mstro-app 0.3.7 → 0.3.9

package/dist/server/mcp/bouncer-integration.js

@@ -33,7 +33,7 @@
 import { spawn } from 'node:child_process';
 import { AnalyticsEvents, trackEvent } from '../services/analytics.js';
 import { captureException } from '../services/sentry.js';
-import { CRITICAL_THREATS, matchesPattern, requiresAIReview, SAFE_OPERATIONS } from './security-patterns.js';
+import { CRITICAL_THREATS, matchesPattern, normalizeOperation, requiresAIReview, SAFE_OPERATIONS } from './security-patterns.js';
 /** Timeout for Haiku bouncer subprocess calls (ms). Configurable via env var. */
 const HAIKU_TIMEOUT_MS = parseInt(process.env.BOUNCER_HAIKU_TIMEOUT_MS || '10000', 10);
 // ========== Decision Cache ==========
@@ -51,6 +51,10 @@ function getCachedDecision(operation) {
     }
     return entry.decision;
 }
+/** Clear the decision cache. Exposed for testing statistical reliability (multiple runs per operation). */
+export function clearDecisionCache() {
+    decisionCache.clear();
+}
 function cacheDecision(operation, decision) {
     // Don't cache low-confidence or error-fallback decisions
     if (decision.confidence < 50)
@@ -226,13 +230,44 @@ function finalizeDecision(operation, decision, layer, startTime, context, logFn,
         cacheDecision(operation, decision);
     return decision;
 }
+/**
+ * Layer 2: Haiku AI analysis with timeout/error handling.
+ */
+async function runHaikuAnalysis(request, operation, startTime, fin) {
+    if (process.env.BOUNCER_USE_AI === 'false') {
+        console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
+        return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
+    }
+    console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
+    trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
+    const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
+    const workingDir = request.context?.workingDirectory || process.cwd();
+    try {
+        const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
+        console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
+        console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
+        return fin(decision, 'haiku-ai');
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        if (errorMessage.includes('timed out')) {
+            console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
+            captureException(error, { context: 'bouncer.haiku_timeout', operation });
+            return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
+        }
+        console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
+        captureException(error, { context: 'bouncer.haiku_analysis', operation });
+        return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
+    }
+}
 /**
  * Main bouncer review function - 2-layer hybrid system
  */
 export async function reviewOperation(request) {
     const { logBouncerDecision } = await import('./security-audit.js');
     const startTime = performance.now();
-    const { operation } = request;
+    const { operation: rawOperation } = request;
+    const operation = normalizeOperation(rawOperation);
     const fin = (d, layer, opts) => finalizeDecision(operation, d, layer, startTime, request.context, logBouncerDecision, opts);
     // Check cache first
     const cached = getCachedDecision(operation);
@@ -252,14 +287,9 @@ export async function reviewOperation(request) {
         return fin({ decision: 'allow', confidence: 95, reasoning: 'Empty tool parameters - operation is a no-op with no side effects.', threatLevel: 'low' }, 'pattern-noop', { skipAnalytics: true });
     }
     // LAYER 1: Pattern-Based Fast Path (< 5ms)
-    // Check safe operations FIRST — allows trusted sources (e.g., brew, rustup)
-    // to pass before hitting critical threat patterns like curl|bash
-    const safeOperation = matchesPattern(operation, SAFE_OPERATIONS);
-    if (safeOperation) {
-        console.error('[Bouncer] ⚡ Fast path: Safe operation approved');
-        return fin({ decision: 'allow', confidence: 95, reasoning: 'Operation matches known-safe patterns. No security concerns detected.', threatLevel: 'low' }, 'pattern-safe');
-    }
-    // Critical threats (rm -rf /, fork bombs) — ALWAYS denied
+    // Critical threats (rm -rf /, fork bombs) — ALWAYS denied, checked first
+    // to prevent chained commands (e.g., "echo hello; rm -rf /") from bypassing
+    // via a safe prefix match.
