mcp-rce-guard 0.1.0

package/dist/tools/trackCanary.js

@@ -0,0 +1,44 @@
+/**
+ * Tool: track_canary
+ *
+ * Issues a canary token + registers a chain. v0.1 returns the token + a
+ * pre-evaluated leakDetected=false because actual leak detection requires
+ * the calling MCP-aware controller to feed downstream-server output back
+ * via a corpus parameter (added in v0.2).
+ *
+ * Pattern provenance: arXiv 2604.27819 (MCPHunt, April 2026) — taint
+ * tracking via canary-token injection across MCP server boundaries.
+ *
+ * Confused-Deputy defense (CVE-2026-27124): if the chain controller pipes
+ * downstream output back to detect_leaks, a leak via egress channel will
+ * be flagged.
+ */
+import { TrackCanaryArgsSchema } from "../types.js";
+import { registerCanaryChain } from "../state.js";
+import { makeCanary } from "../canary/tracker.js";
+import { appendAudit } from "../audit/log.js";
+export async function trackCanaryTool(rawArgs) {
+    const args = TrackCanaryArgsSchema.parse(rawArgs);
+    const { token, pattern } = makeCanary(args.canaryPattern);
+    registerCanaryChain(args.chainId, args.sourceServerId, args.downstreamServerIds, pattern, token);
+    // v0.1: leak detection requires a separate corpus feed; here we always
+    // return false at registration time. The library export `detectLeaks`
+    // is the entry-point for callers that want to scan their own corpus.
+    await appendAudit({
+        subprocessHandle: "n/a",
+        action: "track_canary",
+        verdict: "approve",
+        serverId: args.sourceServerId,
+        meta: {
+            chainId: args.chainId,
+            downstreamServerIds: args.downstreamServerIds,
+            tokenPrefix: token.slice(0, 24)
+        }
+    });
+    return {
+        canaryToken: token,
+        leakDetected: false,
+        leakLocations: []
+    };
+}
+//# sourceMappingURL=trackCanary.js.map

package/dist/tools/trackCanary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trackCanary.js","sourceRoot":"","sources":["../../src/tools/trackCanary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EACL,qBAAqB,EAEtB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAqB,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAQ9C,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAgB;IACpD,MAAM,IAAI,GAAoB,qBAAqB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEnE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1D,mBAAmB,CACjB,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,cAAc,EACnB,IAAI,CAAC,mBAAmB,EACxB,OAAO,EACP,KAAK,CACN,CAAC;IAEF,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,MAAM,WAAW,CAAC;QAChB,gBAAgB,EAAE,KAAK;QACvB,MAAM,EAAE,cAAc;QACtB,OAAO,EAAE,SAAS;QAClB,QAAQ,EAAE,IAAI,CAAC,cAAc;QAC7B,IAAI,EAAE;YACJ,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SAChC;KACF,CAAC,CAAC;IAEH,OAAO;QACL,WAAW,EAAE,KAAK;QAClB,YAAY,EAAE,KAAK;QACnB,aAAa,EAAE,EAAE;KAClB,CAAC;AACJ,CAAC"}

package/dist/trust-tiers.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Trust-Tier defaults for register_subprocess.
+ *
+ * Each tier defines a sensible isolation profile so callers can register
+ * a subprocess with minimal config. Profiles are intentionally conservative
+ * — escalation requires explicit per-field overrides.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert
+ * volle parent-permissions weil keine Profile-Defaults existieren).
+ */
+import type { IsolationProfile } from "./types.js";
+export type TrustTier = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+export declare const TRUST_TIER_DEFAULTS: Record<TrustTier, IsolationProfile>;
+/**
+ * Merge a partial profile onto a tier default. Caller-supplied fields win.
+ */
+export declare function resolveProfile(tier: TrustTier, override: Partial<IsolationProfile>): IsolationProfile;
+//# sourceMappingURL=trust-tiers.d.ts.map

package/dist/trust-tiers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-tiers.d.ts","sourceRoot":"","sources":["../src/trust-tiers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,SAAS,EAAE,gBAAgB,CA+CnE,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAClC,gBAAgB,CAUlB"}

