npm - protect-mcp - Versions diffs - 0.2.2 → 0.3.1 - Mend

protect-mcp 0.2.2 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +11 -1
package/dist/bundle-TXOTFJIJ.mjs +8 -0
package/dist/chunk-5JXFV37Y.mjs +53 -0
package/dist/chunk-U7TMVD3E.mjs +1105 -0
package/dist/cli.js +1176 -172
package/dist/cli.mjs +462 -5
package/dist/demo-server.d.mts +1 -0
package/dist/demo-server.d.ts +1 -0
package/dist/demo-server.js +137 -0
package/dist/demo-server.mjs +136 -0
package/dist/index.d.mts +83 -61
package/dist/index.d.ts +83 -61
package/dist/index.js +637 -271
package/dist/index.mjs +7 -172
package/package.json +3 -3
package/dist/chunk-ZCKNFULF.mjs +0 -613

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import {
   ProtectGateway,
+  buildDecisionContext,
   checkRateLimit,
   evaluateTier,
   getSignerInfo,
@@ -10,181 +11,15 @@ import {
   loadPolicy,
   meetsMinTier,
   parseRateLimit,
+  queryExternalPDP,
   resolveCredential,
   signDecision,
   validateCredentials
-} from "./chunk-ZCKNFULF.mjs";
-// src/external-pdp.ts
-async function queryExternalPDP(context, config) {
-  const timeout = config.timeout_ms || 500;
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeout);
-  try {
-    const body = formatRequest(context, config.format || "generic");
-    const response = await fetch(config.endpoint, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    clearTimeout(timer);
-    if (!response.ok) {
-      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
-    }
-    const result = await response.json();
-    return parseResponse(result, config.format || "generic");
-  } catch (err) {
-    clearTimeout(timer);
-    if (err instanceof Error && err.name === "AbortError") {
-      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
-    }
-    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
-  }
-}
-function formatRequest(context, format) {
-  switch (format) {
-    case "opa":
-      return {
-        input: {
-          actor: context.actor,
-          action: context.action,
-          target: context.target,
-          credential_ref: context.credential_ref,
-          mode: context.mode,
-          metadata: context.request_metadata
-        }
-      };
-    case "cerbos":
-      return {
-        principal: {
-          id: context.actor.id || "unknown",
-          roles: [context.actor.tier],
-          attr: {
-            manifest_hash: context.actor.manifest_hash
-          }
-        },
-        resource: {
-          kind: "tool",
-          id: context.action.tool,
-          attr: context.target
-        },
-        actions: [context.action.operation || "call"]
-      };
-    case "generic":
-    default:
-      return context;
-  }
-}
-function parseResponse(result, format) {
-  switch (format) {
-    case "opa":
-      if (typeof result.result === "boolean") {
-        return { allowed: result.result };
-      }
-      if (result.result && typeof result.result === "object") {
-        const r = result.result;
-        return {
-          allowed: Boolean(r.allow),
-          reason: r.reason,
-          metadata: r
-        };
-      }
-      return { allowed: false, reason: "unrecognized OPA response" };
-    case "cerbos":
-      if (Array.isArray(result.results) && result.results.length > 0) {
-        const actions = result.results[0].actions;
-        if (actions) {
-          const effect = Object.values(actions)[0];
-          return { allowed: effect === "EFFECT_ALLOW" };
-        }
-      }
-      return { allowed: false, reason: "unrecognized Cerbos response" };
-    case "generic":
-    default:
-      return {
-        allowed: Boolean(result.allowed),
-        reason: result.reason,
-        metadata: result.metadata
-      };
-  }
-}
-function fallbackDecision(config, reason) {
-  const fallback = config.fallback || "deny";
-  return {
-    allowed: fallback === "allow",
-    reason: `fallback_${fallback}: ${reason}`
-  };
-}
-function buildDecisionContext(toolName, tier, opts) {
-  return {
-    v: 1,
-    actor: {
-      id: opts.agentId,
-      tier,
-      manifest_hash: opts.manifestHash
-    },
-    action: {
-      tool: toolName,
-      operation: "call"
-    },
-    target: {
-      service: opts.slug || "default"
-    },
-    credential_ref: opts.credentialRef,
-    mode: opts.mode,
-    request_metadata: opts.requestMetadata || {}
-  };
-}
-// src/bundle.ts
-function createAuditBundle(opts) {
-  const receipts = opts.receipts.filter(
-    (r) => r && typeof r === "object" && typeof r.signature === "string"
-  );
-  if (receipts.length === 0) {
-    throw new Error("Audit bundle requires at least one signed receipt");
-  }
-  const keyMap = /* @__PURE__ */ new Map();
-  for (const key of opts.signingKeys) {
-    if (!keyMap.has(key.kid)) {
-      keyMap.set(key.kid, key);
-    }
-  }
-  let timeRange = opts.timeRange || null;
-  if (!timeRange) {
-    const timestamps = receipts.map((r) => r.issued_at || r.timestamp).filter(Boolean).sort();
-    if (timestamps.length > 0) {
-      timeRange = {
-        from: timestamps[0],
-        to: timestamps[timestamps.length - 1]
-      };
-    }
-  }
-  return {
-    format: "scopeblind:audit-bundle",
-    version: 1,
-    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
-    tenant: opts.tenant,
-    time_range: timeRange,
-    receipts,
-    anchors: opts.anchors || [],
-    verification: {
-      algorithm: "ed25519",
-      signing_keys: Array.from(keyMap.values()),
-      instructions: `Verify each receipt by: (1) remove the "signature" field, (2) canonicalize the remaining object with JCS (sorted keys at every level), (3) encode as UTF-8 bytes, (4) verify the Ed25519 signature using the signing key matching the receipt's "kid" field. CLI: npx @veritasacta/verify bundle.json --bundle`
-    }
-  };
-}
-function collectSignedReceipts(logs) {
-  return logs.filter((log) => log.v === 2).map((log) => {
-    const logRecord = log;
-    if (logRecord.receipt) {
-      return logRecord.receipt;
-    }
-    return logRecord;
-  }).filter((r) => typeof r.signature === "string");
-}
+} from "./chunk-U7TMVD3E.mjs";
+import {
+  collectSignedReceipts,
+  createAuditBundle
+} from "./chunk-5JXFV37Y.mjs";
 // src/manifest.ts
 function isAgentId(s) {

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.2.2",
-  "description": "Security gateway for MCP servers. Shadow-mode logs by default, per-tool policies, optional local signing, and offline-verifiable receipts.",
+  "version": "0.3.1",
+  "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "dist/index.mjs",
@@ -16,7 +16,7 @@
     }
   },
   "scripts": {
-    "build": "tsup src/index.ts src/cli.ts --format cjs,esm --dts --clean",
+    "build": "tsup src/index.ts src/cli.ts src/demo-server.ts --format cjs,esm --dts --clean",
     "test": "vitest run",
     "prepublishOnly": "npm run build"
   },