protect-mcp 0.3.2 → 0.4.0

package/dist/cli.mjs

@@ -1,13 +1,15 @@
 #!/usr/bin/env node
 import {
-  ProtectGateway,
   formatSimulation,
+  parseLogFile,
+  simulate
+} from "./chunk-UW2SGWCJ.mjs";
+import {
+  ProtectGateway,
   initSigning,
   loadPolicy,
-  parseLogFile,
-  simulate,
   validateCredentials
-} from "./chunk-GV7N53QE.mjs";
+} from "./chunk-XMZWJOC3.mjs";
 
 // src/cli.ts
 function printHelp() {
@@ -31,6 +33,8 @@ Options:
   --policy <path>   Policy/config JSON file (default: allow-all)
   --slug <slug>     ScopeBlind tenant slug (optional)
   --enforce         Enable enforcement mode (default: shadow mode)
+  --http            Start HTTP/SSE server instead of stdio proxy
+  --port <port>     HTTP server port (default: 3000, requires --http)
   --verbose         Enable debug logging to stderr
   --help            Show this help
 
@@ -1020,6 +1024,14 @@ async function main() {
     signing,
     credentials
   };
+  const useHttp = args.includes("--http");
+  if (useHttp) {
+    const portIdx = args.indexOf("--port");
+    const httpPort = portIdx >= 0 && args[portIdx + 1] ? parseInt(args[portIdx + 1]) : 3e3;
+    const { startHttpTransport } = await import("./http-transport-S7YXXMD3.mjs");
+    startHttpTransport({ port: httpPort, config, serverCommand: childCommand });
+    return;
+  }
   const gateway = new ProtectGateway(config);
   await gateway.start();
 }

package/dist/http-transport-S7YXXMD3.mjs

@@ -0,0 +1,131 @@
+import {
+  ProtectGateway
+} from "./chunk-XMZWJOC3.mjs";
+
+// src/http-transport.ts
+import { createServer } from "http";
+function startHttpTransport(options) {
+  const { port, config, serverCommand } = options;
+  const sseClients = /* @__PURE__ */ new Set();
+  const gateway = new ProtectGateway(config);
+  const server = createServer(async (req, res) => {
+    const origin = req.headers.origin || "*";
+    res.setHeader("Access-Control-Allow-Origin", origin);
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    res.setHeader("Access-Control-Allow-Credentials", "true");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    if (url.pathname === "/health" && req.method === "GET") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        status: "ok",
+        server: "protect-mcp",
+        version: "0.3.3",
+        transport: "http",
+        mode: config.policy ? config.enforce ? "enforce" : "shadow" : "shadow"
+      }));
+      return;
+    }
+    if (url.pathname === "/mcp/sse" && req.method === "GET") {
+      res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive"
+      });
+      res.write(`data: ${JSON.stringify({ type: "connected", server: "protect-mcp" })}
+
+`);
+      sseClients.add(res);
+      req.on("close", () => sseClients.delete(res));
+      return;
+    }
+    if (url.pathname === "/mcp" && req.method === "POST") {
+      let body = "";
+      req.on("data", (chunk) => {
+        body += chunk;
+      });
+      req.on("end", async () => {
+        try {
+          const jsonRpc = JSON.parse(body);
+          const acceptSSE = (req.headers.accept || "").includes("text/event-stream");
+          if (acceptSSE) {
+            res.writeHead(200, {
+              "Content-Type": "text/event-stream",
+              "Cache-Control": "no-cache"
+            });
+            const response = await processJsonRpc(gateway, jsonRpc, config, serverCommand);
+            res.write(`data: ${JSON.stringify(response)}
+
+`);
+            res.end();
+          } else {
+            const response = await processJsonRpc(gateway, jsonRpc, config, serverCommand);
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(response));
+          }
+          for (const client of sseClients) {
+            try {
+              client.write(`data: ${JSON.stringify({ type: "decision", request: jsonRpc, timestamp: (/* @__PURE__ */ new Date()).toISOString() })}
+
+`);
+            } catch {
+              sseClients.delete(client);
+            }
+          }
+        } catch (err) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            jsonrpc: "2.0",
+            error: { code: -32700, message: "Parse error" },
+            id: null
+          }));
+        }
+      });
+      return;
+    }
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "not_found", endpoints: ["/mcp", "/mcp/sse", "/health"] }));
+  });
+  server.listen(port, () => {
+    process.stderr.write(`
+protect-mcp HTTP server listening on port ${port}
+`);
+    process.stderr.write(`  POST /mcp          \u2014 JSON-RPC endpoint (Streamable HTTP)
+`);
+    process.stderr.write(`  GET  /mcp/sse      \u2014 Server-Sent Events stream
+`);
+    process.stderr.write(`  GET  /health       \u2014 Health check
+
+`);
+  });
+  gateway.start(serverCommand[0], serverCommand.slice(1));
+  process.on("SIGINT", () => {
+    process.stderr.write("\nShutting down HTTP transport...\n");
+    for (const client of sseClients) {
+      try {
+        client.end();
+      } catch {
+      }
+    }
+    server.close();
+    process.exit(0);
+  });
+}
+async function processJsonRpc(gateway, request, config, serverCommand) {
+  return {
+    jsonrpc: "2.0",
+    result: {
+      message: "Request processed by protect-mcp HTTP transport",
+      mode: config.enforce ? "enforce" : "shadow"
+    },
+    id: request.id || null
+  };
+}
+export {
+  startHttpTransport
+};

