protect-mcp 0.3.2 → 0.3.3

package/LICENSE

@@ -0,0 +1,68 @@
+SPDX-License-Identifier: LicenseRef-FSL-1.1-MIT
+
+# Functional Source License, Version 1.1, MIT Future License
+
+## Abbreviation
+
+FSL-1.1-MIT
+
+## Notice
+
+Copyright 2026 Tom Farley
+
+## Terms and Conditions
+
+### Licensor ("We")
+
+The party offering the Software under these Terms and Conditions.
+
+### The Software
+
+The "Software" is each version of the software that we make available under these Terms and Conditions, as indicated by our inclusion of these Terms and Conditions with the Software.
+
+### License Grant
+
+Subject to your compliance with this License Grant and the Patents, Redistribution and Trademark clauses below, we hereby grant you the right to use, copy, modify, create derivative works, publicly perform, publicly display and redistribute the Software for any Permitted Purpose identified below.
+
+### Permitted Purpose
+
+A Permitted Purpose is any purpose other than a Competing Use. A Competing Use means making the Software available to others in a commercial product or service that:
+
+1. substitutes for the Software;
+2. substitutes for any other product or service we offer using the Software that exists as of the date we make the Software available; or
+3. offers the same or substantially similar functionality as the Software.
+
+Permitted Purposes specifically include using the Software:
+
+1. for your internal use and access;
+2. for non-commercial education;
+3. for non-commercial research; and
+4. in connection with professional services that you provide to a licensee using the Software in accordance with these Terms and Conditions.
+
+### Patents
+
+To the extent your use for a Permitted Purpose would necessarily infringe our patents, the license grant above includes a license under our patents. If you make a claim against any party that the Software infringes or contributes to the infringement of any patent, then your patent license to the Software ends immediately.
+
+### Redistribution
+
+The Terms and Conditions apply to all copies, modifications and derivatives of the Software. If you redistribute any copies, modifications or derivatives of the Software, you must include a copy of or a link to these Terms and Conditions and not remove any copyright notices provided in or with the Software.
+
+### Disclaimer
+
+THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT. IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
+
+### Trademarks
+
+Except for displaying the License Details and identifying us as the origin of the Software, you have no right under these Terms and Conditions to use our trademarks, trade names, service marks or product names.
+
+## Grant of Future License
+
+We hereby irrevocably grant you an additional license to use the Software under the MIT license that is effective on the second anniversary of the date we make the Software available.
+
+On or after that date, you may use the Software under the MIT license, in which case the following will apply:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -210,8 +210,48 @@ Use `createAuditBundle()` around your own collected signed receipts.
 - **Keep the claims tight.** The default CLI path does not yet do everything the long-term architecture will support.
 - **Layer on top of existing auth.** Don't rip out your stack just to add control and evidence.
 
+## Incident-Anchored Policy Packs
+
+Ship with protect-mcp — each prevents a real attack:
+
+| Policy | Incident | OWASP Categories |
+|--------|----------|-----------------|
+| `clinejection.json` | CVE-2025-6514: MCP OAuth proxy hijack (437K environments) | A01, A03 |
+| `terraform-destroy.json` | Autonomous Terraform agent destroys production | A05, A06 |
+| `github-mcp-hijack.json` | Prompt injection via crafted GitHub issue | A01, A02, A03 |
+| `data-exfiltration.json` | Agent data theft via outbound tool abuse | A02, A04 |
+| `financial-safe.json` | Unauthorized financial transaction | A05, A06 |
+
+```bash
+npx protect-mcp --policy node_modules/protect-mcp/policies/clinejection.json -- node server.js
+```
+
+Full OWASP Agentic Top 10 mapping: [scopeblind.com/docs/owasp](https://scopeblind.com/docs/owasp)
+
+## BYOPE: External Policy Engines
+
+Supports OPA, Cerbos, Cedar (AWS AgentCore), and generic HTTP endpoints:
+
+```json
+{
+  "policy_engine": "hybrid",
+  "external": {
+    "endpoint": "http://localhost:8181/v1/data/mcp/allow",
+    "format": "cedar",
+    "timeout_ms": 200,
+    "fallback": "deny"
+  }
+}
+```
+
+## Standards & IP
+
+- **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-00](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) — Signed Decision Receipts for Machine-to-Machine Access Control
+- **Patent Status**: 4 Australian provisional patents pending (2025-2026) covering decision receipts with configurable disclosure, tool-calling gateway, agent manifests, and portable identity
+- **Verification**: MIT-licensed — `npx @veritasacta/verify --self-test`
+
 ## License
 
-FSL-1.1-MIT — free to use, converts to full MIT after 2 years.
+FSL-1.1-MIT — free to use, modify, and self-host. Cannot be offered as a competing hosted service. Converts to full MIT after 2 years per version.
 
