protect-mcp 0.3.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/LICENSE +21 -68
  2. package/README.md +1 -1
  3. package/dist/chunk-UW2SGWCJ.mjs +143 -0
  4. package/dist/{chunk-WDCPUM2O.mjs → chunk-XMZWJOC3.mjs} +1 -135
  5. package/dist/cli.js +3891 -3686
  6. package/dist/cli.mjs +16 -4
  7. package/dist/http-transport-S7YXXMD3.mjs +131 -0
  8. package/dist/index.mjs +10 -8
  9. package/package.json +2 -2
package/dist/cli.mjs CHANGED
@@ -1,13 +1,15 @@
1
1
  #!/usr/bin/env node
2
2
  import {
3
- ProtectGateway,
4
3
  formatSimulation,
4
+ parseLogFile,
5
+ simulate
6
+ } from "./chunk-UW2SGWCJ.mjs";
7
+ import {
8
+ ProtectGateway,
5
9
  initSigning,
6
10
  loadPolicy,
7
- parseLogFile,
8
- simulate,
9
11
  validateCredentials
10
- } from "./chunk-WDCPUM2O.mjs";
12
+ } from "./chunk-XMZWJOC3.mjs";
11
13
 
12
14
  // src/cli.ts
13
15
  function printHelp() {
@@ -31,6 +33,8 @@ Options:
31
33
  --policy <path> Policy/config JSON file (default: allow-all)
32
34
  --slug <slug> ScopeBlind tenant slug (optional)
33
35
  --enforce Enable enforcement mode (default: shadow mode)
36
+ --http Start HTTP/SSE server instead of stdio proxy
37
+ --port <port> HTTP server port (default: 3000, requires --http)
34
38
  --verbose Enable debug logging to stderr
35
39
  --help Show this help
36
40
 
@@ -1020,6 +1024,14 @@ async function main() {
1020
1024
  signing,
1021
1025
  credentials
1022
1026
  };
1027
+ const useHttp = args.includes("--http");
1028
+ if (useHttp) {
1029
+ const portIdx = args.indexOf("--port");
1030
+ const httpPort = portIdx >= 0 && args[portIdx + 1] ? parseInt(args[portIdx + 1]) : 3e3;
1031
+ const { startHttpTransport } = await import("./http-transport-S7YXXMD3.mjs");
1032
+ startHttpTransport({ port: httpPort, config, serverCommand: childCommand });
1033
+ return;
1034
+ }
1023
1035
  const gateway = new ProtectGateway(config);
1024
1036
  await gateway.start();
1025
1037
  }
package/dist/http-transport-S7YXXMD3.mjs ADDED
@@ -0,0 +1,131 @@
1
+ import {
2
+ ProtectGateway
3
+ } from "./chunk-XMZWJOC3.mjs";
4
+
5
+ // src/http-transport.ts
6
+ import { createServer } from "http";
7
+ function startHttpTransport(options) {
8
+ const { port, config, serverCommand } = options;
9
+ const sseClients = /* @__PURE__ */ new Set();
10
+ const gateway = new ProtectGateway(config);
11
+ const server = createServer(async (req, res) => {
12
+ const origin = req.headers.origin || "*";
13
+ res.setHeader("Access-Control-Allow-Origin", origin);
14
+ res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
15
+ res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
16
+ res.setHeader("Access-Control-Allow-Credentials", "true");
17
+ if (req.method === "OPTIONS") {
18
+ res.writeHead(204);
19
+ res.end();
20
+ return;
21
+ }
22
+ const url = new URL(req.url || "/", `http://localhost:${port}`);
23
+ if (url.pathname === "/health" && req.method === "GET") {
24
+ res.writeHead(200, { "Content-Type": "application/json" });
25
+ res.end(JSON.stringify({
26
+ status: "ok",
27
+ server: "protect-mcp",
28
+ version: "0.3.3",
29
+ transport: "http",
30
+ mode: config.policy ? config.enforce ? "enforce" : "shadow" : "shadow"
31
+ }));
32
+ return;
33
+ }
34
+ if (url.pathname === "/mcp/sse" && req.method === "GET") {
35
+ res.writeHead(200, {
36
+ "Content-Type": "text/event-stream",
37
+ "Cache-Control": "no-cache",
38
+ "Connection": "keep-alive"
39
+ });
40
+ res.write(`data: ${JSON.stringify({ type: "connected", server: "protect-mcp" })}
41
+
42
+ `);
43
+ sseClients.add(res);
44
+ req.on("close", () => sseClients.delete(res));
45
+ return;
46
+ }
47
+ if (url.pathname === "/mcp" && req.method === "POST") {
48
+ let body = "";
49
+ req.on("data", (chunk) => {
50
+ body += chunk;
51
+ });
52
+ req.on("end", async () => {
53
+ try {
54
+ const jsonRpc = JSON.parse(body);
