partnercore-proxy 0.1.0

package/dist/utils/logger.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Logger utility for PartnerCore Proxy
+ *
+ * Security: This logger automatically masks sensitive data like API keys,
+ * passwords, and tokens to prevent accidental exposure in logs.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLogger = createLogger;
+exports.getLogger = getLogger;
+exports.setLogLevel = setLogLevel;
+const winston_1 = __importDefault(require("winston"));
+let loggerInstance = null;
+/**
+ * Patterns that indicate sensitive data in log messages
+ */
+const SENSITIVE_PATTERNS = [
+    // API keys and tokens
+    /api[_-]?key[=:]\s*['"]?([a-zA-Z0-9_-]{20,})['"]?/gi,
+    /token[=:]\s*['"]?([a-zA-Z0-9_.-]{20,})['"]?/gi,
+    /bearer\s+([a-zA-Z0-9_.-]{20,})/gi,
+    /authorization[=:]\s*['"]?([a-zA-Z0-9_.-]{20,})['"]?/gi,
+    // Passwords
+    /password[=:]\s*['"]?([^\s'"]+)['"]?/gi,
+    /secret[=:]\s*['"]?([^\s'"]+)['"]?/gi,
+];
+/**
+ * Mask sensitive data in a string
+ */
+function maskSensitiveString(str) {
+    let masked = str;
+    for (const pattern of SENSITIVE_PATTERNS) {
+        masked = masked.replace(pattern, (match, group) => {
+            const capturedGroup = group ?? '';
+            if (capturedGroup.length > 8) {
+                return match.replace(capturedGroup, `${capturedGroup.slice(0, 4)}****${capturedGroup.slice(-4)}`);
+            }
+            return match.replace(capturedGroup || match, '****');
+        });
+    }
+    return masked;
+}
+/**
+ * Format for masking sensitive data
+ */
+const maskSensitiveFormat = winston_1.default.format((info) => {
+    if (typeof info.message === 'string') {
+        info.message = maskSensitiveString(info.message);
+    }
+    return info;
+});
+/**
+ * Create and configure the logger
+ */
+function createLogger(level = 'info') {
+    if (loggerInstance) {
+        return loggerInstance;
+    }
+    loggerInstance = winston_1.default.createLogger({
+        level,
+        format: winston_1.default.format.combine(maskSensitiveFormat(), winston_1.default.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }), winston_1.default.format.errors({ stack: true }), winston_1.default.format.printf(({ level, message, timestamp, ...meta }) => {
+            // Mask sensitive data in metadata too
+            let metaStr = '';
+            if (Object.keys(meta).length) {
+                const maskedMeta = maskSensitiveString(JSON.stringify(meta));
+                metaStr = ` ${maskedMeta}`;
+            }
+            const ts = String(timestamp ?? '');
+            const msg = String(message ?? '');
+            return `[${ts}] ${level.toUpperCase()}: ${msg}${metaStr}`;
+        })),
+        transports: [
+            new winston_1.default.transports.Console({
+                stderrLevels: ['error', 'warn'],
+            }),
+        ],
+    });
+    return loggerInstance;
+}
+/**
+ * Get the logger instance (creates one if not exists)
+ */
+function getLogger() {
+    if (!loggerInstance) {
+        return createLogger();
+    }
+    return loggerInstance;
+}
+/**
+ * Set log level dynamically
+ */
+function setLogLevel(level) {
+    const logger = getLogger();
+    logger.level = level;
+}
+//# sourceMappingURL=logger.js.map

