mcpwall 0.1.2 → 0.3.0

package/dist/index.js

@@ -59,15 +59,35 @@ var ruleSchema = z.object({
   action: z.enum(["allow", "deny", "ask"]),
   message: z.string().optional()
 });
+var outboundMatchSchema = z.object({
+  tool: z.string().optional(),
+  server: z.string().optional(),
+  secrets: z.boolean().optional(),
+  response_contains: z.array(z.string()).optional(),
+  response_contains_regex: z.array(validRegex).optional(),
+  response_size_exceeds: z.number().positive().optional()
+}).refine(
+  (match) => Object.values(match).some((v) => v !== void 0),
+  { message: "Outbound rule must have at least one match field" }
+);
+var outboundRuleSchema = z.object({
+  name: z.string(),
+  match: outboundMatchSchema,
+  action: z.enum(["allow", "deny", "redact", "log_only"]),
+  message: z.string().optional()
+});
 var configSchema = z.object({
   version: z.number(),
   settings: z.object({
     log_dir: z.string(),
     log_level: z.enum(["debug", "info", "warn", "error"]),
     default_action: z.enum(["allow", "deny", "ask"]),
-    log_args: z.enum(["full", "none"]).optional()
+    log_args: z.enum(["full", "none"]).optional(),
+    outbound_default_action: z.enum(["allow", "deny", "redact", "log_only"]).optional(),
+    log_redacted: z.enum(["none", "hash", "full"]).optional()
   }),
   rules: z.array(ruleSchema),
+  outbound_rules: z.array(outboundRuleSchema).optional(),
   secrets: z.object({
     patterns: z.array(secretPatternSchema)
   }).optional()
@@ -146,6 +166,20 @@ var DEFAULT_RULES = [
     message: "Blocked: detected secret in arguments"
   }
 ];
+var DEFAULT_OUTBOUND_RULES = [
+  {
+    name: "redact-secrets-in-responses",
+    match: { secrets: true },
+    action: "redact",
+    message: "Secret detected in server response and redacted"
+  },
+  {
+    name: "flag-large-responses",
+    match: { response_size_exceeds: 102400 },
+    action: "log_only",
+    message: "Response exceeds 100KB"
+  }
+];
 var DEFAULT_CONFIG = {
   version: 1,
   settings: {
@@ -154,6 +188,7 @@ var DEFAULT_CONFIG = {
     default_action: "allow"
   },
   rules: DEFAULT_RULES,
+  outbound_rules: DEFAULT_OUTBOUND_RULES,
   secrets: {
     patterns: DEFAULT_SECRET_PATTERNS
   }
@@ -210,6 +245,10 @@ function mergeConfigs(global, project) {
     },
     // Project rules first (higher priority), then global rules
     rules: [...project.rules, ...global.rules],
+    outbound_rules: [
+      ...project.outbound_rules || [],
+      ...global.outbound_rules || []
+    ].length > 0 ? [...project.outbound_rules || [], ...global.outbound_rules || []] : void 0,
     secrets: {
       patterns: [
         ...project.secrets?.patterns || [],
@@ -310,6 +349,52 @@ function deepScanObject(obj, patterns) {
   }
   return null;
 }
+function redactSecrets(obj, patterns, marker = "[REDACTED BY MCPWALL]") {
+  const matchCounts = /* @__PURE__ */ new Map();
+  function redactString(str) {
+    let result = str;
+    for (const pattern of patterns) {
+      pattern.regex.lastIndex = 0;
+      let match;
+      const globalRegex = new RegExp(pattern.regex.source, "g");
+      while ((match = globalRegex.exec(result)) !== null) {
+        if (pattern.entropy_threshold !== void 0) {
+          const entropy = shannonEntropy(match[0]);
+          if (entropy < pattern.entropy_threshold) {
+            continue;
+          }
+        }
+        matchCounts.set(pattern.name, (matchCounts.get(pattern.name) || 0) + 1);
+        result = result.slice(0, match.index) + marker + result.slice(match.index + match[0].length);
+        globalRegex.lastIndex = match.index + marker.length;
+      }
+    }
+    return result;
+  }
+  function walk(node) {
+    if (typeof node === "string") {
+      return redactString(node);
+    }
+    if (Array.isArray(node)) {
+      return node.map(walk);
+    }
+    if (node && typeof node === "object") {
