mcp-warden 0.1.0

package/dist/security/pii-redactor.js

@@ -0,0 +1,62 @@
+/**
+ * Placeholder used when sensitive values are removed.
+ */
+export const REDACTION_TOKEN = "[REDACTED]";
+/**
+ * Finds common email address patterns.
+ */
+const EMAIL_REGEX = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi;
+/**
+ * Finds key-like secrets with common prefixes such as sk- and key-.
+ */
+const API_KEY_REGEX = /\b(?:sk|key|api|token)-[A-Z0-9_-]{8,}\b/gi;
+/**
+ * Finds IPv4 addresses and excludes impossible octets.
+ */
+const IPV4_REGEX = /\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b/g;
+/**
+ * Redacts sensitive values from a plain string.
+ */
+export function redactSensitiveText(input) {
+    let redactedCount = 0;
+    const replacer = () => {
+        redactedCount += 1;
+        return REDACTION_TOKEN;
+    };
+    let value = input.replace(EMAIL_REGEX, replacer);
+    value = value.replace(API_KEY_REGEX, replacer);
+    value = value.replace(IPV4_REGEX, replacer);
+    return {
+        value,
+        redactedCount
+    };
+}
+/**
+ * Recursively redacts sensitive content from arbitrary JSON-like payloads.
+ */
+export function redactSensitiveData(value) {
+    const seen = new WeakMap();
+    const transform = (candidate) => {
+        if (typeof candidate === "string") {
+            return redactSensitiveText(candidate).value;
+        }
+        if (Array.isArray(candidate)) {
+            return candidate.map((entry) => transform(entry));
+        }
+        if (!candidate || typeof candidate !== "object") {
+            return candidate;
+        }
+        if (seen.has(candidate)) {
+            return seen.get(candidate);
+        }
+        const inputRecord = candidate;
+        const outputRecord = {};
+        seen.set(candidate, outputRecord);
+        for (const [key, entry] of Object.entries(inputRecord)) {
+            outputRecord[key] = transform(entry);
+        }
+        return outputRecord;
+    };
+    return transform(value);
+}
+//# sourceMappingURL=pii-redactor.js.map