package/dist/index.d.mts

@@ -36,8 +36,8 @@ type PolicyEngineMode = 'built-in' | 'external' | 'hybrid';
 interface ExternalPDPConfig {
     /** HTTP endpoint for the external policy decision point */
     endpoint: string;
-    /** Response format: 'opa' | 'cerbos' | 'generic' */
-    format?: 'opa' | 'cerbos' | 'generic';
+    /** Response format: 'opa' | 'cerbos' | 'cedar' | 'generic' */
+    format?: 'opa' | 'cerbos' | 'cedar' | 'generic';
     /** Timeout in milliseconds (default: 500) */
     timeout_ms?: number;
     /** Fallback decision when external PDP is unreachable */
@@ -480,7 +480,7 @@ declare function isSigningEnabled(): boolean;
  * BYOPE (Bring Your Own Policy Engine) — sends decision context
  * to an external Policy Decision Point via HTTP webhook.
  *
- * Supports OPA, Cerbos, and generic JSON formats.
+ * Supports OPA, Cerbos, Cedar (AWS), and generic JSON formats.
  * ScopeBlind always signs the receipt regardless of who made the decision.
  *
  * Sprint 2: One HTTP webhook adapter. More adapters later.

package/dist/index.d.ts

@@ -36,8 +36,8 @@ type PolicyEngineMode = 'built-in' | 'external' | 'hybrid';
 interface ExternalPDPConfig {
     /** HTTP endpoint for the external policy decision point */
     endpoint: string;
-    /** Response format: 'opa' | 'cerbos' | 'generic' */
-    format?: 'opa' | 'cerbos' | 'generic';
+    /** Response format: 'opa' | 'cerbos' | 'cedar' | 'generic' */
+    format?: 'opa' | 'cerbos' | 'cedar' | 'generic';
     /** Timeout in milliseconds (default: 500) */
     timeout_ms?: number;
     /** Fallback decision when external PDP is unreachable */
@@ -480,7 +480,7 @@ declare function isSigningEnabled(): boolean;
  * BYOPE (Bring Your Own Policy Engine) — sends decision context
  * to an external Policy Decision Point via HTTP webhook.
  *
- * Supports OPA, Cerbos, and generic JSON formats.
+ * Supports OPA, Cerbos, Cedar (AWS), and generic JSON formats.
  * ScopeBlind always signs the receipt regardless of who made the decision.
  *
  * Sprint 2: One HTTP webhook adapter. More adapters later.

