protect-mcp 0.3.1 → 0.3.3

package/LICENSE

@@ -0,0 +1,68 @@
+SPDX-License-Identifier: LicenseRef-FSL-1.1-MIT
+
+# Functional Source License, Version 1.1, MIT Future License
+
+## Abbreviation
+
+FSL-1.1-MIT
+
+## Notice
+
+Copyright 2026 Tom Farley
+
+## Terms and Conditions
+
+### Licensor ("We")
+
+The party offering the Software under these Terms and Conditions.
+
+### The Software
+
+The "Software" is each version of the software that we make available under these Terms and Conditions, as indicated by our inclusion of these Terms and Conditions with the Software.
+
+### License Grant
+
+Subject to your compliance with this License Grant and the Patents, Redistribution and Trademark clauses below, we hereby grant you the right to use, copy, modify, create derivative works, publicly perform, publicly display and redistribute the Software for any Permitted Purpose identified below.
+
+### Permitted Purpose
+
+A Permitted Purpose is any purpose other than a Competing Use. A Competing Use means making the Software available to others in a commercial product or service that:
+
+1. substitutes for the Software;
+2. substitutes for any other product or service we offer using the Software that exists as of the date we make the Software available; or
+3. offers the same or substantially similar functionality as the Software.
+
+Permitted Purposes specifically include using the Software:
+
+1. for your internal use and access;
+2. for non-commercial education;
+3. for non-commercial research; and
+4. in connection with professional services that you provide to a licensee using the Software in accordance with these Terms and Conditions.
+
+### Patents
+
+To the extent your use for a Permitted Purpose would necessarily infringe our patents, the license grant above includes a license under our patents. If you make a claim against any party that the Software infringes or contributes to the infringement of any patent, then your patent license to the Software ends immediately.
+
+### Redistribution
+
+The Terms and Conditions apply to all copies, modifications and derivatives of the Software. If you redistribute any copies, modifications or derivatives of the Software, you must include a copy of or a link to these Terms and Conditions and not remove any copyright notices provided in or with the Software.
+
+### Disclaimer
+
+THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT. IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
+
+### Trademarks
+
+Except for displaying the License Details and identifying us as the origin of the Software, you have no right under these Terms and Conditions to use our trademarks, trade names, service marks or product names.
+
+## Grant of Future License
+
+We hereby irrevocably grant you an additional license to use the Software under the MIT license that is effective on the second anniversary of the date we make the Software available.
+
+On or after that date, you may use the Software under the MIT license, in which case the following will apply:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -210,8 +210,48 @@ Use `createAuditBundle()` around your own collected signed receipts.
 - **Keep the claims tight.** The default CLI path does not yet do everything the long-term architecture will support.
 - **Layer on top of existing auth.** Don't rip out your stack just to add control and evidence.
 
+## Incident-Anchored Policy Packs
+
+Ship with protect-mcp — each prevents a real attack:
+
+| Policy | Incident | OWASP Categories |
+|--------|----------|-----------------|
+| `clinejection.json` | CVE-2025-6514: MCP OAuth proxy hijack (437K environments) | A01, A03 |
+| `terraform-destroy.json` | Autonomous Terraform agent destroys production | A05, A06 |
+| `github-mcp-hijack.json` | Prompt injection via crafted GitHub issue | A01, A02, A03 |
+| `data-exfiltration.json` | Agent data theft via outbound tool abuse | A02, A04 |
+| `financial-safe.json` | Unauthorized financial transaction | A05, A06 |
+
+```bash
+npx protect-mcp --policy node_modules/protect-mcp/policies/clinejection.json -- node server.js
+```
+
+Full OWASP Agentic Top 10 mapping: [scopeblind.com/docs/owasp](https://scopeblind.com/docs/owasp)
+
+## BYOPE: External Policy Engines
+
+Supports OPA, Cerbos, Cedar (AWS AgentCore), and generic HTTP endpoints:
+
+```json
+{
+  "policy_engine": "hybrid",
+  "external": {
+    "endpoint": "http://localhost:8181/v1/data/mcp/allow",
+    "format": "cedar",
+    "timeout_ms": 200,
+    "fallback": "deny"
+  }
+}
+```
+
+## Standards & IP
+
+- **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-00](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) — Signed Decision Receipts for Machine-to-Machine Access Control
+- **Patent Status**: 4 Australian provisional patents pending (2025-2026) covering decision receipts with configurable disclosure, tool-calling gateway, agent manifests, and portable identity
+- **Verification**: MIT-licensed — `npx @veritasacta/verify --self-test`
+
 ## License
 
-FSL-1.1-MIT — free to use, converts to full MIT after 2 years.
+FSL-1.1-MIT — free to use, modify, and self-host. Cannot be offered as a competing hosted service. Converts to full MIT after 2 years per version.
 