+      const result = {};
+      for (const [key, value] of Object.entries(node)) {
+        result[key] = walk(value);
+      }
+      return result;
+    }
+    return node;
+  }
+  const redacted = walk(obj);
+  const matches = Array.from(matchCounts.entries()).map(([pattern, count]) => ({ pattern, count }));
+  return {
+    redacted,
+    matches,
+    wasRedacted: matches.length > 0
+  };
+}
 function shannonEntropy(str) {
   if (str.length === 0) {
     return 0;
@@ -497,6 +582,128 @@ var PolicyEngine = class {
   }
 };
 
+// src/engine/outbound-policy.ts
+import { minimatch as minimatch2 } from "minimatch";
+var OutboundPolicyEngine = class {
+  rules;
+  defaultAction;
+  compiledSecrets;
+  compiledRegexes = /* @__PURE__ */ new Map();
+  constructor(config) {
+    this.rules = config.outbound_rules || [];
+    this.defaultAction = config.settings.outbound_default_action || "allow";
+    this.compiledSecrets = compileSecretPatterns(config.secrets?.patterns || []);
+    for (const rule of this.rules) {
+      if (rule.match.response_contains_regex) {
+        const compiled = rule.match.response_contains_regex.map((pattern) => ({
+          source: pattern,
+          regex: new RegExp(pattern, "i")
+        }));
+        this.compiledRegexes.set(rule.name, compiled);
+      }
+    }
+  }
+  /**
+   * Evaluate a response message against outbound rules.
+   * Returns the decision (action + matched rule).
+   */
+  evaluate(msg, toolName, serverName) {
+    for (const rule of this.rules) {
+      if (this.matchesRule(msg, rule, toolName, serverName)) {
+        return {
+          action: rule.action,
+          rule: rule.name,
+          message: rule.message
+        };
+      }
+    }
+    return {
+      action: this.defaultAction,
+      rule: null
+    };
+  }
+  /**
+   * Redact secrets from a response message.
+   * Returns the redacted message and match details.
+   */
+  redactResponse(msg) {
+    const redactionResult = redactSecrets(msg.result, this.compiledSecrets);
+    const redactedMsg = {
+      ...msg,
+      result: redactionResult.redacted
+    };
+    return { message: redactedMsg, result: redactionResult };
+  }
+  matchesRule(msg, rule, toolName, serverName) {
+    const match = rule.match;
+    if (match.tool) {
+      if (!toolName || !minimatch2(toolName, match.tool, { dot: true })) {
+        return false;
+      }
+    }
+    if (match.server) {
+      if (!serverName || !minimatch2(serverName, match.server, { dot: true })) {
+        return false;
+      }
+    }
+    if (match.secrets) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const hasSecrets = redactSecrets(msg.result, this.compiledSecrets).wasRedacted;
+      if (!hasSecrets) return false;
+    }
+    if (match.response_contains) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const lower = text.toLowerCase();
+      const found = match.response_contains.some((phrase) => lower.includes(phrase.toLowerCase()));
+      if (!found) return false;
+    }
+    if (match.response_contains_regex) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const compiled = this.compiledRegexes.get(rule.name) || [];
+      const found = compiled.some((c) => {
+        c.regex.lastIndex = 0;
+        return c.regex.test(text);
+      });
+      if (!found) return false;
+    }
+    if (match.response_size_exceeds !== void 0) {
+      const serialized = JSON.stringify(msg.result ?? msg.error ?? "");
+      const byteSize = Buffer.byteLength(serialized, "utf-8");
+      if (byteSize <= match.response_size_exceeds) return false;
+    }
+    return true;
+  }
+  /**
+   * Extract text content from an MCP response message.
+   * Handles MCP standard content array format: { content: [{ type: "text", text: "..." }] }
+   * Falls back to JSON.stringify for non-standard formats.