package/dist/index.js

@@ -521,6 +521,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -550,6 +572,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {

package/dist/index.mjs

@@ -1,9 +1,17 @@
+import {
+  formatSimulation,
+  parseLogFile,
+  simulate
+} from "./chunk-UW2SGWCJ.mjs";
+import {
+  collectSignedReceipts,
+  createAuditBundle
+} from "./chunk-5JXFV37Y.mjs";
 import {
   ProtectGateway,
   buildDecisionContext,
   checkRateLimit,
   evaluateTier,
-  formatSimulation,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -11,18 +19,12 @@ import {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
-  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
-  simulate,
   validateCredentials
-} from "./chunk-GV7N53QE.mjs";
-import {
-  collectSignedReceipts,
-  createAuditBundle
-} from "./chunk-5JXFV37Y.mjs";
+} from "./chunk-XMZWJOC3.mjs";
 import {
   formatReportMarkdown,
   generateReport

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.3.2",
+  "version": "0.4.0",
+  "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -22,6 +23,7 @@
   },
   "files": [
     "dist",
+    "policies",
     "README.md"
   ],
   "keywords": [
@@ -36,10 +38,18 @@
     "decision-log",
     "tool-protection",
     "ai-agent",
-    "llm-gateway"
+    "llm-gateway",
+    "owasp",
+    "cedar",
+    "opa",
+    "ed25519",
+    "receipts",
+    "trust-tiers",
+    "agent-governance",
+    "claude-code"
   ],
   "author": "Tom Farley <tommy@scopeblind.com>",
-  "license": "FSL-1.1-MIT",
+  "license": "MIT",
   "homepage": "https://www.scopeblind.com",
   "repository": {
     "type": "git",

package/policies/claude-code-hooks.json

@@ -0,0 +1,18 @@
+{
+  "$comment": "Claude Code hooks configuration. Add this to your .claude/settings.json to integrate protect-mcp as a pre-tool-use hook for Claude Code. Every tool call will be evaluated against your protect-mcp policy and produce a signed receipt.",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": ".*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "npx protect-mcp hook-eval --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\"",
+            "timeout": 5000,
+            "on_failure": "allow"
+          }
+        ]
+      }
+    ]
+  }
+}

package/policies/clinejection.json

@@ -0,0 +1,45 @@
+{
+  "$comment": "CVE-2025-6514: Clinejection — Malicious MCP OAuth proxy hijacked 437,000+ developer environments. Blocks shell execution, restricts file access to non-sensitive paths, requires approval for any write operation.",
+  "incident": "CVE-2025-6514",
+  "incident_name": "Clinejection MCP OAuth Proxy Hijack",
+  "incident_date": "2025-07-15",
+  "owasp_categories": ["A01-Prompt-Injection", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "execute_command": {
+      "block": true
+    },
+    "run_command": {
+      "block": true
+    },
+    "shell": {
+      "block": true
+    },
+    "bash": {
+      "block": true
+    },
+    "terminal": {
+      "block": true
+    },
+    "write_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "edit_file": {
+      "require_approval": true,
+      "rate_limit": "10/minute"
+    },
+    "read_file": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "list_files": {
+      "rate_limit": "60/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/data-exfiltration.json

@@ -0,0 +1,52 @@
+{
+  "$comment": "Prevents data exfiltration via AI agents. Blocks all outbound data channels (email, webhooks, uploads, HTTP). Restricts file reads. Requires approval for any external communication.",
+  "incident": "agent-data-exfiltration-pattern",
+  "incident_name": "AI Agent Data Exfiltration via Tool Abuse",
+  "owasp_categories": ["A02-Sensitive-Data-Exposure", "A04-Tool-Call-Injection"],
+  "tools": {
+    "*": {
+      "rate_limit": "60/minute"
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "block": true
+    },
+    "http_request": {
+      "block": true
+    },
+    "http_post": {
+      "block": true
+    },
+    "webhook": {
+      "block": true
+    },
+    "publish": {
+      "block": true
+    },
+    "post_to_api": {
+      "block": true
+    },
+    "execute_command": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "20/minute",
+      "min_tier": "signed-known"
+    },
+    "search": {
+      "rate_limit": "30/minute"
+    },
+    "database_query": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/financial-safe.json