     const criticalThreat = matchesPattern(operation, CRITICAL_THREATS);
     if (criticalThreat) {
         console.error('[Bouncer] ⚡ Fast path: CRITICAL THREAT detected');
@@ -269,37 +299,23 @@ export async function reviewOperation(request) {
             enforceable: true,
         }, 'pattern-critical');
     }
-    // LAYER 2: Haiku AI Analysis (~200-500ms)
-    // Default allow for operations that don't need AI review
+    // Use requiresAIReview() for nuanced routing — handles sensitive paths,
+    // safe operations with guards (chain operators, pipes, expansion), and
+    // exfiltration patterns in a single consistent check.
     if (!requiresAIReview(operation)) {
-        console.error('[Bouncer] ⚡ Fast path: No concerning patterns, allowing');
-        return fin({ decision: 'allow', confidence: 80, reasoning: 'Operation appears safe based on pattern analysis. No obvious threats detected.', threatLevel: 'low' }, 'pattern-default');
-    }
-    if (process.env.BOUNCER_USE_AI === 'false') {
-        console.error('[Bouncer] AI analysis disabled (BOUNCER_USE_AI=false)');
-        return fin({ decision: 'warn_allow', confidence: 60, reasoning: 'Operation requires review but AI analysis is disabled. Proceeding with caution.', threatLevel: 'medium' }, 'ai-disabled', { skipCache: true, skipAnalytics: true });
-    }
-    console.error('[Bouncer] 🤖 Invoking Haiku for AI analysis...');
-    trackEvent(AnalyticsEvents.BOUNCER_HAIKU_REVIEW, { operation_length: operation.length });
-    const claudeCommand = process.env.CLAUDE_COMMAND || 'claude';
-    const workingDir = request.context?.workingDirectory || process.cwd();
-    try {
-        const decision = await analyzeWithHaiku(request, claudeCommand, workingDir);
-        console.error(`[Bouncer] ✓ Haiku decision: ${decision.decision} (${decision.confidence}% confidence) [${Math.round(performance.now() - startTime)}ms]`);
-        console.error(`[Bouncer] Reasoning: ${decision.reasoning}`);
-        return fin(decision, 'haiku-ai');
-    }
-    catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        if (errorMessage.includes('timed out')) {
-            console.error(`[Bouncer] ⚠️  Haiku analysis timed out after ${HAIKU_TIMEOUT_MS}ms — defaulting to ALLOW`);
-            captureException(error, { context: 'bouncer.haiku_timeout', operation });
-            return fin({ decision: 'allow', confidence: 50, reasoning: `Security analysis timed out after ${HAIKU_TIMEOUT_MS}ms. Defaulting to allow — user initiated the action.`, threatLevel: 'medium' }, 'haiku-timeout', { skipCache: true });
-        }
-        console.error(`[Bouncer] ⚠️  Haiku analysis failed: ${errorMessage}`);
-        captureException(error, { context: 'bouncer.haiku_analysis', operation });
-        return fin({ decision: 'deny', confidence: 0, reasoning: `Security analysis failed: ${errorMessage}. Denying for safety.`, threatLevel: 'critical' }, 'ai-error', { skipCache: true, skipAnalytics: true, error: errorMessage });
+        const isSafe = matchesPattern(operation, SAFE_OPERATIONS);
+        console.error(`[Bouncer] ⚡ Fast path: ${isSafe ? 'Safe operation approved' : 'No concerning patterns, allowing'}`);
+        return fin({
+            decision: 'allow',
+            confidence: isSafe ? 95 : 80,
+            reasoning: isSafe
+                ? 'Operation matches known-safe patterns. No security concerns detected.'
