palaryn 0.1.0

package/dist/src/executor/slack-executor.js

@@ -0,0 +1,147 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SlackExecutor = void 0;
+const web_api_1 = require("@slack/web-api");
+/**
+ * Slack executor using the @slack/web-api WebClient.
+ * Handles tool calls with tool name `slack.*` (e.g., slack.post_message).
+ */
+class SlackExecutor {
+    constructor(token) {
+        this.client = new web_api_1.WebClient(token);
+    }
+    async execute(toolCall) {
+        const action = this.resolveAction(toolCall);
+        switch (action) {
+            case 'post_message':
+                return this.postMessage(toolCall);
+            case 'update_message':
+                return this.updateMessage(toolCall);
+            case 'add_reaction':
+                return this.addReaction(toolCall);
+            case 'list_channels':
+                return this.listChannels(toolCall);
+            case 'channel_history':
+                return this.channelHistory(toolCall);
+            case 'upload_file':
+                return this.uploadFile(toolCall);
+            default:
+                throw new Error(`Unsupported Slack action: ${action}`);
+        }
+    }
+    /**
+     * Resolve the Slack action from either `args.action` or the tool name suffix.
+     * e.g., tool name "slack.post_message" yields action "post_message".
+     */
+    resolveAction(toolCall) {
+        if (toolCall.args.action && typeof toolCall.args.action === 'string') {
+            return toolCall.args.action;
+        }
+        const toolName = toolCall.tool.name;
+        const dotIndex = toolName.indexOf('.');
+        if (dotIndex !== -1) {
+            return toolName.substring(dotIndex + 1);
+        }
+        throw new Error(`Unsupported Slack action: ${toolName}`);
+    }
+    // Post a message to a channel
+    async postMessage(toolCall) {
+        const { channel, text, blocks } = toolCall.args;
+        if (!channel || typeof channel !== 'string') {
+            throw new Error('Missing or invalid "channel" argument for slack.post_message');
+        }
+        if (!text || typeof text !== 'string') {
+            throw new Error('Missing or invalid "text" argument for slack.post_message');
+        }
+        const result = await this.client.chat.postMessage({
+            channel,
+            text,
+            ...(blocks ? { blocks: blocks } : {}),
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+    // Update an existing message
+    async updateMessage(toolCall) {
+        const { channel, ts, text, blocks } = toolCall.args;
+        if (!channel || typeof channel !== 'string') {
+            throw new Error('Missing or invalid "channel" argument for slack.update_message');
+        }
+        if (!ts || typeof ts !== 'string') {
+            throw new Error('Missing or invalid "ts" argument for slack.update_message');
+        }
+        if (!text || typeof text !== 'string') {
+            throw new Error('Missing or invalid "text" argument for slack.update_message');
+        }
+        const result = await this.client.chat.update({
+            channel,
+            ts,
+            text,
+            ...(blocks ? { blocks: blocks } : {}),
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+    // Add a reaction to a message
+    async addReaction(toolCall) {
+        const { channel, timestamp, name } = toolCall.args;
+        if (!channel || typeof channel !== 'string') {
+            throw new Error('Missing or invalid "channel" argument for slack.add_reaction');
+        }
+        if (!timestamp || typeof timestamp !== 'string') {
+            throw new Error('Missing or invalid "timestamp" argument for slack.add_reaction');
+        }
+        if (!name || typeof name !== 'string') {
+            throw new Error('Missing or invalid "name" argument for slack.add_reaction');
+        }
+        const result = await this.client.reactions.add({
+            channel,
+            timestamp,
+            name,
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+    // List channels
+    async listChannels(toolCall) {
+        const { types, limit } = toolCall.args;
+        const result = await this.client.conversations.list({
+            types: types || 'public_channel',
+            ...(limit ? { limit: limit } : {}),
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+    // Get channel history
+    async channelHistory(toolCall) {
+        const { channel, limit, oldest, latest } = toolCall.args;
+        if (!channel || typeof channel !== 'string') {
+            throw new Error('Missing or invalid "channel" argument for slack.channel_history');
+        }
+        const result = await this.client.conversations.history({
+            channel,
+            ...(limit ? { limit: limit } : {}),
+            ...(oldest ? { oldest: oldest } : {}),
+            ...(latest ? { latest: latest } : {}),
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+    // Upload a file
+    async uploadFile(toolCall) {
+        const { channels, content, filename, title } = toolCall.args;
+        if (!channels || typeof channels !== 'string') {
+            throw new Error('Missing or invalid "channels" argument for slack.upload_file');
+        }
+        if (!content || typeof content !== 'string') {
+            throw new Error('Missing or invalid "content" argument for slack.upload_file');
+        }
+        if (!filename || typeof filename !== 'string') {
+            throw new Error('Missing or invalid "filename" argument for slack.upload_file');
+        }
+        const result = await this.client.files.upload({
+            channels,
+            content,
+            filename,
+            ...(title ? { title: title } : {}),
+        });
+        return { http_status: 200, body: result, headers: {} };
+    }
+}
+exports.SlackExecutor = SlackExecutor;
+//# sourceMappingURL=slack-executor.js.map

