mcpwall 0.1.0

package/dist/index.js

@@ -0,0 +1,1106 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { program } from "commander";
+import { createRequire } from "module";
+
+// src/config/loader.ts
+import { readFile } from "fs/promises";
+import { homedir } from "os";
+import { join, resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { parse as parseYaml } from "yaml";
+
+// src/config/schema.ts
+import { z } from "zod";
+function hasReDoSRisk(pattern) {
+  const nestedQuantifier = /\([^)]*[+*][^)]*\)[+*{]/;
+  if (nestedQuantifier.test(pattern)) {
+    return true;
+  }
+  const quantifiedAlternation = /\([^)]*\|[^)]*\)[+*]{1,2}/;
+  if (quantifiedAlternation.test(pattern)) {
+    return true;
+  }
+  return false;
+}
+var validRegex = z.string().refine(
+  (val) => {
+    try {
+      new RegExp(val);
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  (val) => ({ message: `Invalid regex: "${val}"` })
+).refine(
+  (val) => !hasReDoSRisk(val),
+  (val) => ({ message: `Potentially unsafe regex (ReDoS risk): "${val}" \u2014 avoid nested quantifiers like (a+)+` })
+);
+var secretPatternSchema = z.object({
+  name: z.string(),
+  regex: validRegex,
+  entropy_threshold: z.number().optional()
+});
+var argumentMatcherSchema = z.object({
+  pattern: z.string().optional(),
+  regex: validRegex.optional(),
+  not_under: z.string().optional(),
+  secrets: z.boolean().optional()
+});
+var ruleSchema = z.object({
+  name: z.string(),
+  match: z.object({
+    method: z.string().optional(),
+    tool: z.string().optional(),
+    arguments: z.record(z.string(), argumentMatcherSchema).optional()
+  }),
+  action: z.enum(["allow", "deny", "ask"]),
+  message: z.string().optional()
+});
+var configSchema = z.object({
+  version: z.number(),
+  settings: z.object({
+    log_dir: z.string(),
+    log_level: z.enum(["debug", "info", "warn", "error"]),
+    default_action: z.enum(["allow", "deny", "ask"]),
+    log_args: z.enum(["full", "none"]).optional()
+  }),
+  rules: z.array(ruleSchema),
+  secrets: z.object({
+    patterns: z.array(secretPatternSchema)
+  }).optional()
+});
+function parseConfig(raw) {
+  return configSchema.parse(raw);
+}
+
+// src/config/defaults.ts
+var DEFAULT_SECRET_PATTERNS = [
+  {
+    name: "aws-access-key",
+    regex: "AKIA[0-9A-Z]{16}"
+  },
+  {
+    name: "aws-secret-key",
+    regex: "[A-Za-z0-9/+=]{40}",
+    entropy_threshold: 4.5
+  },
+  {
+    name: "github-token",
+    regex: "(gh[ps]_[A-Za-z0-9_]{36,}|github_pat_[A-Za-z0-9_]{22,})"
+  },
+  {
+    name: "openai-key",
+    regex: "sk-[A-Za-z0-9]{20,}"
+  },
+  {
+    name: "anthropic-key",
+    regex: "sk-ant-[A-Za-z0-9-]{20,}"
+  },
+  {
+    name: "stripe-key",
+    regex: "(sk|pk|rk)_(test|live)_[A-Za-z0-9]{24,}"
+  },
+  {
+    name: "private-key-header",
+    regex: "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
+  },
+  {
+    name: "jwt-token",
+    regex: "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}"
+  },
+  {
+    name: "slack-token",
+    regex: "xox[bpoas]-[A-Za-z0-9-]+"
+  },
+  {
+    name: "database-url",
+    regex: "(postgres|mysql|mongodb|redis)://[^\\s]+"
+  }
+];
+var DEFAULT_RULES = [
+  {
+    name: "block-ssh-keys",
+    match: { method: "tools/call", tool: "*", arguments: { _any_value: { regex: "(\\.ssh/|id_rsa|id_ed25519)" } } },
+    action: "deny",
+    message: "Blocked: access to SSH keys"
+  },
+  {
+    name: "block-env-files",
+    match: { method: "tools/call", tool: "*", arguments: { _any_value: { regex: "(\\.env(\\.local|\\.prod|\\.dev)?$|\\.env/)" } } },
+    action: "deny",
+    message: "Blocked: access to .env files"
+  },
+  {
+    name: "block-destructive-commands",
+    match: { method: "tools/call", tool: "*", arguments: { _any_value: { regex: "(rm\\s+-rf|rm\\s+-r\\s+/|mkfs\\.|dd\\s+if=)" } } },
+    action: "deny",
+    message: "Blocked: dangerous command"
+  },
+  {
+    name: "block-secret-leakage",
+    match: { method: "tools/call", tool: "*", arguments: { _any_value: { secrets: true } } },
+    action: "deny",
+    message: "Blocked: detected secret in arguments"
+  }
+];
+var DEFAULT_CONFIG = {
+  version: 1,