package/dist/trust-tiers.js

@@ -0,0 +1,73 @@
+/**
+ * Trust-Tier defaults for register_subprocess.
+ *
+ * Each tier defines a sensible isolation profile so callers can register
+ * a subprocess with minimal config. Profiles are intentionally conservative
+ * — escalation requires explicit per-field overrides.
+ *
+ * Anti-Pattern provenance: Nginx-MCP RCE CVSS 9.8 (subprocess inheritert
+ * volle parent-permissions weil keine Profile-Defaults existieren).
+ */
+export const TRUST_TIER_DEFAULTS = {
+    /**
+     * LOW = highest isolation. For unverified third-party MCP tools.
+     * Read-only fs, tiny scratch, no egress, hard CPU/mem caps.
+     */
+    LOW: {
+        fsReadOnly: ["/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc"],
+        fsWritable: [],
+        cpuMs: 5_000,
+        memMB: 128,
+        pidMax: 32,
+        egressAllowlist: []
+    },
+    /**
+     * MEDIUM = medium isolation. For first-party tools that need light egress.
+     */
+    MEDIUM: {
+        fsReadOnly: ["/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc"],
+        fsWritable: [],
+        cpuMs: 30_000,
+        memMB: 512,
+        pidMax: 128,
+        egressAllowlist: ["api.anthropic.com:443", "api.openai.com:443"]
+    },
+    /**
+     * HIGH = relaxed isolation. For tools that need broader egress + larger budgets.
+     */
+    HIGH: {
+        fsReadOnly: ["/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc"],
+        fsWritable: [],
+        cpuMs: 120_000,
+        memMB: 2048,
+        pidMax: 512,
+        egressAllowlist: ["api.anthropic.com:443", "api.openai.com:443", "github.com:443"]
+    },
+    /**
+     * CRITICAL = minimum isolation. Audit-only egress (still default-deny on caps).
+     * Use only for fully-trusted first-party tools that need broad system access.
+     */
+    CRITICAL: {
+        fsReadOnly: [],
+        fsWritable: [],
+        cpuMs: 600_000,
+        memMB: 8192,
+        pidMax: 2048,
+        egressAllowlist: ["*"]
+    }
+};
+/**
+ * Merge a partial profile onto a tier default. Caller-supplied fields win.
+ */
+export function resolveProfile(tier, override) {
+    const base = TRUST_TIER_DEFAULTS[tier];
+    return {
+        fsReadOnly: override.fsReadOnly ?? base.fsReadOnly,
+        fsWritable: override.fsWritable ?? base.fsWritable,
+        cpuMs: override.cpuMs ?? base.cpuMs,
+        memMB: override.memMB ?? base.memMB,
+        pidMax: override.pidMax ?? base.pidMax,
+        egressAllowlist: override.egressAllowlist ?? base.egressAllowlist
+    };
+}
+//# sourceMappingURL=trust-tiers.js.map