package/dist/security/pii-redactor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-redactor.js","sourceRoot":"","sources":["../../src/security/pii-redactor.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,YAAY,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,GAAG,6CAA6C,CAAC;AAElE;;GAEG;AACH,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAElE;;GAEG;AACH,MAAM,UAAU,GACd,sFAAsF,CAAC;AAUzF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,MAAM,QAAQ,GAAG,GAAW,EAAE;QAC5B,aAAa,IAAI,CAAC,CAAC;QACnB,OAAO,eAAe,CAAC;IACzB,CAAC,CAAC;IAEF,IAAI,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACjD,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAC/C,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAE5C,OAAO;QACL,KAAK;QACL,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAI,KAAQ;IAC7C,MAAM,IAAI,GAAG,IAAI,OAAO,EAAmB,CAAC;IAE5C,MAAM,SAAS,GAAG,CAAC,SAAkB,EAAW,EAAE;QAChD,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,OAAO,mBAAmB,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC;QAC9C,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,WAAW,GAAG,SAAoC,CAAC;QACzD,MAAM,YAAY,GAA4B,EAAE,CAAC;QACjD,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAElC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACvD,YAAY,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC,CAAC;IAEF,OAAO,SAAS,CAAC,KAAK,CAAM,CAAC;AAC/B,CAAC","sourcesContent":["/**\n * Placeholder used when sensitive values are removed.\n */\nexport const REDACTION_TOKEN = \"[REDACTED]\";\n\n/**\n * Finds common email address patterns.\n */\nconst EMAIL_REGEX = /\\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}\\b/gi;\n\n/**\n * Finds key-like secrets with common prefixes such as sk- and key-.\n */\nconst API_KEY_REGEX = /\\b(?:sk|key|api|token)-[A-Z0-9_-]{8,}\\b/gi;\n\n/**\n * Finds IPv4 addresses and excludes impossible octets.\n */\nconst IPV4_REGEX =\n  /\\b(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\b/g;\n\n/**\n * Summary of a single text redaction operation.\n */\nexport interface RedactionSummary {\n  value: string;\n  redactedCount: number;\n}\n\n/**\n * Redacts sensitive values from a plain string.\n */\nexport function redactSensitiveText(input: string): RedactionSummary {\n  let redactedCount = 0;\n\n  const replacer = (): string => {\n    redactedCount += 1;\n    return REDACTION_TOKEN;\n  };\n\n  let value = input.replace(EMAIL_REGEX, replacer);\n  value = value.replace(API_KEY_REGEX, replacer);\n  value = value.replace(IPV4_REGEX, replacer);\n\n  return {\n    value,\n    redactedCount\n  };\n}\n\n/**\n * Recursively redacts sensitive content from arbitrary JSON-like payloads.\n */\nexport function redactSensitiveData<T>(value: T): T {\n  const seen = new WeakMap<object, unknown>();\n\n  const transform = (candidate: unknown): unknown => {\n    if (typeof candidate === \"string\") {\n      return redactSensitiveText(candidate).value;\n    }\n\n    if (Array.isArray(candidate)) {\n      return candidate.map((entry) => transform(entry));\n    }\n\n    if (!candidate || typeof candidate !== \"object\") {\n      return candidate;\n    }\n\n    if (seen.has(candidate)) {\n      return seen.get(candidate);\n    }\n\n    const inputRecord = candidate as Record<string, unknown>;\n    const outputRecord: Record<string, unknown> = {};\n    seen.set(candidate, outputRecord);\n\n    for (const [key, entry] of Object.entries(inputRecord)) {\n      outputRecord[key] = transform(entry);\n    }\n\n    return outputRecord;\n  };\n\n  return transform(value) as T;\n}"]}

package/dist/security/rate-limiter.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Sliding-window limiter configuration.
+ */
+export interface RateLimiterOptions {
+    maxCallsPerMinute: number;
+}
+/**
+ * Result of evaluating a rate-limited request.
+ */
+export interface RateLimitDecision {
+    allowed: boolean;
+    retryAfterMs?: number;
+}
+/**
+ * In-memory sliding-window limiter for tool call volume.
+ */
+export declare class RateLimiter {
+    private readonly maxCallsPerMinute;
+    private readonly callTimestampsMs;
+    /**
+     * Creates a new limiter using calls per rolling minute as the quota.
+     */
+    constructor(options: RateLimiterOptions);
+    /**
+     * Checks whether a request can proceed and records it when allowed.
+     */
+    consume(now?: number): RateLimitDecision;
+    /**
+     * Returns current limiter occupancy for diagnostics and testing.
+     */
+    getCount(): number;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/security/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAE3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;IAE5C;;OAEG;gBACgB,OAAO,EAAE,kBAAkB;IAK9C;;OAEG;IACI,OAAO,CAAC,GAAG,GAAE,MAAmB,GAAG,iBAAiB;IAwB3D;;OAEG;IACI,QAAQ,IAAI,MAAM;CAG1B"}