package/dist/src/executor/slack-executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"slack-executor.js","sourceRoot":"","sources":["../../../src/executor/slack-executor.ts"],"names":[],"mappings":";;;AAAA,4CAA2C;AAK3C;;;GAGG;AACH,MAAa,aAAa;IAGxB,YAAY,KAAa;QACvB,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAS,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAkB;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAE5C,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,cAAc;gBACjB,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;YACpC,KAAK,gBAAgB;gBACnB,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACtC,KAAK,cAAc;gBACjB,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;YACpC,KAAK,eAAe;gBAClB,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YACrC,KAAK,iBAAiB;gBACpB,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACvC,KAAK,aAAa;gBAChB,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACnC;gBACE,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,aAAa,CAAC,QAAkB;QACtC,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,OAAO,QAAQ,CAAC,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrE,OAAO,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;QAC9B,CAAC;QAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;QACpC,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;YACpB,OAAO,QAAQ,CAAC,SAAS,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,8BAA8B;IACtB,KAAK,CAAC,WAAW,CAAC,QAAkB;QAC1C,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAEhD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC;YAChD,OAAO;YACP,IAAI;YACJ,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnD,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,6BAA6B;IACrB,KAAK,CAAC,aAAa,CAAC,QAAkB;QAC5C,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAEpD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;YAC3C,OAAO;YACP,EAAE;YACF,IAAI;YACJ,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnD,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,8BAA8B;IACtB,KAAK,CAAC,WAAW,CAAC,QAAkB;QAC1C,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAEnD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC;YAC7C,OAAO;YACP,SAAS;YACT,IAAI;SACL,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,gBAAgB;IACR,KAAK,CAAC,YAAY,CAAC,QAAkB;QAC3C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC;YAClD,KAAK,EAAG,KAAgB,IAAI,gBAAgB;YAC5C,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7C,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,sBAAsB;IACd,KAAK,CAAC,cAAc,CAAC,QAAkB;QAC7C,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAEzD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC;YACrD,OAAO;YACP,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChD,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,gBAAgB;IACR,KAAK,CAAC,UAAU,CAAC,QAAkB;QACzC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC;QAE7D,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;YAC5C,QAAQ;YACR,OAAO;YACP,QAAQ;YACR,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7C,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;CACF;AAtKD,sCAsKC"}

package/dist/src/index.d.ts

@@ -0,0 +1,25 @@
+export { Gateway, PreExecuteResult } from './server/gateway';
+export { createApp, HealthCheck, HealthCheckResult, CreateAppResult } from './server/app';
+export { sendError, ErrorCode, ErrorResponse } from './server/errors';
+export { PolicyEngine, OPAEngine } from './policy';
+export { DLPScanner, DLPBackend, DLPDetection, RegexDLPBackend, TruffleHogBackend, CompositeDLPScanner } from './dlp';
+export { BudgetManager, CostRecord } from './budget/manager';
+export { UsageExtractor } from './budget/usage-extractor';
+export { AuditLogger } from './audit/logger';
+export { ToolExecutor, ExecutorRegistry, HttpExecutor, NoopExecutor, SlackExecutor } from './executor';
+export { ApprovalManager } from './approval/manager';
+export { ApprovalWebhook } from './approval/webhook';
+export { RateLimiter } from './ratelimit/limiter';
+export { GatewayMetrics } from './metrics';
+export { GatewayTracer, TracingConfig } from './tracing';
+export { DEFAULT_CONFIG } from './config/defaults';
+export { validateConfig, ConfigIssue, ConfigValidationResult } from './config/validate';
+export * from './storage';
+export { MCPBridge, startMCPBridge } from './mcp';
+export { createAdminRouter } from './admin';
+export { parseProxyAuth, ProxyAuthResult } from './middleware/auth';
+export { AnomalyDetector, AnomalyConfig, AnomalyAlert, AnomalyType } from './anomaly';
+export { createForwardProxy, buildToolCallFromProxy, ForwardProxyServer } from './proxy';
+export { SessionReplayEngine, ReplayComparison, ReplayResult } from './replay';
+export * from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,OAAO,CAAC;AACtH,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AACvG,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AACxF,cAAc,WAAW,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACtF,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC/E,cAAc,SAAS,CAAC"}