package/dist/trust-tiers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-tiers.js","sourceRoot":"","sources":["../src/trust-tiers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,MAAM,CAAC,MAAM,mBAAmB,GAAwC;IACtE;;;OAGG;IACH,GAAG,EAAE;QACH,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC/D,UAAU,EAAE,EAAE;QACd,KAAK,EAAE,KAAK;QACZ,KAAK,EAAE,GAAG;QACV,MAAM,EAAE,EAAE;QACV,eAAe,EAAE,EAAE;KACpB;IACD;;OAEG;IACH,MAAM,EAAE;QACN,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC/D,UAAU,EAAE,EAAE;QACd,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,GAAG;QACV,MAAM,EAAE,GAAG;QACX,eAAe,EAAE,CAAC,uBAAuB,EAAE,oBAAoB,CAAC;KACjE;IACD;;OAEG;IACH,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC/D,UAAU,EAAE,EAAE;QACd,KAAK,EAAE,OAAO;QACd,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,GAAG;QACX,eAAe,EAAE,CAAC,uBAAuB,EAAE,oBAAoB,EAAE,gBAAgB,CAAC;KACnF;IACD;;;OAGG;IACH,QAAQ,EAAE;QACR,UAAU,EAAE,EAAE;QACd,UAAU,EAAE,EAAE;QACd,KAAK,EAAE,OAAO;QACd,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,eAAe,EAAE,CAAC,GAAG,CAAC;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAe,EACf,QAAmC;IAEnC,MAAM,IAAI,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO;QACL,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU;QAClD,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU;QAClD,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;QACnC,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;QACnC,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM;QACtC,eAAe,EAAE,QAAQ,CAAC,eAAe,IAAI,IAAI,CAAC,eAAe;KAClE,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,187 @@
+/**
+ * Shared types + Zod schemas for mcp-rce-guard tools.
+ */
+import { z } from "zod";
+/**
+ * Isolation profile applied to a subprocess at register_subprocess time.
+ * Field semantics are platform-dependent — see src/isolation/{landlock,sandbox-exec,cgroups}.ts
+ * for how each field is realized on Linux + macOS.
+ */
+export interface IsolationProfile {
+    /** Read-only filesystem roots the subprocess may traverse. */
+    fsReadOnly: string[];
+    /** Writable scratch directories (typically per-spawn ephemeral). */
+    fsWritable: string[];
+    /** CPU time cap in milliseconds. Soft cap, enforced via cgroups-v2 cpu.max on Linux. */
+    cpuMs?: number;
+    /** RSS cap in megabytes. Hard cap, enforced via cgroups-v2 memory.max on Linux. */
+    memMB?: number;
+    /** Max child PIDs. Hard cap, enforced via cgroups-v2 pids.max on Linux. */
+    pidMax?: number;
+    /**
+     * Network egress allowlist as host:port pairs. "*" allows all (audit-only).
+     * Default-deny: empty array blocks all egress.
+     */
+    egressAllowlist: string[];
+}
+export declare const IsolationProfileSchema: z.ZodObject<{
+    fsReadOnly: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    fsWritable: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    cpuMs: z.ZodOptional<z.ZodNumber>;
+    memMB: z.ZodOptional<z.ZodNumber>;
+    pidMax: z.ZodOptional<z.ZodNumber>;
+    egressAllowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export declare const TrustTierSchema: z.ZodEnum<{
+    LOW: "LOW";
+    MEDIUM: "MEDIUM";
+    HIGH: "HIGH";
+    CRITICAL: "CRITICAL";
+}>;
+/**
+ * Args for register_subprocess.
+ */
+export declare const RegisterSubprocessArgsSchema: z.ZodObject<{
+    serverId: z.ZodString;
+    binary: z.ZodString;
+    args: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    trustTier: z.ZodEnum<{
+        LOW: "LOW";
+        MEDIUM: "MEDIUM";
+        HIGH: "HIGH";
+        CRITICAL: "CRITICAL";
+    }>;
+    isolationProfile: z.ZodDefault<z.ZodObject<{
+        fsReadOnly: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+        fsWritable: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+        cpuMs: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+        memMB: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+        pidMax: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+        egressAllowlist: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString>>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type RegisterSubprocessArgs = z.infer<typeof RegisterSubprocessArgsSchema>;
+/**
+ * Args for audit_subprocess.
+ */
+export declare const AuditSubprocessArgsSchema: z.ZodObject<{
+    subprocessHandle: z.ZodString;
+    requestedArgs: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type AuditSubprocessArgs = z.infer<typeof AuditSubprocessArgsSchema>;
+export declare const AuditVerdict: z.ZodEnum<{
+    approve: "approve";
+    block: "block";
+    quarantine: "quarantine";
+}>;
+export type AuditVerdictType = z.infer<typeof AuditVerdict>;
+/**
+ * Args for scan_cve_replay.
+ */
+export declare const CveIdSchema: z.ZodEnum<{
+    "mcp-sdk-rce-2026-04-22": "mcp-sdk-rce-2026-04-22";
+    "cve-2026-27124": "cve-2026-27124";
+    "nginx-mcp-rce-9.8": "nginx-mcp-rce-9.8";
+}>;
+export type CveId = z.infer<typeof CveIdSchema>;
+export declare const ScanCveReplayArgsSchema: z.ZodObject<{