-[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway)
+[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/{chunk-GV7N53QE.mjs → chunk-WDCPUM2O.mjs}

@@ -460,6 +460,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -489,6 +511,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {

package/dist/cli.js

@@ -3326,6 +3326,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -3355,6 +3377,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {

package/dist/cli.mjs

@@ -7,7 +7,7 @@ import {
   parseLogFile,
   simulate,
   validateCredentials
-} from "./chunk-GV7N53QE.mjs";
+} from "./chunk-WDCPUM2O.mjs";
 
 // src/cli.ts
 function printHelp() {

package/dist/index.d.mts

@@ -36,8 +36,8 @@ type PolicyEngineMode = 'built-in' | 'external' | 'hybrid';
 interface ExternalPDPConfig {
     /** HTTP endpoint for the external policy decision point */
     endpoint: string;
-    /** Response format: 'opa' | 'cerbos' | 'generic' */
-    format?: 'opa' | 'cerbos' | 'generic';
+    /** Response format: 'opa' | 'cerbos' | 'cedar' | 'generic' */
+    format?: 'opa' | 'cerbos' | 'cedar' | 'generic';
     /** Timeout in milliseconds (default: 500) */
     timeout_ms?: number;
     /** Fallback decision when external PDP is unreachable */
@@ -480,7 +480,7 @@ declare function isSigningEnabled(): boolean;
  * BYOPE (Bring Your Own Policy Engine) — sends decision context
  * to an external Policy Decision Point via HTTP webhook.
  *
- * Supports OPA, Cerbos, and generic JSON formats.
+ * Supports OPA, Cerbos, Cedar (AWS), and generic JSON formats.
  * ScopeBlind always signs the receipt regardless of who made the decision.
  *
  * Sprint 2: One HTTP webhook adapter. More adapters later.

package/dist/index.d.ts

@@ -36,8 +36,8 @@ type PolicyEngineMode = 'built-in' | 'external' | 'hybrid';
 interface ExternalPDPConfig {
     /** HTTP endpoint for the external policy decision point */
     endpoint: string;
-    /** Response format: 'opa' | 'cerbos' | 'generic' */
-    format?: 'opa' | 'cerbos' | 'generic';
+    /** Response format: 'opa' | 'cerbos' | 'cedar' | 'generic' */
+    format?: 'opa' | 'cerbos' | 'cedar' | 'generic';
     /** Timeout in milliseconds (default: 500) */
     timeout_ms?: number;
     /** Fallback decision when external PDP is unreachable */
@@ -480,7 +480,7 @@ declare function isSigningEnabled(): boolean;
  * BYOPE (Bring Your Own Policy Engine) — sends decision context
  * to an external Policy Decision Point via HTTP webhook.
  *
- * Supports OPA, Cerbos, and generic JSON formats.
+ * Supports OPA, Cerbos, Cedar (AWS), and generic JSON formats.
  * ScopeBlind always signs the receipt regardless of who made the decision.
  *
  * Sprint 2: One HTTP webhook adapter. More adapters later.

package/dist/index.js

@@ -521,6 +521,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -550,6 +572,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {

package/dist/index.mjs

@@ -18,7 +18,7 @@ import {
   signDecision,
   simulate,
   validateCredentials
-} from "./chunk-GV7N53QE.mjs";
+} from "./chunk-WDCPUM2O.mjs";
 import {
   collectSignedReceipts,
   createAuditBundle

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.3.2",
+  "version": "0.3.3",
+  "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -22,6 +23,7 @@
   },
   "files": [
     "dist",
+    "policies",
     "README.md"
   ],
   "keywords": [
@@ -36,7 +38,15 @@
     "decision-log",
     "tool-protection",
     "ai-agent",
-    "llm-gateway"
+    "llm-gateway",
+    "owasp",
+    "cedar",
+    "opa",
+    "ed25519",
+    "receipts",
+    "trust-tiers",
+    "agent-governance",
+    "claude-code"
   ],
   "author": "Tom Farley <tommy@scopeblind.com>",
   "license": "FSL-1.1-MIT",

package/policies/claude-code-hooks.json

@@ -0,0 +1,18 @@
+{
+  "$comment": "Claude Code hooks configuration. Add this to your .claude/settings.json to integrate protect-mcp as a pre-tool-use hook for Claude Code. Every tool call will be evaluated against your protect-mcp policy and produce a signed receipt.",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": ".*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "npx protect-mcp hook-eval --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\"",
+            "timeout": 5000,
+            "on_failure": "allow"
+          }
+        ]
+      }
+    ]
+  }
+}