package/dist/src/index.js

@@ -0,0 +1,74 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionReplayEngine = exports.buildToolCallFromProxy = exports.createForwardProxy = exports.AnomalyDetector = exports.parseProxyAuth = exports.createAdminRouter = exports.startMCPBridge = exports.MCPBridge = exports.validateConfig = exports.DEFAULT_CONFIG = exports.GatewayTracer = exports.GatewayMetrics = exports.RateLimiter = exports.ApprovalWebhook = exports.ApprovalManager = exports.SlackExecutor = exports.NoopExecutor = exports.HttpExecutor = exports.ExecutorRegistry = exports.AuditLogger = exports.UsageExtractor = exports.BudgetManager = exports.CompositeDLPScanner = exports.TruffleHogBackend = exports.RegexDLPBackend = exports.DLPScanner = exports.OPAEngine = exports.PolicyEngine = exports.ErrorCode = exports.sendError = exports.createApp = exports.Gateway = void 0;
+var gateway_1 = require("./server/gateway");
+Object.defineProperty(exports, "Gateway", { enumerable: true, get: function () { return gateway_1.Gateway; } });
+var app_1 = require("./server/app");
+Object.defineProperty(exports, "createApp", { enumerable: true, get: function () { return app_1.createApp; } });
+var errors_1 = require("./server/errors");
+Object.defineProperty(exports, "sendError", { enumerable: true, get: function () { return errors_1.sendError; } });
+Object.defineProperty(exports, "ErrorCode", { enumerable: true, get: function () { return errors_1.ErrorCode; } });
+var policy_1 = require("./policy");
+Object.defineProperty(exports, "PolicyEngine", { enumerable: true, get: function () { return policy_1.PolicyEngine; } });
+Object.defineProperty(exports, "OPAEngine", { enumerable: true, get: function () { return policy_1.OPAEngine; } });
+var dlp_1 = require("./dlp");
+Object.defineProperty(exports, "DLPScanner", { enumerable: true, get: function () { return dlp_1.DLPScanner; } });
+Object.defineProperty(exports, "RegexDLPBackend", { enumerable: true, get: function () { return dlp_1.RegexDLPBackend; } });
+Object.defineProperty(exports, "TruffleHogBackend", { enumerable: true, get: function () { return dlp_1.TruffleHogBackend; } });
+Object.defineProperty(exports, "CompositeDLPScanner", { enumerable: true, get: function () { return dlp_1.CompositeDLPScanner; } });
+var manager_1 = require("./budget/manager");
+Object.defineProperty(exports, "BudgetManager", { enumerable: true, get: function () { return manager_1.BudgetManager; } });
+var usage_extractor_1 = require("./budget/usage-extractor");
+Object.defineProperty(exports, "UsageExtractor", { enumerable: true, get: function () { return usage_extractor_1.UsageExtractor; } });
+var logger_1 = require("./audit/logger");
+Object.defineProperty(exports, "AuditLogger", { enumerable: true, get: function () { return logger_1.AuditLogger; } });
+var executor_1 = require("./executor");
+Object.defineProperty(exports, "ExecutorRegistry", { enumerable: true, get: function () { return executor_1.ExecutorRegistry; } });
+Object.defineProperty(exports, "HttpExecutor", { enumerable: true, get: function () { return executor_1.HttpExecutor; } });
+Object.defineProperty(exports, "NoopExecutor", { enumerable: true, get: function () { return executor_1.NoopExecutor; } });
+Object.defineProperty(exports, "SlackExecutor", { enumerable: true, get: function () { return executor_1.SlackExecutor; } });
+var manager_2 = require("./approval/manager");
+Object.defineProperty(exports, "ApprovalManager", { enumerable: true, get: function () { return manager_2.ApprovalManager; } });