package/dist/utils/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;AAoDH,oCA+BC;AAKD,8BAKC;AAKD,kCAGC;AAnGD,sDAA8B;AAE9B,IAAI,cAAc,GAA0B,IAAI,CAAC;AAEjD;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,sBAAsB;IACtB,oDAAoD;IACpD,+CAA+C;IAC/C,kCAAkC;IAClC,uDAAuD;IACvD,YAAY;IACZ,uCAAuC;IACvC,qCAAqC;CACtC,CAAC;AAEF;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,IAAI,MAAM,GAAG,GAAG,CAAC;IAEjB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAa,EAAE,KAAyB,EAAE,EAAE;YAC5E,MAAM,aAAa,GAAG,KAAK,IAAI,EAAE,CAAC;YAClC,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,OAAO,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpG,CAAC;YACD,OAAO,KAAK,CAAC,OAAO,CAAC,aAAa,IAAI,KAAK,EAAE,MAAM,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,mBAAmB,GAAG,iBAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;IAClD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB,MAAM;IACjD,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,cAAc,GAAG,iBAAO,CAAC,YAAY,CAAC;QACpC,KAAK;QACL,MAAM,EAAE,iBAAO,CAAC,MAAM,CAAC,OAAO,CAC5B,mBAAmB,EAAE,EACrB,iBAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC,EAC3D,iBAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EACtC,iBAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE;YAC/D,sCAAsC;YACtC,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7B,MAAM,UAAU,GAAG,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC7D,OAAO,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,CAAC;YACD,MAAM,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;YACnC,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAClC,OAAO,IAAI,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,KAAK,GAAG,GAAG,OAAO,EAAE,CAAC;QAC5D,CAAC,CAAC,CACH;QACD,UAAU,EAAE;YACV,IAAI,iBAAO,CAAC,UAAU,CAAC,OAAO,CAAC;gBAC7B,YAAY,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;aAChC,CAAC;SACH;KACF,CAAC,CAAC;IAEH,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS;IACvB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,YAAY,EAAE,CAAC;IACxB,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CAAC,KAAa;IACvC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;AACvB,CAAC"}

package/dist/utils/security.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Security utilities for PartnerCore Proxy
+ *
+ * Provides path sanitization, input validation, and secret masking
+ * to prevent common security vulnerabilities.
+ */
+/**
+ * Mask sensitive values in objects for safe logging
+ */
+export declare function maskSensitiveData(obj: unknown, depth?: number): unknown;
+/**
+ * Validate and sanitize a file path to prevent directory traversal
+ *
+ * @param filePath - The path to validate
+ * @param workspaceRoot - The allowed root directory
+ * @returns The sanitized absolute path
+ * @throws SecurityError if path is outside workspace or contains suspicious patterns
+ */
+export declare function sanitizePath(filePath: string, workspaceRoot: string): string;
+/**
+ * Validate that a path exists and is within the workspace
+ */
+export declare function validatePathExists(filePath: string, workspaceRoot: string, type?: 'file' | 'directory' | 'any'): string;
+/**
+ * Validate tool arguments against expected schema
+ */
+export declare function validateToolArgs(args: Record<string, unknown>, required: string[], types: Record<string, 'string' | 'number' | 'boolean' | 'object' | 'array'>): void;
+/**
+ * Sanitize string input to prevent injection
+ */
+export declare function sanitizeString(input: string, maxLength?: number): string;
+/**
+ * Security error with code for categorization
+ */
+export declare class SecurityError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Validation error for invalid input
+ */
+export declare class ValidationError extends Error {
+    constructor(message: string);
+}
+/**
+ * Rate limiter for API calls
+ */
+export declare class RateLimiter {
+    private requests;
+    private readonly maxRequests;
+    private readonly windowMs;
+    constructor(maxRequests: number, windowMs: number);
+    /**
+     * Check if a request is allowed
+     */
+    isAllowed(): boolean;
+    /**
+     * Get remaining requests in current window
+     */
