protect-mcp 0.3.2 → 0.4.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Tom Farley / ScopeBlind
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -210,8 +210,48 @@ Use `createAuditBundle()` around your own collected signed receipts.
 - **Keep the claims tight.** The default CLI path does not yet do everything the long-term architecture will support.
 - **Layer on top of existing auth.** Don't rip out your stack just to add control and evidence.
 
+## Incident-Anchored Policy Packs
+
+Ship with protect-mcp — each prevents a real attack:
+
+| Policy | Incident | OWASP Categories |
+|--------|----------|-----------------|
+| `clinejection.json` | CVE-2025-6514: MCP OAuth proxy hijack (437K environments) | A01, A03 |
+| `terraform-destroy.json` | Autonomous Terraform agent destroys production | A05, A06 |
+| `github-mcp-hijack.json` | Prompt injection via crafted GitHub issue | A01, A02, A03 |
+| `data-exfiltration.json` | Agent data theft via outbound tool abuse | A02, A04 |
+| `financial-safe.json` | Unauthorized financial transaction | A05, A06 |
+
+```bash
+npx protect-mcp --policy node_modules/protect-mcp/policies/clinejection.json -- node server.js
+```
+
+Full OWASP Agentic Top 10 mapping: [scopeblind.com/docs/owasp](https://scopeblind.com/docs/owasp)
+
+## BYOPE: External Policy Engines
+
+Supports OPA, Cerbos, Cedar (AWS AgentCore), and generic HTTP endpoints:
+
+```json
+{
+  "policy_engine": "hybrid",
+  "external": {
+    "endpoint": "http://localhost:8181/v1/data/mcp/allow",
+    "format": "cedar",
+    "timeout_ms": 200,
+    "fallback": "deny"
+  }
+}
+```
+
+## Standards & IP
+
+- **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-00](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) — Signed Decision Receipts for Machine-to-Machine Access Control
+- **Patent Status**: 4 Australian provisional patents pending (2025-2026) covering decision receipts with configurable disclosure, tool-calling gateway, agent manifests, and portable identity
+- **Verification**: MIT-licensed — `npx @veritasacta/verify --self-test`
+
 ## License
 
-FSL-1.1-MIT — free to use, converts to full MIT after 2 years.
+MIT — free to use, modify, distribute, and build upon without restriction.
 
-[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway)
+[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/chunk-UW2SGWCJ.mjs

@@ -0,0 +1,143 @@
+import {
+  checkRateLimit,
+  getToolPolicy,
+  meetsMinTier,
+  parseRateLimit
+} from "./chunk-XMZWJOC3.mjs";
+
+// src/simulate.ts
+import { readFileSync } from "fs";
+function parseLogFile(path) {
+  const raw = readFileSync(path, "utf-8");
+  const entries = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+    try {
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.tool && parsed.decision) {
+        entries.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function simulate(entries, policy, tier = "unknown") {
+  const rateLimitStore = /* @__PURE__ */ new Map();
+  const toolResults = /* @__PURE__ */ new Map();
+  const totals = {
+    allow: 0,
+    block: 0,
+    rate_limited: 0,
+    require_approval: 0,
+    tier_insufficient: 0
+  };
+  const originalTotals = { allow: 0, deny: 0 };
+  const changes = [];
+  for (const entry of entries) {
+    const toolName = entry.tool;
+    const toolPolicy = getToolPolicy(toolName, policy);
+    if (entry.decision === "allow") {
+      originalTotals.allow++;
+    } else {
+      originalTotals.deny++;
+    }
+    let newDecision;
+    if (toolPolicy.block) {
+      newDecision = "block";
+    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
+      newDecision = "tier_insufficient";
+    } else if (toolPolicy.require_approval) {
+      newDecision = "require_approval";
+    } else if (toolPolicy.rate_limit) {
+      const limit = parseRateLimit(toolPolicy.rate_limit);
+      const result = checkRateLimit(toolName, limit, rateLimitStore);
+      newDecision = result.allowed ? "allow" : "rate_limited";
+    } else {
+      newDecision = "allow";
+    }
+    totals[newDecision]++;
+    if (!toolResults.has(toolName)) {
+      toolResults.set(toolName, {
+        tool: toolName,
+        calls: 0,
+        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
+        original: { allow: 0, deny: 0 }
+      });
+    }
+    const tr = toolResults.get(toolName);
+    tr.calls++;
+    tr.results[newDecision]++;
+    if (entry.decision === "allow") {
+      tr.original.allow++;
+    } else {
+      tr.original.deny++;
+    }
+  }
+  for (const [tool, result] of toolResults) {
+    const wasAllBlocked = result.original.allow === 0;
+    const nowAllBlocked = result.results.allow === 0;
+    const wasAllAllowed = result.original.deny === 0;
+    if (wasAllAllowed && result.results.block > 0) {
+      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.rate_limited > 0) {
+      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.require_approval > 0) {
+      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.tier_insufficient > 0) {
+      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
+    }
+    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
+      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
+    }
+  }
+  return {
+    policy_file: "",
+    log_file: "",
+    total_calls: entries.length,
+    results: totals,
+    original: originalTotals,
+    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
+    changes
+  };
+}
+function formatSimulation(summary) {
+  const lines = [];
+  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
+`);
+  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
+  for (const tr of summary.tool_breakdown) {
+    const parts = [];
+    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
+    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
+    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
+    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
+    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
+    const originalParts = [];
+    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
+    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
+    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
+  }
+  lines.push("");
+  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
+  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
+  if (summary.changes.length > 0) {
+    lines.push("");
+    lines.push("Changes:");
+    for (const change of summary.changes) {
+      lines.push(`  \u2022 ${change}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+export {
+  parseLogFile,
+  simulate,
+  formatSimulation
+};