+var webhook_1 = require("./approval/webhook");
+Object.defineProperty(exports, "ApprovalWebhook", { enumerable: true, get: function () { return webhook_1.ApprovalWebhook; } });
+var limiter_1 = require("./ratelimit/limiter");
+Object.defineProperty(exports, "RateLimiter", { enumerable: true, get: function () { return limiter_1.RateLimiter; } });
+var metrics_1 = require("./metrics");
+Object.defineProperty(exports, "GatewayMetrics", { enumerable: true, get: function () { return metrics_1.GatewayMetrics; } });
+var tracing_1 = require("./tracing");
+Object.defineProperty(exports, "GatewayTracer", { enumerable: true, get: function () { return tracing_1.GatewayTracer; } });
+var defaults_1 = require("./config/defaults");
+Object.defineProperty(exports, "DEFAULT_CONFIG", { enumerable: true, get: function () { return defaults_1.DEFAULT_CONFIG; } });
+var validate_1 = require("./config/validate");
+Object.defineProperty(exports, "validateConfig", { enumerable: true, get: function () { return validate_1.validateConfig; } });
+__exportStar(require("./storage"), exports);
+var mcp_1 = require("./mcp");
+Object.defineProperty(exports, "MCPBridge", { enumerable: true, get: function () { return mcp_1.MCPBridge; } });
+Object.defineProperty(exports, "startMCPBridge", { enumerable: true, get: function () { return mcp_1.startMCPBridge; } });
+var admin_1 = require("./admin");
+Object.defineProperty(exports, "createAdminRouter", { enumerable: true, get: function () { return admin_1.createAdminRouter; } });
+var auth_1 = require("./middleware/auth");
+Object.defineProperty(exports, "parseProxyAuth", { enumerable: true, get: function () { return auth_1.parseProxyAuth; } });
+var anomaly_1 = require("./anomaly");
+Object.defineProperty(exports, "AnomalyDetector", { enumerable: true, get: function () { return anomaly_1.AnomalyDetector; } });
+var proxy_1 = require("./proxy");
+Object.defineProperty(exports, "createForwardProxy", { enumerable: true, get: function () { return proxy_1.createForwardProxy; } });
+Object.defineProperty(exports, "buildToolCallFromProxy", { enumerable: true, get: function () { return proxy_1.buildToolCallFromProxy; } });
+var replay_1 = require("./replay");
+Object.defineProperty(exports, "SessionReplayEngine", { enumerable: true, get: function () { return replay_1.SessionReplayEngine; } });
+__exportStar(require("./types"), exports);
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,4CAA6D;AAApD,kGAAA,OAAO,OAAA;AAChB,oCAA0F;AAAjF,gGAAA,SAAS,OAAA;AAClB,0CAAsE;AAA7D,mGAAA,SAAS,OAAA;AAAE,mGAAA,SAAS,OAAA;AAC7B,mCAAmD;AAA1C,sGAAA,YAAY,OAAA;AAAE,mGAAA,SAAS,OAAA;AAChC,6BAAsH;AAA7G,iGAAA,UAAU,OAAA;AAA4B,sGAAA,eAAe,OAAA;AAAE,wGAAA,iBAAiB,OAAA;AAAE,0GAAA,mBAAmB,OAAA;AACtG,4CAA6D;AAApD,wGAAA,aAAa,OAAA;AACtB,4DAA0D;AAAjD,iHAAA,cAAc,OAAA;AACvB,yCAA6C;AAApC,qGAAA,WAAW,OAAA;AACpB,uCAAuG;AAAhF,4GAAA,gBAAgB,OAAA;AAAE,wGAAA,YAAY,OAAA;AAAE,wGAAA,YAAY,OAAA;AAAE,yGAAA,aAAa,OAAA;AAClF,8CAAqD;AAA5C,0GAAA,eAAe,OAAA;AACxB,8CAAqD;AAA5C,0GAAA,eAAe,OAAA;AACxB,+CAAkD;AAAzC,sGAAA,WAAW,OAAA;AACpB,qCAA2C;AAAlC,yGAAA,cAAc,OAAA;AACvB,qCAAyD;AAAhD,wGAAA,aAAa,OAAA;AACtB,8CAAmD;AAA1C,0GAAA,cAAc,OAAA;AACvB,8CAAwF;AAA/E,0GAAA,cAAc,OAAA;AACvB,4CAA0B;AAC1B,6BAAkD;AAAzC,gGAAA,SAAS,OAAA;AAAE,qGAAA,cAAc,OAAA;AAClC,iCAA4C;AAAnC,0GAAA,iBAAiB,OAAA;AAC1B,0CAAoE;AAA3D,sGAAA,cAAc,OAAA;AACvB,qCAAsF;AAA7E,0GAAA,eAAe,OAAA;AACxB,iCAAyF;AAAhF,2GAAA,kBAAkB,OAAA;AAAE,+GAAA,sBAAsB,OAAA;AACnD,mCAA+E;AAAtE,6GAAA,mBAAmB,OAAA;AAC5B,0CAAwB"}

