protect-mcp 0.2.2 → 0.3.1

package/dist/chunk-U7TMVD3E.mjs

@@ -0,0 +1,1105 @@
+// src/policy.ts
+import { createHash } from "crypto";
+import { readFileSync } from "fs";
+function loadPolicy(path) {
+  const raw = readFileSync(path, "utf-8");
+  const parsed = JSON.parse(raw);
+  if (!parsed.tools || typeof parsed.tools !== "object") {
+    throw new Error(`Invalid policy file: missing "tools" object in ${path}`);
+  }
+  const policy = {
+    tools: parsed.tools,
+    default_tier: parsed.default_tier || "unknown",
+    policy_engine: parsed.policy_engine || "built-in",
+    ...parsed.external ? { external: parsed.external } : {}
+  };
+  const digest = computePolicyDigest(policy);
+  return {
+    policy,
+    digest,
+    credentials: parsed.credentials,
+    signing: parsed.signing
+  };
+}
+function computePolicyDigest(policy) {
+  const canonical = JSON.stringify(sortKeysDeep(policy));
+  return createHash("sha256").update(canonical).digest("hex").slice(0, 16);
+}
+function sortKeysDeep(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(sortKeysDeep);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = sortKeysDeep(obj[key]);
+  }
+  return sorted;
+}
+function getToolPolicy(toolName, policy) {
+  if (!policy) {
+    return { require: "any" };
+  }
+  if (policy.tools[toolName]) {
+    return policy.tools[toolName];
+  }
+  if (policy.tools["*"]) {
+    return policy.tools["*"];
+  }
+  return { require: "any" };
+}
+function parseRateLimit(spec) {
+  const match = spec.match(/^(\d+)\/(second|minute|hour|day)$/);
+  if (!match) {
+    throw new Error(`Invalid rate limit format: "${spec}". Expected "N/unit" (e.g. "5/hour")`);
+  }
+  const count = parseInt(match[1], 10);
+  const unit = match[2];
+  const windowMs = {
+    second: 1e3,
+    minute: 6e4,
+    hour: 36e5,
+    day: 864e5
+  };
+  return { count, windowMs: windowMs[unit] };
+}
+function checkRateLimit(key, limit, store) {
+  const now = Date.now();
+  const windowStart = now - limit.windowMs;
+  const timestamps = (store.get(key) || []).filter((t) => t > windowStart);
+  if (timestamps.length >= limit.count) {
+    store.set(key, timestamps);
+    return { allowed: false, remaining: 0 };
+  }
+  timestamps.push(now);
+  store.set(key, timestamps);
+  return { allowed: true, remaining: limit.count - timestamps.length };
+}
+
+// src/evidence-store.ts
+import { readFileSync as readFileSync2, writeFileSync, existsSync } from "fs";
+import { join } from "path";
+var DEFAULT_THRESHOLDS = {
+  min_receipts: 10,
+  min_epoch_span: 3,
+  min_issuers: 2
+};
+var EvidenceStore = class {
+  agents = /* @__PURE__ */ new Map();
+  filePath;
+  dirty = false;
+  constructor(dir) {
+    this.filePath = join(dir || process.cwd(), ".protect-mcp-evidence.json");
+    this.load();
+  }
+  /**
+   * Record a receipt observation for an agent.
+   */
+  record(agentId, issuer, timestamp) {
+    const ts = timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const epochHour = Math.floor(new Date(ts).getTime() / (3600 * 1e3));
+    const existing = this.agents.get(agentId);
+    const observation = {
+      issuer,
+      timestamp: ts,
+      epoch_hour: epochHour
+    };
+    if (existing) {
+      existing.receipts.push(observation);
+      existing.last_seen = ts;
+      if (existing.receipts.length > 200) {
+        existing.receipts = existing.receipts.slice(-200);
+      }
+    } else {
+      this.agents.set(agentId, {
+        agent_id: agentId,
+        receipts: [observation],
+        first_seen: ts,
+        last_seen: ts
+      });
+    }
+    this.dirty = true;
+  }
+  /**
+   * Get the evidence summary for an agent.