-[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway)
+[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/chunk-JQDVKZBN.mjs

@@ -0,0 +1,165 @@
+// src/report.ts
+import { readFileSync, existsSync } from "fs";
+function generateReport(logPath, receiptPath, periodDays) {
+  const now = /* @__PURE__ */ new Date();
+  const from = new Date(now.getTime() - periodDays * 864e5);
+  const entries = [];
+  if (existsSync(logPath)) {
+    const raw = readFileSync(logPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.tool && parsed.decision && parsed.timestamp) {
+          const entryTime = typeof parsed.timestamp === "number" && parsed.timestamp > 1e12 ? parsed.timestamp : parsed.timestamp * 1e3;
+          if (entryTime >= from.getTime()) {
+            entries.push(parsed);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  let receiptsSigned = 0;
+  let signerKid = "";
+  let signerIssuer = "";
+  if (existsSync(receiptPath)) {
+    const raw = readFileSync(receiptPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed.signature) {
+          receiptsSigned++;
+          if (parsed.kid && !signerKid) signerKid = parsed.kid;
+          if (parsed.issuer && !signerIssuer) signerIssuer = parsed.issuer;
+        }
+      } catch {
+      }
+    }
+  }
+  const toolMap = /* @__PURE__ */ new Map();
+  const tiers = /* @__PURE__ */ new Set();
+  const policyDigests = /* @__PURE__ */ new Map();
+  let allowed = 0;
+  let blocked = 0;
+  let rateLimited = 0;
+  let approvalRequired = 0;
+  for (const entry of entries) {
+    const tool = entry.tool;
+    if (!toolMap.has(tool)) {
+      toolMap.set(tool, { total: 0, allowed: 0, blocked: 0, rate_limited: 0, approval_required: 0 });
+    }
+    const tm = toolMap.get(tool);
+    tm.total++;
+    if (entry.decision === "allow") {
+      allowed++;
+      tm.allowed++;
+    } else if (entry.decision === "deny" && entry.reason_code === "rate_limit_exceeded") {
+      rateLimited++;
+      tm.rate_limited++;
+    } else if (entry.decision === "deny" && entry.reason_code === "require_approval") {
+      approvalRequired++;
+      tm.approval_required++;
+    } else {
+      blocked++;
+      tm.blocked++;
+    }
+    if (entry.tier) tiers.add(entry.tier);
+    if (entry.policy_digest && !policyDigests.has(entry.policy_digest)) {
+      policyDigests.set(entry.policy_digest, new Date(entry.timestamp).toISOString());
+    }
+  }
+  const policyChanges = Array.from(policyDigests.entries()).map(([digest, at]) => ({
+    at,
+    policy_digest: digest
+  })).sort((a, b) => a.at.localeCompare(b.at));
+  return {
+    generated_at: now.toISOString(),
+    period: { from: from.toISOString(), to: now.toISOString() },
+    signing_identity: signerKid ? { kid: signerKid, issuer: signerIssuer } : null,
+    summary: {
+      total_decisions: entries.length,
+      allowed,
+      blocked,
+      rate_limited: rateLimited,
+      approval_required: approvalRequired,
+      unique_tools: toolMap.size,
+      unique_tiers: tiers.size
+    },
+    tool_breakdown: Array.from(toolMap.entries()).map(([tool, stats]) => ({ tool, ...stats })).sort((a, b) => b.total - a.total),
+    policy_changes: policyChanges,
+    verification: {
+      receipts_signed: receiptsSigned,
+      receipts_unsigned: entries.length - receiptsSigned,
+      verify_command: "npx @veritasacta/verify audit-bundle.json --bundle"
+    }
+  };
+}
+function formatReportMarkdown(report) {
+  const lines = [];
+  lines.push("# ScopeBlind Compliance Report");
+  lines.push("");
+  lines.push(`**Generated:** ${report.generated_at}`);
+  lines.push(`**Period:** ${report.period.from.split("T")[0]} to ${report.period.to.split("T")[0]}`);
+  if (report.signing_identity) {
+    lines.push(`**Signing identity:** kid \`${report.signing_identity.kid}\`, issuer \`${report.signing_identity.issuer}\``);
+  }
+  lines.push("");
+  lines.push("## Summary");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Total decisions | ${report.summary.total_decisions} |`);
+  lines.push(`| Allowed | ${report.summary.allowed} |`);
+  lines.push(`| Blocked | ${report.summary.blocked} |`);
+  lines.push(`| Rate-limited | ${report.summary.rate_limited} |`);
+  lines.push(`| Approval required | ${report.summary.approval_required} |`);
+  lines.push(`| Unique tools | ${report.summary.unique_tools} |`);
+  lines.push(`| Unique tiers | ${report.summary.unique_tiers} |`);
+  lines.push("");
+  if (report.tool_breakdown.length > 0) {
+    lines.push("## Tool Breakdown");
+    lines.push("");
+    lines.push("| Tool | Total | Allowed | Blocked | Rate-limited | Approval |");
+    lines.push("|------|-------|---------|---------|--------------|----------|");
+    for (const t of report.tool_breakdown) {
+      lines.push(`| \`${t.tool}\` | ${t.total} | ${t.allowed} | ${t.blocked} | ${t.rate_limited} | ${t.approval_required} |`);
+    }
+    lines.push("");
+  }
+  if (report.policy_changes.length > 0) {
+    lines.push("## Policy History");
+    lines.push("");
+    lines.push("| Timestamp | Policy Digest |");
+    lines.push("|-----------|--------------|");
+    for (const pc of report.policy_changes) {
+      lines.push(`| ${pc.at} | \`${pc.policy_digest}\` |`);
+    }
+    lines.push("");
+  }
+  lines.push("## Verification");
+  lines.push("");
+  lines.push(`- Receipts signed: **${report.verification.receipts_signed}**`);
+  lines.push(`- Receipts unsigned: **${report.verification.receipts_unsigned}**`);
+  lines.push("");
+  lines.push("Verify the audit bundle:");
+  lines.push("");
+  lines.push("```bash");
+  lines.push(report.verification.verify_command);
+  lines.push("```");
+  lines.push("");
+  lines.push("The verifier is MIT-licensed and works offline. No ScopeBlind account required.");
+  lines.push("");
+  lines.push("---");
+  lines.push("*Generated by protect-mcp \xB7 scopeblind.com*");
+  return lines.join("\n");
+}
+
+export {
+  generateReport,
+  formatReportMarkdown
+};