+  settings: {
+    log_dir: "~/.mcpwall/logs",
+    log_level: "info",
+    default_action: "allow"
+  },
+  rules: DEFAULT_RULES,
+  secrets: {
+    patterns: DEFAULT_SECRET_PATTERNS
+  }
+};
+
+// src/config/loader.ts
+function resolveConfigPaths() {
+  const home = homedir();
+  const cwd = process.cwd();
+  return {
+    global: join(home, ".mcpwall", "config.yml"),
+    project: join(cwd, ".mcpwall.yml")
+  };
+}
+async function loadConfigFile(path2) {
+  try {
+    const contents = await readFile(path2, "utf-8");
+    const raw = parseYaml(contents);
+    const config = parseConfig(raw);
+    return config;
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw new Error(`Failed to load config from ${path2}: ${error.message}`);
+  }
+}
+function substituteVariables(value) {
+  return value.replace(/\$\{HOME\}/g, homedir()).replace(/\$\{PROJECT_DIR\}/g, process.cwd()).replace(/^~\//, join(homedir(), "/"));
+}
+function substituteInObject(obj) {
+  if (typeof obj === "string") {
+    return substituteVariables(obj);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(substituteInObject);
+  }
+  if (obj && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = substituteInObject(value);
+    }
+    return result;
+  }
+  return obj;
+}
+function mergeConfigs(global, project) {
+  return {
+    version: project.version,
+    settings: {
+      ...global.settings,
+      ...project.settings
+    },
+    // Project rules first (higher priority), then global rules
+    rules: [...project.rules, ...global.rules],
+    secrets: {
+      patterns: [
+        ...project.secrets?.patterns || [],
+        ...global.secrets?.patterns || []
+      ]
+    }
+  };
+}
+async function loadBuiltinDefaultRules() {
+  try {
+    const thisFile = fileURLToPath(import.meta.url);
+    const packageRoot = dirname(dirname(thisFile));
+    const defaultRulesPath = join(packageRoot, "rules", "default.yml");
+    const config = await loadConfigFile(defaultRulesPath);
+    if (config) {
+      return config;
+    }
+  } catch {
+  }
+  return DEFAULT_CONFIG;
+}
+async function loadConfig(configPath) {
+  if (configPath) {
+    const resolved = resolve(configPath);
+    const config2 = await loadConfigFile(resolved);
+    if (!config2) {
+      throw new Error(`Config file not found: ${resolved}`);
+    }
+    const substituted2 = substituteInObject(config2);
+    return substituted2;
+  }
+  const paths = resolveConfigPaths();
+  const [globalConfig, projectConfig] = await Promise.all([
+    loadConfigFile(paths.global),
+    loadConfigFile(paths.project)
+  ]);
+  let config;
+  if (projectConfig && globalConfig) {
+    config = mergeConfigs(globalConfig, projectConfig);
+  } else if (projectConfig) {
+    config = projectConfig;
+  } else if (globalConfig) {
+    config = globalConfig;
+  } else {
+    config = await loadBuiltinDefaultRules();
+  }
+  const substituted = substituteInObject(config);
+  return substituted;
+}
+
+// src/engine/policy.ts
+import { minimatch } from "minimatch";
+
+// src/engine/secrets.ts
+function compileSecretPatterns(patterns) {
+  return patterns.map((p) => ({
+    name: p.name,
+    regex: new RegExp(p.regex),
+    entropy_threshold: p.entropy_threshold
+  }));
+}
+function scanForSecrets(value, patterns) {
+  for (const pattern of patterns) {
+    pattern.regex.lastIndex = 0;
+    const match = pattern.regex.exec(value);
+    if (match) {
+      if (pattern.entropy_threshold !== void 0) {
+        const matchedString = match[0];
+        const entropy = shannonEntropy(matchedString);
+        if (entropy < pattern.entropy_threshold) {
+          continue;
+        }
+      }
+      return pattern.name;
+    }
+  }
+  return null;
+}
+function deepScanObject(obj, patterns) {
+  if (typeof obj === "string") {
+    return scanForSecrets(obj, patterns);
+  }
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      const found = deepScanObject(item, patterns);
+      if (found) {
+        return found;
+      }
+    }
+  }
+  if (obj && typeof obj === "object") {
+    for (const value of Object.values(obj)) {
+      const found = deepScanObject(value, patterns);