package/dist/src/mcp/auth-verifier.d.ts

@@ -0,0 +1,23 @@
+import { OAuthTokenVerifier } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { AuthConfig } from '../types/config';
+import { UserApiKeyStore } from '../storage/interfaces';
+import { PalarynOAuthProvider } from './oauth-provider';
+export interface HybridVerifierDeps {
+    oauthProvider?: PalarynOAuthProvider;
+    authConfig: AuthConfig;
+    userApiKeyStore?: UserApiKeyStore;
+}
+export declare class HybridTokenVerifier implements OAuthTokenVerifier {
+    private oauthProvider?;
+    private authConfig;
+    private userApiKeyStore?;
+    constructor(deps: HybridVerifierDeps);
+    /**
+     * Constant-time API key lookup. Iterates all configured keys and uses
+     * crypto.timingSafeEqual to prevent timing-based side-channel attacks.
+     */
+    private constantTimeLookup;
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+}
+//# sourceMappingURL=auth-verifier.d.ts.map

package/dist/src/mcp/auth-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-verifier.d.ts","sourceRoot":"","sources":["../../../src/mcp/auth-verifier.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mDAAmD,CAAC;AACvF,OAAO,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,kBAAkB;IACjC,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC,UAAU,EAAE,UAAU,CAAC;IACvB,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED,qBAAa,mBAAoB,YAAW,kBAAkB;IAC5D,OAAO,CAAC,aAAa,CAAC,CAAuB;IAC7C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,eAAe,CAAC,CAAkB;gBAE9B,IAAI,EAAE,kBAAkB;IAMpC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAcpB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;CAmG1D"}

