npm - protect-mcp - Versions diffs - 0.2.1 → 0.3.0 - Mend

protect-mcp 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -115,7 +115,7 @@ interface DecisionLog {
     /** Decision: allow or deny */
     decision: 'allow' | 'deny';
     /** Why this decision was made */
-    reason_code: 'policy_allow' | 'policy_block' | 'rate_limit_exceeded' | 'observe_mode' | 'default_allow' | 'tier_insufficient' | 'external_pdp_allow' | 'external_pdp_deny' | 'external_pdp_error';
+    reason_code: string;
     /** SHA-256 digest of the canonicalized policy file */
     policy_digest: string;
     /** Which policy engine made the decision */
@@ -154,6 +154,63 @@ interface ProtectConfig {
     credentials?: Record<string, CredentialConfig>;
 }
+/**
+ * Summary of evidence for tier evaluation.
+ */
+interface EvidenceSummary$1 {
+    receipt_count: number;
+    epoch_span: number;
+    issuer_count: number;
+}
+/**
+ * Thresholds for the 'evidenced' tier.
+ */
+interface EvidenceThresholds {
+    min_receipts: number;
+    min_epoch_span: number;
+    min_issuers: number;
+}
+/**
+ * Evidence store — tracks receipt history per agent.
+ */
+declare class EvidenceStore {
+    private agents;
+    private filePath;
+    private dirty;
+    constructor(dir?: string);
+    /**
+     * Record a receipt observation for an agent.
+     */
+    record(agentId: string, issuer: string, timestamp?: string): void;
+    /**
+     * Get the evidence summary for an agent.
+     */
+    getSummary(agentId: string): EvidenceSummary$1;
+    /**
+     * Check if an agent meets the evidenced tier thresholds.
+     */
+    meetsEvidencedThreshold(agentId: string, thresholds?: EvidenceThresholds): boolean;
+    /**
+     * Persist to disk (call periodically or on shutdown).
+     */
+    save(): void;
+    /**
+     * Load from disk.
+     */
+    private load;
+    /**
+     * Get total agent count (for status display).
+     */
+    agentCount(): number;
+    /**
+     * Get all agent summaries (for status display).
+     */
+    allSummaries(): Array<{
+        agent_id: string;
+        summary: EvidenceSummary$1;
+    }>;
+}
 /**
  * @scopeblind/protect-mcp — Trust Tier Admission Evaluator
  *
@@ -163,8 +220,7 @@ interface ProtectConfig {
  *
  * Tiers (ascending): unknown → signed-known → evidenced → privileged
  *
- * Sprint 2: Simple evaluation (has valid manifest = signed-known).
- * Full evidence evaluation (evidenced tier) is stubbed.
+ * v2: Real evidence evaluation via EvidenceStore when available.
  */
 /**
@@ -180,7 +236,7 @@ interface ManifestPresentation {
     public_key?: string;
     /** Whether the manifest signature was verified */
     signature_valid?: boolean;
-    /** Optional evidence summary for tier upgrade */
+    /** Optional evidence summary for tier upgrade (inline, without store) */
     evidence_summary?: {
         receipt_count: number;
         epoch_span: number;
@@ -201,92 +257,51 @@ interface AdmissionResult {
  * Maps agent IDs to explicitly assigned tiers.
  */
 type TierOverrides = Record<string, TrustTier>;
+/**
+ * Options for tier evaluation.
+ */
+interface EvaluateTierOptions {
+    overrides?: TierOverrides;
+    evidenceStore?: EvidenceStore;
+    thresholds?: EvidenceThresholds;
+}
 /**
  * Evaluate an agent's trust tier based on their presented credentials.
  *
  * @param manifest - Manifest presentation from the agent (or null if none)
- * @param overrides - Operator-configured tier overrides
+ * @param opts - Evaluation options (overrides, evidence store, thresholds)
  * @returns AdmissionResult with assigned tier
  */
-declare function evaluateTier(manifest: ManifestPresentation | null, overrides?: TierOverrides): AdmissionResult;
+declare function evaluateTier(manifest: ManifestPresentation | null, opts?: TierOverrides | EvaluateTierOptions): AdmissionResult;
 /**
  * Check if a trust tier meets the minimum required tier.
  */
 declare function meetsMinTier(actual: TrustTier, required: TrustTier): boolean;
-/**
- * ProtectGateway — stdio MITM proxy for MCP servers.
- *
- * Sits between an MCP client (stdin/stdout) and a wrapped MCP server (child process).