+      if (found) {
+        return found;
+      }
+    }
+  }
+  return null;
+}
+function shannonEntropy(str) {
+  if (str.length === 0) {
+    return 0;
+  }
+  const freq = {};
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1;
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+// src/engine/policy.ts
+import { homedir as homedir2, platform } from "os";
+import { resolve as resolvePath } from "path";
+import { realpathSync } from "fs";
+var CASE_INSENSITIVE_FS = platform() === "darwin" || platform() === "win32";
+var PolicyEngine = class {
+  config;
+  compiledSecrets;
+  /** Pre-compiled regexes keyed by "ruleIndex:argKey" */
+  compiledMatchers = /* @__PURE__ */ new Map();
+  constructor(config) {
+    this.config = config;
+    const askRules = config.rules.filter((r) => r.action === "ask");
+    if (askRules.length > 0) {
+      process.stderr.write(`[mcpwall] Warning: ${askRules.length} rule(s) use action "ask" which is not yet interactive \u2014 these will ALLOW traffic (logged). Rules: ${askRules.map((r) => r.name).join(", ")}
+`);
+    }
+    this.compiledSecrets = compileSecretPatterns(config.secrets?.patterns || []);
+    for (let i = 0; i < config.rules.length; i++) {
+      const rule = config.rules[i];
+      if (rule.match.arguments) {
+        for (const [key, matcher] of Object.entries(rule.match.arguments)) {
+          if (matcher.regex) {
+            this.compiledMatchers.set(`${i}:${key}`, {
+              regex: new RegExp(matcher.regex)
+            });
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Evaluate a JSON-RPC message against all rules
+   * Returns the action to take (allow/deny/ask) and the matched rule
+   */
+  evaluate(msg) {
+    if (!msg.method) {
+      return { action: "allow", rule: null };
+    }
+    for (let i = 0; i < this.config.rules.length; i++) {
+      const rule = this.config.rules[i];
+      if (this.matchesRule(msg, rule, i)) {
+        return {
+          action: rule.action,
+          rule: rule.name,
+          message: rule.message
+        };
+      }
+    }
+    return {
+      action: this.config.settings.default_action,
+      rule: null
+    };
+  }
+  matchesRule(msg, rule, ruleIndex) {
+    if (rule.match.method && rule.match.method !== msg.method) {
+      return false;
+    }
+    if (!rule.match.method && (rule.match.tool || rule.match.arguments)) {
+      if (msg.method !== "tools/call") {
+        return false;
+      }
+    }
+    if (msg.method === "tools/call") {
+      const params = msg.params;
+      if (!params || typeof params !== "object") {
+        return false;
+      }
+      if (rule.match.tool) {
+        const toolName = params.name;
+        if (!toolName || typeof toolName !== "string") {
+          return false;
+        }
+        if (!minimatch(toolName, rule.match.tool, { dot: true })) {
+          return false;
+        }
+      }
+      if (rule.match.arguments) {
+        const args = params.arguments;
+        if (!args || typeof args !== "object") {
+          return false;
+        }
+        for (const [key, matcher] of Object.entries(rule.match.arguments)) {
+          const compiled = this.compiledMatchers.get(`${ruleIndex}:${key}`);
+          if (key === "_any_value") {
+            if (!this.matchesAnyValue(args, matcher, compiled)) {
+              return false;
+            }
+          } else {
+            const value = args[key];
+            if (!this.matchesArgumentValue(value, matcher, compiled)) {
+              return false;
+            }
+          }
+        }
+      }
+    }
+    return true;
+  }
+  matchesAnyValue(args, matcher, compiled) {
+    if (matcher.secrets) {
+      return deepScanObject(args, this.compiledSecrets) !== null;
+    }
+    return this.deepMatchAny(args, matcher, compiled);
+  }
+  deepMatchAny(obj, matcher, compiled) {
+    if (obj === null || obj === void 0) return false;
+    if (typeof obj === "string" || typeof obj === "number" || typeof obj === "boolean") {
+      return this.matchesArgumentValue(obj, matcher, compiled);
+    }
+    if (Array.isArray(obj)) {
+      for (const item of obj) {