package/dist/src/mcp/auth-verifier.js

@@ -0,0 +1,162 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HybridTokenVerifier = void 0;
+/**
+ * Hybrid OAuth Token Verifier for MCP bearer auth.
+ *
+ * Implements OAuthTokenVerifier from the MCP SDK. Tries OAuth token
+ * verification first, then falls back to API key lookup (config keys +
+ * SaaS user keys). This preserves backward compatibility so that existing
+ * `--header "Authorization: Bearer <api-key>"` usage still works.
+ */
+const crypto = __importStar(require("crypto"));
+const auth_1 = require("../middleware/auth");
+class HybridTokenVerifier {
+    constructor(deps) {
+        this.oauthProvider = deps.oauthProvider;
+        this.authConfig = deps.authConfig;
+        this.userApiKeyStore = deps.userApiKeyStore;
+    }
+    /**
+     * Constant-time API key lookup. Iterates all configured keys and uses
+     * crypto.timingSafeEqual to prevent timing-based side-channel attacks.
+     */
+    constantTimeLookup(token) {
+        const tokenHash = crypto.createHash('sha256').update(token).digest();
+        let matched;
+        for (const key of Object.keys(this.authConfig.api_keys)) {
+            const keyHash = crypto.createHash('sha256').update(key).digest();
+            if (crypto.timingSafeEqual(tokenHash, keyHash)) {
+                matched = key;
+            }
+        }
+        return matched;
+    }
+    async verifyAccessToken(token) {
+        // 1. Try OAuth token first (if provider is configured)
+        if (this.oauthProvider) {
+            try {
+                return await this.oauthProvider.verifyAccessToken(token);
+            }
+            catch {
+                // Not an OAuth token — fall through to API key
+            }
+        }
+        // 2. Try config API keys (constant-time comparison to prevent timing attacks)
+        if (this.authConfig.enabled) {
+            const matchedKey = this.constantTimeLookup(token);
+            const keyConfig = matchedKey ? this.authConfig.api_keys[matchedKey] : undefined;
+            if (keyConfig && !keyConfig.revoked) {
+                if (keyConfig.expires_at) {
+                    const expiresAt = new Date(keyConfig.expires_at);
+                    if (expiresAt.getTime() <= Date.now()) {
+                        throw new Error('API key has expired');
+                    }
+                }
+                // Fire-and-forget: update last_used_at
+                keyConfig.last_used_at = new Date().toISOString();
+                const roles = keyConfig.roles || [];
+                const permissions = (0, auth_1.resolvePermissions)(roles, this.authConfig.rbac);
+                return {
+                    token,
+                    clientId: 'api_key',
+                    scopes: ['mcp:tools'],
+                    expiresAt: keyConfig.expires_at
+                        ? Math.floor(new Date(keyConfig.expires_at).getTime() / 1000)
+                        : Math.floor(Date.now() / 1000) + 86400, // default: 24h from now
+                    extra: {
+                        workspace_id: keyConfig.workspace_id,
+                        actor_id: `apikey:${crypto.createHash('sha256').update(token).digest('hex').slice(0, 12)}`,
+                        roles,
+                        permissions,
+                        auth_method: 'api_key',
+                    },
+                };
+            }
+        }
+        // 3. Try SaaS-generated API keys (UserApiKeyStore, supports salted + unsalted)
+        if (this.userApiKeyStore) {
+            let saasKey;
+            if (this.userApiKeyStore.verifyToken) {
+                saasKey = this.userApiKeyStore.verifyToken(token);
+            }
+            else {
+                const keyHash = crypto.createHash('sha256').update(token).digest('hex');
+                saasKey = this.userApiKeyStore.getByKeyHash(keyHash);
+            }
+            if (saasKey && !saasKey.revoked) {
+                // Fire-and-forget: update last_used_at
+                this.userApiKeyStore.update(saasKey.id, { last_used_at: new Date().toISOString() });
+                const roles = saasKey.roles || [];
+                const permissions = (0, auth_1.resolvePermissions)(roles, this.authConfig.rbac);
+                return {
+                    token,
+                    clientId: 'api_key',
+                    scopes: ['mcp:tools'],
+                    expiresAt: Math.floor(Date.now() / 1000) + 86400, // 24h
+                    extra: {
+                        workspace_id: saasKey.workspace_id,
+                        actor_id: `apikey:${crypto.createHash('sha256').update(token).digest('hex').slice(0, 12)}`,
+                        user_id: saasKey.user_id,
+                        roles,
+                        permissions,
+                        auth_method: 'api_key',
+                        api_key_tags: saasKey.tags && saasKey.tags.length > 0 ? saasKey.tags : undefined,
+                    },
+                };
+            }
+        }
+        // 4. Auth disabled — anonymous access
+        if (!this.authConfig.enabled) {
+            return {
+                token,
+                clientId: 'anonymous',
+                scopes: ['mcp:tools'],
+                expiresAt: Math.floor(Date.now() / 1000) + 86400,
+                extra: {
+                    workspace_id: 'ws_default',
+                    actor_id: 'anonymous',
+                    roles: [],
+                    permissions: [],
+                    auth_method: 'none',
+                },
+            };
+        }
+        throw new Error('Invalid access token');
+    }
+}
+exports.HybridTokenVerifier = HybridTokenVerifier;
+//# sourceMappingURL=auth-verifier.js.map