+                : 'Operation appears safe based on pattern analysis. No obvious threats detected.',
+            threatLevel: 'low'
+        }, isSafe ? 'pattern-safe' : 'pattern-default');
     }
+    // LAYER 2: Haiku AI Analysis (~200-500ms)
+    return runHaikuAnalysis(request, operation, startTime, fin);
 }
 /**
  * Export risk classification utility

package/dist/server/mcp/bouncer-integration.js.map

@@ -1 +1 @@
-{"version":3,"file":"bouncer-integration.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-integration.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAEhC,iFAAiF;AACjF,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,OAAO,EAAE,EAAE,CAAC,CAAC;AAEvF,uCAAuC;AAEvC,0CAA0C;AAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,QAAQ,EAAE,EAAE,CAAC,CAAC;AAChF,MAAM,cAAc,GAAG,GAAG,CAAC;AAO3B,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAC;AAExD,SAAS,iBAAiB,CAAC,SAAiB;IAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC,QAAQ,CAAC;AACxB,CAAC;AAED,SAAS,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACjE,yDAAyD;IACzD,IAAI,QAAQ,CAAC,UAAU,GAAG,EAAE;QAAE,OAAO;IACrC,wCAAwC;IACxC,IAAI,aAAa,CAAC,IAAI,IAAI,cAAc,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACnD,IAAI,QAAQ,KAAK,SAAS;YAAE,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;AACnF,CAAC;AA2BD,+CAA+C;AAE/C,SAAS,qBAAqB,CAAC,IAAY;IACzC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;YACzD,OAAO,OAAO,CAAC,MAAM,CAAC;QACxB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gBAAgB;IAClB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAY;IACvC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC9D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACrD,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA+B;IACvD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,MAAM,CAAC,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IACvD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,oCAAoC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAuC;QACxD,UAAU,EAAG,MAAM,CAAC,UAAqB,IAAI,CAAC;QAC9C,SAAS,EAAG,MAAM,CAAC,SAAoB,IAAI,uBAAuB;QAClE,WAAW,EAAG,MAAM,CAAC,YAA+C,IAAI,QAAQ;QAChF,WAAW,EAAE,MAAM,CAAC,WAAiC;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACjE,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAEvF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,gBAAgB,CAC7B,OAA6B,EAC7B,gBAAwB,QAAQ,EAChC,cAAsB,OAAO,CAAC,GAAG,EAAE;IAEnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG;;aAEN,OAAO,CAAC,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;2GA0B6E,CAAC;QAExG,MAAM,IAAI,GAAG;YACX,SAAS;YACT,iBAAiB,EAAE,MAAM;YACzB,SAAS,EAAE,OAAO;SACnB,CAAC;QAEF,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,EAAE,IAAI,EAAE;YACvC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,wBAAwB;QACxB,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAElB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,sDAAsD;QACtD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAErB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,WAAW,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,gBAAgB,IAAI,CAAC,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YAED,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,IAAI,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBACnD,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpB,CAAC;YAAC,OAAO,KAAc,EAAE,CAAC;gBACxB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;gBACvD,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;YACjH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,SAAiB,EACjB,QAAyB,EACzB,KAAa,EACb,SAAiB,EACjB,OAAwC,EACxC,KAAiE,EACjE,IAAuE;IAEvE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAE5D,KAAK,CAAC,SAAS,EAAE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,SAAS,EAAE;QAC3E,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;KACxG,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,mBAAmB,CAAC,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;QACxH,UAAU,CAAC,KAAK,EAAE;YAChB,KAAK;YACL,gBAAgB,EAAE,SAAS,CAAC,MAAM;YAClC,YAAY,EAAE,QAAQ,CAAC,WAAW;YAClC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,UAAU,EAAE,SAAS;SACtB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,SAAS;QAAE,aAAa,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACzD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAA6B;IACjE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IACnE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAC9B,MAAM,GAAG,GAAG,CAAC,CAAkB,EAAE,KAAa,EAAE,IAA6C,EAAE,EAAE,CAC/F,gBAAgB,CAAC,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9F,oBAAoB;IACpB,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,0BAA0B,