+        if (this.deepMatchAny(item, matcher, compiled)) return true;
+      }
+      return false;
+    }
+    if (typeof obj === "object") {
+      for (const value of Object.values(obj)) {
+        if (this.deepMatchAny(value, matcher, compiled)) return true;
+      }
+      return false;
+    }
+    return false;
+  }
+  matchesArgumentValue(value, matcher, compiled) {
+    const strValue = typeof value === "string" ? value : JSON.stringify(value);
+    if (matcher.pattern) {
+      if (minimatch(strValue, matcher.pattern)) {
+        return true;
+      }
+    }
+    if (matcher.regex && compiled?.regex) {
+      compiled.regex.lastIndex = 0;
+      if (compiled.regex.test(strValue)) {
+        return true;
+      }
+    }
+    if (matcher.not_under) {
+      const allowedPath = this.expandPath(matcher.not_under);
+      const normalizedAllowed = this.normalizePath(allowedPath);
+      const normalizedValue = this.normalizePath(strValue);
+      if (!normalizedValue.startsWith(normalizedAllowed)) {
+        return true;
+      }
+    }
+    if (matcher.secrets) {
+      return deepScanObject(value, this.compiledSecrets) !== null;
+    }
+    return false;
+  }
+  expandPath(path2) {
+    return path2.replace(/\$\{HOME\}/g, homedir2()).replace(/\$\{PROJECT_DIR\}/g, process.cwd()).replace(/^~\//, homedir2() + "/");
+  }
+  normalizePath(p) {
+    let normalized = p.replace(/^["']|["']$/g, "");
+    normalized = resolvePath(normalized);
+    try {
+      normalized = realpathSync(normalized);
+    } catch {
+    }
+    if (CASE_INSENSITIVE_FS) {
+      normalized = normalized.toLowerCase();
+    }
+    if (!normalized.endsWith("/")) {
+      normalized += "/";
+    }
+    return normalized;
+  }
+};
+
+// src/logger.ts
+import * as fs from "fs";
+import * as path from "path";
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var Logger = class {
+  logDir;
+  logLevel;
+  currentLogFile = null;
+  writeStream = null;
+  constructor(options) {
+    this.logDir = this.expandPath(options.logDir);
+    this.logLevel = LOG_LEVELS[options.logLevel] || LOG_LEVELS.info;
+    if (!fs.existsSync(this.logDir)) {
+      fs.mkdirSync(this.logDir, { recursive: true });
+    }
+  }
+  log(entry) {
+    const level = this.getLogLevel(entry.action);
+    if (LOG_LEVELS[level] < this.logLevel) {
+      return;
+    }
+    const fullEntry = {
+      ...entry,
+      ts: entry.ts || (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.writeToFile(fullEntry);
+    this.writeToStderr(fullEntry);
+  }
+  close() {
+    if (this.writeStream) {
+      this.writeStream.end();
+      this.writeStream = null;
+    }
+  }
+  writeToFile(entry) {
+    const logFile = this.getLogFilePath();
+    if (logFile !== this.currentLogFile) {
+      if (this.writeStream) {
+        this.writeStream.end();
+      }
+      this.currentLogFile = logFile;
+      this.writeStream = fs.createWriteStream(logFile, { flags: "a" });
+      this.writeStream.on("error", (err) => {
+        process.stderr.write(`[mcpwall] Log write error: ${err.message}
+`);
+        this.writeStream = null;
+      });
+    }
+    const line = JSON.stringify(entry) + "\n";
+    if (this.writeStream) {
+      this.writeStream.write(line);
+    } else {
+      fs.appendFileSync(logFile, line);
+    }
+  }
+  writeToStderr(entry) {
+    const timestamp = new Date(entry.ts).toISOString().substring(11, 19);
+    const action = this.formatAction(entry.action);
+    const method = entry.method || "unknown";
+    const tool = entry.tool ? ` ${entry.tool}` : "";
+    const rule = entry.rule ? ` [${entry.rule}]` : "";
+    const message = entry.message ? ` - ${entry.message}` : "";
+    const logLine = `[${timestamp}] ${action} ${method}${tool}${rule}${message}
+`;
+    process.stderr.write(logLine);
+  }
+  getLogFilePath() {
+    const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+    return path.join(this.logDir, `${date}.jsonl`);
+  }
+  getLogLevel(action) {
+    switch (action) {
+      case "deny":
+        return "warn";
+      case "ask":
+        return "info";
+      case "allow":
+        return "debug";
+      default:
+        return "info";