+    remaining(): number;
+    /**
+     * Get time until window resets (ms)
+     */
+    resetIn(): number;
+}
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA6CH;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,SAAI,GAAG,OAAO,CA8ClE;AAwCD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAwF5E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,IAAI,GAAE,MAAM,GAAG,WAAW,GAAG,KAAa,GACzC,MAAM,CA2BR;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,QAAQ,EAAE,MAAM,EAAE,EAClB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC,GAC1E,IAAI,CA2BN;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,MAAM,CAcvE;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,IAAI,EAAE,MAAM,CAAC;gBAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IAKjD;;OAEG;IACH,SAAS,IAAI,OAAO;IAmBpB;;OAEG;IACH,SAAS,IAAI,MAAM;IAMnB;;OAEG;IACH,OAAO,IAAI,MAAM;CAKlB"}

package/dist/utils/security.js

@@ -0,0 +1,358 @@
+"use strict";
+/**
+ * Security utilities for PartnerCore Proxy
+ *
+ * Provides path sanitization, input validation, and secret masking
+ * to prevent common security vulnerabilities.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiter = exports.ValidationError = exports.SecurityError = void 0;
+exports.maskSensitiveData = maskSensitiveData;
+exports.sanitizePath = sanitizePath;
+exports.validatePathExists = validatePathExists;
+exports.validateToolArgs = validateToolArgs;
+exports.sanitizeString = sanitizeString;
+const path = __importStar(require("path"));
+const fs = __importStar(require("fs"));
+/**
+ * Sensitive patterns that should never be logged
+ * Expanded to catch more credential types
+ */
+const SENSITIVE_KEY_PATTERNS = [
+    /api[_-]?key/i,
+    /password/i,
+    /secret/i,
+    /token/i,
+    /bearer/i,
+    /authorization/i,
+    /credential/i,
+    /access[_-]?key/i, // AWS access keys
+    /private[_-]?key/i, // Private keys
+    /connection[_-]?string/i, // Connection strings
+    /^auth$/i, // Simple 'auth' key
+    /session[_-]?id/i, // Session identifiers
+    /refresh[_-]?token/i, // Refresh tokens
+    /client[_-]?secret/i, // OAuth client secrets
+    /signing[_-]?key/i, // Signing keys
+    /encryption[_-]?key/i, // Encryption keys
+    /cert(?:ificate)?/i, // Certificates
+];
+/**
+ * Patterns that indicate a value is likely a secret
+ * (regardless of key name)
+ */
+const SECRET_VALUE_PATTERNS = [
+    /^-----BEGIN.*KEY-----/, // PEM format keys
+    /^sk_live_/, // Stripe live keys
+    /^sk_test_/, // Stripe test keys
+    /^AKIA[A-Z0-9]{16}$/, // AWS access key IDs
+    /^ghp_[a-zA-Z0-9]{36}$/, // GitHub personal access tokens
+    /^gho_[a-zA-Z0-9]{36}$/, // GitHub OAuth tokens
+    /^github_pat_/, // GitHub PATs (new format)
+    /^xox[bpras]-/, // Slack tokens
+    /^eyJ[a-zA-Z0-9_-]*\./, // JWT tokens
+];
+/**
+ * Mask sensitive values in objects for safe logging
+ */
+function maskSensitiveData(obj, depth = 0) {
+    if (depth > 10)
+        return '[MAX_DEPTH]';
+    if (obj === null || obj === undefined)
+        return obj;
+    if (typeof obj === 'string') {
+        // Check if the value looks like a known secret format
+        for (const pattern of SECRET_VALUE_PATTERNS) {
+            if (pattern.test(obj)) {
+                return '[REDACTED]';
+            }
+        }
+        // Mask strings that look like keys/tokens (long alphanumeric strings)
+        if (obj.length > 20 && /^[a-zA-Z0-9+/=_-]+$/.test(obj)) {
+            return `[MASKED:${obj.slice(0, 4)}...${obj.slice(-4)}]`;
+        }
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(item => maskSensitiveData(item, depth + 1));
+    }
+    if (typeof obj === 'object') {
+        const masked = {};
+        for (const [key, value] of Object.entries(obj)) {