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;QACnF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAClD,OAAO,CAAC,KAAK,CAAC,wBAAwB,SAAS,EAAE,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,2BAA2B,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,CAAC;IAC7C,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtF,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,oEAAoE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,cAAc,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAClM,CAAC;IAED,2CAA2C;IAE3C,4EAA4E;IAC5E,iEAAiE;IACjE,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAChE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,uEAAuE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;IAC5K,CAAC;IAED,0DAA0D;IAC1D,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACjE,OAAO,GAAG,CAAC;YACT,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,uBAAuB,cAAc,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,UAAU;YACpH,WAAW,EAAE,qJAAqJ;YAClK,WAAW,EAAE,IAAI;SAClB,EAAE,kBAAkB,CAAC,CAAC;IACzB,CAAC;IAED,0CAA0C;IAE1C,yDAAyD;IACzD,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACzE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,gFAAgF,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,iBAAiB,CAAC,CAAC;IACxL,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,iFAAiF,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACvO,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;IAChE,UAAU,CAAC,eAAe,CAAC,oBAAoB,EAAE,EAAE,gBAAgB,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAEzF,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,QAAQ,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,gBAAgB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAEtE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,UAAU,kBAAkB,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACxJ,OAAO,CAAC,KAAK,CAAC,wBAAwB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5D,OAAO,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE5E,IAAI,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,KAAK,CAAC,gDAAgD,gBAAgB,0BAA0B,CAAC,CAAC;YAC1G,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,SAAS,EAAE,CAAC,CAAC;YACzE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,qCAAqC,gBAAgB,sDAAsD,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzO,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,wCAAwC,YAAY,EAAE,CAAC,CAAC;QACtE,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,6BAA6B,YAAY,uBAAuB,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;IACnO,CAAC;AACH,CAAC;AAED;;GAEG;AACH,OAAO,EAAE,YAAY,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE/E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAA6B,EAC7B,QAAiB,IAAI;IAErB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,OAAO,CAAC;IACvC,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACpC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"bouncer-integration.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-integration.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAEhC,iFAAiF;AACjF,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,OAAO,EAAE,EAAE,CAAC,CAAC;AAEvF,uCAAuC;AAEvC,0CAA0C;AAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,QAAQ,EAAE,EAAE,CAAC,CAAC;AAChF,MAAM,cAAc,GAAG,GAAG,CAAC;AAO3B,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAC;AAExD,SAAS,iBAAiB,CAAC,SAAiB;IAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC,QAAQ,CAAC;AACxB,CAAC;AAED,2GAA2G;AAC3G,MAAM,UAAU,kBAAkB;IAChC,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACjE,yDAAyD;IACzD,IAAI,QAAQ,CAAC,UAAU,GAAG,EAAE;QAAE,OAAO;IACrC,wCAAwC;IACxC,IAAI,aAAa,CAAC,IAAI,IAAI,cAAc,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACnD,IAAI,QAAQ,KAAK,SAAS;YAAE,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;AACnF,CAAC;AA2BD,+CAA+C;AAE/C,SAAS,qBAAqB,CAAC,IAAY;IACzC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;YACzD,OAAO,OAAO,CAAC,MAAM,CAAC;QACxB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gBAAgB;IAClB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAY;IACvC,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC9D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACrD,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA+B;IACvD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,MAAM,CAAC,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IACvD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,oCAAoC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAuC;QACxD,UAAU,EAAG,MAAM,CAAC,UAAqB,IAAI,CAAC;QAC9C,SAAS,EAAG,MAAM,CAAC,SAAoB,IAAI,uBAAuB;QAClE,WAAW,EAAG,MAAM,CAAC,YAA+C,IAAI,QAAQ;QAChF,WAAW,EAAE,MAAM,CAAC,WAAiC;