npm - protect-mcp - Versions diffs - 0.1.1 → 0.2.1 - Mend

protect-mcp 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +126 -60
package/dist/chunk-D733KAPG.mjs +252 -0
package/dist/chunk-ZCKNFULF.mjs +613 -0
package/dist/cli.js +3100 -20
package/dist/cli.mjs +144 -7
package/dist/ed25519-EDO4K4EP.mjs +2289 -0
package/dist/index.d.mts +681 -6
package/dist/index.d.ts +681 -6
package/dist/index.js +698 -17
package/dist/index.mjs +357 -3
package/dist/utils-IDWBSHJU.mjs +76 -0
package/package.json +13 -5
package/dist/chunk-L3QWKSGY.mjs +0 -297

package/dist/chunk-ZCKNFULF.mjs ADDED Viewed

@@ -0,0 +1,613 @@
+// src/policy.ts
+import { createHash } from "crypto";
+import { readFileSync } from "fs";
+function loadPolicy(path) {
+  const raw = readFileSync(path, "utf-8");
+  const parsed = JSON.parse(raw);
+  if (!parsed.tools || typeof parsed.tools !== "object") {
+    throw new Error(`Invalid policy file: missing "tools" object in ${path}`);
+  }
+  const policy = {
+    tools: parsed.tools,
+    default_tier: parsed.default_tier || "unknown",
+    policy_engine: parsed.policy_engine || "built-in",
+    ...parsed.external ? { external: parsed.external } : {}
+  };
+  const digest = computePolicyDigest(policy);
+  return {
+    policy,
+    digest,
+    credentials: parsed.credentials,
+    signing: parsed.signing
+  };
+}
+function computePolicyDigest(policy) {
+  const canonical = JSON.stringify(sortKeysDeep(policy));
+  return createHash("sha256").update(canonical).digest("hex").slice(0, 16);
+}
+function sortKeysDeep(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(sortKeysDeep);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = sortKeysDeep(obj[key]);
+  }
+  return sorted;
+}
+function getToolPolicy(toolName, policy) {
+  if (!policy) {
+    return { require: "any" };
+  }
+  if (policy.tools[toolName]) {
+    return policy.tools[toolName];
+  }
+  if (policy.tools["*"]) {
+    return policy.tools["*"];
+  }
+  return { require: "any" };
+}
+function parseRateLimit(spec) {
+  const match = spec.match(/^(\d+)\/(second|minute|hour|day)$/);
+  if (!match) {
+    throw new Error(`Invalid rate limit format: "${spec}". Expected "N/unit" (e.g. "5/hour")`);
+  }
+  const count = parseInt(match[1], 10);
+  const unit = match[2];
+  const windowMs = {
+    second: 1e3,
+    minute: 6e4,
+    hour: 36e5,
+    day: 864e5
+  };
+  return { count, windowMs: windowMs[unit] };
+}
+function checkRateLimit(key, limit, store) {
+  const now = Date.now();
+  const windowStart = now - limit.windowMs;
+  const timestamps = (store.get(key) || []).filter((t) => t > windowStart);
+  if (timestamps.length >= limit.count) {
+    store.set(key, timestamps);
+    return { allowed: false, remaining: 0 };
+  }
+  timestamps.push(now);
+  store.set(key, timestamps);
+  return { allowed: true, remaining: limit.count - timestamps.length };
+}
+// src/admission.ts
+function evaluateTier(manifest, overrides) {
+  if (!manifest) {
+    return {
+      tier: "unknown",
+      reason: "no_manifest_presented"
+    };
+  }
+  if (overrides && manifest.agent_id && overrides[manifest.agent_id]) {
+    return {
+      tier: overrides[manifest.agent_id],
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "operator_override"
+    };
+  }
+  if (manifest.signature_valid === false) {
+    return {
+      tier: "unknown",
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "invalid_manifest_signature"
+    };
+  }
+  if (manifest.signature_valid === true) {
+    if (manifest.evidence_summary) {
+      const es = manifest.evidence_summary;
+      if (es.receipt_count >= 10 && es.epoch_span >= 3 && es.issuer_count >= 2) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_threshold_met"
+        };
+      }
+    }
+    return {
+      tier: "signed-known",
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "valid_signed_manifest"
+    };
+  }
+  return {
+    tier: "unknown",
+    agent_id: manifest.agent_id,
+    manifest_hash: manifest.manifest_hash,
+    reason: "manifest_unverified"
+  };
+}
+function meetsMinTier(actual, required) {
+  const order = ["unknown", "signed-known", "evidenced", "privileged"];
+  return order.indexOf(actual) >= order.indexOf(required);
+}
+// src/credentials.ts
+function resolveCredential(label, credentials) {
+  if (!credentials || !credentials[label]) {
+    return {
+      resolved: false,
+      label,
+      error: `credential "${label}" not configured`