+    targetServerCommand: z.ZodString;
+    cveSet: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+        "mcp-sdk-rce-2026-04-22": "mcp-sdk-rce-2026-04-22";
+        "cve-2026-27124": "cve-2026-27124";
+        "nginx-mcp-rce-9.8": "nginx-mcp-rce-9.8";
+    }>>>;
+    timeoutMs: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type ScanCveReplayArgs = z.infer<typeof ScanCveReplayArgsSchema>;
+/**
+ * Args for track_canary.
+ */
+export declare const TrackCanaryArgsSchema: z.ZodObject<{
+    chainId: z.ZodString;
+    sourceServerId: z.ZodString;
+    downstreamServerIds: z.ZodArray<z.ZodString>;
+    canaryPattern: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type TrackCanaryArgs = z.infer<typeof TrackCanaryArgsSchema>;
+/**
+ * Args for inject_egress_policy.
+ */
+export declare const EgressModeSchema: z.ZodEnum<{
+    "default-deny": "default-deny";
+    "audit-only": "audit-only";
+}>;
+export type EgressMode = z.infer<typeof EgressModeSchema>;
+export declare const InjectEgressPolicyArgsSchema: z.ZodObject<{
+    subprocessHandle: z.ZodString;
+    allowlist: z.ZodArray<z.ZodString>;
+    mode: z.ZodEnum<{
+        "default-deny": "default-deny";
+        "audit-only": "audit-only";
+    }>;
+}, z.core.$strip>;
+export type InjectEgressPolicyArgs = z.infer<typeof InjectEgressPolicyArgsSchema>;
+/**
+ * Args for get_audit_log.
+ *
+ * `staleEgressModeThresholdDays` (default 7) drives the audit-only-staleness
+ * WARN list — see PLAN.md §Predicted-Impact §inject_egress_policy
+ * at-risk-regression-mitigation. Operators can lower the threshold for
+ * stricter staleness or set it to 0 to disable the check.
+ */
+export declare const GetAuditLogArgsSchema: z.ZodObject<{
+    subprocessHandle: z.ZodOptional<z.ZodString>;
+    since: z.ZodOptional<z.ZodString>;
+    limit: z.ZodDefault<z.ZodNumber>;
+    staleEgressModeThresholdDays: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type GetAuditLogArgs = z.infer<typeof GetAuditLogArgsSchema>;
+/**
+ * One entry in the get_audit_log staleness-WARN list. Emitted when a
+ * registered subprocess has been left in egressMode="audit-only" longer
+ * than `staleEgressModeThresholdDays`. See PLAN.md §Predicted-Impact
+ * §inject_egress_policy.
+ */
+export interface StaleEgressModeWarning {
+    subprocessHandle: string;
+    serverId: string;
+    egressMode: EgressMode;
+    egressModeSetAt: string;
+    ageDays: number;
+}
+/**
+ * Audit-log entry shape (NDJSON line in ~/.mcp-rce-guard/audit.log).
+ */
+export interface AuditLogEntry {
+    ts: string;
+    subprocessHandle: string;
+    action: string;
+    verdict: string;
+    serverId?: string;
+    reason?: string;
+    meta?: Record<string, unknown>;
+}
+/**
+ * Internal subprocess registry record.
+ */
+export interface RegisteredSubprocess {
+    subprocessHandle: string;
+    serverId: string;
+    binary: string;
+    args: string[];
+    trustTier: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+    profile: IsolationProfile;
+    profileFingerprint: string;
+    /** Active egress mode after inject_egress_policy. Defaults to default-deny. */
+    egressMode: EgressMode;
+    /**
+     * ISO timestamp of the last egress-mode transition. Initialised to
+     * registeredAt and bumped on every inject_egress_policy that successfully
+     * applies. Drives the audit-only-staleness WARN in get_audit_log.
+     */
+    egressModeSetAt: string;
+    /** Tracked blocked-egress attempts since policy injection. */
+    blockedEgressAttempts: number;
+    registeredAt: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8DAA8D;IAC9D,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,oEAAoE;IACpE,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,wFAAwF;IACxF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,eAAO,MAAM,sBAAsB;;;;;;;iBAOjC,CAAC;AAEH,eAAO,MAAM,eAAe;;;;;EAAgD,CAAC;AAE7E;;GAEG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;iBAMvC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAElF;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;iBAGpC,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,YAAY;;;;EAA6C,CAAC;AACvE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAE5D;;GAEG;AACH,eAAO,MAAM,WAAW;;;;EAItB,CAAC;AACH,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEhD,eAAO,MAAM,uBAAuB;;;;;;;;iBAIlC,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;iBAKhC,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;EAAyC,CAAC;AACvE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,eAAO,MAAM,4BAA4B;;;;;;;iBAIvC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAElF;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB;;;;;iBAUhC,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,gBAAgB,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,OAAO,EAAE,gBAAgB,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,+EAA+E;IAC/E,UAAU,EAAE,UAAU,CAAC;IACvB;;;;OAIG;IACH,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,qBAAqB,EAAE,MAAM,CAAC;IAC9B,YAAY,EAAE,MAAM,CAAC;CACtB"}