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACjE,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAEvF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,gBAAgB,CAC7B,OAA6B,EAC7B,gBAAwB,QAAQ,EAChC,cAAsB,OAAO,CAAC,GAAG,EAAE;IAEnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG;;aAEN,OAAO,CAAC,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;2GA0B6E,CAAC;QAExG,MAAM,IAAI,GAAG;YACX,SAAS;YACT,iBAAiB,EAAE,MAAM;YACzB,SAAS,EAAE,OAAO;SACnB,CAAC;QAEF,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,EAAE,IAAI,EAAE;YACvC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,wBAAwB;QACxB,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAElB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,sDAAsD;QACtD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAErB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,WAAW,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,gBAAgB,IAAI,CAAC,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YAED,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,IAAI,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBACnD,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpB,CAAC;YAAC,OAAO,KAAc,EAAE,CAAC;gBACxB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;gBACvD,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;YACjH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,SAAiB,EACjB,QAAyB,EACzB,KAAa,EACb,SAAiB,EACjB,OAAwC,EACxC,KAAiE,EACjE,IAAuE;IAEvE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAE5D,KAAK,CAAC,SAAS,EAAE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,SAAS,EAAE;QAC3E,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;KACxG,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,mBAAmB,CAAC,CAAC,CAAC,eAAe,CAAC,oBAAoB,CAAC;QACxH,UAAU,CAAC,KAAK,EAAE;YAChB,KAAK;YACL,gBAAgB,EAAE,SAAS,CAAC,MAAM;YAClC,YAAY,EAAE,QAAQ,CAAC,WAAW;YAClC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,UAAU,EAAE,SAAS;SACtB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,SAAS;QAAE,aAAa,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACzD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAC7B,OAA6B,EAC7B,SAAiB,EACjB,SAAiB,EACjB,GAA0G;IAE1G,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,iFAAiF,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACvO,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;IAChE,UAAU,CAAC,eAAe,CAAC,oBAAoB,EAAE,EAAE,gBAAgB,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAEzF,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,QAAQ,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,gBAAgB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAEtE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;QAC5E,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,UAAU,kBAAkB,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACxJ,OAAO,CAAC,KAAK,CAAC,wBAAwB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5D,OAAO,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE5E,IAAI,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,KAAK,CAAC,gDAAgD,gBAAgB,0BAA0B,CAAC,CAAC;YAC1G,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,SAAS,EAAE,CAAC,CAAC;YACzE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,qCAAqC,gBAAgB,sDAAsD,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzO,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,wCAAwC,YAAY,EAAE,CAAC,CAAC;QACtE,gBAAgB,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,wBAAwB,EAAE,SAAS,EAAE,CAAC,CAAC;QAC1E,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,6BAA6B,YAAY,uBAAuB,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;IACnO,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAA6B;IACjE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IACnE,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAC5C,MAAM,SAAS,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,CAAC,CAAkB,EAAE,KAAa,EAAE,IAA6C,EAAE,EAAE,CAC/F,gBAAgB,CAAC,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAE9F,oBAAoB;IACpB,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,0BAA0B,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;QACnF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAClD,OAAO,CAAC,KAAK,CAAC,wBAAwB,SAAS,EAAE,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,2BAA2B,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,SAAS,CAAC;IAC7C,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtF,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,GAAG,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,oEAAoE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,cAAc,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAClM,CAAC;IAED,2CAA2C;IAE3C,yEAAyE;IACzE,4EAA4