+            // Skip prototype pollution vectors
+            if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+                continue;
+            }
+            const isSensitiveKey = SENSITIVE_KEY_PATTERNS.some(pattern => pattern.test(key));
+            if (isSensitiveKey && typeof value === 'string' && value.length > 0) {
+                masked[key] = '[REDACTED]';
+            }
+            else {
+                masked[key] = maskSensitiveData(value, depth + 1);
+            }
+        }
+        return masked;
+    }
+    return obj;
+}
+/**
+ * Decode URL-encoded strings recursively to catch bypass attempts
+ */
+function decodeUrlRecursive(input, maxIterations = 3) {
+    let decoded = input;
+    let prev = '';
+    let iterations = 0;
+    // Keep decoding until no change or max iterations
+    while (decoded !== prev && iterations < maxIterations) {
+        prev = decoded;
+        try {
+            decoded = decodeURIComponent(decoded);
+        }
+        catch {
+            // Invalid encoding, return as-is
+            break;
+        }
+        iterations++;
+    }
+    return decoded;
+}
+/**
+ * Check for path traversal patterns in a string
+ */
+function containsTraversalPatterns(input) {
+    const patterns = [
+        /\.\.[/\\]/, // ../  or ..\
+        /[/\\]\.\./, // /..  or \..
+        /^\.\./, // starts with ..
+        /\.\.$/, // ends with ..
+        /^\.\.$/, // just ..
+    ];
+    return patterns.some(p => p.test(input));
+}
+/**
+ * Validate and sanitize a file path to prevent directory traversal
+ *
+ * @param filePath - The path to validate
+ * @param workspaceRoot - The allowed root directory
+ * @returns The sanitized absolute path
+ * @throws SecurityError if path is outside workspace or contains suspicious patterns
+ */
+function sanitizePath(filePath, workspaceRoot) {
+    // Check for null bytes first (before any other processing)
+    if (filePath.includes('\0')) {
+        throw new SecurityError('Null byte detected in path', 'NULL_BYTE_INJECTION');
+    }
+    // Decode URL encoding recursively to catch bypass attempts
+    const decoded = decodeUrlRecursive(filePath);
+    // Check for traversal in both original and decoded versions
+    if (containsTraversalPatterns(filePath) || containsTraversalPatterns(decoded)) {
+        throw new SecurityError('Path traversal pattern detected', 'PATH_TRAVERSAL');
+    }
+    // Check for absolute paths (platform-aware)
+    if (path.isAbsolute(decoded)) {
+        throw new SecurityError('Absolute paths are not allowed', 'ABSOLUTE_PATH');
+    }
+    // Check for Windows drive letters even on non-Windows
+    if (/^[a-zA-Z]:/.test(decoded)) {
+        throw new SecurityError('Windows drive paths are not allowed', 'ABSOLUTE_PATH');
+    }
+    // Check for paths that start with / (Unix absolute)
+    if (decoded.startsWith('/') && process.platform !== 'win32') {
+        // On Windows, /something becomes relative, but on Unix it's absolute
+        throw new SecurityError('Absolute paths are not allowed', 'ABSOLUTE_PATH');
+    }
+    // Additional suspicious patterns that might indicate attack attempts
+    const suspiciousPatterns = [
+        /%2e/i, // Any remaining URL-encoded dots
+        /%5c/i, // URL-encoded backslash
+        /%2f/i, // URL-encoded forward slash
+        /%00/i, // URL-encoded null
+        /\uff0e/, // Full-width period
+        /\u2024/, // One dot leader
+        /\u2025/, // Two dot leader
+        /\u2026/, // Horizontal ellipsis
+        /\ufe52/, // Small full stop
+        /\uff0f/, // Full-width solidus
+        /\uff3c/, // Full-width reverse solidus
+        /%c0%ae/i, // Overlong UTF-8 encoding of .