package/dist/{chunk-GV7N53QE.mjs → chunk-XMZWJOC3.mjs}

@@ -460,6 +460,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -489,6 +511,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {
@@ -1112,137 +1150,6 @@ var ProtectGateway = class {
   }
 };
 
-// src/simulate.ts
-import { readFileSync as readFileSync5 } from "fs";
-function parseLogFile(path) {
-  const raw = readFileSync5(path, "utf-8");
-  const entries = [];
-  for (const line of raw.split("\n")) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
-    try {
-      const parsed = JSON.parse(jsonStr);
-      if (parsed.tool && parsed.decision) {
-        entries.push(parsed);
-      }
-    } catch {
-    }
-  }
-  return entries;
-}
-function simulate(entries, policy, tier = "unknown") {
-  const rateLimitStore = /* @__PURE__ */ new Map();
-  const toolResults = /* @__PURE__ */ new Map();
-  const totals = {
-    allow: 0,
-    block: 0,
-    rate_limited: 0,
-    require_approval: 0,
-    tier_insufficient: 0
-  };
-  const originalTotals = { allow: 0, deny: 0 };
-  const changes = [];
-  for (const entry of entries) {
-    const toolName = entry.tool;
-    const toolPolicy = getToolPolicy(toolName, policy);
-    if (entry.decision === "allow") {
-      originalTotals.allow++;
-    } else {
-      originalTotals.deny++;
-    }
-    let newDecision;
-    if (toolPolicy.block) {
-      newDecision = "block";
-    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
-      newDecision = "tier_insufficient";
-    } else if (toolPolicy.require_approval) {
-      newDecision = "require_approval";
-    } else if (toolPolicy.rate_limit) {
-      const limit = parseRateLimit(toolPolicy.rate_limit);
-      const result = checkRateLimit(toolName, limit, rateLimitStore);
-      newDecision = result.allowed ? "allow" : "rate_limited";
-    } else {
-      newDecision = "allow";
-    }
-    totals[newDecision]++;
-    if (!toolResults.has(toolName)) {
-      toolResults.set(toolName, {
-        tool: toolName,
-        calls: 0,
-        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
-        original: { allow: 0, deny: 0 }
-      });
-    }
-    const tr = toolResults.get(toolName);
-    tr.calls++;
-    tr.results[newDecision]++;
-    if (entry.decision === "allow") {
-      tr.original.allow++;
-    } else {
-      tr.original.deny++;
-    }
-  }
-  for (const [tool, result] of toolResults) {
-    const wasAllBlocked = result.original.allow === 0;
-    const nowAllBlocked = result.results.allow === 0;
-    const wasAllAllowed = result.original.deny === 0;
-    if (wasAllAllowed && result.results.block > 0) {
-      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.rate_limited > 0) {
-      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.require_approval > 0) {
-      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.tier_insufficient > 0) {
-      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
-    }
-    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
-      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
-    }
-  }
-  return {
-    policy_file: "",
-    log_file: "",
-    total_calls: entries.length,
-    results: totals,
-    original: originalTotals,
-    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
-    changes
-  };
-}
-function formatSimulation(summary) {
-  const lines = [];
-  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
-`);
-  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
-  for (const tr of summary.tool_breakdown) {
-    const parts = [];
-    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
-    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
-    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
-    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
-    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
-    const originalParts = [];
-    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
-    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
-    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
-  }
-  lines.push("");
-  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
-  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
-  if (summary.changes.length > 0) {
-    lines.push("");
-    lines.push("Changes:");
-    for (const change of summary.changes) {
-      lines.push(`  \u2022 ${change}`);
-    }
-  }
-  return lines.join("\n");
-}
-
 export {
   loadPolicy,
   getToolPolicy,
@@ -1259,8 +1166,5 @@ export {
   isSigningEnabled,
   queryExternalPDP,
   buildDecisionContext,
-  ProtectGateway,
-  parseLogFile,
-  simulate,
-  formatSimulation
+  ProtectGateway
 };