E;IAC5E,2BAA2B;IAC3B,MAAM,cAAc,GAAG,cAAc,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACjE,OAAO,GAAG,CAAC;YACT,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,uBAAuB,cAAc,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,UAAU;YACpH,WAAW,EAAE,qJAAqJ;YAClK,WAAW,EAAE,IAAI;SAClB,EAAE,kBAAkB,CAAC,CAAC;IACzB,CAAC;IAED,wEAAwE;IACxE,uEAAuE;IACvE,sDAAsD;IACtD,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QAC1D,OAAO,CAAC,KAAK,CAAC,0BAA0B,MAAM,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,kCAAkC,EAAE,CAAC,CAAC;QACnH,OAAO,GAAG,CAAC;YACT,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE;YAC5B,SAAS,EAAE,MAAM;gBACf,CAAC,CAAC,uEAAuE;gBACzE,CAAC,CAAC,gFAAgF;YACpF,WAAW,EAAE,KAAK;SACnB,EAAE,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAClD,CAAC;IAED,0CAA0C;IAC1C,OAAO,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,OAAO,EAAE,YAAY,IAAI,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE/E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAA6B,EAC7B,QAAiB,IAAI;IAErB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,OAAO,CAAC;IACvC,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IACpC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server/mcp/bouncer-sandbox.d.ts

@@ -0,0 +1,60 @@
+export interface SandboxExecResult {
+    /** The sandboxed command that was actually run */
+    wrappedCommand: string;
+    /** Whether sandbox-runtime is available on this platform */
+    sandboxAvailable: boolean;
+    /** Whether the sandbox contained the operation (no violations) */
+    contained: boolean;
+    /** List of violation descriptions if any escaped the sandbox */
+    violations: string[];
+}
+export interface CanaryCheckResult {
+    /** Whether the canary file still exists (should be true if sandbox contained the write) */
+    canaryIntact: boolean;
+    /** Whether a file was written outside the sandbox (should be false) */
+    escapeDetected: boolean;
+}
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export declare class BouncerSandboxHarness {
+    private sandboxManager;
+    private sandboxAvailable;
+    private tempDir;
+    private canaryDir;
+    constructor();
+    /**
+     * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+     */
+    initialize(): Promise<{
+        available: boolean;
+        reason?: string;
+    }>;
+    /**
+     * Execute a command inside the sandbox. Returns containment results.
+     * If sandbox is not available, validates the bouncer decision only (no actual execution).
+     */
+    executeInSandbox(command: string): Promise<SandboxExecResult>;
+    /**
+     * Place a canary file and return a checker to verify containment.
+     * If a sandboxed command can delete or modify the canary, containment failed.
+     */
+    placeCanary(name: string): {
+        path: string;
+        check: () => CanaryCheckResult;
+    };
+    /**
+     * Get the temp directory where sandboxed commands can write.
+     */
+    getSandboxWriteDir(): string;
+    /**
+     * Whether the sandbox is actually available and initialized.
+     */
+    isAvailable(): boolean;
+    /**
+     * Clean up temp dirs and reset sandbox state.
+     */
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=bouncer-sandbox.d.ts.map

package/dist/server/mcp/bouncer-sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bouncer-sandbox.d.ts","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAuBA,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,kEAAkE;IAClE,SAAS,EAAE,OAAO,CAAC;IACnB,gEAAgE;IAChE,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,2FAA2F;IAC3F,YAAY,EAAE,OAAO,CAAC;IACtB,uEAAuE;IACvE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,cAAc,CAA0F;IAChH,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;;IAQ1B;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAiDpE;;;OAGG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAmDnE;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,iBAAiB,CAAA;KAAE;IAc3E;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAI5B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAc/B"}

package/dist/server/mcp/bouncer-sandbox.js

@@ -0,0 +1,182 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Sandbox Harness for Bouncer Testing
+ *
+ * Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
+ * sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
+ * i.e., when a malicious tool call gets through.
+ *
+ * Usage in tests:
+ *   const harness = new BouncerSandboxHarness();
+ *   await harness.initialize();
+ *   const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
+ *   expect(result.violations).toContain(...)