+   */
+  extractResponseText(msg) {
+    if (msg.result === void 0 && msg.error === void 0) {
+      return null;
+    }
+    if (msg.error) {
+      return msg.error.message || JSON.stringify(msg.error);
+    }
+    const result = msg.result;
+    if (result && Array.isArray(result.content)) {
+      const texts = [];
+      for (const block of result.content) {
+        if (block && typeof block === "object" && typeof block.text === "string") {
+          texts.push(block.text);
+        }
+      }
+      if (texts.length > 0) {
+        return texts.join("\n");
+      }
+    }
+    return JSON.stringify(result);
+  }
+};
+
 // src/logger.ts
 import * as fs from "fs";
 import * as path from "path";
@@ -560,11 +767,12 @@ var Logger = class {
   writeToStderr(entry) {
     const timestamp = new Date(entry.ts).toISOString().substring(11, 19);
     const action = this.formatAction(entry.action);
+    const direction = entry.direction === "outbound" ? "outbound " : "";
     const method = entry.method || "unknown";
     const tool = entry.tool ? ` ${entry.tool}` : "";
     const rule = entry.rule ? ` [${entry.rule}]` : "";
     const message = entry.message ? ` - ${entry.message}` : "";
-    const logLine = `[${timestamp}] ${action} ${method}${tool}${rule}${message}
+    const logLine = `[${timestamp}] ${action} ${direction}${method}${tool}${rule}${message}
 `;
     process.stderr.write(logLine);
   }
@@ -575,9 +783,11 @@ var Logger = class {
   getLogLevel(action) {
     switch (action) {
       case "deny":
+      case "redact":
         return "warn";
       case "ask":
       case "allow":
+      case "log_only":
         return "info";
       default:
         return "info";
@@ -594,6 +804,12 @@ var Logger = class {
       case "ask":
         return "\x1B[33mASK\x1B[0m";
       // yellow
+      case "redact":
+        return "\x1B[36mREDACT\x1B[0m";
+      // cyan
+      case "log_only":
+        return "\x1B[34mLOG\x1B[0m";
+      // blue
       default:
         return action.toUpperCase();
     }
@@ -668,7 +884,33 @@ function createLineBuffer(onLine) {
 
 // src/proxy.ts
 function createProxy(options) {
-  const { command, args, policyEngine, logger, logArgs = "none" } = options;
+  const { command, args, policyEngine, logger, logArgs = "none", outboundPolicyEngine, logRedacted = "none", serverName } = options;
+  const pendingRequests = /* @__PURE__ */ new Map();
+  const REQUEST_TTL_MS = 6e4;
+  function trackRequest(msg) {
+    if (msg.id !== void 0 && msg.id !== null && msg.method === "tools/call") {
+      const params = msg.params;
+      pendingRequests.set(msg.id, {
+        tool: params?.name,
+        method: msg.method,
+        ts: Date.now()
+      });
+    }
+  }
+  function resolveRequest(id) {
+    if (id === void 0 || id === null) return void 0;
+    const ctx = pendingRequests.get(id);
+    if (ctx) {
+      pendingRequests.delete(id);
+    }
+    const now = Date.now();
+    for (const [key, val] of pendingRequests) {
+      if (now - val.ts > REQUEST_TTL_MS) {
+        pendingRequests.delete(key);
+      }
+    }
+    return ctx;
+  }
   const child = spawn(command, args, {
     stdio: ["pipe", "pipe", "inherit"]
   });
@@ -737,6 +979,7 @@ function createProxy(options) {
           return;
         }
         evaluateMessage(msg, decision);
+        trackRequest(msg);
         if (child.stdin && !child.stdin.destroyed) {
           child.stdin.write(line + "\n");
         }
@@ -754,6 +997,7 @@ function createProxy(options) {
             }
           } else {
             evaluateMessage(msg, decision);
+            trackRequest(msg);
             forwarded.push(msg);
           }
         }
@@ -789,22 +1033,113 @@ function createProxy(options) {
       child.stdin.end();
     }
   });
+  function evaluateOutbound(msg) {
+    if (!outboundPolicyEngine) {
+      process.stdout.write(JSON.stringify(msg) + "\n");
+      if (msg.result !== void 0 || msg.error !== void 0) {
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: void 0,
+          action: "allow",
+          rule: null,
+          direction: "outbound",
+          message: msg.error ? `Error: ${msg.error.message}` : void 0
+        });
+      }
+      return;
+    }
+    const ctx = resolveRequest(msg.id);
+    const toolName = ctx?.tool;
+    if (msg.result === void 0 && msg.error === void 0) {
+      process.stdout.write(JSON.stringify(msg) + "\n");
+      return;
+    }