+        /%c1%1c/i, // Overlong UTF-8 encoding of /
+        /%c0%af/i, // Overlong UTF-8 encoding of /
+    ];
+    for (const pattern of suspiciousPatterns) {
+        if (pattern.test(filePath)) {
+            throw new SecurityError('Suspicious encoding pattern detected', 'SUSPICIOUS_ENCODING');
+        }
+    }
+    // Normalize both paths
+    const normalizedRoot = path.resolve(workspaceRoot);
+    const normalizedPath = path.resolve(workspaceRoot, decoded);
+    // Check for path traversal after resolution
+    if (!normalizedPath.startsWith(normalizedRoot)) {
+        throw new SecurityError('Path resolves outside workspace', 'PATH_TRAVERSAL');
+    }
+    // Ensure the path doesn't equal root exactly when input was empty
+    // This is fine - empty string resolves to workspace root
+    return normalizedPath;
+}
+/**
+ * Validate that a path exists and is within the workspace
+ */
+function validatePathExists(filePath, workspaceRoot, type = 'any') {
+    const sanitized = sanitizePath(filePath, workspaceRoot);
+    if (!fs.existsSync(sanitized)) {
+        throw new SecurityError('Path does not exist', 'PATH_NOT_FOUND');
+    }
+    const stat = fs.statSync(sanitized);
+    if (type === 'file' && !stat.isFile()) {
+        throw new SecurityError('Expected file but found directory', 'NOT_A_FILE');
+    }
+    if (type === 'directory' && !stat.isDirectory()) {
+        throw new SecurityError('Expected directory but found file', 'NOT_A_DIRECTORY');
+    }
+    return sanitized;
+}
+/**
+ * Validate tool arguments against expected schema
+ */
+function validateToolArgs(args, required, types) {
+    // Check required fields
+    for (const field of required) {
+        if (!(field in args) || args[field] === undefined || args[field] === null) {
+            throw new ValidationError(`Missing required argument: ${field}`);
+        }
+    }
+    // Check types
+    for (const [field, expectedType] of Object.entries(types)) {
+        if (!(field in args))
+            continue;
+        const value = args[field];
+        let actualType;
+        if (Array.isArray(value)) {
+            actualType = 'array';
+        }
+        else {
+            actualType = typeof value;
+        }
+        if (actualType !== expectedType) {
+            throw new ValidationError(`Invalid type for ${field}: expected ${expectedType}, got ${actualType}`);
+        }
+    }
+}
+/**
+ * Sanitize string input to prevent injection
+ */
+function sanitizeString(input, maxLength = 10000) {
+    if (typeof input !== 'string') {
+        throw new ValidationError('Expected string input');
+    }
+    // Truncate if too long
+    if (input.length > maxLength) {
+        input = input.slice(0, maxLength);
+    }
+    // Remove null bytes
+    input = input.replace(/\0/g, '');
+    return input;
+}
+/**
+ * Security error with code for categorization
+ */
+class SecurityError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.name = 'SecurityError';
+        this.code = code;
+    }
+}
+exports.SecurityError = SecurityError;
+/**
+ * Validation error for invalid input
+ */
+class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ValidationError';
+    }
+}
+exports.ValidationError = ValidationError;
+/**
+ * Rate limiter for API calls
+ */
+class RateLimiter {
+    requests = [];
+    maxRequests;
+    windowMs;
+    constructor(maxRequests, windowMs) {
+        this.maxRequests = maxRequests;
+        this.windowMs = windowMs;
+    }
+    /**
+     * Check if a request is allowed
+     */
+    isAllowed() {
+        // Handle edge cases