package/dist/security/rate-limiter.js

@@ -0,0 +1,43 @@
+/**
+ * In-memory sliding-window limiter for tool call volume.
+ */
+export class RateLimiter {
+    maxCallsPerMinute;
+    callTimestampsMs;
+    /**
+     * Creates a new limiter using calls per rolling minute as the quota.
+     */
+    constructor(options) {
+        this.maxCallsPerMinute = Math.max(1, options.maxCallsPerMinute);
+        this.callTimestampsMs = [];
+    }
+    /**
+     * Checks whether a request can proceed and records it when allowed.
+     */
+    consume(now = Date.now()) {
+        const oneMinuteAgo = now - 60_000;
+        while (this.callTimestampsMs.length > 0) {
+            const head = this.callTimestampsMs[0];
+            if (head === undefined || head > oneMinuteAgo) {
+                break;
+            }
+            this.callTimestampsMs.shift();
+        }
+        if (this.callTimestampsMs.length >= this.maxCallsPerMinute) {
+            const oldest = this.callTimestampsMs[0] ?? now;
+            return {
+                allowed: false,
+                retryAfterMs: Math.max(0, 60_000 - (now - oldest))
+            };
+        }
+        this.callTimestampsMs.push(now);
+        return { allowed: true };
+    }
+    /**
+     * Returns current limiter occupancy for diagnostics and testing.
+     */
+    getCount() {
+        return this.callTimestampsMs.length;
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/security/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAeA;;GAEG;AACH,MAAM,OAAO,WAAW;IACL,iBAAiB,CAAS;IAE1B,gBAAgB,CAAW;IAE5C;;OAEG;IACH,YAAmB,OAA2B;QAC5C,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAChE,IAAI,CAAC,gBAAgB,GAAG,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACI,OAAO,CAAC,MAAc,IAAI,CAAC,GAAG,EAAE;QACrC,MAAM,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC;QAElC,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,GAAG,YAAY,EAAE,CAAC;gBAC9C,MAAM;YACR,CAAC;YAED,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;QAChC,CAAC;QAED,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;YAC/C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,CAAC;aACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACI,QAAQ;QACb,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC;IACtC,CAAC;CACF","sourcesContent":["/**\n * Sliding-window limiter configuration.\n */\nexport interface RateLimiterOptions {\n  maxCallsPerMinute: number;\n}\n\n/**\n * Result of evaluating a rate-limited request.\n */\nexport interface RateLimitDecision {\n  allowed: boolean;\n  retryAfterMs?: number;\n}\n\n/**\n * In-memory sliding-window limiter for tool call volume.\n */\nexport class RateLimiter {\n  private readonly maxCallsPerMinute: number;\n\n  private readonly callTimestampsMs: number[];\n\n  /**\n   * Creates a new limiter using calls per rolling minute as the quota.\n   */\n  public constructor(options: RateLimiterOptions) {\n    this.maxCallsPerMinute = Math.max(1, options.maxCallsPerMinute);\n    this.callTimestampsMs = [];\n  }\n\n  /**\n   * Checks whether a request can proceed and records it when allowed.\n   */\n  public consume(now: number = Date.now()): RateLimitDecision {\n    const oneMinuteAgo = now - 60_000;\n\n    while (this.callTimestampsMs.length > 0) {\n      const head = this.callTimestampsMs[0];\n      if (head === undefined || head > oneMinuteAgo) {\n        break;\n      }\n\n      this.callTimestampsMs.shift();\n    }\n\n    if (this.callTimestampsMs.length >= this.maxCallsPerMinute) {\n      const oldest = this.callTimestampsMs[0] ?? now;\n      return {\n        allowed: false,\n        retryAfterMs: Math.max(0, 60_000 - (now - oldest))\n      };\n    }\n\n    this.callTimestampsMs.push(now);\n    return { allowed: true };\n  }\n\n  /**\n   * Returns current limiter occupancy for diagnostics and testing.\n   */\n  public getCount(): number {\n    return this.callTimestampsMs.length;\n  }\n}"]}