- * Intercepts `tools/call` requests for policy enforcement and decision logging.
- * Passes through all other JSON-RPC messages transparently.
- *
- * v2 features:
- * - Shadow mode (default): observe + signed receipts, no blocking
- * - Trust-tier gating: evaluate manifest at admission, assign tier
- * - Credential vault: inject secrets, agent never sees raw keys
- * - BYOPE: pluggable policy decision via external HTTP webhook
- * - Signed receipts: every decision produces a signed artifact
- */
 declare class ProtectGateway {
     private child;
     private config;
     private rateLimitStore;
     private clientReader;
+    private logFilePath;
+    private evidenceStore;
+    private receiptBuffer;
     private currentTier;
     private admissionResult;
     constructor(config: ProtectConfig);
-    /**
-     * Start the gateway: spawn child process and wire up message relay.
-     */
     start(): Promise<void>;
-    /**
-     * Set the trust tier for this session.
-     * Called at admission (first interaction) or by explicit manifest presentation.
-     */
     setManifest(manifest: ManifestPresentation | null): AdmissionResult;
-    /**
-     * Handle a message from the MCP client (stdin).
-     * Intercept tools/call requests; pass through everything else.
-     */
     private handleClientMessage;
-    /**
-     * Handle a message from the wrapped MCP server (child stdout).
-     * Forward to client (stdout) transparently.
-     */
+    private interceptToolCallAsync;
     private handleServerMessage;
-    /**
-     * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
-     */
+    private injectParamsCredentials;
     private interceptToolCall;
-    /**
-     * Get the applicable rate limit spec based on the agent's tier.
-     */
     private getTierRateLimit;
-    /**
-     * Emit a structured decision log to stderr.
-     * If signing is enabled, also emits a signed artifact.
-     */
     private emitDecisionLog;
-    /**
-     * Create a JSON-RPC error response.
-     */
     private makeErrorResponse;
-    /**
-     * Send a message to the child process (wrapped MCP server).
-     */
     private sendToChild;
-    /**
-     * Send a message to the MCP client (stdout).
-     */
     private sendToClient;
-    /**
-     * Log a message to stderr (debug output).
-     */
     private log;
-    /**
-     * Stop the gateway: kill child process and exit.
-     */
     stop(): void;
 }

package/dist/index.d.ts CHANGED Viewed

@@ -115,7 +115,7 @@ interface DecisionLog {
     /** Decision: allow or deny */
     decision: 'allow' | 'deny';
     /** Why this decision was made */
-    reason_code: 'policy_allow' | 'policy_block' | 'rate_limit_exceeded' | 'observe_mode' | 'default_allow' | 'tier_insufficient' | 'external_pdp_allow' | 'external_pdp_deny' | 'external_pdp_error';
+    reason_code: string;
     /** SHA-256 digest of the canonicalized policy file */
     policy_digest: string;
     /** Which policy engine made the decision */
@@ -154,6 +154,63 @@ interface ProtectConfig {
     credentials?: Record<string, CredentialConfig>;
 }
+/**
+ * Summary of evidence for tier evaluation.
+ */
+interface EvidenceSummary$1 {
+    receipt_count: number;
+    epoch_span: number;
+    issuer_count: number;
+}
+/**
+ * Thresholds for the 'evidenced' tier.
+ */
+interface EvidenceThresholds {
+    min_receipts: number;
+    min_epoch_span: number;
+    min_issuers: number;
+}
+/**
+ * Evidence store — tracks receipt history per agent.
+ */
+declare class EvidenceStore {
+    private agents;
+    private filePath;
+    private dirty;
+    constructor(dir?: string);
+    /**
+     * Record a receipt observation for an agent.
+     */
+    record(agentId: string, issuer: string, timestamp?: string): void;
+    /**
+     * Get the evidence summary for an agent.
+     */
+    getSummary(agentId: string): EvidenceSummary$1;
+    /**
+     * Check if an agent meets the evidenced tier thresholds.
+     */
+    meetsEvidencedThreshold(agentId: string, thresholds?: EvidenceThresholds): boolean;
+    /**
+     * Persist to disk (call periodically or on shutdown).
+     */
+    save(): void;
+    /**
+     * Load from disk.
+     */
+    private load;
+    /**
+     * Get total agent count (for status display).
+     */
+    agentCount(): number;
+    /**
+     * Get all agent summaries (for status display).