+    };
+  }
+  const config = credentials[label];
+  const value = process.env[config.value_env];
+  if (!value) {
+    return {
+      resolved: false,
+      label,
+      error: `environment variable "${config.value_env}" for credential "${label}" is not set`
+    };
+  }
+  return {
+    resolved: true,
+    label,
+    value,
+    inject: config.inject,
+    name: config.name
+  };
+}
+function listCredentialLabels(credentials) {
+  if (!credentials) return [];
+  return Object.keys(credentials);
+}
+function validateCredentials(credentials) {
+  const warnings = [];
+  if (!credentials) return warnings;
+  for (const [label, config] of Object.entries(credentials)) {
+    if (!config.value_env) {
+      warnings.push(`credential "${label}": missing value_env`);
+      continue;
+    }
+    if (!config.inject) {
+      warnings.push(`credential "${label}": missing inject type`);
+      continue;
+    }
+    if (!process.env[config.value_env]) {
+      warnings.push(`credential "${label}": env var "${config.value_env}" not set`);
+    }
+  }
+  return warnings;
+}
+// src/signing.ts
+import { readFileSync as readFileSync2, existsSync } from "fs";
+var signerState = null;
+var artifactsModule = null;
+async function initSigning(config) {
+  const warnings = [];
+  if (!config || config.enabled === false) {
+    return warnings;
+  }
+  try {
+    artifactsModule = await import("@veritasacta/artifacts");
+  } catch {
+    warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
+    return warnings;
+  }
+  if (config.key_path) {
+    if (!existsSync(config.key_path)) {
+      warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
+      return warnings;
+    }
+    try {
+      const keyData = JSON.parse(readFileSync2(config.key_path, "utf-8"));
+      if (!keyData.privateKey || !keyData.publicKey) {
+        warnings.push("signing: key file missing privateKey or publicKey fields");
+        return warnings;
+      }
+      signerState = {
+        privateKey: keyData.privateKey,
+        publicKey: keyData.publicKey,
+        kid: artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || "protect-mcp"
+      };
+    } catch (err) {
+      warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  return warnings;
+}
+function signDecision(entry) {
+  if (!signerState || !artifactsModule) {
+    return { signed: null, artifact_type: "none" };
+  }
+  const artifactType = entry.decision === "deny" ? "gateway_restraint" : "decision_receipt";
+  try {
+    const payload = {
+      tool: entry.tool,
+      decision: entry.decision,
+      reason_code: entry.reason_code,
+      policy_digest: entry.policy_digest,
+      scope: entry.request_id,
+      // request scope
+      mode: entry.mode,
+      request_id: entry.request_id
+    };
+    if (entry.tier) payload.tier = entry.tier;
+    if (entry.credential_ref) payload.credential_ref = entry.credential_ref;
+    if (entry.rate_limit_remaining !== void 0) {
+      payload.rate_limit_remaining = entry.rate_limit_remaining;
+    }
+    if (entry.policy_engine) payload.policy_engine = entry.policy_engine;
+    const result = artifactsModule.createSignedArtifact(
+      artifactType,
+      payload,
+      signerState.privateKey,
+      {
+        kid: signerState.kid,
+        issuer: signerState.issuer
+      }
+    );
+    return {
+      signed: JSON.stringify(result.artifact),
+      artifact_type: artifactType
+    };
+  } catch (err) {
+    return {
+      signed: null,
+      artifact_type: artifactType,
+      warning: `signing failed: ${err instanceof Error ? err.message : "unknown error"}`
+    };
+  }
+}
+function getSignerInfo() {
+  if (!signerState) return null;
+  return {
+    publicKey: signerState.publicKey,
+    kid: signerState.kid,
+    issuer: signerState.issuer
+  };
+}
+function isSigningEnabled() {
+  return signerState !== null && artifactsModule !== null;
+}
+// src/gateway.ts
+import { spawn } from "child_process";
+import { randomUUID } from "crypto";
+import { createInterface } from "readline";
+var ProtectGateway = class {
+  child = null;
+  config;
+  rateLimitStore = /* @__PURE__ */ new Map();
+  clientReader = null;
+  // Trust-tier state for the current session
+  currentTier = "unknown";
+  admissionResult = null;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Start the gateway: spawn child process and wire up message relay.