+    }
+  }
+  formatAction(action) {
+    switch (action) {
+      case "allow":
+        return "\x1B[32mALLOW\x1B[0m";
+      // green
+      case "deny":
+        return "\x1B[31mDENY\x1B[0m";
+      // red
+      case "ask":
+        return "\x1B[33mASK\x1B[0m";
+      // yellow
+      default:
+        return action.toUpperCase();
+    }
+  }
+  expandPath(p) {
+    if (p.startsWith("~/")) {
+      return path.join(process.env.HOME || "", p.slice(2));
+    }
+    return p;
+  }
+};
+
+// src/proxy.ts
+import { spawn } from "child_process";
+
+// src/parser.ts
+function parseJsonRpcLineEx(line) {
+  const trimmed = line.trim();
+  if (!trimmed) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (Array.isArray(parsed)) {
+      const messages = [];
+      for (const item of parsed) {
+        if (item && typeof item === "object" && item.jsonrpc === "2.0") {
+          messages.push(item);
+        }
+      }
+      if (messages.length > 0) {
+        return { type: "batch", messages };
+      }
+      return null;
+    }
+    if (!parsed || typeof parsed !== "object" || parsed.jsonrpc !== "2.0") {
+      return null;
+    }
+    return { type: "single", message: parsed };
+  } catch {
+    return null;
+  }
+}
+var MAX_LINE_LENGTH = 10 * 1024 * 1024;
+function createLineBuffer(onLine) {
+  let buffer = "";
+  return {
+    push(chunk) {
+      buffer += chunk;
+      if (buffer.length > MAX_LINE_LENGTH && !buffer.includes("\n")) {
+        process.stderr.write(`[mcpwall] Warning: discarding oversized message (${buffer.length} bytes)
+`);
+        buffer = "";
+        return;
+      }
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      for (const line of lines) {
+        if (line) {
+          onLine(line);
+        }
+      }
+    },
+    flush() {
+      if (buffer.trim()) {
+        onLine(buffer);
+        buffer = "";
+      }
+    }
+  };
+}
+
+// src/proxy.ts
+function createProxy(options) {
+  const { command, args, policyEngine, logger, logArgs = "none" } = options;
+  const child = spawn(command, args, {
+    stdio: ["pipe", "pipe", "inherit"]
+  });
+  let isShuttingDown = false;
+  child.on("error", (err) => {
+    process.stderr.write(`[mcpwall] Error spawning ${command}: ${err.message}
+`);
+    process.exit(1);
+  });
+  function evaluateMessage(msg, decision) {
+    let toolName;
+    if (msg.method === "tools/call" && msg.params && typeof msg.params === "object") {
+      toolName = msg.params.name;
+    }
+    if (decision.action === "deny") {
+      logger.log({
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        method: msg.method,
+        tool: toolName,
+        args: "[REDACTED]",
+        action: "deny",
+        rule: decision.rule,
+        message: decision.message
+      });
+      return false;
+    }
+    const loggedArgs = logArgs === "full" && msg.method === "tools/call" ? msg.params?.arguments : void 0;
+    logger.log({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      method: msg.method,
+      tool: toolName,
+      args: loggedArgs,
+      action: decision.action,
+      rule: decision.rule,
+      message: decision.message
+    });
+    return true;
+  }
+  function buildDenyError(msg, decision) {
+    return {
+      jsonrpc: "2.0",
+      id: msg.id,
+      error: {
+        code: -32600,
+        message: `[mcpwall] ${decision.message || "Blocked by policy"}`
+      }
+    };
+  }
+  const inboundBuffer = createLineBuffer((line) => {
+    try {
+      const result = parseJsonRpcLineEx(line);
+      if (!result) {
+        if (child.stdin && !child.stdin.destroyed) {
+          child.stdin.write(line + "\n");
+        }
+        return;
+      }
+      if (result.type === "single") {
+        const msg = result.message;
+        const decision = policyEngine.evaluate(msg);
+        if (decision.action === "deny") {
+          if (msg.id !== void 0 && msg.id !== null) {
+            process.stdout.write(JSON.stringify(buildDenyError(msg, decision)) + "\n");
+          }
+          evaluateMessage(msg, decision);
+          return;
+        }
+        evaluateMessage(msg, decision);