+   */
+  getSummary(agentId) {
+    const record = this.agents.get(agentId);
+    if (!record || record.receipts.length === 0) {
+      return { receipt_count: 0, epoch_span: 0, issuer_count: 0 };
+    }
+    const uniqueIssuers = new Set(record.receipts.map((r) => r.issuer));
+    const uniqueEpochs = new Set(record.receipts.map((r) => r.epoch_hour));
+    return {
+      receipt_count: record.receipts.length,
+      epoch_span: uniqueEpochs.size,
+      issuer_count: uniqueIssuers.size
+    };
+  }
+  /**
+   * Check if an agent meets the evidenced tier thresholds.
+   */
+  meetsEvidencedThreshold(agentId, thresholds = DEFAULT_THRESHOLDS) {
+    const summary = this.getSummary(agentId);
+    return summary.receipt_count >= thresholds.min_receipts && summary.epoch_span >= thresholds.min_epoch_span && summary.issuer_count >= thresholds.min_issuers;
+  }
+  /**
+   * Persist to disk (call periodically or on shutdown).
+   */
+  save() {
+    if (!this.dirty) return;
+    const data = {};
+    for (const [id, record] of this.agents) {
+      data[id] = record;
+    }
+    try {
+      writeFileSync(this.filePath, JSON.stringify({ v: 1, agents: data }, null, 2) + "\n");
+      this.dirty = false;
+    } catch {
+    }
+  }
+  /**
+   * Load from disk.
+   */
+  load() {
+    if (!existsSync(this.filePath)) return;
+    try {
+      const raw = readFileSync2(this.filePath, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (parsed.agents && typeof parsed.agents === "object") {
+        for (const [id, record] of Object.entries(parsed.agents)) {
+          this.agents.set(id, record);
+        }
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get total agent count (for status display).
+   */
+  agentCount() {
+    return this.agents.size;
+  }
+  /**
+   * Get all agent summaries (for status display).
+   */
+  allSummaries() {
+    const result = [];
+    for (const [id] of this.agents) {
+      result.push({ agent_id: id, summary: this.getSummary(id) });
+    }
+    return result;
+  }
+};
+
+// src/admission.ts
+function evaluateTier(manifest, opts) {
+  const options = opts && ("evidenceStore" in opts || "overrides" in opts || "thresholds" in opts) ? opts : { overrides: opts };
+  const { overrides, evidenceStore, thresholds } = options;
+  if (!manifest) {
+    return {
+      tier: "unknown",
+      reason: "no_manifest_presented"
+    };
+  }
+  if (overrides && manifest.agent_id && overrides[manifest.agent_id]) {
+    return {
+      tier: overrides[manifest.agent_id],
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "operator_override"
+    };
+  }
+  if (manifest.signature_valid === false) {
+    return {
+      tier: "unknown",
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "invalid_manifest_signature"
+    };
+  }
+  if (manifest.signature_valid === true) {
+    if (manifest.evidence_summary) {
+      const es = manifest.evidence_summary;
+      const t = thresholds || DEFAULT_THRESHOLDS;
+      if (es.receipt_count >= t.min_receipts && es.epoch_span >= t.min_epoch_span && es.issuer_count >= t.min_issuers) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_threshold_met"
+        };
+      }
+    }
+    if (evidenceStore && manifest.agent_id) {
+      if (evidenceStore.meetsEvidencedThreshold(manifest.agent_id, thresholds)) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_store_threshold_met"
+        };
+      }
+    }
+    return {
+      tier: "signed-known",
+      agent_id: manifest.agent_id,
+      manifest_hash: manifest.manifest_hash,
+      reason: "valid_signed_manifest"
+    };
+  }
+  return {
+    tier: "unknown",
+    agent_id: manifest.agent_id,
+    manifest_hash: manifest.manifest_hash,
+    reason: "manifest_unverified"
+  };
+}
+function meetsMinTier(actual, required) {
+  const order = ["unknown", "signed-known", "evidenced", "privileged"];
+  return order.indexOf(actual) >= order.indexOf(required);
+}
+
+// src/credentials.ts
+function resolveCredential(label, credentials) {
+  if (!credentials || !credentials[label]) {
+    return {
+      resolved: false,
+      label,
+      error: `credential "${label}" not configured`
+    };
+  }
+  const config = credentials[label];
+  const value = process.env[config.value_env];
+  if (!value) {
+    return {
+      resolved: false,
+      label,
+      error: `environment variable "${config.value_env}" for credential "${label}" is not set`
+    };
+  }
+  return {
+    resolved: true,
+    label,