@@ -0,0 +1,49 @@
+{
+  "$comment": "Financial services safety policy. Every financial action requires human approval with evidenced trust tier. All reads are rate-limited. Destructive operations blocked entirely.",
+  "incident": "agent-unauthorized-transaction-pattern",
+  "incident_name": "Unauthorized Financial Transaction via AI Agent",
+  "owasp_categories": ["A05-Insufficient-Access-Control", "A06-Excessive-Autonomy"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute",
+      "min_tier": "signed-known"
+    },
+    "transfer_funds": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "create_payment": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "approve_transaction": {
+      "require_approval": true,
+      "min_tier": "privileged"
+    },
+    "modify_account": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "delete_account": {
+      "block": true
+    },
+    "close_account": {
+      "block": true
+    },
+    "read_balance": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "read_transactions": {
+      "rate_limit": "10/minute",
+      "min_tier": "evidenced"
+    },
+    "generate_report": {
+      "rate_limit": "5/hour",
+      "min_tier": "signed-known"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/github-mcp-hijack.json

@@ -0,0 +1,54 @@
+{
+  "$comment": "GitHub MCP server hijacked via crafted issue containing prompt injection (2025). Agent exfiltrated private repo data. Blocks outbound data tools, restricts git operations, requires approval for any push/publish.",
+  "incident": "github-mcp-issue-hijack-2025",
+  "incident_name": "GitHub MCP Server Prompt Injection via Crafted Issue",
+  "incident_date": "2025-08-20",
+  "owasp_categories": ["A01-Prompt-Injection", "A02-Sensitive-Data-Exposure", "A03-Supply-Chain"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "git_push": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "git_commit": {
+      "rate_limit": "10/minute"
+    },
+    "create_pull_request": {
+      "require_approval": true
+    },
+    "publish": {
+      "block": true
+    },
+    "npm_publish": {
+      "block": true
+    },
+    "send_email": {
+      "block": true
+    },
+    "send_message": {
+      "block": true
+    },
+    "upload_file": {
+      "require_approval": true,
+      "min_tier": "signed-known"
+    },
+    "http_request": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "webhook": {
+      "block": true
+    },
+    "read_file": {
+      "rate_limit": "30/minute"
+    },
+    "search_code": {
+      "rate_limit": "20/minute"
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}

package/policies/terraform-destroy.json

@@ -0,0 +1,50 @@
+{
+  "$comment": "Terraform agent destroyed production infrastructure (2025). Blocks all destructive infrastructure operations, requires human approval for any apply/deploy, rate-limits plan operations.",
+  "incident": "terraform-prod-destroy-2025",
+  "incident_name": "Autonomous Terraform Agent Destroys Production",
+  "incident_date": "2025-09-01",
+  "owasp_categories": ["A06-Excessive-Autonomy", "A05-Insufficient-Access-Control"],
+  "tools": {
+    "*": {
+      "rate_limit": "30/minute"
+    },
+    "terraform_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "terraform_destroy": {
+      "block": true
+    },
+    "terraform_plan": {
+      "rate_limit": "10/minute",
+      "min_tier": "signed-known"
+    },
+    "deploy": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_apply": {
+      "require_approval": true,
+      "min_tier": "evidenced"
+    },
+    "kubectl_delete": {
+      "block": true
+    },
+    "aws_cli": {
+      "require_approval": true,
+      "rate_limit": "5/minute"
+    },
+    "delete_resource": {
+      "block": true
+    },
+    "drop_database": {
+      "block": true
+    },
+    "truncate_table": {
+      "block": true
+    }
+  },
+  "signing": {
+    "enabled": true
+  }
+}