protect-mcp 0.3.1 → 0.3.3

package/dist/index.mjs

@@ -3,6 +3,7 @@ import {
   buildDecisionContext,
   checkRateLimit,
   evaluateTier,
+  formatSimulation,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -10,16 +11,22 @@ import {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials
-} from "./chunk-U7TMVD3E.mjs";
+} from "./chunk-WDCPUM2O.mjs";
 import {
   collectSignedReceipts,
   createAuditBundle
 } from "./chunk-5JXFV37Y.mjs";
+import {
+  formatReportMarkdown,
+  generateReport
+} from "./chunk-JQDVKZBN.mjs";
 
 // src/manifest.ts
 function isAgentId(s) {
@@ -182,6 +189,9 @@ export {
   collectSignedReceipts,
   createAuditBundle,
   evaluateTier,
+  formatReportMarkdown,
+  formatSimulation,
+  generateReport,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -193,10 +203,12 @@ export {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials,
   validateEvidenceReceipt,
   validateManifest

package/dist/report-ENQ3KUI2.mjs

@@ -0,0 +1,8 @@
+import {
+  formatReportMarkdown,
+  generateReport
+} from "./chunk-JQDVKZBN.mjs";
+export {
+  formatReportMarkdown,
+  generateReport
+};

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.3.1",
+  "version": "0.3.3",
+  "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -22,6 +23,7 @@
   },
   "files": [
     "dist",
+    "policies",
     "README.md"
   ],
   "keywords": [
@@ -36,7 +38,15 @@
     "decision-log",
     "tool-protection",
     "ai-agent",
-    "llm-gateway"
+    "llm-gateway",
+    "owasp",
+    "cedar",
+    "opa",
+    "ed25519",
+    "receipts",
+    "trust-tiers",
+    "agent-governance",
+    "claude-code"
   ],
   "author": "Tom Farley <tommy@scopeblind.com>",
   "license": "FSL-1.1-MIT",
@@ -49,7 +59,7 @@
     "url": "https://github.com/tomjwxf/scopeblind-gateway/issues"
   },
   "dependencies": {
-    "@veritasacta/artifacts": "^0.2.0"
+    "@veritasacta/protocol": "^0.1.0"
   },
   "optionalDependencies": {
     "@noble/curves": "^1.8.0",

package/policies/claude-code-hooks.json

@@ -0,0 +1,18 @@
+{
+  "$comment": "Claude Code hooks configuration. Add this to your .claude/settings.json to integrate protect-mcp as a pre-tool-use hook for Claude Code. Every tool call will be evaluated against your protect-mcp policy and produce a signed receipt.",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": ".*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "npx protect-mcp hook-eval --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\"",
+            "timeout": 5000,
+            "on_failure": "allow"
+          }
+        ]
+      }
+    ]
+  }
+}

package/policies/clinejection.json

@@ -0,0 +1,45 @@
+{
+  "$comment": "CVE-2025-6514: Clinejection — Malicious MCP OAuth proxy hijacked 437,000+ developer environments. Blocks shell execution, restricts file access to non-sensitive paths, requires approval for any write operation.",
+  "incident": "CVE-2025-6514",
+  "incident_name": "Clinejection MCP OAuth Proxy Hijack",
+  "incident_date": "2025-07-15",
+  "owasp_categories": ["A01-Prompt-Injection", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "execute_command": {
+      "block": true
+    },
+    "run_command": {
+      "block": true
+    },
+    "shell": {
+      "block": true
+    },
+    "bash": {
+      "block": true
+    },
+    "terminal": {
+      "block": true
+    },
+    "write_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "edit_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "read_file": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "list_files": {
+      "rate_limit": "60/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/data-exfiltration.json

@@ -0,0 +1,52 @@
+{
+  "$comment": "Prevents data exfiltration via AI agents. Blocks all outbound data channels (email, webhooks, uploads, HTTP). Restricts file reads. Requires approval for any external communication.",
+  "incident": "agent-data-exfiltration-pattern",
+  "incident_name": "AI Agent Data Exfiltration via Tool Abuse",
+  "owasp_categories": ["A02-Sensitive-Data-Exposure", "A04-Tool-Call-Injection"],
+  "tools": {
+    "*": {
+      "rate_limit": "60/minute"
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "block": true
+    },
+    "http_request": {
+      "block": true
+    },
+    "http_post": {
+      "block": true
+    },
+    "webhook": {
+      "block": true
+    },
+    "publish": {
+      "block": true
+    },
+    "post_to_api": {
+      "block": true
+    },
+    "execute_command": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "20/minute",
+      "min_tier": "signed-known"
+    },
+    "search": {
+      "rate_limit": "30/minute"
+    },
+    "database_query": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/financial-safe.json

@@ -0,0 +1,49 @@
+{
+  "$comment": "Financial services safety policy. Every financial action requires human approval with evidenced trust tier. All reads are rate-limited. Destructive operations blocked entirely.",
+  "incident": "agent-unauthorized-transaction-pattern",
+  "incident_name": "Unauthorized Financial Transaction via AI Agent",
+  "owasp_categories": ["A05-Insufficient-Access-Control", "A06-Excessive-Autonomy"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "transfer_funds": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "create_payment": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "approve_transaction": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "modify_account": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "delete_account": {
+      "block": true
+    },
+    "close_account": {
+      "block": true
+    },
+    "read_balance": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "read_transactions": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "generate_report": {
+      "rate_limit": "5/hour",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/github-mcp-hijack.json

@@ -0,0 +1,54 @@
+{
+  "$comment": "GitHub MCP server hijacked via crafted issue containing prompt injection (2025). Agent exfiltrated private repo data. Blocks outbound data tools, restricts git operations, requires approval for any push/publish.",
+  "incident": "github-mcp-issue-hijack-2025",
+  "incident_name": "GitHub MCP Server Prompt Injection via Crafted Issue",
+  "incident_date": "2025-08-20",
+  "owasp_categories": ["A01-Prompt-Injection", "A02-Sensitive-Data-Exposure", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "git_push": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "git_commit": {
+      "rate_limit": "10/minute"
+    },
+    "create_pull_request": {
+      "require_approval": true
+    },
+    "publish": {
+      "block": true
+    },
+    "npm_publish": {
+      "block": true
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "require_approval": true,
+      "min_tier": "signed-known"
+    },
+    "http_request": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "webhook": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "30/minute"
+    },
+    "search_code": {
+      "rate_limit": "20/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/terraform-destroy.json

@@ -0,0 +1,50 @@
+{
+  "$comment": "Terraform agent destroyed production infrastructure (2025). Blocks all destructive infrastructure operations, requires human approval for any apply/deploy, rate-limits plan operations.",
+  "incident": "terraform-prod-destroy-2025",
+  "incident_name": "Autonomous Terraform Agent Destroys Production",
+  "incident_date": "2025-09-01",
+  "owasp_categories": ["A06-Excessive-Autonomy", "A05-Insufficient-Access-Control"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "terraform_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "terraform_destroy": {
+      "block": true
+    },
+    "terraform_plan": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    },
+    "deploy": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_delete": {
+      "block": true
+    },
+    "aws_cli": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "delete_resource": {
+      "block": true
+    },
+    "drop_database": {
+      "block": true
+    },
+    "truncate_table": {
+      "block": true
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}