package/policies/clinejection.json

@@ -0,0 +1,45 @@
+{
+  "$comment": "CVE-2025-6514: Clinejection — Malicious MCP OAuth proxy hijacked 437,000+ developer environments. Blocks shell execution, restricts file access to non-sensitive paths, requires approval for any write operation.",
+  "incident": "CVE-2025-6514",
+  "incident_name": "Clinejection MCP OAuth Proxy Hijack",
+  "incident_date": "2025-07-15",
+  "owasp_categories": ["A01-Prompt-Injection", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "execute_command": {
+      "block": true
+    },
+    "run_command": {
+      "block": true
+    },
+    "shell": {
+      "block": true
+    },
+    "bash": {
+      "block": true
+    },
+    "terminal": {
+      "block": true
+    },
+    "write_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "edit_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "read_file": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "list_files": {
+      "rate_limit": "60/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/data-exfiltration.json

@@ -0,0 +1,52 @@
+{
+  "$comment": "Prevents data exfiltration via AI agents. Blocks all outbound data channels (email, webhooks, uploads, HTTP). Restricts file reads. Requires approval for any external communication.",
+  "incident": "agent-data-exfiltration-pattern",
+  "incident_name": "AI Agent Data Exfiltration via Tool Abuse",
+  "owasp_categories": ["A02-Sensitive-Data-Exposure", "A04-Tool-Call-Injection"],
+  "tools": {
+    "*": {
+      "rate_limit": "60/minute"
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "block": true
+    },
+    "http_request": {
+      "block": true
+    },
+    "http_post": {
+      "block": true
+    },
+    "webhook": {
+      "block": true
+    },
+    "publish": {
+      "block": true
+    },
+    "post_to_api": {
+      "block": true
+    },
+    "execute_command": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "20/minute",
+      "min_tier": "signed-known"
+    },
+    "search": {
+      "rate_limit": "30/minute"
+    },
+    "database_query": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/financial-safe.json

@@ -0,0 +1,49 @@
+{
+  "$comment": "Financial services safety policy. Every financial action requires human approval with evidenced trust tier. All reads are rate-limited. Destructive operations blocked entirely.",
+  "incident": "agent-unauthorized-transaction-pattern",
+  "incident_name": "Unauthorized Financial Transaction via AI Agent",
+  "owasp_categories": ["A05-Insufficient-Access-Control", "A06-Excessive-Autonomy"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "transfer_funds": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "create_payment": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "approve_transaction": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "modify_account": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "delete_account": {
+      "block": true
+    },
+    "close_account": {
+      "block": true
+    },
+    "read_balance": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "read_transactions": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "generate_report": {
+      "rate_limit": "5/hour",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/github-mcp-hijack.json

@@ -0,0 +1,54 @@
+{
+  "$comment": "GitHub MCP server hijacked via crafted issue containing prompt injection (2025). Agent exfiltrated private repo data. Blocks outbound data tools, restricts git operations, requires approval for any push/publish.",
+  "incident": "github-mcp-issue-hijack-2025",
+  "incident_name": "GitHub MCP Server Prompt Injection via Crafted Issue",
+  "incident_date": "2025-08-20",
+  "owasp_categories": ["A01-Prompt-Injection", "A02-Sensitive-Data-Exposure", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "git_push": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "git_commit": {
+      "rate_limit": "10/minute"
+    },
+    "create_pull_request": {
+      "require_approval": true
+    },
+    "publish": {
+      "block": true
+    },
+    "npm_publish": {
+      "block": true
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "require_approval": true,
+      "min_tier": "signed-known"
+    },
+    "http_request": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "webhook": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "30/minute"
+    },
+    "search_code": {
+      "rate_limit": "20/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/terraform-destroy.json

@@ -0,0 +1,50 @@
+{
+  "$comment": "Terraform agent destroyed production infrastructure (2025). Blocks all destructive infrastructure operations, requires human approval for any apply/deploy, rate-limits plan operations.",
+  "incident": "terraform-prod-destroy-2025",
+  "incident_name": "Autonomous Terraform Agent Destroys Production",
+  "incident_date": "2025-09-01",
+  "owasp_categories": ["A06-Excessive-Autonomy", "A05-Insufficient-Access-Control"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "terraform_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "terraform_destroy": {
+      "block": true
+    },
+    "terraform_plan": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    },
+    "deploy": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_delete": {
+      "block": true
+    },
+    "aws_cli": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "delete_resource": {
+      "block": true
+    },
+    "drop_database": {
+      "block": true
+    },
+    "truncate_table": {
+      "block": true
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}