+        if (child.stdin && !child.stdin.destroyed) {
+          child.stdin.write(line + "\n");
+        }
+        return;
+      }
+      if (result.type === "batch") {
+        const forwarded = [];
+        const errors = [];
+        for (const msg of result.messages) {
+          const decision = policyEngine.evaluate(msg);
+          if (decision.action === "deny") {
+            evaluateMessage(msg, decision);
+            if (msg.id !== void 0 && msg.id !== null) {
+              errors.push(buildDenyError(msg, decision));
+            }
+          } else {
+            evaluateMessage(msg, decision);
+            forwarded.push(msg);
+          }
+        }
+        if (errors.length === 1) {
+          process.stdout.write(JSON.stringify(errors[0]) + "\n");
+        } else if (errors.length > 1) {
+          process.stdout.write(JSON.stringify(errors) + "\n");
+        }
+        if (forwarded.length > 0 && child.stdin && !child.stdin.destroyed) {
+          if (forwarded.length === 1) {
+            child.stdin.write(JSON.stringify(forwarded[0]) + "\n");
+          } else {
+            child.stdin.write(JSON.stringify(forwarded) + "\n");
+          }
+        }
+        return;
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error processing inbound message: ${message}
+`);
+      if (child.stdin && !child.stdin.destroyed) {
+        child.stdin.write(line + "\n");
+      }
+    }
+  });
+  process.stdin.on("data", (chunk) => {
+    inboundBuffer.push(chunk.toString());
+  });
+  process.stdin.on("end", () => {
+    inboundBuffer.flush();
+    if (child.stdin && !child.stdin.destroyed) {
+      child.stdin.end();
+    }
+  });
+  const outboundBuffer = createLineBuffer((line) => {
+    try {
+      process.stdout.write(line + "\n");
+      const result = parseJsonRpcLineEx(line);
+      if (result?.type === "single") {
+        const msg = result.message;
+        if (msg.result !== void 0 || msg.error !== void 0) {
+          logger.log({
+            ts: (/* @__PURE__ */ new Date()).toISOString(),
+            method: "response",
+            tool: void 0,
+            action: "allow",
+            rule: null,
+            message: msg.error ? `Error: ${msg.error.message}` : void 0
+          });
+        }
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error processing outbound message: ${message}
+`);
+      try {
+        process.stdout.write(line + "\n");
+      } catch {
+      }
+    }
+  });
+  if (child.stdout) {
+    child.stdout.on("data", (chunk) => {
+      outboundBuffer.push(chunk.toString());
+    });
+    child.stdout.on("end", () => {
+      outboundBuffer.flush();
+    });
+  }
+  child.on("exit", (code, signal) => {
+    if (!isShuttingDown) {
+      isShuttingDown = true;
+      logger.close();
+      if (signal) {
+        process.stderr.write(`[mcpwall] Child process killed by signal ${signal}
+`);
+        process.exit(1);
+      } else {
+        process.exit(code ?? 0);
+      }
+    }
+  });
+  function handleSignal(sig) {
+    if (!isShuttingDown && child && !child.killed) {
+      isShuttingDown = true;
+      child.kill(sig);
+      setTimeout(() => {
+        if (!child.killed) {
+          child.kill("SIGKILL");
+        }
+      }, 5e3).unref();
+    }
+  }
+  process.on("SIGINT", () => handleSignal("SIGINT"));
+  process.on("SIGTERM", () => handleSignal("SIGTERM"));
+  process.on("SIGHUP", () => handleSignal("SIGHUP"));
+  process.on("exit", () => {
+    if (!isShuttingDown) {
+      logger.close();
+      if (child && !child.killed) {
+        child.kill();
+      }
+    }
+  });
+  return child;
+}
+
+// src/cli/init.ts
+import { readFile as readFile2, writeFile, mkdir } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
+import { createInterface } from "readline/promises";
+import { stringify as yamlStringify } from "yaml";
+async function runInit() {
+  process.stderr.write("\n\u{1F512} mcpwall setup wizard\n\n");
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stderr
+  });
+  try {
+    const configPaths = [
+      { path: join3(homedir3(), ".claude.json"), name: "Claude Code global config" },