+    const decision = outboundPolicyEngine.evaluate(msg, toolName, serverName);
+    switch (decision.action) {
+      case "allow": {
+        process.stdout.write(JSON.stringify(msg) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "allow",
+          rule: decision.rule,
+          direction: "outbound",
+          message: msg.error ? `Error: ${msg.error.message}` : void 0
+        });
+        break;
+      }
+      case "deny": {
+        const blocked = {
+          jsonrpc: "2.0",
+          id: msg.id,
+          result: {
+            content: [{
+              type: "text",
+              text: `[BLOCKED BY MCPWALL] ${decision.message || "Response blocked by outbound policy"}`
+            }]
+          }
+        };
+        process.stdout.write(JSON.stringify(blocked) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "deny",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message
+        });
+        break;
+      }
+      case "redact": {
+        const { message: redactedMsg, result: redactionResult } = outboundPolicyEngine.redactResponse(msg);
+        process.stdout.write(JSON.stringify(redactedMsg) + "\n");
+        const patternNames = redactionResult.matches.map((m) => m.pattern);
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "redact",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message,
+          redacted_patterns: patternNames.length > 0 ? patternNames : void 0
+        });
+        break;
+      }
+      case "log_only": {
+        process.stdout.write(JSON.stringify(msg) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "log_only",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message
+        });
+        break;
+      }
+    }
+  }
   const outboundBuffer = createLineBuffer((line) => {
     try {
-      process.stdout.write(line + "\n");
       const result = parseJsonRpcLineEx(line);
-      if (result?.type === "single") {
-        const msg = result.message;
-        if (msg.result !== void 0 || msg.error !== void 0) {
-          logger.log({
-            ts: (/* @__PURE__ */ new Date()).toISOString(),
-            method: "response",
-            tool: void 0,
-            action: "allow",
-            rule: null,
-            message: msg.error ? `Error: ${msg.error.message}` : void 0
-          });
+      if (!result) {
+        process.stdout.write(line + "\n");
+        return;
+      }
+      if (result.type === "single") {
+        evaluateOutbound(result.message);
+        return;
+      }
+      if (result.type === "batch") {
+        for (const msg of result.messages) {
+          evaluateOutbound(msg);
         }
+        return;
       }
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -863,13 +1198,80 @@ function createProxy(options) {
 }
 
 // src/cli/init.ts
-import { readFile as readFile2, writeFile, mkdir } from "fs/promises";
+import { readFile as readFile2, writeFile, mkdir, readdir } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
 import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
+import { join as join3, resolve as resolve2, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 import { createInterface } from "readline/promises";
 import { stringify as yamlStringify } from "yaml";
-async function runInit() {
+function getProfilesDir() {
+  const thisFile = fileURLToPath2(import.meta.url);
+  const packageRoot = dirname2(dirname2(thisFile));
+  return join3(packageRoot, "rules", "profiles");
+}
+async function listAvailableProfiles() {
+  const profilesDir = getProfilesDir();
+  try {
+    const entries = await readdir(profilesDir);
+    return entries.filter((f) => f.endsWith(".yaml")).map((f) => f.replace(/\.yaml$/, ""));
+  } catch {
+    return [];
+  }
+}
+async function loadProfile(profile) {
+  if (!/^[a-z0-9-]+$/.test(profile)) {
+    const available = await listAvailableProfiles();
+    process.stderr.write(`[mcpwall] Invalid profile name "${profile}". Names must be lowercase letters, numbers, and hyphens only.
+`);
+    if (available.length > 0) {
+      process.stderr.write(`  Available profiles: ${available.join(", ")}
+`);
+    }
+    process.exit(1);
+  }
+  const profilesDir = getProfilesDir();
+  const profilePath = join3(profilesDir, `${profile}.yaml`);
+  const resolvedProfiles = resolve2(profilesDir);
+  const resolvedProfile = resolve2(profilePath);
+  if (!resolvedProfile.startsWith(resolvedProfiles + "/") && resolvedProfile !== resolvedProfiles) {
+    process.stderr.write(`[mcpwall] Invalid profile name "${profile}".
