protect-mcp 0.3.0 → 0.3.2

package/dist/index.mjs

@@ -3,6 +3,7 @@ import {
   buildDecisionContext,
   checkRateLimit,
   evaluateTier,
+  formatSimulation,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -10,61 +11,22 @@ import {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials
-} from "./chunk-3WCA7O4D.mjs";
-
-// src/bundle.ts
-function createAuditBundle(opts) {
-  const receipts = opts.receipts.filter(
-    (r) => r && typeof r === "object" && typeof r.signature === "string"
-  );
-  if (receipts.length === 0) {
-    throw new Error("Audit bundle requires at least one signed receipt");
-  }
-  const keyMap = /* @__PURE__ */ new Map();
-  for (const key of opts.signingKeys) {
-    if (!keyMap.has(key.kid)) {
-      keyMap.set(key.kid, key);
-    }
-  }
-  let timeRange = opts.timeRange || null;
-  if (!timeRange) {
-    const timestamps = receipts.map((r) => r.issued_at || r.timestamp).filter(Boolean).sort();
-    if (timestamps.length > 0) {
-      timeRange = {
-        from: timestamps[0],
-        to: timestamps[timestamps.length - 1]
-      };
-    }
-  }
-  return {
-    format: "scopeblind:audit-bundle",
-    version: 1,
-    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
-    tenant: opts.tenant,
-    time_range: timeRange,
-    receipts,
-    anchors: opts.anchors || [],
-    verification: {
-      algorithm: "ed25519",
-      signing_keys: Array.from(keyMap.values()),
-      instructions: `Verify each receipt by: (1) remove the "signature" field, (2) canonicalize the remaining object with JCS (sorted keys at every level), (3) encode as UTF-8 bytes, (4) verify the Ed25519 signature using the signing key matching the receipt's "kid" field. CLI: npx @veritasacta/verify bundle.json --bundle`
-    }
-  };
-}
-function collectSignedReceipts(logs) {
-  return logs.filter((log) => log.v === 2).map((log) => {
-    const logRecord = log;
-    if (logRecord.receipt) {
-      return logRecord.receipt;
-    }
-    return logRecord;
-  }).filter((r) => typeof r.signature === "string");
-}
+} from "./chunk-GV7N53QE.mjs";
+import {
+  collectSignedReceipts,
+  createAuditBundle
+} from "./chunk-5JXFV37Y.mjs";
+import {
+  formatReportMarkdown,
+  generateReport
+} from "./chunk-JQDVKZBN.mjs";
 
 // src/manifest.ts
 function isAgentId(s) {
@@ -227,6 +189,9 @@ export {
   collectSignedReceipts,
   createAuditBundle,
   evaluateTier,
+  formatReportMarkdown,
+  formatSimulation,
+  generateReport,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -238,10 +203,12 @@ export {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials,
   validateEvidenceReceipt,
   validateManifest

package/dist/report-ENQ3KUI2.mjs

@@ -0,0 +1,8 @@
+import {
+  formatReportMarkdown,
+  generateReport
+} from "./chunk-JQDVKZBN.mjs";
+export {
+  formatReportMarkdown,
+  generateReport
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.3.0",
-  "description": "Security gateway for MCP servers. Shadow-mode logs by default, per-tool policies, trust-tier gating, credential isolation, BYOPE (OPA/Cerbos), signed receipts, offline verification.",
+  "version": "0.3.2",
+  "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "dist/index.mjs",
@@ -49,7 +49,7 @@
     "url": "https://github.com/tomjwxf/scopeblind-gateway/issues"
   },
   "dependencies": {
-    "@veritasacta/artifacts": "^0.2.0"
+    "@veritasacta/protocol": "^0.1.0"
   },
   "optionalDependencies": {
     "@noble/curves": "^1.8.0",