const args = InjectEgressPolicyArgsSchema.parse(rawArgs);
+    const updated = updateEgressPolicy(args.subprocessHandle, args.allowlist, args.mode);
+    if (!updated) {
+        await appendAudit({
+            subprocessHandle: args.subprocessHandle,
+            action: "inject_egress_policy",
+            verdict: "block",
+            reason: "unknown subprocess handle"
+        });
+        return { applied: false, blockedAttempts: 0 };
+    }
+    await appendAudit({
+        subprocessHandle: updated.subprocessHandle,
+        serverId: updated.serverId,
+        action: "inject_egress_policy",
+        verdict: "approve",
+        meta: {
+            mode: updated.egressMode,
+            allowlistSize: args.allowlist.length,
+            profileFingerprint: updated.profileFingerprint
+        }
+    });
+    // Re-read counter (could have been bumped by a concurrent egress evaluator).
+    const fresh = getSubprocess(updated.subprocessHandle);
+    return {
+        applied: true,
+        blockedAttempts: fresh?.blockedEgressAttempts ?? 0
+    };
+}
+//# sourceMappingURL=injectEgress.js.map

package/dist/tools/injectEgress.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injectEgress.js","sourceRoot":"","sources":["../../src/tools/injectEgress.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EACL,4BAA4B,EAE7B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAO9C,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAgB;IAEhB,MAAM,IAAI,GAA2B,4BAA4B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjF,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACrF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,WAAW,CAAC;YAChB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,MAAM,EAAE,sBAAsB;YAC9B,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE,2BAA2B;SACpC,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;IAChD,CAAC;IAED,MAAM,WAAW,CAAC;QAChB,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;QAC1C,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,sBAAsB;QAC9B,OAAO,EAAE,SAAS;QAClB,IAAI,EAAE;YACJ,IAAI,EAAE,OAAO,CAAC,UAAU;YACxB,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;YACpC,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;SAC/C;KACF,CAAC,CAAC;IAEH,6EAA6E;IAC7E,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACtD,OAAO;QACL,OAAO,EAAE,IAAI;QACb,eAAe,EAAE,KAAK,EAAE,qBAAqB,IAAI,CAAC;KACnD,CAAC;AACJ,CAAC"}

package/dist/tools/register.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Tool: register_subprocess
+ *
+ * Registers a subprocess spec + isolation profile and returns a handle.
+ * Profile defaults are filled in from the trust tier; caller-supplied
+ * fields override the tier defaults.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert
+ * volle parent-permissions weil keine Profile-Defaults existieren).
+ */
+export interface RegisterSubprocessResult {
+    subprocessHandle: string;
+    profileFingerprint: string;
+}
+export declare function registerSubprocessTool(rawArgs: unknown): Promise<RegisterSubprocessResult>;
+//# sourceMappingURL=register.d.ts.map

package/dist/tools/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/tools/register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH,MAAM,WAAW,wBAAwB;IACvC,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,wBAAwB,CAAC,CAqCnC"}

package/dist/tools/register.js

@@ -0,0 +1,44 @@
+/**
+ * Tool: register_subprocess
+ *
+ * Registers a subprocess spec + isolation profile and returns a handle.
+ * Profile defaults are filled in from the trust tier; caller-supplied
+ * fields override the tier defaults.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert
+ * volle parent-permissions weil keine Profile-Defaults existieren).
+ */
+import { RegisterSubprocessArgsSchema } from "../types.js";
+import { resolveProfile } from "../trust-tiers.js";
+import { registerSubprocess } from "../state.js";
+import { appendAudit } from "../audit/log.js";
+import { normalizeArg, normalizeArgs } from "../normalize.js";
+export async function registerSubprocessTool(rawArgs) {
+    const args = RegisterSubprocessArgsSchema.parse(rawArgs);
+    // Pre-Publish-Audit F6: NFKC + ZWC-strip + Bidi-block on binary + args at
+    // registration time so the stored allowlist is already in canonical form.
+    // audit_subprocess normalizes the candidate args the same way; storing the
+    // canonical form here removes a fullwidth-unicode bypass class where an
+    // attacker registers a "binary" that includes invisible codepoints and
+    // later spawns a normalized lookalike that compares equal.
+    const normalizedBinary = normalizeArg(args.binary);
+    const normalizedArgs = normalizeArgs(args.args);
+    const profile = resolveProfile(args.trustTier, args.isolationProfile);
+    const record = registerSubprocess(args.serverId, normalizedBinary, normalizedArgs, args.trustTier, profile);
+    await appendAudit({
+        subprocessHandle: record.subprocessHandle,
+        serverId: record.serverId,
+        action: "register_subprocess",
+        verdict: "approve",
+        meta: {
+            binary: record.binary,
+            trustTier: record.trustTier,
+            profileFingerprint: record.profileFingerprint
+        }
+    });
+    return {
+        subprocessHandle: record.subprocessHandle,
+        profileFingerprint: record.profileFingerprint
+    };
+}
+//# sourceMappingURL=register.js.map