+`);
+    process.exit(1);
+  }
+  try {
+    return await readFile2(profilePath, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      const available = await listAvailableProfiles();
+      const profileList = available.length > 0 ? available.join(", ") : "(none found)";
+      process.stderr.write(`[mcpwall] Unknown profile "${profile}". Available profiles: ${profileList}
+`);
+      process.exit(1);
+    }
+    throw err;
+  }
+}
+async function runInit(profile) {
+  if (profile) {
+    if (!/^[a-z0-9-]+$/.test(profile)) {
+      const available2 = await listAvailableProfiles();
+      process.stderr.write(`[mcpwall] Invalid profile name "${profile}". Names must be lowercase letters, numbers, and hyphens only.
+`);
+      if (available2.length > 0) {
+        process.stderr.write(`  Available profiles: ${available2.join(", ")}
+`);
+      }
+      process.exit(1);
+    }
+    const available = await listAvailableProfiles();
+    if (!available.includes(profile)) {
+      const profileList = available.length > 0 ? available.join(", ") : "(none found)";
+      process.stderr.write(`[mcpwall] Unknown profile "${profile}". Available profiles: ${profileList}
+`);
+      process.exit(1);
+    }
+  }
   process.stderr.write("\n\u{1F512} mcpwall setup wizard\n\n");
   const rl = createInterface({
     input: process.stdin,
@@ -878,7 +1280,12 @@ async function runInit() {
   try {
     const configPaths = [
       { path: join3(homedir3(), ".claude.json"), name: "Claude Code global config" },
-      { path: join3(process.cwd(), ".mcp.json"), name: "Claude Code project config" }
+      { path: join3(process.cwd(), ".mcp.json"), name: "Claude Code project config" },
+      { path: join3(homedir3(), ".cursor", "mcp.json"), name: "Cursor global config" },
+      { path: join3(process.cwd(), ".cursor", "mcp.json"), name: "Cursor project config" },
+      { path: join3(homedir3(), ".config", "windsurf", "mcp.json"), name: "Windsurf config" },
+      { path: join3(homedir3(), ".vscode", "mcp.json"), name: "VS Code global config" },
+      { path: join3(process.cwd(), ".vscode", "mcp.json"), name: "VS Code project config" }
     ];
     const foundConfigs = [];
     for (const { path: path2, name } of configPaths) {
@@ -898,8 +1305,11 @@ async function runInit() {
     if (foundConfigs.length === 0) {
       process.stderr.write("No MCP server configurations found.\n");
       process.stderr.write("Looked for:\n");
-      process.stderr.write("  - ~/.claude.json\n");
-      process.stderr.write("  - ./.mcp.json\n\n");
+      for (const { path: path2, name } of configPaths) {
+        process.stderr.write(`  - ${path2} (${name})
+`);
+      }
+      process.stderr.write("\n");
       process.stderr.write("You can manually configure mcpwall by wrapping your MCP server commands:\n");
       process.stderr.write("  Original: npx -y @some/server\n");
       process.stderr.write("  Wrapped:  npx -y mcpwall -- npx -y @some/server\n\n");
@@ -955,11 +1365,39 @@ async function runInit() {
     }
     const firewallConfigDir = join3(homedir3(), ".mcpwall");
     const firewallConfigPath = join3(firewallConfigDir, "config.yml");
-    if (!existsSync2(firewallConfigPath)) {
-      process.stderr.write("\nCreating default firewall configuration...\n");
-      if (!existsSync2(firewallConfigDir)) {
-        await mkdir(firewallConfigDir, { recursive: true });
+    if (!existsSync2(firewallConfigDir)) {
+      await mkdir(firewallConfigDir, { recursive: true });
+    }
+    if (profile) {
+      const profileContent = await loadProfile(profile);
+      if (existsSync2(firewallConfigPath)) {
+        const overwrite = await rl.question(
+          `
+  Config already exists: ${firewallConfigPath}
+  Overwrite with "${profile}" profile? (y/n): `
+        );
+        if (overwrite.trim().toLowerCase() !== "y") {
+          process.stderr.write("  Keeping existing config.\n");
+        } else {
+          await writeFile(firewallConfigPath, profileContent, "utf-8");
+          process.stderr.write(`
+  \u2713 Applied "${profile}" profile to ${firewallConfigPath}
+`);
+          process.stderr.write(`  Edit ${firewallConfigPath} to customize.
+`);
+        }
+      } else {
+        process.stderr.write(`
+Creating firewall configuration from "${profile}" profile...