package/dist/{chunk-U7TMVD3E.mjs → chunk-WDCPUM2O.mjs}

@@ -317,7 +317,11 @@ async function initSigning(config) {
     return warnings;
   }
   try {
-    artifactsModule = await import("@veritasacta/artifacts");
+    const moduleName = "@veritasacta/artifacts";
+    artifactsModule = await import(
+      /* @vite-ignore */
+      moduleName
+    );
   } catch {
     warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
     return warnings;
@@ -456,6 +460,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -485,6 +511,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {
@@ -909,8 +951,31 @@ var ProtectGateway = class {
   async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = randomUUID().slice(0, 12);
-    const toolPolicy = getToolPolicy(toolName, this.config.policy);
     const mode = this.config.enforce ? "enforce" : "shadow";
+    let resolvedAgentKid = this.admissionResult?.agent_id;
+    let effectiveToolPolicy;
+    if (this.config.multiAgent?.enabled) {
+      const paramKid = request.params?._passport_kid;
+      if (paramKid) resolvedAgentKid = paramKid;
+      const agentOverrides = resolvedAgentKid ? this.config.multiAgent.agentPolicies?.[resolvedAgentKid] : void 0;
+      if (agentOverrides && agentOverrides[toolName]) {
+        effectiveToolPolicy = { ...getToolPolicy(toolName, this.config.policy), ...agentOverrides[toolName] };
+      } else if (!resolvedAgentKid && this.config.multiAgent.unknownAgentPolicy === "deny") {
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "unknown_agent_denied", request_id: requestId, tier: this.currentTier });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied: unidentified agent`);
+        }
+        return null;
+      } else {
+        effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+      }
+      if (this.config.verbose && resolvedAgentKid) {
+        this.log(`Multi-agent: resolved kid=${resolvedAgentKid} for tool=${toolName}`);
+      }
+    } else {
+      effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+    }
+    const toolPolicy = effectiveToolPolicy;
     let credentialRef;
     if (this.config.credentials) {
       const cred = resolveCredential(toolName, this.config.credentials);
@@ -1085,6 +1150,137 @@ var ProtectGateway = class {
   }
 };
 