package/dist/tools/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/tools/register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,4BAA4B,EAE7B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAO9D,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAgB;IAEhB,MAAM,IAAI,GAA2B,4BAA4B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,wEAAwE;IACxE,uEAAuE;IACvE,2DAA2D;IAC3D,MAAM,gBAAgB,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhD,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,kBAAkB,CAC/B,IAAI,CAAC,QAAQ,EACb,gBAAgB,EAChB,cAAc,EACd,IAAI,CAAC,SAAS,EACd,OAAO,CACR,CAAC;IAEF,MAAM,WAAW,CAAC;QAChB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,SAAS;QAClB,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C;KACF,CAAC,CAAC;IAEH,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;KAC9C,CAAC;AACJ,CAAC"}

package/dist/tools/scanCve.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Tool: scan_cve_replay
+ *
+ * Runs the built-in CVE replay fixtures against a target server command.
+ * Returns overall pass/fail + per-CVE detail.
+ *
+ * Anti-Pattern provenance: alle 3 frischen 2026-CVEs (MCP-SDK-RCE
+ * 22.04.2026, CVE-2026-27124 FastMCP Confused Deputy, Nginx-MCP RCE
+ * CVSS 9.8). Predicates leben in src/cve/replay.ts und sind als
+ * behavioral predicates designed (kein exploit payload).
+ */
+import { type ReplayResult } from "../cve/replay.js";
+export declare function scanCveReplayTool(rawArgs: unknown): Promise<ReplayResult>;
+//# sourceMappingURL=scanCve.d.ts.map

package/dist/tools/scanCve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanCve.d.ts","sourceRoot":"","sources":["../../src/tools/scanCve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAa,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAGhE,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,CAgB/E"}

package/dist/tools/scanCve.js

@@ -0,0 +1,29 @@
+/**
+ * Tool: scan_cve_replay
+ *
+ * Runs the built-in CVE replay fixtures against a target server command.
+ * Returns overall pass/fail + per-CVE detail.
+ *
+ * Anti-Pattern provenance: alle 3 frischen 2026-CVEs (MCP-SDK-RCE
+ * 22.04.2026, CVE-2026-27124 FastMCP Confused Deputy, Nginx-MCP RCE
+ * CVSS 9.8). Predicates leben in src/cve/replay.ts und sind als
+ * behavioral predicates designed (kein exploit payload).
+ */
+import { ScanCveReplayArgsSchema } from "../types.js";
+import { runReplay } from "../cve/replay.js";
+import { appendAudit } from "../audit/log.js";
+export async function scanCveReplayTool(rawArgs) {
+    const args = ScanCveReplayArgsSchema.parse(rawArgs);
+    const result = runReplay(args.targetServerCommand, args.cveSet, args.timeoutMs);
+    await appendAudit({
+        subprocessHandle: "n/a",
+        action: "scan_cve_replay",
+        verdict: result.overall,
+        meta: {
+            targetServerCommand: args.targetServerCommand,
+            perCve: result.perCve.map((r) => ({ id: r.id, status: r.status }))
+        }
+    });
+    return result;
+}
+//# sourceMappingURL=scanCve.js.map

package/dist/tools/scanCve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanCve.js","sourceRoot":"","sources":["../../src/tools/scanCve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,uBAAuB,EAExB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAqB,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAgB;IACtD,MAAM,IAAI,GAAsB,uBAAuB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEvE,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAEhF,MAAM,WAAW,CAAC;QAChB,gBAAgB,EAAE,KAAK;QACvB,MAAM,EAAE,iBAAiB;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,IAAI,EAAE;YACJ,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SACnE;KACF,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/trackCanary.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Tool: track_canary
+ *
+ * Issues a canary token + registers a chain. v0.1 returns the token + a
+ * pre-evaluated leakDetected=false because actual leak detection requires
+ * the calling MCP-aware controller to feed downstream-server output back
+ * via a corpus parameter (added in v0.2).
+ *
+ * Pattern provenance: arXiv 2604.27819 (MCPHunt, April 2026) — taint
+ * tracking via canary-token injection across MCP server boundaries.
+ *
+ * Confused-Deputy defense (CVE-2026-27124): if the chain controller pipes
+ * downstream output back to detect_leaks, a leak via egress channel will
+ * be flagged.
+ */
+import { type LeakLocation } from "../canary/tracker.js";
+export interface TrackCanaryResult {
+    canaryToken: string;
+    leakDetected: boolean;
+    leakLocations: LeakLocation[];
+}
+export declare function trackCanaryTool(rawArgs: unknown): Promise<TrackCanaryResult>;
+//# sourceMappingURL=trackCanary.d.ts.map

package/dist/tools/trackCanary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trackCanary.d.ts","sourceRoot":"","sources":["../../src/tools/trackCanary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAGrE,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,OAAO,CAAC;IACtB,aAAa,EAAE,YAAY,EAAE,CAAC;CAC/B;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAgClF"}