+        if (this.maxRequests <= 0) {
+            return false;
+        }
+        const now = Date.now();
+        // Remove old requests outside the window
+        this.requests = this.requests.filter(time => now - time < this.windowMs);
+        if (this.requests.length >= this.maxRequests) {
+            return false;
+        }
+        this.requests.push(now);
+        return true;
+    }
+    /**
+     * Get remaining requests in current window
+     */
+    remaining() {
+        const now = Date.now();
+        this.requests = this.requests.filter(time => now - time < this.windowMs);
+        return Math.max(0, this.maxRequests - this.requests.length);
+    }
+    /**
+     * Get time until window resets (ms)
+     */
+    resetIn() {
+        if (this.requests.length === 0)
+            return 0;
+        const oldest = Math.min(...this.requests);
+        return Math.max(0, this.windowMs - (Date.now() - oldest));
+    }
+}
+exports.RateLimiter = RateLimiter;
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDH,8CA8CC;AAgDD,oCAwFC;AAKD,gDA+BC;AAKD,4CA+BC;AAKD,wCAcC;AA/TD,2CAA6B;AAC7B,uCAAyB;AAEzB;;;GAGG;AACH,MAAM,sBAAsB,GAAG;IAC7B,cAAc;IACd,WAAW;IACX,SAAS;IACT,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,aAAa;IACb,iBAAiB,EAAM,kBAAkB;IACzC,kBAAkB,EAAK,eAAe;IACtC,wBAAwB,EAAE,qBAAqB;IAC/C,SAAS,EAAc,oBAAoB;IAC3C,iBAAiB,EAAM,sBAAsB;IAC7C,oBAAoB,EAAG,iBAAiB;IACxC,oBAAoB,EAAG,uBAAuB;IAC9C,kBAAkB,EAAK,eAAe;IACtC,qBAAqB,EAAE,kBAAkB;IACzC,mBAAmB,EAAI,eAAe;CACvC,CAAC;AAEF;;;GAGG;AACH,MAAM,qBAAqB,GAAG;IAC5B,uBAAuB,EAAM,kBAAkB;IAC/C,WAAW,EAAkB,mBAAmB;IAChD,WAAW,EAAkB,mBAAmB;IAChD,oBAAoB,EAAS,qBAAqB;IAClD,uBAAuB,EAAM,gCAAgC;IAC7D,uBAAuB,EAAM,sBAAsB;IACnD,cAAc,EAAe,2BAA2B;IACxD,cAAc,EAAe,eAAe;IAC5C,sBAAsB,EAAO,aAAa;CAC3C,CAAC;AAEF;;GAEG;AACH,SAAgB,iBAAiB,CAAC,GAAY,EAAE,KAAK,GAAG,CAAC;IACvD,IAAI,KAAK,GAAG,EAAE;QAAE,OAAO,aAAa,CAAC;IAErC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,GAAG,CAAC;IAElD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,sDAAsD;QACtD,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,YAAY,CAAC;YACtB,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACvD,OAAO,WAAW,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC1D,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,mCAAmC;YACnC,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;gBACxE,SAAS;YACX,CAAC;YAED,MAAM,cAAc,GAAG,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YAEjF,IAAI,cAAc,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpE,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAK,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAAa,EAAE,aAAa,GAAG,CAAC;IAC1D,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,kDAAkD;IAClD,OAAO,OAAO,KAAK,IAAI,IAAI,UAAU,GAAG,aAAa,EAAE,CAAC;QACtD,IAAI,GAAG,OAAO,CAAC;QACf,IAAI,CAAC;YACH,OAAO,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;YACjC,MAAM;QACR,CAAC;QACD,UAAU,EAAE,CAAC;IACf,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAAC,KAAa;IAC9C,MAAM,QAAQ,GAAG;QACf,WAAW,EAAa,cAAc;QACtC,WAAW,EAAa,cAAc;QACtC,OAAO,EAAiB,iBAAiB;QACzC,OAAO,EAAiB,eAAe;QACvC,QAAQ,EAAgB,UAAU;KACnC,CAAC;IAEF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,YAAY,CAAC,QAAgB,EAAE,aAAqB;IAClE,2DAA2D;IAC3D,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,aAAa,CACrB,4BAA4B,EAC5B,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,MAAM,OAAO,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAE7C,4DAA4D;IAC5D,IAAI,yBAAyB,CAAC,QAAQ,CAAC,IAAI,yBAAyB,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,aAAa,CACrB,iCAAiC,EACjC,gBAAgB,CACjB,