package/dist/src/mcp/auth-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-verifier.js","sourceRoot":"","sources":["../../../src/mcp/auth-verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;GAOG;AACH,+CAAiC;AAKjC,6CAAwD;AASxD,MAAa,mBAAmB;IAK9B,YAAY,IAAwB;QAClC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACK,kBAAkB,CAAC,KAAa;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QACrE,IAAI,OAA2B,CAAC;QAEhC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;YACjE,IAAI,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC/C,OAAO,GAAG,GAAG,CAAC;YAChB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACnC,uDAAuD;QACvD,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,+CAA+C;YACjD,CAAC;QACH,CAAC;QAED,8EAA8E;QAC9E,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;gBACpC,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;oBACzB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;oBACjD,IAAI,SAAS,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;wBACtC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;oBACzC,CAAC;gBACH,CAAC;gBAED,uCAAuC;gBACvC,SAAS,CAAC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBAElD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,EAAE,CAAC;gBACpC,MAAM,WAAW,GAAG,IAAA,yBAAkB,EAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;gBAEpE,OAAO;oBACL,KAAK;oBACL,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,CAAC,WAAW,CAAC;oBACrB,SAAS,EAAE,SAAS,CAAC,UAAU;wBAC7B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;wBAC7D,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,EAAE,wBAAwB;oBACnE,KAAK,EAAE;wBACL,YAAY,EAAE,SAAS,CAAC,YAAY;wBACpC,QAAQ,EAAE,UAAU,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;wBAC1F,KAAK;wBACL,WAAW;wBACX,WAAW,EAAE,SAAS;qBACvB;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,OAA6D,CAAC;YAClE,IAAI,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;gBACrC,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACxE,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACvD,CAAC;YACD,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAChC,uCAAuC;gBACvC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;gBAEpF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClC,MAAM,WAAW,GAAG,IAAA,yBAAkB,EAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;gBAEpE,OAAO;oBACL,KAAK;oBACL,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,CAAC,WAAW,CAAC;oBACrB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,EAAE,MAAM;oBACxD,KAAK,EAAE;wBACL,YAAY,EAAE,OAAO,CAAC,YAAY;wBAClC,QAAQ,EAAE,UAAU,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;wBAC1F,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,KAAK;wBACL,WAAW;wBACX,WAAW,EAAE,SAAS;wBACtB,YAAY,EAAE,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;qBACjF;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAC7B,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,WAAW;gBACrB,MAAM,EAAE,CAAC,WAAW,CAAC;gBACrB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK;gBAChD,KAAK,EAAE;oBACL,YAAY,EAAE,YAAY;oBAC1B,QAAQ,EAAE,WAAW;oBACrB,KAAK,EAAE,EAAE;oBACT,WAAW,EAAE,EAAE;oBACf,WAAW,EAAE,MAAM;iBACpB;aACF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;CACF;AAhID,kDAgIC"}

package/dist/src/mcp/bridge.d.ts

@@ -0,0 +1,132 @@
+import { Readable, Writable } from 'stream';
+import { Gateway } from '../server/gateway';
+import { Actor, Source } from '../types/tool-call';
+import { GatewayConfig } from '../types/config';
+/**
+ * Configuration for the MCP bridge defaults.
+ * These values are used when MCP tool calls do not supply them explicitly.
+ */
+export interface MCPBridgeConfig {
+    /** Default workspace ID for tool calls */
+    workspace_id?: string;
+    /** Default actor for tool calls */
+    actor?: Actor;
+    /** Default source platform identifier */
+    source?: Source;
+    /** Default task ID (if not provided, a new UUID is generated per call) */
+    task_id?: string;
+}
+/**
+ * MCPBridge wraps a Palaryn Gateway instance as an MCP server, exposing
+ * the gateway's tool execution capabilities through the Model Context Protocol.
+ *
+ * Communication uses JSON-RPC 2.0 over stdio (line-delimited).
+ *
+ * It exposes three MCP tools:
+ * - `http_request` - Execute any HTTP request through the gateway
+ * - `http_get` - Shorthand for GET requests
+ * - `http_post` - Shorthand for POST requests
+ *
+ * Each tool constructs a proper ToolCall, runs it through the full gateway
+ * pipeline (policy, DLP, budget, rate limiting, execution), and returns
+ * the ToolResult as the MCP response.
+ *
+ * Supported MCP methods:
+ * - `initialize` - Protocol handshake (returns server info and capabilities)
+ * - `notifications/initialized` - Client acknowledgment (no-op notification)
+ * - `tools/list` - List available tools with their JSON schemas
+ * - `tools/call` - Execute a tool through the gateway
+ * - `ping` - Health check
+ */
+export declare class MCPBridge {
+    private gateway;
+    private bridgeConfig;
+    private transport;
+    private initialized;
+    constructor(gateway: Gateway, bridgeConfig?: MCPBridgeConfig);
+    /**
+     * Connect via stdio transport (reads from stdin, writes to stdout).
+     * This is the standard way to run an MCP server for CLI-based clients.
+     * Optionally accepts custom input/output streams for testing.
+     */
+    connectStdio(input?: Readable, output?: Writable): Promise<void>;
+    /**
+     * Close the transport and shut down the gateway.
+     */
+    close(): Promise<void>;
+    /**
+     * Returns the underlying Gateway instance.
+     */
+    getGateway(): Gateway;
+    /**
+     * Whether the MCP handshake has been completed.
+     */
+    isInitialized(): boolean;
+    /** Handle an incoming JSON-RPC message (request or notification). */
+    private handleMessage;
+    /** Handle a JSON-RPC notification (no response expected). */
+    private handleNotification;
+    /** Handle a JSON-RPC request and send a response. */
+    private handleRequest;
+    /** Handle `initialize` - protocol handshake. */
+    private handleInitialize;
+    /** Handle `tools/list` - return all registered tool definitions. */
+    private handleToolsList;
+    /** Handle `tools/call` - execute a tool through the gateway. */
+    private handleToolsCall;
+    /** Execute `http_request` tool - arbitrary HTTP method. */
+    private executeHttpRequest;
+    /** Execute `http_get` tool - GET request shorthand. */
+    private executeHttpGet;
+    /** Execute `http_post` tool - POST request shorthand. */
+    private executeHttpPost;
+    /**
+     * Build a ToolCall from MCP tool arguments, applying bridge defaults.
+     */
+    private buildToolCall;
+    /**
+     * Execute a ToolCall through the gateway and format as MCP result.
+     */
+    private executeAndFormat;
+    /**
+     * Convert a gateway ToolResult into an MCP CallToolResult.
+     *
+     * The result includes:
+     * - The tool output body (or error message) as the primary text content
+     * - Gateway metadata (status, policy decision, DLP report, budget, timing)
+     *   as a second text content block for transparency
+     */
+    private formatResult;
+    /**
+     * Map an HTTP method to a ToolInfo capability level.
+     */
+    private methodToCapability;
+    /**
+     * Attempt to parse a body string as JSON, falling back to the raw string.
+     */
+    private parseBody;
+    /**
+     * Create an MCP tool error result.
+     */
+    private toolError;
+    /**
+     * Send a successful JSON-RPC response.
+     */
+    private sendResult;
+    /**
+     * Send a JSON-RPC error response.
+     */
+    private sendError;
+}
+/**
+ * Create a Gateway instance with the given config (or defaults),
+ * wrap it in an MCPBridge, and connect via stdio transport.
+ *
+ * This is the main entry point for running Palaryn as an MCP server.
+ *
+ * @param gatewayConfig - Full gateway configuration (defaults to DEFAULT_CONFIG with auth disabled)
+ * @param bridgeConfig - MCP bridge defaults for workspace, actor, source
+ * @returns The connected MCPBridge instance
+ */
+export declare function startMCPBridge(gatewayConfig?: Partial<GatewayConfig>, bridgeConfig?: MCPBridgeConfig): Promise<MCPBridge>;
+//# sourceMappingURL=bridge.d.ts.map