+   */
+  async start() {
+    const { command, args, verbose } = this.config;
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    if (verbose) {
+      this.log(`Starting gateway in ${mode} mode`);
+      this.log(`Wrapping: ${command} ${args.join(" ")}`);
+      if (this.config.policy) {
+        this.log(`Policy digest: ${this.config.policyDigest}`);
+      }
+      if (isSigningEnabled()) {
+        this.log("Signing: enabled (receipts will be signed)");
+      }
+      if (this.config.credentials) {
+        const labels = Object.keys(this.config.credentials);
+        this.log(`Credential vault: ${labels.length} credential(s) configured [${labels.join(", ")}]`);
+      }
+    }
+    this.child = spawn(command, args, {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env }
+    });
+    if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
+      throw new Error("Failed to create pipes to child process");
+    }
+    this.child.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+    const childReader = createInterface({ input: this.child.stdout, crlfDelay: Infinity });
+    childReader.on("line", (line) => {
+      this.handleServerMessage(line);
+    });
+    this.clientReader = createInterface({ input: process.stdin, crlfDelay: Infinity });
+    this.clientReader.on("line", (line) => {
+      this.handleClientMessage(line);
+    });
+    this.child.on("exit", (code, signal) => {
+      if (this.config.verbose) {
+        this.log(`Child process exited (code=${code}, signal=${signal})`);
+      }
+      process.exit(code ?? 1);
+    });
+    this.child.on("error", (err) => {
+      this.log(`Child process error: ${err.message}`);
+      process.exit(1);
+    });
+    process.on("SIGINT", () => this.stop());
+    process.on("SIGTERM", () => this.stop());
+    process.stdin.on("end", () => {
+      if (this.config.verbose) {
+        this.log("Client stdin closed, closing child stdin");
+      }
+      if (this.child?.stdin?.writable) {
+        this.child.stdin.end();
+      }
+    });
+  }
+  /**
+   * Set the trust tier for this session.
+   * Called at admission (first interaction) or by explicit manifest presentation.
+   */
+  setManifest(manifest) {
+    this.admissionResult = evaluateTier(manifest);
+    this.currentTier = this.admissionResult.tier;
+    if (this.config.verbose) {
+      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"} reason=${this.admissionResult.reason}`);
+    }
+    return this.admissionResult;
+  }
+  /**
+   * Handle a message from the MCP client (stdin).
+   * Intercept tools/call requests; pass through everything else.
+   */
+  handleClientMessage(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) return;
+    let message;
+    try {
+      message = JSON.parse(trimmed);
+    } catch {
+      this.sendToChild(trimmed);
+      return;
+    }
+    if (message.method === "tools/call" && message.id !== void 0) {
+      const result = this.interceptToolCall(message);
+      if (result) {
+        this.sendToClient(JSON.stringify(result));
+        return;
+      }
+    }
+    this.sendToChild(trimmed);
+  }
+  /**
+   * Handle a message from the wrapped MCP server (child stdout).
+   * Forward to client (stdout) transparently.
+   */
+  handleServerMessage(raw) {
+    this.sendToClient(raw);
+  }
+  /**
+   * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
+   */
+  interceptToolCall(request) {
+    const toolName = request.params?.name || "unknown";
+    const requestId = randomUUID().slice(0, 12);
+    const toolPolicy = getToolPolicy(toolName, this.config.policy);
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    let credentialRef;
+    if (this.config.credentials) {
+      const cred = resolveCredential(toolName, this.config.credentials);
+      if (cred.resolved) {
+        credentialRef = cred.label;
+      } else if (cred.error && !cred.error.includes("not configured")) {
+        this.emitDecisionLog({
+          tool: toolName,
+          decision: "deny",
+          reason_code: "policy_block",
+          request_id: requestId,
+          credential_ref: toolName,
+          tier: this.currentTier
+        });
+        if (this.config.enforce) {
+          this.log(`Credential error for "${toolName}": ${cred.error}`);
+          return this.makeErrorResponse(request.id, -32600, `Credential error for tool "${toolName}"`);
+        }
+      }
+    }
+    if (toolPolicy.min_tier) {
+      if (!meetsMinTier(this.currentTier, toolPolicy.min_tier)) {
+        this.emitDecisionLog({
+          tool: toolName,
+          decision: "deny",
+          reason_code: "tier_insufficient",
+          request_id: requestId,
+          tier: this.currentTier,
+          credential_ref: credentialRef
+        });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(
+            request.id,
+            -32600,
+            `Tool "${toolName}" requires tier "${toolPolicy.min_tier}", agent has "${this.currentTier}"`
+          );
+        }
+        return null;