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,aAAa,CACrB,gCAAgC,EAChC,eAAe,CAChB,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,aAAa,CACrB,qCAAqC,EACrC,eAAe,CAChB,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC5D,qEAAqE;QACrE,MAAM,IAAI,aAAa,CACrB,gCAAgC,EAChC,eAAe,CAChB,CAAC;IACJ,CAAC;IAED,qEAAqE;IACrE,MAAM,kBAAkB,GAAG;QACzB,MAAM,EAAkB,iCAAiC;QACzD,MAAM,EAAkB,wBAAwB;QAChD,MAAM,EAAkB,4BAA4B;QACpD,MAAM,EAAkB,mBAAmB;QAC3C,QAAQ,EAAgB,oBAAoB;QAC5C,QAAQ,EAAgB,iBAAiB;QACzC,QAAQ,EAAgB,iBAAiB;QACzC,QAAQ,EAAgB,sBAAsB;QAC9C,QAAQ,EAAgB,kBAAkB;QAC1C,QAAQ,EAAgB,qBAAqB;QAC7C,QAAQ,EAAgB,6BAA6B;QACrD,SAAS,EAAe,+BAA+B;QACvD,SAAS,EAAe,+BAA+B;QACvD,SAAS,EAAe,+BAA+B;KACxD,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,sCAAsC,EACtC,qBAAqB,CACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACnD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAE5D,4CAA4C;IAC5C,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,aAAa,CACrB,iCAAiC,EACjC,gBAAgB,CACjB,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,yDAAyD;IAEzD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,QAAgB,EAChB,aAAqB,EACrB,OAAqC,KAAK;IAE1C,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAExD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,aAAa,CACrB,qBAAqB,EACrB,gBAAgB,CACjB,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEpC,IAAI,IAAI,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,aAAa,CACrB,mCAAmC,EACnC,YAAY,CACb,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,WAAW,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QAChD,MAAM,IAAI,aAAa,CACrB,mCAAmC,EACnC,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,IAA6B,EAC7B,QAAkB,EAClB,KAA2E;IAE3E,wBAAwB;IACxB,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1E,MAAM,IAAI,eAAe,CAAC,8BAA8B,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,cAAc;IACd,KAAK,MAAM,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC;YAAE,SAAS;QAE/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,UAAkB,CAAC;QAEvB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,UAAU,GAAG,OAAO,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,OAAO,KAAK,CAAC;QAC5B,CAAC;QAED,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;YAChC,MAAM,IAAI,eAAe,CACvB,oBAAoB,KAAK,cAAc,YAAY,SAAS,UAAU,EAAE,CACzE,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,KAAa,EAAE,SAAS,GAAG,KAAK;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,eAAe,CAAC,uBAAuB,CAAC,CAAC;IACrD,CAAC;IAED,uBAAuB;IACvB,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACpC,CAAC;IAED,oBAAoB;IACpB,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAa,aAAc,SAAQ,KAAK;IACtC,IAAI,CAAS;IAEb,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AARD,sCAQC;AAED;;GAEG;AACH,MAAa,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AALD,0CAKC;AAED;;GAEG;AACH,MAAa,WAAW;IACd,QAAQ,GAAa,EAAE,CAAC;IACf,WAAW,CAAS;IACpB,QAAQ,CAAS;IAElC,YAAY,WAAmB,EAAE,QAAgB;QAC/C,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,oBAAoB;QACpB,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,yCAAyC;QACzC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEzE,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,SAAS;QACP,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,QAAQ,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;IAC5D,CAAC;CACF;AAjDD,kCAiDC"}

package/mcp.json

@@ -0,0 +1,125 @@
+{
+  "$schema": "https://raw.githubusercontent.com/modelcontextprotocol/registry/main/mcp-registry.schema.json",
+  "name": "@ciellos/partnercore-proxy",
+  "displayName": "PartnerCore AL Proxy",