+     */
+    allSummaries(): Array<{
+        agent_id: string;
+        summary: EvidenceSummary$1;
+    }>;
+}
 /**
  * @scopeblind/protect-mcp — Trust Tier Admission Evaluator
  *
@@ -163,8 +220,7 @@ interface ProtectConfig {
  *
  * Tiers (ascending): unknown → signed-known → evidenced → privileged
  *
- * Sprint 2: Simple evaluation (has valid manifest = signed-known).
- * Full evidence evaluation (evidenced tier) is stubbed.
+ * v2: Real evidence evaluation via EvidenceStore when available.
  */
 /**
@@ -180,7 +236,7 @@ interface ManifestPresentation {
     public_key?: string;
     /** Whether the manifest signature was verified */
     signature_valid?: boolean;
-    /** Optional evidence summary for tier upgrade */
+    /** Optional evidence summary for tier upgrade (inline, without store) */
     evidence_summary?: {
         receipt_count: number;
         epoch_span: number;
@@ -201,92 +257,51 @@ interface AdmissionResult {
  * Maps agent IDs to explicitly assigned tiers.
  */
 type TierOverrides = Record<string, TrustTier>;
+/**
+ * Options for tier evaluation.
+ */
+interface EvaluateTierOptions {
+    overrides?: TierOverrides;
+    evidenceStore?: EvidenceStore;
+    thresholds?: EvidenceThresholds;
+}
 /**
  * Evaluate an agent's trust tier based on their presented credentials.
  *
  * @param manifest - Manifest presentation from the agent (or null if none)
- * @param overrides - Operator-configured tier overrides
+ * @param opts - Evaluation options (overrides, evidence store, thresholds)
  * @returns AdmissionResult with assigned tier
  */
-declare function evaluateTier(manifest: ManifestPresentation | null, overrides?: TierOverrides): AdmissionResult;
+declare function evaluateTier(manifest: ManifestPresentation | null, opts?: TierOverrides | EvaluateTierOptions): AdmissionResult;
 /**
  * Check if a trust tier meets the minimum required tier.
  */
 declare function meetsMinTier(actual: TrustTier, required: TrustTier): boolean;
-/**
- * ProtectGateway — stdio MITM proxy for MCP servers.
- *
- * Sits between an MCP client (stdin/stdout) and a wrapped MCP server (child process).
- * Intercepts `tools/call` requests for policy enforcement and decision logging.
- * Passes through all other JSON-RPC messages transparently.
- *
- * v2 features:
- * - Shadow mode (default): observe + signed receipts, no blocking
- * - Trust-tier gating: evaluate manifest at admission, assign tier
- * - Credential vault: inject secrets, agent never sees raw keys
- * - BYOPE: pluggable policy decision via external HTTP webhook
- * - Signed receipts: every decision produces a signed artifact
- */
 declare class ProtectGateway {
     private child;
     private config;
     private rateLimitStore;
     private clientReader;
+    private logFilePath;
+    private evidenceStore;
+    private receiptBuffer;
     private currentTier;
     private admissionResult;
     constructor(config: ProtectConfig);
-    /**
-     * Start the gateway: spawn child process and wire up message relay.
-     */
     start(): Promise<void>;
-    /**
-     * Set the trust tier for this session.
-     * Called at admission (first interaction) or by explicit manifest presentation.
-     */
     setManifest(manifest: ManifestPresentation | null): AdmissionResult;
-    /**
-     * Handle a message from the MCP client (stdin).
-     * Intercept tools/call requests; pass through everything else.
-     */
     private handleClientMessage;
-    /**
-     * Handle a message from the wrapped MCP server (child stdout).
-     * Forward to client (stdout) transparently.
-     */
+    private interceptToolCallAsync;
     private handleServerMessage;
-    /**
-     * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
-     */
+    private injectParamsCredentials;
     private interceptToolCall;
-    /**
-     * Get the applicable rate limit spec based on the agent's tier.
-     */
     private getTierRateLimit;
-    /**
-     * Emit a structured decision log to stderr.
-     * If signing is enabled, also emits a signed artifact.
-     */
     private emitDecisionLog;
-    /**
-     * Create a JSON-RPC error response.
-     */
     private makeErrorResponse;
-    /**
-     * Send a message to the child process (wrapped MCP server).
-     */
     private sendToChild;
-    /**
-     * Send a message to the MCP client (stdout).
-     */
     private sendToClient;
-    /**
-     * Log a message to stderr (debug output).
-     */
     private log;
-    /**
-     * Stop the gateway: kill child process and exit.
-     */
     stop(): void;
 }