package/dist/types/policy.d.ts

@@ -0,0 +1,94 @@
+import { z } from "zod";
+/**
+ * Enumerates the supported access modes for protected filesystem locations.
+ * - `read-only`: reads are allowed and write/delete operations are denied.
+ * - `blocked`: all access is denied.
+ */
+export declare const PathRestrictionModeSchema: z.ZodEnum<["read-only", "blocked"]>;
+/**
+ * Declares a protected filesystem path and the enforcement mode applied to it.
+ */
+export declare const PathRestrictionSchema: z.ZodObject<{
+    /**
+     * Directory path to protect. Absolute paths are recommended for reliability.
+     */
+    path: z.ZodString;
+    /**
+     * Restriction mode for the directory.
+     */
+    mode: z.ZodEnum<["read-only", "blocked"]>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    mode: "read-only" | "blocked";
+}, {
+    path: string;
+    mode: "read-only" | "blocked";
+}>;
+/**
+ * Rule that identifies which tools are allowed by policy.
+ * - A string value matches a specific tool name.
+ * - A regular expression supports pattern-based matching.
+ */
+export declare const ToolRuleSchema: z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>]>;
+/**
+ * Defines the complete guardian policy used to authorize and throttle tool calls.
+ */
+export declare const GuardianPolicySchema: z.ZodObject<{
+    /**
+     * Tools that an agent is allowed to execute.
+     * Supports exact matches and regex-based matching.
+     */
+    allowedTools: z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>]>, "many">;
+    /**
+     * Filesystem directories with explicit read-only or blocked behavior.
+     */
+    restrictedPaths: z.ZodArray<z.ZodObject<{
+        /**
+         * Directory path to protect. Absolute paths are recommended for reliability.
+         */
+        path: z.ZodString;
+        /**
+         * Restriction mode for the directory.
+         */
+        mode: z.ZodEnum<["read-only", "blocked"]>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        mode: "read-only" | "blocked";
+    }, {
+        path: string;
+        mode: "read-only" | "blocked";
+    }>, "many">;
+    /**
+     * Maximum number of tool calls allowed in a rolling one-minute window.
+     */
+    maxCallsPerMinute: z.ZodNumber;
+    /**
+     * If true, destructive actions (for example: delete/write) require explicit approval.
+     */
+    approvalRequired: z.ZodBoolean;
+}, "strip", z.ZodTypeAny, {
+    allowedTools: (string | RegExp)[];
+    restrictedPaths: {
+        path: string;
+        mode: "read-only" | "blocked";
+    }[];
+    maxCallsPerMinute: number;
+    approvalRequired: boolean;
+}, {
+    allowedTools: (string | RegExp)[];
+    restrictedPaths: {
+        path: string;
+        mode: "read-only" | "blocked";
+    }[];
+    maxCallsPerMinute: number;
+    approvalRequired: boolean;
+}>;
+/**
+ * Type-safe representation of a single path restriction entry.
+ */
+export type PathRestriction = z.infer<typeof PathRestrictionSchema>;
+/**
+ * Type-safe representation of the guardian policy payload.
+ */
+export type GuardianPolicy = z.infer<typeof GuardianPolicySchema>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/types/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/types/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,qCAAmC,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,qBAAqB;IAChC;;OAEG;;IAEH;;OAEG;;;;;;;;EAEH,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,cAAc,oEAAqD,CAAC;AAEjF;;GAEG;AACH,eAAO,MAAM,oBAAoB;IAC/B;;;OAGG;;IAGH;;OAEG;;QA7BH;;WAEG;;QAEH;;WAEG;;;;;;;;;IA0BH;;OAEG;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;EAEH,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC"}

package/dist/types/policy.js

@@ -0,0 +1,49 @@
+import { z } from "zod";
+/**
+ * Enumerates the supported access modes for protected filesystem locations.
+ * - `read-only`: reads are allowed and write/delete operations are denied.
+ * - `blocked`: all access is denied.
+ */
+export const PathRestrictionModeSchema = z.enum(["read-only", "blocked"]);
+/**
+ * Declares a protected filesystem path and the enforcement mode applied to it.
+ */
+export const PathRestrictionSchema = z.object({
+    /**
+     * Directory path to protect. Absolute paths are recommended for reliability.
+     */
+    path: z.string().min(1, "path cannot be empty"),
+    /**
+     * Restriction mode for the directory.
+     */
+    mode: PathRestrictionModeSchema
+});
+/**
+ * Rule that identifies which tools are allowed by policy.
+ * - A string value matches a specific tool name.
+ * - A regular expression supports pattern-based matching.
+ */
+export const ToolRuleSchema = z.union([z.string().min(1), z.instanceof(RegExp)]);
+/**
+ * Defines the complete guardian policy used to authorize and throttle tool calls.
+ */
+export const GuardianPolicySchema = z.object({
+    /**
+     * Tools that an agent is allowed to execute.
+     * Supports exact matches and regex-based matching.
+     */
+    allowedTools: z.array(ToolRuleSchema).min(1, "at least one tool rule is required"),
+    /**
+     * Filesystem directories with explicit read-only or blocked behavior.
+     */
+    restrictedPaths: z.array(PathRestrictionSchema),
+    /**
+     * Maximum number of tool calls allowed in a rolling one-minute window.
+     */
+    maxCallsPerMinute: z.number().int().positive(),
+    /**
+     * If true, destructive actions (for example: delete/write) require explicit approval.
+     */
+    approvalRequired: z.boolean()
+});
+//# sourceMappingURL=policy.js.map