+ *   await harness.cleanup();
+ */
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export class BouncerSandboxHarness {
+    sandboxManager = null;
+    sandboxAvailable = false;
+    tempDir;
+    canaryDir;
+    constructor() {
+        this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
+        this.canaryDir = join(this.tempDir, 'canaries');
+        mkdirSync(this.canaryDir, { recursive: true });
+    }
+    /**
+     * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+     */
+    async initialize() {
+        try {
+            const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
+            if (!SandboxManager.isSupportedPlatform()) {
+                return { available: false, reason: 'Platform not supported by sandbox-runtime' };
+            }
+            const deps = SandboxManager.checkDependencies();
+            if (deps.errors.length > 0) {
+                return {
+                    available: false,
+                    reason: `Missing dependencies: ${deps.errors.join(', ')}`,
+                };
+            }
+            await SandboxManager.initialize({
+                network: {
+                    allowedDomains: [], // Block ALL network access
+                    deniedDomains: ['*'],
+                },
+                filesystem: {
+                    denyRead: [
+                        '/home/*/.ssh',
+                        '/home/*/.aws',
+                        '/home/*/.gnupg',
+                        '/etc/shadow',
+                        '/etc/passwd',
+                    ],
+                    allowWrite: [this.tempDir], // Only allow writes to our temp dir
+                    denyWrite: [
+                        '/',
+                        '/home',
+                        '/etc',
+                        '/usr',
+                        '/var',
+                    ],
+                },
+            });
+            this.sandboxManager = SandboxManager;
+            this.sandboxAvailable = true;
+            return { available: true };
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
+        }
+    }
+    /**
+     * Execute a command inside the sandbox. Returns containment results.
+     * If sandbox is not available, validates the bouncer decision only (no actual execution).
+     */
+    async executeInSandbox(command) {
+        if (!this.sandboxAvailable || !this.sandboxManager) {
+            return {
+                wrappedCommand: command,
+                sandboxAvailable: false,
+                contained: true,
+                violations: ['Sandbox not available — decision-only testing mode'],
+            };
+        }
+        const violations = [];
+        try {
+            const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
+            // Execute the wrapped command and capture violations
+            try {
+                execSync(wrappedCommand, {
+                    timeout: 5000,
+                    stdio: 'pipe',
+                    cwd: this.tempDir,
+                });
+            }
+            catch {
+                // Command failure inside sandbox is expected for malicious ops
+            }
+            // Check violation store
+            const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
+            if (stderr) {
+                violations.push(stderr);
+            }
+            this.sandboxManager.cleanupAfterCommand();
+            return {
+                wrappedCommand,
+                sandboxAvailable: true,
+                contained: violations.length === 0,
+                violations,
+            };
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            violations.push(`Sandbox execution error: ${msg}`);
+            return {
+                wrappedCommand: command,
+                sandboxAvailable: true,
+                contained: true, // Error means the command didn't execute
+                violations,
+            };
+        }
+    }
+    /**
+     * Place a canary file and return a checker to verify containment.
+     * If a sandboxed command can delete or modify the canary, containment failed.
+     */
+    placeCanary(name) {
+        const canaryPath = join(this.canaryDir, name);
+        const escapePath = join(this.canaryDir, `${name}.escaped`);
+        writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
+        return {
+            path: canaryPath,
+            check: () => ({
+                canaryIntact: existsSync(canaryPath),
+                escapeDetected: existsSync(escapePath),
+            }),
+        };
+    }
+    /**
+     * Get the temp directory where sandboxed commands can write.
+     */
+    getSandboxWriteDir() {
+        return this.tempDir;
+    }
+    /**
+     * Whether the sandbox is actually available and initialized.
+     */
+    isAvailable() {
+        return this.sandboxAvailable;
+    }
+    /**
+     * Clean up temp dirs and reset sandbox state.