package/dist/types.js

@@ -0,0 +1,82 @@
+/**
+ * Shared types + Zod schemas for mcp-rce-guard tools.
+ */
+import { z } from "zod";
+export const IsolationProfileSchema = z.object({
+    fsReadOnly: z.array(z.string()).default([]),
+    fsWritable: z.array(z.string()).default([]),
+    cpuMs: z.number().int().positive().optional(),
+    memMB: z.number().int().positive().optional(),
+    pidMax: z.number().int().positive().optional(),
+    egressAllowlist: z.array(z.string()).default([])
+});
+export const TrustTierSchema = z.enum(["LOW", "MEDIUM", "HIGH", "CRITICAL"]);
+/**
+ * Args for register_subprocess.
+ */
+export const RegisterSubprocessArgsSchema = z.object({
+    serverId: z.string().min(1).max(200),
+    binary: z.string().min(1).max(1000),
+    args: z.array(z.string().max(4000)).max(256).default([]),
+    trustTier: TrustTierSchema,
+    isolationProfile: IsolationProfileSchema.partial().default({})
+});
+/**
+ * Args for audit_subprocess.
+ */
+export const AuditSubprocessArgsSchema = z.object({
+    subprocessHandle: z.string().min(1),
+    requestedArgs: z.array(z.string().max(4000)).max(256)
+});
+export const AuditVerdict = z.enum(["approve", "block", "quarantine"]);
+/**
+ * Args for scan_cve_replay.
+ */
+export const CveIdSchema = z.enum([
+    "mcp-sdk-rce-2026-04-22",
+    "cve-2026-27124",
+    "nginx-mcp-rce-9.8"
+]);
+export const ScanCveReplayArgsSchema = z.object({
+    targetServerCommand: z.string().min(1).max(2000),
+    cveSet: z.array(CveIdSchema).min(1).max(16).optional(),
+    timeoutMs: z.number().int().positive().max(300_000).default(30_000)
+});
+/**
+ * Args for track_canary.
+ */
+export const TrackCanaryArgsSchema = z.object({
+    chainId: z.string().min(1).max(200),
+    sourceServerId: z.string().min(1).max(200),
+    downstreamServerIds: z.array(z.string().min(1).max(200)).min(1).max(32),
+    canaryPattern: z.string().min(8).max(256).optional()
+});
+/**
+ * Args for inject_egress_policy.
+ */
+export const EgressModeSchema = z.enum(["default-deny", "audit-only"]);
+export const InjectEgressPolicyArgsSchema = z.object({
+    subprocessHandle: z.string().min(1),
+    allowlist: z.array(z.string().min(1).max(500)).max(256),
+    mode: EgressModeSchema
+});
+/**
+ * Args for get_audit_log.
+ *
+ * `staleEgressModeThresholdDays` (default 7) drives the audit-only-staleness
+ * WARN list — see PLAN.md §Predicted-Impact §inject_egress_policy
+ * at-risk-regression-mitigation. Operators can lower the threshold for
+ * stricter staleness or set it to 0 to disable the check.
+ */
+export const GetAuditLogArgsSchema = z.object({
+    subprocessHandle: z.string().min(1).optional(),
+    since: z.string().datetime().optional(),
+    limit: z.number().int().positive().max(10_000).default(100),
+    staleEgressModeThresholdDays: z
+        .number()
+        .int()
+        .min(0)
+        .max(365)
+        .default(7)
+});
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAyBxB,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7C,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC9C,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACjD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AAE7E;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACpC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxD,SAAS,EAAE,eAAe;IAC1B,gBAAgB,EAAE,sBAAsB,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/D,CAAC,CAAC;AAGH;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;CACtD,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;AAGvE;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC;IAChC,wBAAwB;IACxB,gBAAgB;IAChB,mBAAmB;CACpB,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAChD,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;CACpE,CAAC,CAAC;AAGH;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACnC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAC1C,mBAAmB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IACvE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAGH;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC,CAAC;AAGvE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACvD,IAAI,EAAE,gBAAgB;CACvB,CAAC,CAAC;AAGH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC9C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC3D,4BAA4B,EAAE,CAAC;SAC5B,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,OAAO,CAAC,CAAC,CAAC;CACd,CAAC,CAAC"}