+    value,
+    inject: config.inject,
+    name: config.name
+  };
+}
+function listCredentialLabels(credentials) {
+  if (!credentials) return [];
+  return Object.keys(credentials);
+}
+function validateCredentials(credentials) {
+  const warnings = [];
+  if (!credentials) return warnings;
+  for (const [label, config] of Object.entries(credentials)) {
+    if (!config.value_env) {
+      warnings.push(`credential "${label}": missing value_env`);
+      continue;
+    }
+    if (!config.inject) {
+      warnings.push(`credential "${label}": missing inject type`);
+      continue;
+    }
+    if (!process.env[config.value_env]) {
+      warnings.push(`credential "${label}": env var "${config.value_env}" not set`);
+    }
+  }
+  return warnings;
+}
+
+// src/signing.ts
+import { readFileSync as readFileSync3, existsSync as existsSync2 } from "fs";
+var signerState = null;
+var artifactsModule = null;
+async function initSigning(config) {
+  const warnings = [];
+  if (!config || config.enabled === false) {
+    return warnings;
+  }
+  try {
+    artifactsModule = await import("@veritasacta/artifacts");
+  } catch {
+    warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
+    return warnings;
+  }
+  if (config.key_path) {
+    if (!existsSync2(config.key_path)) {
+      warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
+      return warnings;
+    }
+    try {
+      const keyData = JSON.parse(readFileSync3(config.key_path, "utf-8"));
+      if (!keyData.privateKey || !keyData.publicKey) {
+        warnings.push("signing: key file missing privateKey or publicKey fields");
+        return warnings;
+      }
+      signerState = {
+        privateKey: keyData.privateKey,
+        publicKey: keyData.publicKey,
+        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || keyData.issuer || "protect-mcp"
+      };
+    } catch (err) {
+      warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  return warnings;
+}
+function signDecision(entry) {
+  if (!signerState || !artifactsModule) {
+    return { signed: null, artifact_type: "none" };
+  }
+  const artifactType = entry.decision === "deny" ? "gateway_restraint" : "decision_receipt";
+  try {
+    const payload = {
+      tool: entry.tool,
+      decision: entry.decision,
+      reason_code: entry.reason_code,
+      policy_digest: entry.policy_digest,
+      scope: entry.request_id,
+      // request scope
+      mode: entry.mode,
+      request_id: entry.request_id
+    };
+    if (entry.tier) payload.tier = entry.tier;
+    if (entry.credential_ref) payload.credential_ref = entry.credential_ref;
+    if (entry.rate_limit_remaining !== void 0) {
+      payload.rate_limit_remaining = entry.rate_limit_remaining;
+    }
+    if (entry.policy_engine) payload.policy_engine = entry.policy_engine;
+    const result = artifactsModule.createSignedArtifact(
+      artifactType,
+      payload,
+      signerState.privateKey,
+      {
+        kid: signerState.kid,
+        issuer: signerState.issuer
+      }
+    );
+    return {
+      signed: JSON.stringify(result.artifact),
+      artifact_type: artifactType
+    };
+  } catch (err) {
+    return {
+      signed: null,
+      artifact_type: artifactType,
+      warning: `signing failed: ${err instanceof Error ? err.message : "unknown error"}`
+    };
+  }
+}
+function getSignerInfo() {
+  if (!signerState) return null;
+  return {
+    publicKey: signerState.publicKey,
+    kid: signerState.kid,
+    issuer: signerState.issuer
+  };
+}
+function isSigningEnabled() {
+  return signerState !== null && artifactsModule !== null;
+}
+
+// src/external-pdp.ts
+async function queryExternalPDP(context, config) {
+  const timeout = config.timeout_ms || 500;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeout);
+  try {
+    const body = formatRequest(context, config.format || "generic");
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    return parseResponse(result, config.format || "generic");
+  } catch (err) {
+    clearTimeout(timer);
+    if (err instanceof Error && err.name === "AbortError") {
+      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
+    }
+    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
+  }
+}
+function formatRequest(context, format) {
+  switch (format) {
+    case "opa":
+      return {
+        input: {
+          actor: context.actor,
+          action: context.action,
+          target: context.target,
+          credential_ref: context.credential_ref,