package/dist/src/mcp/bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge.d.ts","sourceRoot":"","sources":["../../../src/mcp/bridge.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAE5C,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAA0B,KAAK,EAAE,MAAM,EAAY,MAAM,oBAAoB,CAAC;AAErF,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAiEhD;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mCAAmC;IACnC,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA6RD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,OAAO,CAAU;IACzB,OAAO,CAAC,YAAY,CAA4B;IAChD,OAAO,CAAC,SAAS,CAA+B;IAChD,OAAO,CAAC,WAAW,CAAkB;gBAEzB,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,EAAE,eAAe;IAQ5D;;;;OAIG;IACG,YAAY,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtE;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ5B;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,aAAa,IAAI,OAAO;IAQxB,qEAAqE;IACrE,OAAO,CAAC,aAAa;IAarB,6DAA6D;IAC7D,OAAO,CAAC,kBAAkB;IAS1B,qDAAqD;YACvC,aAAa;IAwB3B,gDAAgD;IAChD,OAAO,CAAC,gBAAgB;IAcxB,oEAAoE;IACpE,OAAO,CAAC,eAAe;IAMvB,gEAAgE;YAClD,eAAe;IAgD7B,2DAA2D;YAC7C,kBAAkB;IA8BhC,uDAAuD;YACzC,cAAc;IA0B5B,yDAAyD;YAC3C,eAAe;IA+B7B;;OAEG;IACH,OAAO,CAAC,aAAa;IA+CrB;;OAEG;YACW,gBAAgB;IA0B9B;;;;;;;OAOG;IACH,OAAO,CAAC,YAAY;IA+CpB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAiB1B;;OAEG;IACH,OAAO,CAAC,SAAS;IAQjB;;OAEG;IACH,OAAO,CAAC,SAAS;IAOjB;;OAEG;IACH,OAAO,CAAC,UAAU;IAUlB;;OAEG;IACH,OAAO,CAAC,SAAS;CASlB;AAMD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,aAAa,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,EACtC,YAAY,CAAC,EAAE,eAAe,GAC7B,OAAO,CAAC,SAAS,CAAC,CAyBpB"}