package/dist/version.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Read the version from package.json at runtime so tests + server + CLI
+ * never drift from the actual published version.
+ */
+export declare const NAME: string;
+export declare const VERSION: string;
+//# sourceMappingURL=version.d.ts.map

package/dist/version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAiBH,eAAO,MAAM,IAAI,QAAW,CAAC;AAC7B,eAAO,MAAM,OAAO,QAAc,CAAC"}

package/dist/version.js

@@ -0,0 +1,14 @@
+/**
+ * Read the version from package.json at runtime so tests + server + CLI
+ * never drift from the actual published version.
+ */
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+const here = dirname(fileURLToPath(import.meta.url));
+// dist/version.js -> ../package.json
+const pkgPath = join(here, "..", "package.json");
+const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+export const NAME = pkg.name;
+export const VERSION = pkg.version;
+//# sourceMappingURL=version.js.map

package/dist/version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,qCAAqC;AACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;AAOjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAY,CAAC;AAEjE,MAAM,CAAC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;AAC7B,MAAM,CAAC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC"}

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "mcp-rce-guard",
+  "version": "0.1.0",
+  "description": "v0.1 policy-synthesis (descriptor-only) for MCP-server RCE defense: landlock/sandbox-exec/cgroups-v2 profile builder + CVE-replay predicates + canary tracker + append-only NDJSON audit log. v0.2 adds native enforcement + verified Acra-pattern audit-log signing.",
+  "license": "MIT",
+  "author": "Matthias Meyer (StudioMeyer)",
+  "type": "module",
+  "main": "./dist/server.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    },
+    "./normalize": {
+      "types": "./dist/normalize.d.ts",
+      "import": "./dist/normalize.js"
+    }
+  },
+  "bin": {
+    "mcp-rce-guard": "./dist/cli.js",
+    "mcp-rce-guard-server": "./dist/server.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json && node scripts/post-build.js",
+    "prepack": "npm run build",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "security",
+    "sandbox",
+    "rce",
+    "landlock",
+    "cve",
+    "isolation",
+    "canary",
+    "policy-synthesizer"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/studiomeyer-io/mcp-rce-guard.git"
+  },
+  "homepage": "https://github.com/studiomeyer-io/mcp-rce-guard#readme",
+  "bugs": {
+    "url": "https://github.com/studiomeyer-io/mcp-rce-guard/issues"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "commander": "^14.0.3",
+    "execa": "^9.6.1",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@types/node": "^25.6.2",
+    "tsup": "^8.5.1",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}