+          mode: context.mode,
+          metadata: context.request_metadata
+        }
+      };
+    case "cerbos":
+      return {
+        principal: {
+          id: context.actor.id || "unknown",
+          roles: [context.actor.tier],
+          attr: {
+            manifest_hash: context.actor.manifest_hash
+          }
+        },
+        resource: {
+          kind: "tool",
+          id: context.action.tool,
+          attr: context.target
+        },
+        actions: [context.action.operation || "call"]
+      };
+    case "generic":
+    default:
+      return context;
+  }
+}
+function parseResponse(result, format) {
+  switch (format) {
+    case "opa":
+      if (typeof result.result === "boolean") {
+        return { allowed: result.result };
+      }
+      if (result.result && typeof result.result === "object") {
+        const r = result.result;
+        return {
+          allowed: Boolean(r.allow),
+          reason: r.reason,
+          metadata: r
+        };
+      }
+      return { allowed: false, reason: "unrecognized OPA response" };
+    case "cerbos":
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const actions = result.results[0].actions;
+        if (actions) {
+          const effect = Object.values(actions)[0];
+          return { allowed: effect === "EFFECT_ALLOW" };
+        }
+      }
+      return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "generic":
+    default:
+      return {
+        allowed: Boolean(result.allowed),
+        reason: result.reason,
+        metadata: result.metadata
+      };
+  }
+}
+function fallbackDecision(config, reason) {
+  const fallback = config.fallback || "deny";
+  return {
+    allowed: fallback === "allow",
+    reason: `fallback_${fallback}: ${reason}`
+  };
+}
+function buildDecisionContext(toolName, tier, opts) {
+  return {
+    v: 1,
+    actor: {
+      id: opts.agentId,
+      tier,
+      manifest_hash: opts.manifestHash
+    },
+    action: {
+      tool: toolName,
+      operation: "call"
+    },
+    target: {
+      service: opts.slug || "default"
+    },
+    credential_ref: opts.credentialRef,
+    mode: opts.mode,
+    request_metadata: opts.requestMetadata || {}
+  };
+}
+
+// src/gateway.ts
+import { spawn } from "child_process";
+import { randomUUID, randomBytes } from "crypto";
+import { createInterface } from "readline";
+import { appendFileSync } from "fs";
+import { join as join3 } from "path";
+
+// src/http-server.ts
+import { createServer } from "http";
+import { readFileSync as readFileSync4, existsSync as existsSync3 } from "fs";
+import { join as join2 } from "path";
+var LOG_FILE = ".protect-mcp-log.jsonl";
+var MAX_RECEIPTS = 100;
+var ReceiptBuffer = class {
+  receipts = [];
+  add(requestId, receipt) {
+    this.receipts.push({
+      request_id: requestId,
+      receipt,
+      timestamp: Date.now()
+    });
+    if (this.receipts.length > MAX_RECEIPTS) {
+      this.receipts = this.receipts.slice(-MAX_RECEIPTS);
+    }
+  }
+  getAll() {
+    return [...this.receipts].reverse();
+  }
+  getById(requestId) {
+    return this.receipts.find((r) => r.request_id === requestId);
+  }
+  count() {
+    return this.receipts.length;
+  }
+  getLatest() {
+    return this.receipts.length > 0 ? this.receipts[this.receipts.length - 1] : void 0;
+  }
+};
+function startStatusServer(config, receiptBuffer, approvalStore, approvalNonce) {
+  const startTime = Date.now();
+  const logDir = process.cwd();
+  const server = createServer((req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    res.setHeader("Content-Type", "application/json");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${config.port}`);
+    const path = url.pathname;
+    try {
+      if (path === "/health") {
+        handleHealth(res, startTime, config);
+      } else if (path === "/status") {
+        handleStatus(res, logDir);
+      } else if (path === "/receipts") {
+        handleReceipts(res, receiptBuffer, url);
+      } else if (path === "/receipts/latest") {
+        handleReceiptLatest(res, receiptBuffer);
+      } else if (path.startsWith("/receipts/")) {
+        const id = path.slice("/receipts/".length);
+        handleReceiptById(res, receiptBuffer, id);
+      } else if (path === "/approve" && req.method === "POST") {
+        handleApprove(req, res, approvalStore, approvalNonce);
+      } else if (path === "/approvals" && req.method === "GET") {
+        handleListApprovals(res, approvalStore);