+  "description": "Local MCP proxy for Microsoft Dynamics 365 Business Central AL development. Provides real-time AL code intelligence via Language Server Protocol and connects to PartnerCore Cloud for AI-powered code review, best practices, and knowledge base access.",
+  "version": "0.1.0",
+  "author": {
+    "name": "Ciellos",
+    "url": "https://ciellos.com"
+  },
+  "license": "MIT",
+  "repository": "https://github.com/ciellos-dev/partnercore-proxy",
+  "homepage": "https://partnercore.ai",
+  "categories": [
+    "developer-tools",
+    "code-analysis",
+    "language-support"
+  ],
+  "tags": [
+    "business-central",
+    "dynamics-365",
+    "al-language",
+    "erp",
+    "code-review"
+  ],
+  "runtime": "node",
+  "transport": "stdio",
+  "command": {
+    "npx": ["@ciellos/partnercore-proxy", "start"],
+    "global": ["partnercore-proxy", "start"]
+  },
+  "configuration": {
+    "required": [],
+    "optional": [
+      {
+        "name": "PARTNERCORE_API_KEY",
+        "description": "API key for PartnerCore Cloud features (code review, KB access, templates). Get yours at https://partnercore.ai",
+        "type": "string",
+        "secret": true
+      },
+      {
+        "name": "AL_WORKSPACE_ROOT",
+        "description": "Path to AL project root (containing app.json). Defaults to current directory.",
+        "type": "string"
+      },
+      {
+        "name": "LOG_LEVEL",
+        "description": "Logging level: debug, info, warn, error",
+        "type": "string",
+        "default": "info"
+      }
+    ]
+  },
+  "tools": {
+    "local": [
+      {
+        "name": "al_get_symbols",
+        "description": "Get all symbols (tables, pages, codeunits, procedures, fields) in an AL file"
+      },
+      {
+        "name": "al_find_symbol",
+        "description": "Search for AL symbols by name across the workspace"
+      },
+      {
+        "name": "al_find_references",
+        "description": "Find all references to a symbol at a specific position"
+      },
+      {
+        "name": "al_get_diagnostics",
+        "description": "Get real compiler diagnostics (errors, warnings) for an AL file"
+      },
+      {
+        "name": "al_go_to_definition",
+        "description": "Navigate to the definition of a symbol"
+      },
+      {
+        "name": "al_hover",
+        "description": "Get type information and documentation for a symbol"
+      },
+      {
+        "name": "al_completion",
+        "description": "Get intelligent code completion suggestions"
+      }
+    ],
+    "cloud": [
+      {
+        "name": "partnercore_review",
+        "description": "AI-powered code review with 252+ AL patterns and best practices",
+        "requiresApiKey": true
+      },
+      {
+        "name": "partnercore_kb_search",
+        "description": "Search PartnerCore knowledge base for AL/BC solutions and guidance",
+        "requiresApiKey": true
+      },
+      {
+        "name": "partnercore_template",
+        "description": "Get production-ready AL code templates",
+        "requiresApiKey": true
+      }
+    ]
+  },
+  "requirements": {
+    "node": ">=18.0.0"
+  },
+  "security": {
+    "network": {
+      "outbound": [
+        {
+          "host": "marketplace.visualstudio.com",
+          "purpose": "Download Microsoft AL Language extension"
+        },
+        {
+          "host": "partnercore-mcp.azurewebsites.net",
+          "purpose": "PartnerCore Cloud MCP API (optional, requires API key)"
+        }
+      ]
+    },
+    "filesystem": {
+      "read": ["AL_WORKSPACE_ROOT"],
+      "write": ["~/.partnercore/al-extension"]
+    }
+  }
+}
+