+`);
+        await writeFile(firewallConfigPath, profileContent, "utf-8");
+        process.stderr.write(`  \u2713 Created ${firewallConfigPath} using "${profile}" profile
+`);
+        process.stderr.write(`  Edit ${firewallConfigPath} to customize.
+`);
       }
+    } else if (!existsSync2(firewallConfigPath)) {
+      process.stderr.write("\nCreating default firewall configuration...\n");
       const yamlConfig = yamlStringify(DEFAULT_CONFIG);
       await writeFile(firewallConfigPath, yamlConfig, "utf-8");
       process.stderr.write(`  \u2713 Created ${firewallConfigPath}
@@ -988,7 +1426,12 @@ import { homedir as homedir4 } from "os";
 import { join as join4 } from "path";
 var CONFIG_PATHS = [
   () => join4(homedir4(), ".claude.json"),
-  () => join4(process.cwd(), ".mcp.json")
+  () => join4(process.cwd(), ".mcp.json"),
+  () => join4(homedir4(), ".cursor", "mcp.json"),
+  () => join4(process.cwd(), ".cursor", "mcp.json"),
+  () => join4(homedir4(), ".config", "windsurf", "mcp.json"),
+  () => join4(homedir4(), ".vscode", "mcp.json"),
+  () => join4(process.cwd(), ".vscode", "mcp.json")
 ];
 async function runWrap(serverName) {
   for (const getPath of CONFIG_PATHS) {
@@ -1036,6 +1479,174 @@ async function runWrap(serverName) {
   process.exit(1);
 }
 
+// src/cli/check.ts
+var MAX_INPUT_BYTES = 10 * 1024 * 1024;
+function sanitizeForDisplay(value) {
+  const raw = typeof value === "string" ? value : JSON.stringify(value);
+  return raw.replace(/\x1b\[[0-9;]*[mGKHF]/g, "").replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, "");
+}
+async function readStdin() {
+  return new Promise((resolve3, reject) => {
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => {
+      data += chunk;
+    });
+    process.stdin.on("end", () => resolve3(data));
+    process.stdin.on("error", reject);
+  });
+}
+function printInboundDecision(decision, msg) {
+  const method = sanitizeForDisplay(msg.method ?? "(unknown)");
+  const params = msg.params;
+  const toolName = params?.name ? sanitizeForDisplay(params.name) : "";
+  const firstArg = params?.arguments ? sanitizeForDisplay(Object.values(params.arguments)[0] ?? "") : "";
+  const contextStr = [method, toolName, firstArg].filter(Boolean).join("  ");
+  if (decision.action === "allow") {
+    process.stdout.write(`\u2713 ALLOW  ${contextStr}
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    } else {
+      process.stdout.write(`  No rule matched \u2014 default action: allow
+`);
+    }
+  } else if (decision.action === "deny") {
+    process.stdout.write(`\u2717 DENY   ${contextStr}
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    }
+    if (decision.message) {
+      process.stdout.write(`  ${sanitizeForDisplay(decision.message)}
+`);
+    }
+  } else {
+    process.stdout.write(`? ASK    ${contextStr}
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    }
+  }
+}
+function printOutboundDecision(decision, _msg) {
+  if (decision.action === "allow") {
+    process.stdout.write(`\u2713 ALLOW  (response)
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    } else {
+      process.stdout.write(`  No rule matched
+`);
+    }
+  } else if (decision.action === "deny") {
+    process.stdout.write(`\u2717 DENY   (response)
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    }
+    if (decision.message) {
+      process.stdout.write(`  ${sanitizeForDisplay(decision.message)}
+`);
+    }
+  } else if (decision.action === "redact") {
+    process.stdout.write(`~ REDACT (response)
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    }
+    if (decision.message) {
+      process.stdout.write(`  ${sanitizeForDisplay(decision.message)}
+`);
+    }
+  } else if (decision.action === "log_only") {
+    process.stdout.write(`! LOG    (response)
+`);
+    if (decision.rule) {
+      process.stdout.write(`  Rule: ${sanitizeForDisplay(decision.rule)}
+`);
+    }
+    if (decision.message) {
+      process.stdout.write(`  ${sanitizeForDisplay(decision.message)}
+`);
+    }
+  }
+}
+async function runCheck(inputStr, configPath) {
+  if (!inputStr && process.stdin.isTTY) {