package/dist/types/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/types/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAE1E;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C;;OAEG;IACH,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;IAC/C;;OAEG;IACH,IAAI,EAAE,yBAAyB;CAChC,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAEjF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C;;;OAGG;IACH,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,oCAAoC,CAAC;IAElF;;OAEG;IACH,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC;IAE/C;;OAEG;IACH,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAE9C;;OAEG;IACH,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE;CAC9B,CAAC,CAAC","sourcesContent":["import { z } from \"zod\";\n\n/**\n * Enumerates the supported access modes for protected filesystem locations.\n * - `read-only`: reads are allowed and write/delete operations are denied.\n * - `blocked`: all access is denied.\n */\nexport const PathRestrictionModeSchema = z.enum([\"read-only\", \"blocked\"]);\n\n/**\n * Declares a protected filesystem path and the enforcement mode applied to it.\n */\nexport const PathRestrictionSchema = z.object({\n  /**\n   * Directory path to protect. Absolute paths are recommended for reliability.\n   */\n  path: z.string().min(1, \"path cannot be empty\"),\n  /**\n   * Restriction mode for the directory.\n   */\n  mode: PathRestrictionModeSchema\n});\n\n/**\n * Rule that identifies which tools are allowed by policy.\n * - A string value matches a specific tool name.\n * - A regular expression supports pattern-based matching.\n */\nexport const ToolRuleSchema = z.union([z.string().min(1), z.instanceof(RegExp)]);\n\n/**\n * Defines the complete guardian policy used to authorize and throttle tool calls.\n */\nexport const GuardianPolicySchema = z.object({\n  /**\n   * Tools that an agent is allowed to execute.\n   * Supports exact matches and regex-based matching.\n   */\n  allowedTools: z.array(ToolRuleSchema).min(1, \"at least one tool rule is required\"),\n\n  /**\n   * Filesystem directories with explicit read-only or blocked behavior.\n   */\n  restrictedPaths: z.array(PathRestrictionSchema),\n\n  /**\n   * Maximum number of tool calls allowed in a rolling one-minute window.\n   */\n  maxCallsPerMinute: z.number().int().positive(),\n\n  /**\n   * If true, destructive actions (for example: delete/write) require explicit approval.\n   */\n  approvalRequired: z.boolean()\n});\n\n/**\n * Type-safe representation of a single path restriction entry.\n */\nexport type PathRestriction = z.infer<typeof PathRestrictionSchema>;\n\n/**\n * Type-safe representation of the guardian policy payload.\n */\nexport type GuardianPolicy = z.infer<typeof GuardianPolicySchema>;\n"]}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "mcp-warden",
+  "version": "0.1.0",
+  "description": "Policy enforcement and guardrails for MCP-compatible tool execution.",
+  "type": "module",
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "mcp-warden": "dist/cli/index.js"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc --noEmit -p tsconfig.json",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "keywords": [
+    "mcp",
+    "guardian",
+    "policy",
+    "security"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "chalk": "^5.6.0",
+    "commander": "^14.0.1",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@types/node": "^24.0.0",
+    "typescript": "^5.8.3",
+    "vitest": "^3.1.4"
+  }
+}