+// src/simulate.ts
+import { readFileSync as readFileSync5 } from "fs";
+function parseLogFile(path) {
+  const raw = readFileSync5(path, "utf-8");
+  const entries = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+    try {
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.tool && parsed.decision) {
+        entries.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function simulate(entries, policy, tier = "unknown") {
+  const rateLimitStore = /* @__PURE__ */ new Map();
+  const toolResults = /* @__PURE__ */ new Map();
+  const totals = {
+    allow: 0,
+    block: 0,
+    rate_limited: 0,
+    require_approval: 0,
+    tier_insufficient: 0
+  };
+  const originalTotals = { allow: 0, deny: 0 };
+  const changes = [];
+  for (const entry of entries) {
+    const toolName = entry.tool;
+    const toolPolicy = getToolPolicy(toolName, policy);
+    if (entry.decision === "allow") {
+      originalTotals.allow++;
+    } else {
+      originalTotals.deny++;
+    }
+    let newDecision;
+    if (toolPolicy.block) {
+      newDecision = "block";
+    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
+      newDecision = "tier_insufficient";
+    } else if (toolPolicy.require_approval) {
+      newDecision = "require_approval";
+    } else if (toolPolicy.rate_limit) {
+      const limit = parseRateLimit(toolPolicy.rate_limit);
+      const result = checkRateLimit(toolName, limit, rateLimitStore);
+      newDecision = result.allowed ? "allow" : "rate_limited";
+    } else {
+      newDecision = "allow";
+    }
+    totals[newDecision]++;
+    if (!toolResults.has(toolName)) {
+      toolResults.set(toolName, {
+        tool: toolName,
+        calls: 0,
+        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
+        original: { allow: 0, deny: 0 }
+      });
+    }
+    const tr = toolResults.get(toolName);
+    tr.calls++;
+    tr.results[newDecision]++;
+    if (entry.decision === "allow") {
+      tr.original.allow++;
+    } else {
+      tr.original.deny++;
+    }
+  }
+  for (const [tool, result] of toolResults) {
+    const wasAllBlocked = result.original.allow === 0;
+    const nowAllBlocked = result.results.allow === 0;
+    const wasAllAllowed = result.original.deny === 0;
+    if (wasAllAllowed && result.results.block > 0) {
+      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.rate_limited > 0) {
+      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.require_approval > 0) {
+      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.tier_insufficient > 0) {
+      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
+    }
+    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
+      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
+    }
+  }
+  return {
+    policy_file: "",
+    log_file: "",
+    total_calls: entries.length,
+    results: totals,
+    original: originalTotals,
+    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
+    changes
+  };
+}
+function formatSimulation(summary) {
+  const lines = [];
+  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
+`);
+  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
+  for (const tr of summary.tool_breakdown) {
+    const parts = [];
+    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
+    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
+    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
+    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
+    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
+    const originalParts = [];
+    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
+    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
+    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
+  }
+  lines.push("");
+  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
+  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
+  if (summary.changes.length > 0) {
+    lines.push("");
+    lines.push("Changes:");
+    for (const change of summary.changes) {
+      lines.push(`  \u2022 ${change}`);
+    }
+  }
+  return lines.join("\n");
+}
+
 export {
   loadPolicy,
   getToolPolicy,
@@ -1101,5 +1297,8 @@ export {
   isSigningEnabled,
   queryExternalPDP,
   buildDecisionContext,
-  ProtectGateway
+  ProtectGateway,
+  parseLogFile,
+  simulate,
+  formatSimulation
 };