+      } else {
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/latest", "/receipts/:id", "/approve", "/approvals"] }));
+      }
+    } catch (err) {
+      res.writeHead(500);
+      res.end(JSON.stringify({ error: "internal_error" }));
+    }
+  });
+  server.on("error", (err) => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server error: ${err.message}
+`);
+    }
+  });
+  server.listen(config.port, "127.0.0.1", () => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
+`);
+    }
+  });
+  server.unref();
+  return server;
+}
+function handleHealth(res, startTime, config) {
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    status: "ok",
+    uptime_ms: Date.now() - startTime,
+    mode: config.mode,
+    version: "0.3.1"
+  }));
+}
+function handleStatus(res, logDir) {
+  const logPath = join2(logDir, LOG_FILE);
+  if (!existsSync3(logPath)) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
+    return;
+  }
+  const raw = readFileSync4(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  const toolCounts = {};
+  let allowCount = 0, denyCount = 0;
+  const tierCounts = {};
+  for (const e of entries) {
+    toolCounts[e.tool] = (toolCounts[e.tool] || 0) + 1;
+    if (e.decision === "allow") allowCount++;
+    else denyCount++;
+    if (e.tier) tierCounts[e.tier] = (tierCounts[e.tier] || 0) + 1;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    entries: entries.length,
+    allow: allowCount,
+    deny: denyCount,
+    tools: toolCounts,
+    tiers: tierCounts,
+    first_timestamp: entries.length > 0 ? entries[0].timestamp : null,
+    last_timestamp: entries.length > 0 ? entries[entries.length - 1].timestamp : null
+  }));
+}
+function handleReceipts(res, buffer, url) {
+  const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+  const receipts = buffer.getAll().slice(0, Math.min(limit, MAX_RECEIPTS));
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    count: receipts.length,
+    total: buffer.count(),
+    receipts
+  }));
+}
+function handleReceiptLatest(res, buffer) {
+  const latest = buffer.getLatest();
+  if (!latest) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "no_receipts", message: "No receipts yet. Make a tool call through protect-mcp first." }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(latest));
+}
+function handleReceiptById(res, buffer, id) {
+  const receipt = buffer.getById(id);
+  if (!receipt) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "receipt_not_found", request_id: id }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(receipt));
+}
+function handleApprove(req, res, approvalStore, expectedNonce) {
+  if (!approvalStore) {
+    res.writeHead(503);
+    res.end(JSON.stringify({ error: "approval_store_not_available" }));
+    return;
+  }
+  let body = "";
+  req.on("data", (chunk) => {
+    body += chunk.toString();
+  });
+  req.on("end", () => {
+    try {
+      const { request_id, tool, mode, nonce } = JSON.parse(body);
+      if (expectedNonce && nonce !== expectedNonce) {
+        res.writeHead(403);
+        res.end(JSON.stringify({ error: "invalid_nonce", message: "Approval nonce does not match. Check stderr output for the correct nonce." }));
+        return;
+      }
+      if (!tool || typeof tool !== "string") {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "missing_tool", usage: '{"request_id":"abc123","tool":"send_email","mode":"once|always","nonce":"..."}' }));
+        return;
+      }
+      const grantMode = mode === "always" ? "always" : "once";
+      const ttlMs = grantMode === "once" ? 5 * 60 * 1e3 : 24 * 60 * 60 * 1e3;
+      const grantEntry = { tool, mode: grantMode, expires_at: Date.now() + ttlMs };
+      if (grantMode === "always") {
+        approvalStore.set(`always:${tool}`, grantEntry);
+      } else if (request_id) {
+        approvalStore.set(request_id, grantEntry);
+      } else {
+        approvalStore.set(tool, grantEntry);
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        approved: true,
+        request_id: request_id || null,
+        tool,
+        mode: grantMode,
+        expires_in_seconds: ttlMs / 1e3
+      }));
+    } catch {
+      res.writeHead(400);
+      res.end(JSON.stringify({ error: "invalid_json", usage: '{"request_id":"abc123","tool":"send_email","mode":"once","nonce":"..."}' }));
+    }
+  });
+}
+function handleListApprovals(res, approvalStore) {
+  if (!approvalStore) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ grants: [] }));