55
+ const acceptSSE = (req.headers.accept || "").includes("text/event-stream");
56
+ if (acceptSSE) {
57
+ res.writeHead(200, {
58
+ "Content-Type": "text/event-stream",
59
+ "Cache-Control": "no-cache"
60
+ });
61
+ const response = await processJsonRpc(gateway, jsonRpc, config, serverCommand);
62
+ res.write(`data: ${JSON.stringify(response)}
63
+
64
+ `);
65
+ res.end();
66
+ } else {
67
+ const response = await processJsonRpc(gateway, jsonRpc, config, serverCommand);
68
+ res.writeHead(200, { "Content-Type": "application/json" });
69
+ res.end(JSON.stringify(response));
70
+ }
71
+ for (const client of sseClients) {
72
+ try {
73
+ client.write(`data: ${JSON.stringify({ type: "decision", request: jsonRpc, timestamp: (/* @__PURE__ */ new Date()).toISOString() })}
74
+
75
+ `);
76
+ } catch {
77
+ sseClients.delete(client);
78
+ }
79
+ }
80
+ } catch (err) {
81
+ res.writeHead(400, { "Content-Type": "application/json" });
82
+ res.end(JSON.stringify({
83
+ jsonrpc: "2.0",
84
+ error: { code: -32700, message: "Parse error" },
85
+ id: null
86
+ }));
87
+ }
88
+ });
89
+ return;
90
+ }
91
+ res.writeHead(404, { "Content-Type": "application/json" });
92
+ res.end(JSON.stringify({ error: "not_found", endpoints: ["/mcp", "/mcp/sse", "/health"] }));
93
+ });
94
+ server.listen(port, () => {
95
+ process.stderr.write(`
96
+ protect-mcp HTTP server listening on port ${port}
97
+ `);
98
+ process.stderr.write(` POST /mcp \u2014 JSON-RPC endpoint (Streamable HTTP)
99
+ `);
100
+ process.stderr.write(` GET /mcp/sse \u2014 Server-Sent Events stream
101
+ `);
102
+ process.stderr.write(` GET /health \u2014 Health check
103
+
104
+ `);
105
+ });
106
+ gateway.start(serverCommand[0], serverCommand.slice(1));
107
+ process.on("SIGINT", () => {
108
+ process.stderr.write("\nShutting down HTTP transport...\n");
109
+ for (const client of sseClients) {
110
+ try {
111
+ client.end();
112
+ } catch {
113
+ }
114
+ }
115
+ server.close();
116
+ process.exit(0);
117
+ });
118
+ }
119
+ async function processJsonRpc(gateway, request, config, serverCommand) {
120
+ return {
121
+ jsonrpc: "2.0",
122
+ result: {
123
+ message: "Request processed by protect-mcp HTTP transport",
124
+ mode: config.enforce ? "enforce" : "shadow"
125
+ },
126
+ id: request.id || null
127
+ };
128
+ }
129
+ export {
130
+ startHttpTransport
131
+ };
package/dist/index.mjs CHANGED
@@ -1,9 +1,17 @@
1
+ import {
2
+ formatSimulation,
3
+ parseLogFile,
4
+ simulate
5
+ } from "./chunk-UW2SGWCJ.mjs";
6
+ import {
7
+ collectSignedReceipts,
8
+ createAuditBundle
9
+ } from "./chunk-5JXFV37Y.mjs";
1
10
  import {
2
11
  ProtectGateway,
3
12
  buildDecisionContext,
4
13
  checkRateLimit,
5
14
  evaluateTier,
6
- formatSimulation,
7
15
  getSignerInfo,
8
16
  getToolPolicy,
9
17
  initSigning,
@@ -11,18 +19,12 @@ import {
11
19
  listCredentialLabels,
12
20
  loadPolicy,
13
21
  meetsMinTier,
14
- parseLogFile,
15
22
  parseRateLimit,
16
23
  queryExternalPDP,
17
24
  resolveCredential,
18
25
  signDecision,
19
- simulate,
20
26
  validateCredentials
21
- } from "./chunk-WDCPUM2O.mjs";
22
- import {
23
- collectSignedReceipts,
24
- createAuditBundle
25
- } from "./chunk-5JXFV37Y.mjs";
27
+ } from "./chunk-XMZWJOC3.mjs";
26
28
  import {
27
29
  formatReportMarkdown,
28
30
  generateReport
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "protect-mcp",
3
- "version": "0.3.3",
3
+ "version": "0.4.0",
4
4
  "mcpName": "io.github.tomjwxf/protect-mcp",
5
5
  "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
6
6
  "main": "dist/index.js",
@@ -49,7 +49,7 @@
49
49
  "claude-code"
50
50
  ],
51
51
  "author": "Tom Farley <tommy@scopeblind.com>",
52
- "license": "FSL-1.1-MIT",
52
+ "license": "MIT",
53
53
  "homepage": "https://www.scopeblind.com",
54
54
  "repository": {
55
55
  "type": "git",