+    process.stderr.write(`Usage: mcpwall check --input '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/tmp/test.txt"}}}'
+`);
+    process.stderr.write(`       echo '{"jsonrpc":"2.0",...}' | mcpwall check
+`);
+    process.exit(1);
+  }
+  const raw = inputStr ?? await readStdin();
+  if (Buffer.byteLength(raw, "utf-8") > MAX_INPUT_BYTES) {
+    process.stderr.write("[mcpwall] Error: input exceeds 10MB limit\n");
+    process.exit(2);
+  }
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    process.stderr.write("[mcpwall] Error: empty input\n");
+    process.exit(2);
+  }
+  const parsed = parseJsonRpcLineEx(trimmed);
+  if (!parsed) {
+    process.stderr.write('[mcpwall] Error: invalid JSON-RPC message (must have jsonrpc: "2.0")\n');
+    process.exit(2);
+  }
+  let config;
+  try {
+    config = await loadConfig(configPath);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    process.stderr.write(`[mcpwall] Error loading config: ${message}
+`);
+    process.exit(2);
+  }
+  const inboundEngine = new PolicyEngine(config);
+  const outboundEngine = config.outbound_rules?.length ? new OutboundPolicyEngine(config) : void 0;
+  const messages = parsed.type === "batch" ? parsed.messages : [parsed.message];
+  let anyDenied = false;
+  for (const msg of messages) {
+    if (msg.method) {
+      const decision = inboundEngine.evaluate(msg);
+      printInboundDecision(decision, msg);
+      if (decision.action === "deny") {
+        anyDenied = true;
+      }
+    } else if (msg.result !== void 0 || msg.error !== void 0) {
+      if (outboundEngine) {
+        const decision = outboundEngine.evaluate(msg);
+        printOutboundDecision(decision, msg);
+        if (decision.action === "deny" || decision.action === "redact") {
+          anyDenied = true;
+        }
+      } else {
+        process.stdout.write(`\u2713 ALLOW  (response)
+`);
+        process.stdout.write(`  No outbound rules configured
+`);
+      }
+    } else {
+      const decision = inboundEngine.evaluate(msg);
+      printInboundDecision(decision, msg);
+      if (decision.action === "deny") {
+        anyDenied = true;
+      }
+    }
+  }
+  if (anyDenied) {
+    process.exit(1);
+  }
+}
+
 // src/index.ts
 var require2 = createRequire(import.meta.url);
 var { version } = require2("../package.json");
@@ -1058,6 +1669,7 @@ if (dashDashIndex !== -1) {
         config.settings.log_level = options.logLevel;
       }
       const policyEngine = new PolicyEngine(config);
+      const outboundPolicyEngine = config.outbound_rules?.length ? new OutboundPolicyEngine(config) : void 0;
       const logger = new Logger({
         logDir: config.settings.log_dir,
         logLevel: config.settings.log_level
@@ -1067,7 +1679,9 @@ if (dashDashIndex !== -1) {
         args,
         policyEngine,
         logger,
-        logArgs: config.settings.log_args
+        logArgs: config.settings.log_args,
+        outboundPolicyEngine,
+        logRedacted: config.settings.log_redacted
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -1078,9 +1692,20 @@ if (dashDashIndex !== -1) {
   })();
 } else {
   program.name("mcpwall").description("Deterministic security proxy for MCP tool calls").version(version);
-  program.command("init").description("Interactive setup wizard to wrap existing MCP servers").action(async () => {
+  program.command("init").description("Interactive setup wizard to wrap existing MCP servers").option("--profile <name>", "use a named security profile (local-dev, company-laptop, strict)").action(async (options) => {
+    try {
+      await runInit(options.profile);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`[mcpwall] Error: ${message}
+`);
+      process.exit(1);
+    }
+  });
+  program.command("check").description("dry-run: test a JSON-RPC message against your rules without running the proxy").option("--input <json>", "JSON-RPC message as a string (reads from stdin if not provided)").action(async (options) => {
+    const globalOptions = program.opts();
     try {
-      await runInit();
+      await runCheck(options.input, globalOptions.config);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       process.stderr.write(`[mcpwall] Error: ${message}