+    return;
+  }
+  const now = Date.now();
+  const grants = [];
+  for (const [key, grant] of approvalStore) {
+    if (now < grant.expires_at) {
+      grants.push({ key, tool: grant.tool, mode: grant.mode, expires_in_seconds: Math.round((grant.expires_at - now) / 1e3) });
+    }
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({ grants }));
+}
+
+// src/gateway.ts
+var LOG_FILE2 = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
+var ProtectGateway = class {
+  child = null;
+  config;
+  rateLimitStore = /* @__PURE__ */ new Map();
+  clientReader = null;
+  logFilePath;
+  receiptFilePath;
+  evidenceStore;
+  receiptBuffer;
+  /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+  approvalStore = /* @__PURE__ */ new Map();
+  /** Random nonce generated at startup — required for approval endpoint authentication */
+  approvalNonce = randomBytes(16).toString("hex");
+  currentTier = "unknown";
+  admissionResult = null;
+  constructor(config) {
+    this.config = config;
+    this.logFilePath = join3(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = join3(process.cwd(), RECEIPTS_FILE);
+    this.evidenceStore = new EvidenceStore();
+    this.receiptBuffer = new ReceiptBuffer();
+  }
+  async start() {
+    const { command, args, verbose } = this.config;
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    if (verbose) {
+      this.log(`Starting gateway in ${mode} mode`);
+      this.log(`Wrapping: ${command} ${args.join(" ")}`);
+      if (this.config.policy) {
+        this.log(`Policy digest: ${this.config.policyDigest}`);
+      }
+      if (isSigningEnabled()) {
+        this.log("Signing: enabled (receipts will be signed)");
+      }
+      if (this.config.credentials) {
+        const labels = Object.keys(this.config.credentials);
+        this.log(`Credential vault: ${labels.length} credential(s) configured [${labels.join(", ")}]`);
+      }
+      if (this.config.policy?.policy_engine === "external" || this.config.policy?.policy_engine === "hybrid") {
+        this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
+      }
+    }
+    this.log(`Approval nonce: ${this.approvalNonce}`);
+    const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
+    if (httpPort > 0) {
+      try {
+        startStatusServer(
+          { port: httpPort, mode, verbose },
+          this.receiptBuffer,
+          this.approvalStore,
+          this.approvalNonce
+        );
+      } catch {
+        if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
+      }
+    }
+    const childEnv = { ...process.env };
+    if (this.config.credentials) {
+      for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+        if (credConfig.inject === "env" && credConfig.name && credConfig.value_env) {
+          const envValue = process.env[credConfig.value_env];
+          if (envValue) {
+            childEnv[credConfig.name] = envValue;
+            if (verbose) this.log(`Credential "${label}": injected as env var "${credConfig.name}"`);
+          }
+        }
+      }
+    }
+    this.child = spawn(command, args, { stdio: ["pipe", "pipe", "pipe"], env: childEnv });
+    if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
+      throw new Error("Failed to create pipes to child process");
+    }
+    this.child.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+    const childReader = createInterface({ input: this.child.stdout, crlfDelay: Infinity });
+    childReader.on("line", (line) => {
+      this.handleServerMessage(line);
+    });
+    this.clientReader = createInterface({ input: process.stdin, crlfDelay: Infinity });
+    this.clientReader.on("line", (line) => {
+      this.handleClientMessage(line);
+    });
+    this.child.on("exit", (code, signal) => {
+      if (verbose) this.log(`Child process exited (code=${code}, signal=${signal})`);
+      this.evidenceStore.save();
+      process.exit(code ?? 1);
+    });
+    this.child.on("error", (err) => {
+      this.log(`Child process error: ${err.message}`);
+      process.exit(1);
+    });
+    process.on("SIGINT", () => this.stop());
+    process.on("SIGTERM", () => this.stop());
+    process.stdin.on("end", () => {
+      if (verbose) this.log("Client stdin closed, closing child stdin");
+      if (this.child?.stdin?.writable) this.child.stdin.end();
+    });
+  }
+  setManifest(manifest) {
+    this.admissionResult = evaluateTier(manifest, { evidenceStore: this.evidenceStore });