+      }
+    }
+    if (toolPolicy.block) {
+      this.emitDecisionLog({
+        tool: toolName,
+        decision: "deny",
+        reason_code: "policy_block",
+        request_id: requestId,
+        tier: this.currentTier,
+        credential_ref: credentialRef
+      });
+      if (this.config.enforce) {
+        return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" is blocked by policy`);
+      }
+      return null;
+    }
+    const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
+    if (rateSpec) {
+      try {
+        const limit = parseRateLimit(rateSpec);
+        const key = `tool:${toolName}:${this.currentTier}`;
+        const { allowed, remaining } = checkRateLimit(key, limit, this.rateLimitStore);
+        if (!allowed) {
+          this.emitDecisionLog({
+            tool: toolName,
+            decision: "deny",
+            reason_code: "rate_limit_exceeded",
+            request_id: requestId,
+            rate_limit_remaining: 0,
+            tier: this.currentTier,
+            credential_ref: credentialRef
+          });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(
+              request.id,
+              -32600,
+              `Tool "${toolName}" rate limit exceeded (${rateSpec})`
+            );
+          }
+          return null;
+        }
+        this.emitDecisionLog({
+          tool: toolName,
+          decision: "allow",
+          reason_code: "policy_allow",
+          request_id: requestId,
+          rate_limit_remaining: remaining,
+          tier: this.currentTier,
+          credential_ref: credentialRef
+        });
+      } catch {
+        this.emitDecisionLog({
+          tool: toolName,
+          decision: "allow",
+          reason_code: "default_allow",
+          request_id: requestId,
+          tier: this.currentTier,
+          credential_ref: credentialRef
+        });
+      }
+    } else {
+      const reasonCode = this.config.enforce ? "policy_allow" : "observe_mode";
+      this.emitDecisionLog({
+        tool: toolName,
+        decision: "allow",
+        reason_code: reasonCode,
+        request_id: requestId,
+        tier: this.currentTier,
+        credential_ref: credentialRef
+      });
+    }
+    return null;
+  }
+  /**
+   * Get the applicable rate limit spec based on the agent's tier.
+   */
+  getTierRateLimit(policy, tier) {
+    if (policy.rate_limits && policy.rate_limits[tier]) {
+      const tierLimit = policy.rate_limits[tier];
+      return `${tierLimit.max}/${tierLimit.window}`;
+    }
+    return policy.rate_limit;
+  }
+  /**
+   * Emit a structured decision log to stderr.
+   * If signing is enabled, also emits a signed artifact.
+   */
+  emitDecisionLog(entry) {
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    const log = {
+      v: 2,
+      tool: entry.tool || "unknown",
+      decision: entry.decision || "allow",
+      reason_code: entry.reason_code || "default_allow",
+      policy_digest: this.config.policyDigest,
+      policy_engine: this.config.policy?.policy_engine || "built-in",
+      request_id: entry.request_id || randomUUID().slice(0, 12),
+      timestamp: Date.now(),
+      mode,
+      ...entry.rate_limit_remaining !== void 0 && { rate_limit_remaining: entry.rate_limit_remaining },
+      ...entry.tier && { tier: entry.tier },
+      ...entry.credential_ref && { credential_ref: entry.credential_ref }
+    };
+    process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
+`);
+    if (isSigningEnabled()) {
+      const signed = signDecision(log);
+      if (signed.signed) {
+        process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
+`);
+      } else if (signed.warning) {
+        process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+`);
+      }
+    }
+  }
+  /**
+   * Create a JSON-RPC error response.
+   */
+  makeErrorResponse(id, code, message) {
+    return {
+      jsonrpc: "2.0",
+      id,
+      error: { code, message }
+    };
+  }
+  /**
+   * Send a message to the child process (wrapped MCP server).
+   */
+  sendToChild(message) {
+    if (this.child?.stdin?.writable) {
+      this.child.stdin.write(message + "\n");
+    }
+  }
+  /**
+   * Send a message to the MCP client (stdout).
+   */
+  sendToClient(message) {
+    process.stdout.write(message + "\n");
+  }
+  /**
+   * Log a message to stderr (debug output).
+   */
+  log(message) {
+    process.stderr.write(`[PROTECT_MCP] ${message}
+`);
+  }
+  /**
+   * Stop the gateway: kill child process and exit.
+   */
+  stop() {
+    if (this.clientReader) {
+      this.clientReader.close();
+    }
+    if (this.child) {
+      this.child.kill("SIGTERM");
+      this.child = null;
+    }
+    process.exit(0);
+  }
+};
+export {
+  loadPolicy,
+  getToolPolicy,
+  parseRateLimit,
+  checkRateLimit,
+  evaluateTier,
+  meetsMinTier,
+  resolveCredential,
+  listCredentialLabels,
+  validateCredentials,
+  initSigning,
+  signDecision,
+  getSignerInfo,
+  isSigningEnabled,
+  ProtectGateway
+};