+      { path: join3(process.cwd(), ".mcp.json"), name: "Claude Code project config" }
+    ];
+    const foundConfigs = [];
+    for (const { path: path2, name } of configPaths) {
+      if (existsSync2(path2)) {
+        try {
+          const contents = await readFile2(path2, "utf-8");
+          const config = JSON.parse(contents);
+          if (config.mcpServers && Object.keys(config.mcpServers).length > 0) {
+            foundConfigs.push({ path: path2, name, config });
+          }
+        } catch (error) {
+          process.stderr.write(`[mcpwall] Warning: Could not parse ${path2}
+`);
+        }
+      }
+    }
+    if (foundConfigs.length === 0) {
+      process.stderr.write("No MCP server configurations found.\n");
+      process.stderr.write("Looked for:\n");
+      process.stderr.write("  - ~/.claude.json\n");
+      process.stderr.write("  - ./.mcp.json\n\n");
+      process.stderr.write("You can manually configure mcpwall by wrapping your MCP server commands:\n");
+      process.stderr.write("  Original: npx -y @some/server\n");
+      process.stderr.write("  Wrapped:  npx -y mcpwall -- npx -y @some/server\n\n");
+      rl.close();
+      return;
+    }
+    process.stderr.write("Found MCP servers:\n\n");
+    const allServers = [];
+    for (const { path: path2, name, config } of foundConfigs) {
+      process.stderr.write(`In ${name} (${path2}):
+`);
+      for (const [serverName, serverConfig] of Object.entries(config.mcpServers)) {
+        allServers.push({ configPath: path2, serverName, config: serverConfig });
+        const commandStr = `${serverConfig.command} ${serverConfig.args.join(" ")}`;
+        process.stderr.write(`  [${allServers.length}] ${serverName}: ${commandStr}
+`);
+      }
+      process.stderr.write("\n");
+    }
+    const answer = await rl.question(
+      'Enter server numbers to wrap (comma-separated, or "all" for all): '
+    );
+    let selectedIndices;
+    if (answer.trim().toLowerCase() === "all") {
+      selectedIndices = allServers.map((_, i) => i);
+    } else {
+      selectedIndices = answer.split(",").map((s) => parseInt(s.trim()) - 1).filter((i) => i >= 0 && i < allServers.length);
+    }
+    if (selectedIndices.length === 0) {
+      process.stderr.write("No servers selected. Exiting.\n");
+      rl.close();
+      return;
+    }
+    process.stderr.write("\nWrapping servers with mcpwall...\n\n");
+    for (const index of selectedIndices) {
+      const { configPath, serverName, config } = allServers[index];
+      if (config.command === "npx" && config.args.includes("mcpwall")) {
+        process.stderr.write(`  \u2713 ${serverName} is already wrapped
+`);
+        continue;
+      }
+      const wrappedConfig = {
+        command: "npx",
+        args: ["-y", "mcpwall", "--", config.command, ...config.args],
+        env: config.env
+      };
+      const configContents = await readFile2(configPath, "utf-8");
+      const fullConfig = JSON.parse(configContents);
+      fullConfig.mcpServers[serverName] = wrappedConfig;
+      await writeFile(configPath, JSON.stringify(fullConfig, null, 2), "utf-8");
+      process.stderr.write(`  \u2713 Wrapped ${serverName}
+`);
+    }
+    const firewallConfigDir = join3(homedir3(), ".mcpwall");
+    const firewallConfigPath = join3(firewallConfigDir, "config.yml");
+    if (!existsSync2(firewallConfigPath)) {
+      process.stderr.write("\nCreating default firewall configuration...\n");
+      if (!existsSync2(firewallConfigDir)) {
+        await mkdir(firewallConfigDir, { recursive: true });
+      }
+      const yamlConfig = yamlStringify(DEFAULT_CONFIG);
+      await writeFile(firewallConfigPath, yamlConfig, "utf-8");
+      process.stderr.write(`  \u2713 Created ${firewallConfigPath}
+`);
+    } else {
+      process.stderr.write(`
+  \u2713 Config already exists: ${firewallConfigPath}
+`);
+    }
+    process.stderr.write("\n\u2705 Setup complete!\n\n");
+    process.stderr.write("Your MCP servers are now protected by mcpwall.\n");
+    process.stderr.write(`View logs in: ${join3(homedir3(), ".mcpwall/logs")}
+`);
+    process.stderr.write(`Edit rules in: ${firewallConfigPath}
+
+`);