+    this.currentTier = this.admissionResult.tier;
+    if (this.config.verbose) {
+      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"}`);
+    }
+    return this.admissionResult;
+  }
+  handleClientMessage(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) return;
+    let message;
+    try {
+      message = JSON.parse(trimmed);
+    } catch {
+      this.sendToChild(trimmed);
+      return;
+    }
+    if (message.method === "tools/call" && message.id !== void 0) {
+      this.interceptToolCallAsync(message, trimmed);
+      return;
+    }
+    this.sendToChild(trimmed);
+  }
+  async interceptToolCallAsync(request, raw) {
+    const result = await this.interceptToolCall(request);
+    if (result) {
+      this.sendToClient(JSON.stringify(result));
+    } else {
+      const modified = this.injectParamsCredentials(request);
+      this.sendToChild(JSON.stringify(modified));
+    }
+  }
+  handleServerMessage(raw) {
+    this.sendToClient(raw);
+  }
+  injectParamsCredentials(request) {
+    if (!this.config.credentials) return request;
+    const injections = {};
+    for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+      if (credConfig.inject === "header" || credConfig.inject === "query") {
+        const cred = resolveCredential(label, this.config.credentials);
+        if (cred.resolved && cred.value && cred.name) {
+          injections[cred.name] = cred.value;
+        }
+      }
+    }
+    if (Object.keys(injections).length === 0) return request;
+    return { ...request, params: { ...request.params, _credentials: injections } };
+  }
+  async interceptToolCall(request) {
+    const toolName = request.params?.name || "unknown";
+    const requestId = randomUUID().slice(0, 12);
+    const toolPolicy = getToolPolicy(toolName, this.config.policy);
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    let credentialRef;
+    if (this.config.credentials) {
+      const cred = resolveCredential(toolName, this.config.credentials);
+      if (cred.resolved) {
+        credentialRef = cred.label;
+      } else if (cred.error && !cred.error.includes("not configured")) {
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "credential_error", request_id: requestId, tier: this.currentTier, credential_ref: toolName });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(request.id, -32600, `Credential error for tool "${toolName}"`);
+        }
+      }
+    }
+    if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
+      try {
+        const ctx = buildDecisionContext(toolName, this.currentTier, {
+          agentId: this.admissionResult?.agent_id,
+          manifestHash: this.admissionResult?.manifest_hash,
+          credentialRef,
+          mode,
+          slug: this.config.slug
+        });
+        const externalDecision = await queryExternalPDP(ctx, this.config.policy.external);
+        if (!externalDecision.allowed) {
+          const reason = `external_pdp_deny${externalDecision.reason ? ": " + externalDecision.reason : ""}`;
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by external policy engine`);
+          }
+          if (this.config.policy.policy_engine === "external") return null;
+        }
+      } catch (err) {
+        if (this.config.verbose) this.log(`External PDP error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
+    if (toolPolicy.min_tier) {
+      if (!meetsMinTier(this.currentTier, toolPolicy.min_tier)) {
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "tier_insufficient", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" requires tier "${toolPolicy.min_tier}"`);
+        }
+        return null;
+      }
+    }
+    if (toolPolicy.block) {
+      this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "policy_block", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" is blocked by policy`);
+      }
+      return null;
+    }
+    if (toolPolicy.require_approval) {
+      const grant = this.approvalStore.get(requestId);
+      const alwaysGrant = this.approvalStore.get(`always:${toolName}`);
+      if (grant && Date.now() < grant.expires_at || alwaysGrant && Date.now() < alwaysGrant.expires_at) {
+        if (grant && grant.mode === "once") this.approvalStore.delete(requestId);
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "approval_granted", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      }
+      this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: {
+            content: [