+     */
+    async cleanup() {
+        try {
+            if (this.sandboxManager) {
+                await this.sandboxManager.reset();
+            }
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        try {
+            rmSync(this.tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+//# sourceMappingURL=bouncer-sandbox.js.map

package/dist/server/mcp/bouncer-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bouncer-sandbox.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACpF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAoBjC;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IACxB,cAAc,GAAqF,IAAI,CAAC;IACxG,gBAAgB,GAAG,KAAK,CAAC;IACzB,OAAO,CAAS;IAChB,SAAS,CAAS;IAE1B;QACE,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;YAEzE,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,EAAE,CAAC;gBAC1C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;YACnF,CAAC;YAED,MAAM,IAAI,GAAG,cAAc,CAAC,iBAAiB,EAAE,CAAC;YAChD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,SAAS,EAAE,KAAK;oBAChB,MAAM,EAAE,yBAAyB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC1D,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,CAAC,UAAU,CAAC;gBAC9B,OAAO,EAAE;oBACP,cAAc,EAAE,EAAE,EAAE,2BAA2B;oBAC/C,aAAa,EAAE,CAAC,GAAG,CAAC;iBACrB;gBACD,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,cAAc;wBACd,cAAc;wBACd,gBAAgB;wBAChB,aAAa;wBACb,aAAa;qBACd;oBACD,UAAU,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,oCAAoC;oBAChE,SAAS,EAAE;wBACT,GAAG;wBACH,OAAO;wBACP,MAAM;wBACN,MAAM;wBACN,MAAM;qBACP;iBACF;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;YACrC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC7B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,GAAG,EAAE,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,CAAC,oDAAoD,CAAC;aACnE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC;gBACH,QAAQ,CAAC,cAAc,EAAE;oBACvB,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,MAAM;oBACb,GAAG,EAAE,IAAI,CAAC,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,+DAA+D;YACjE,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iCAAiC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAClF,IAAI,MAAM,EAAE,CAAC;gBACX,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,CAAC;YAE1C,OAAO;gBACL,cAAc;gBACd,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;gBAClC,UAAU;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,UAAU,CAAC,IAAI,CAAC,4BAA4B,GAAG,EAAE,CAAC,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,IAAI,EAAE,yCAAyC;gBAC1D,UAAU;aACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,UAAU,CAAC,CAAC;QAC3D,aAAa,CAAC,UAAU,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QAE3D,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACZ,YAAY,EAAE,UAAU,CAAC,UAAU,CAAC;gBACpC,cAAc,EAAE,UAAU,CAAC,UAAU,CAAC;aACvC,CAAC;SACH,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;CACF"}

package/dist/server/mcp/security-patterns.d.ts

@@ -1,15 +1,3 @@
-/**
- * Security Patterns - Single Source of Truth
- *
- * Consolidated pattern definitions for fast-path security checks.
- * All pattern-based security decisions use this module to avoid duplication.
- *
- * PHILOSOPHY:
- * - Most operations should be evaluated by CONTEXT, not by path or extension
- * - Only truly catastrophic operations (rm -rf /, fork bombs) are auto-denied
- * - Sensitive operations (system paths, credentials) get AI review with context
- * - The question is: "Does this operation make sense given user intent?"
- */
 export interface SecurityPattern {
     pattern: RegExp;
     reason?: string;
@@ -50,6 +38,12 @@ export declare const NEEDS_AI_REVIEW: SecurityPattern[];
  * Check if operation matches any pattern in array
  */
 export declare function matchesPattern(operation: string, patterns: SecurityPattern[]): SecurityPattern | null;
+/**
+ * Normalize file paths in Write/Edit/Read operations to resolve .. traversal.
+ * Prevents path traversal attacks like "Write: /home/user/../../etc/passwd"
+ * from matching safe home-directory patterns.
+ */
+export declare function normalizeOperation(operation: string): string;
 export declare function requiresAIReview(operation: string): boolean;
 /**
  * Check if operation targets a sensitive path

package/dist/server/mcp/security-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-patterns.d.ts","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAiB5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,EAAE,eAAe,EAiC7C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAoC5C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAyB5C,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,eAAe,GAAG,IAAI,CAOrG;AAoBD,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAe3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAEzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CA2DA"}
+{"version":3,"file":"security-patterns.d.ts","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAiB5C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,EAAE,eAAe,EA0C7C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAoC5C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAqH5C,CAAC;AAEF;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,GAAG,eAAe,GAAG,IAAI,CAOrG;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAQ5D;AAgED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CA8C3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAEzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CA8DA"}