+  } finally {
+    rl.close();
+  }
+}
+
+// src/cli/wrap.ts
+import { readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join4 } from "path";
+var CONFIG_PATHS = [
+  () => join4(homedir4(), ".claude.json"),
+  () => join4(process.cwd(), ".mcp.json")
+];
+async function runWrap(serverName) {
+  for (const getPath of CONFIG_PATHS) {
+    const configPath = getPath();
+    if (!existsSync3(configPath)) continue;
+    let raw;
+    let config;
+    try {
+      raw = await readFile3(configPath, "utf-8");
+      config = JSON.parse(raw);
+    } catch {
+      continue;
+    }
+    if (!config.mcpServers?.[serverName]) continue;
+    const server = config.mcpServers[serverName];
+    if (server.command === "npx" && server.args.includes("mcpwall")) {
+      process.stderr.write(`[mcpwall] ${serverName} is already wrapped in ${configPath}
+`);
+      return;
+    }
+    config.mcpServers[serverName] = {
+      command: "npx",
+      args: ["-y", "mcpwall", "--", server.command, ...server.args],
+      env: server.env
+    };
+    await writeFile2(configPath, JSON.stringify(config, null, 2), "utf-8");
+    process.stderr.write(`[mcpwall] Wrapped ${serverName} in ${configPath}
+`);
+    process.stderr.write(`  ${server.command} ${server.args.join(" ")}
+`);
+    process.stderr.write(`  -> npx -y mcpwall -- ${server.command} ${server.args.join(" ")}
+`);
+    return;
+  }
+  process.stderr.write(`[mcpwall] Server "${serverName}" not found in any config file.
+`);
+  process.stderr.write(`Searched:
+`);
+  for (const getPath of CONFIG_PATHS) {
+    const p = getPath();
+    const exists = existsSync3(p) ? "" : " (not found)";
+    process.stderr.write(`  - ${p}${exists}
+`);
+  }
+  process.exit(1);
+}
+
+// src/index.ts
+var require2 = createRequire(import.meta.url);
+var { version } = require2("../package.json");
+var dashDashIndex = process.argv.indexOf("--");
+if (dashDashIndex !== -1) {
+  const optionsArgs = process.argv.slice(0, dashDashIndex);
+  const commandParts = process.argv.slice(dashDashIndex + 1);
+  program.name("mcpwall").description("Deterministic security proxy for MCP tool calls").version(version).option("-c, --config <path>", "Path to config file").option("--log-level <level>", "Log level", "info").parse(optionsArgs);
+  const options = program.opts();
+  (async () => {
+    try {
+      if (commandParts.length === 0) {
+        process.stderr.write("[mcpwall] Error: No command provided after --\n");
+        process.stderr.write("Usage: mcpwall [options] -- <command> [args...]\n");
+        process.exit(1);
+      }
+      const [command, ...args] = commandParts;
+      const config = await loadConfig(options.config);
+      if (options.logLevel) {
+        config.settings.log_level = options.logLevel;
+      }
+      const policyEngine = new PolicyEngine(config);
+      const logger = new Logger({
+        logDir: config.settings.log_dir,
+        logLevel: config.settings.log_level
+      });
+      createProxy({
+        command,
+        args,
+        policyEngine,
+        logger,
+        logArgs: config.settings.log_args
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error: ${message}
+`);
+      process.exit(1);
+    }
+  })();
+} else {
+  program.name("mcpwall").description("Deterministic security proxy for MCP tool calls").version(version);
+  program.command("init").description("Interactive setup wizard to wrap existing MCP servers").action(async () => {
+    try {
+      await runInit();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error: ${message}
+`);
+      process.exit(1);
+    }
+  });
+  program.command("wrap <server-name>").description("Wrap a specific MCP server with mcpwall").action(async (serverName) => {
+    try {
+      await runWrap(serverName);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error: ${message}
+`);
+      process.exit(1);
+    }
+  });
+  program.option("-c, --config <path>", "Path to config file").option("--log-level <level>", "Log level", "info").argument("[command...]", "MCP server command to proxy (use -- before command)").action(() => {
+    program.help();
+  });
+  program.parse();
+}