+              {
+                type: "text",
+                text: `REQUIRES_APPROVAL: The tool "${toolName}" requires human approval before execution. Request ID: ${requestId}. Approval nonce: ${this.approvalNonce}. Tell the user you need their approval to use "${toolName}" and will retry when granted. Do NOT retry this tool call until the user explicitly approves it.`
+              }
+            ],
+            isError: true
+          }
+        };
+      }
+      return null;
+    }
+    const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
+    if (rateSpec) {
+      try {
+        const limit = parseRateLimit(rateSpec);
+        const key = `tool:${toolName}:${this.currentTier}`;
+        const { allowed, remaining } = checkRateLimit(key, limit, this.rateLimitStore);
+        if (!allowed) {
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "rate_limit_exceeded", request_id: requestId, rate_limit_remaining: 0, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" rate limit exceeded (${rateSpec})`);
+          }
+          return null;
+        }
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "policy_allow", request_id: requestId, rate_limit_remaining: remaining, tier: this.currentTier, credential_ref: credentialRef });
+      } catch {
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "default_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      }
+    } else {
+      const reasonCode = this.config.enforce ? "policy_allow" : "observe_mode";
+      this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: reasonCode, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+    }
+    return null;
+  }
+  getTierRateLimit(policy, tier) {
+    if (policy.rate_limits && policy.rate_limits[tier]) {
+      const tierLimit = policy.rate_limits[tier];
+      return `${tierLimit.max}/${tierLimit.window}`;
+    }
+    return policy.rate_limit;
+  }
+  emitDecisionLog(entry) {
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    const log = {
+      v: 2,
+      tool: entry.tool || "unknown",
+      decision: entry.decision || "allow",
+      reason_code: entry.reason_code || "default_allow",
+      policy_digest: this.config.policyDigest,
+      policy_engine: this.config.policy?.policy_engine || "built-in",
+      request_id: entry.request_id || randomUUID().slice(0, 12),
+      timestamp: Date.now(),
+      mode,
+      ...entry.rate_limit_remaining !== void 0 && { rate_limit_remaining: entry.rate_limit_remaining },
+      ...entry.tier && { tier: entry.tier },
+      ...entry.credential_ref && { credential_ref: entry.credential_ref }
+    };
+    process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
+`);
+    try {
+      appendFileSync(this.logFilePath, JSON.stringify(log) + "\n");
+    } catch {
+    }
+    if (isSigningEnabled()) {
+      const signed = signDecision(log);
+      if (signed.signed) {
+        process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
+`);
+        try {
+          appendFileSync(this.receiptFilePath, signed.signed + "\n");
+        } catch {
+        }
+        this.receiptBuffer.add(log.request_id, signed.signed);
+        if (this.admissionResult?.agent_id) {
+          this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");
+          if (this.evidenceStore.getSummary(this.admissionResult.agent_id).receipt_count % 10 === 0) {
+            this.evidenceStore.save();
+          }
+        }
+      } else if (signed.warning) {
+        process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+`);
+      }
+    }
+  }
+  makeErrorResponse(id, code, message) {
+    return { jsonrpc: "2.0", id, error: { code, message } };
+  }
+  sendToChild(message) {
+    if (this.child?.stdin?.writable) this.child.stdin.write(message + "\n");
+  }
+  sendToClient(message) {
+    process.stdout.write(message + "\n");
+  }
+  log(message) {
+    process.stderr.write(`[PROTECT_MCP] ${message}
+`);
+  }
+  stop() {
+    this.evidenceStore.save();
+    if (this.clientReader) this.clientReader.close();
+    if (this.child) {
+      this.child.kill("SIGTERM");
+      this.child = null;
+    }
+    process.exit(0);
+  }
+};
+
+export {
+  loadPolicy,
+  getToolPolicy,
+  parseRateLimit,
+  checkRateLimit,
+  evaluateTier,
+  meetsMinTier,
+  resolveCredential,
+  listCredentialLabels,
+  validateCredentials,
+  initSigning,
+  signDecision,
+  getSignerInfo,
+  isSigningEnabled,
+  queryExternalPDP,
+  buildDecisionContext,
+  ProtectGateway
+};