protect-mcp 0.3.3 → 0.4.1

package/LICENSE

@@ -1,68 +1,21 @@
-SPDX-License-Identifier: LicenseRef-FSL-1.1-MIT
-
-# Functional Source License, Version 1.1, MIT Future License
-
-## Abbreviation
-
-FSL-1.1-MIT
-
-## Notice
-
-Copyright 2026 Tom Farley
-
-## Terms and Conditions
-
-### Licensor ("We")
-
-The party offering the Software under these Terms and Conditions.
-
-### The Software
-
-The "Software" is each version of the software that we make available under these Terms and Conditions, as indicated by our inclusion of these Terms and Conditions with the Software.
-
-### License Grant
-
-Subject to your compliance with this License Grant and the Patents, Redistribution and Trademark clauses below, we hereby grant you the right to use, copy, modify, create derivative works, publicly perform, publicly display and redistribute the Software for any Permitted Purpose identified below.
-
-### Permitted Purpose
-
-A Permitted Purpose is any purpose other than a Competing Use. A Competing Use means making the Software available to others in a commercial product or service that:
-
-1. substitutes for the Software;
-2. substitutes for any other product or service we offer using the Software that exists as of the date we make the Software available; or
-3. offers the same or substantially similar functionality as the Software.
-
-Permitted Purposes specifically include using the Software:
-
-1. for your internal use and access;
-2. for non-commercial education;
-3. for non-commercial research; and
-4. in connection with professional services that you provide to a licensee using the Software in accordance with these Terms and Conditions.
-
-### Patents
-
-To the extent your use for a Permitted Purpose would necessarily infringe our patents, the license grant above includes a license under our patents. If you make a claim against any party that the Software infringes or contributes to the infringement of any patent, then your patent license to the Software ends immediately.
-
-### Redistribution
-
-The Terms and Conditions apply to all copies, modifications and derivatives of the Software. If you redistribute any copies, modifications or derivatives of the Software, you must include a copy of or a link to these Terms and Conditions and not remove any copyright notices provided in or with the Software.
-
-### Disclaimer
-
-THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT. IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
-
-### Trademarks
-
-Except for displaying the License Details and identifying us as the origin of the Software, you have no right under these Terms and Conditions to use our trademarks, trade names, service marks or product names.
-
-## Grant of Future License
-
-We hereby irrevocably grant you an additional license to use the Software under the MIT license that is effective on the second anniversary of the date we make the Software available.
-
-On or after that date, you may use the Software under the MIT license, in which case the following will apply:
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+MIT License
+
+Copyright (c) 2026 Tom Farley / ScopeBlind
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -252,6 +252,6 @@ Supports OPA, Cerbos, Cedar (AWS AgentCore), and generic HTTP endpoints:
 
 ## License
 
-FSL-1.1-MIT — free to use, modify, and self-host. Cannot be offered as a competing hosted service. Converts to full MIT after 2 years per version.
+MIT — free to use, modify, distribute, and build upon without restriction.
 
 [scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/{chunk-WDCPUM2O.mjs → chunk-7HBHIKLN.mjs}

@@ -814,6 +814,9 @@ var ProtectGateway = class {
   approvalNonce = randomBytes(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
+  /** HTTP transport mode: pending response resolvers keyed by JSON-RPC id */
+  pendingResponses = /* @__PURE__ */ new Map();
+  httpMode = false;
   constructor(config) {
     this.config = config;
     this.logFilePath = join3(process.cwd(), LOG_FILE2);
@@ -1133,8 +1136,108 @@ var ProtectGateway = class {
     if (this.child?.stdin?.writable) this.child.stdin.write(message + "\n");
   }
   sendToClient(message) {
+    if (this.httpMode) {
+      try {
+        const parsed = JSON.parse(message);
+        if (parsed.id !== void 0 && parsed.id !== null) {
+          const pending = this.pendingResponses.get(parsed.id);
+          if (pending) {
+            clearTimeout(pending.timeout);
+            this.pendingResponses.delete(parsed.id);
+            pending.resolve(message);
+            return;
+          }
+        }
+      } catch {
+      }
+    }
     process.stdout.write(message + "\n");
   }
+  /**
+   * Enable HTTP transport mode.
+   * In this mode, sendToClient resolves pending promises instead of
+   * writing to stdout, and start() skips stdin reading.
+   */
+  enableHttpMode() {
+    this.httpMode = true;
+  }
+  /**
+   * Start in HTTP mode — spawns child process but does NOT read from
+   * process.stdin. Requests come in via processRequest() instead.
+   */
+  async startForHttp() {
+    this.httpMode = true;
+    const { command, args, verbose } = this.config;
+    const mode = this.config.enforce ? "enforce" : "shadow";
+    if (verbose) {
+      this.log(`Starting gateway in ${mode} mode (HTTP transport)`);
+      this.log(`Wrapping: ${command} ${args.join(" ")}`);
+    }
+    this.log(`Approval nonce: ${this.approvalNonce}`);
+    const childEnv = { ...process.env };
+    if (this.config.credentials) {
+      for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+        if (credConfig.inject === "env" && credConfig.name && credConfig.value_env) {
+          const envValue = process.env[credConfig.value_env];
+          if (envValue) {
+            childEnv[credConfig.name] = envValue;
+            if (verbose) this.log(`Credential "${label}": injected as env var "${credConfig.name}"`);
+          }
+        }
+      }
+    }
+    this.child = spawn(command, args, { stdio: ["pipe", "pipe", "pipe"], env: childEnv });
+    if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
+      throw new Error("Failed to create pipes to child process");
+    }
+    this.child.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+    const childReader = createInterface({ input: this.child.stdout, crlfDelay: Infinity });
+    childReader.on("line", (line) => {
+      this.handleServerMessage(line);
+    });
+    this.child.on("exit", (code, signal) => {
+      if (verbose) this.log(`Child process exited (code=${code}, signal=${signal})`);
+      this.evidenceStore.save();
+    });
+    this.child.on("error", (err) => {
+      this.log(`Child process error: ${err.message}`);
+    });
+  }
+  /**
+   * Process a JSON-RPC request programmatically (for HTTP transport).
+   * Returns a promise that resolves with the JSON-RPC response string.
+   */
+  async processRequest(jsonRpc) {
+    const REQUEST_TIMEOUT_MS = 3e4;
+    if (jsonRpc.method === "tools/call" && jsonRpc.id !== void 0) {
+      const blocked = await this.interceptToolCall(jsonRpc);
+      if (blocked) {
+        return JSON.stringify(blocked);
+      }
+    }
+    return new Promise((resolve, reject) => {
+      const id = jsonRpc.id;
+      if (id === void 0 || id === null) {
+        const modified2 = this.injectParamsCredentials(jsonRpc);
+        this.sendToChild(JSON.stringify(modified2));
+        resolve(JSON.stringify({ jsonrpc: "2.0", result: {}, id: null }));
+        return;
+      }
+      const timeout = setTimeout(() => {
+        this.pendingResponses.delete(id);
+        resolve(JSON.stringify({
+          jsonrpc: "2.0",
+          error: { code: -32e3, message: "Request timeout (30s)" },
+          id
+        }));
+      }, REQUEST_TIMEOUT_MS);
+      this.pendingResponses.set(id, { resolve, timeout });
+      const modified = this.injectParamsCredentials(jsonRpc);
+      this.sendToChild(JSON.stringify(modified));
+    });
+  }
   log(message) {
     process.stderr.write(`[PROTECT_MCP] ${message}
 `);
@@ -1150,137 +1253,6 @@ var ProtectGateway = class {
   }
 };
 
-// src/simulate.ts
-import { readFileSync as readFileSync5 } from "fs";
-function parseLogFile(path) {
-  const raw = readFileSync5(path, "utf-8");
-  const entries = [];
-  for (const line of raw.split("\n")) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
-    try {
-      const parsed = JSON.parse(jsonStr);
-      if (parsed.tool && parsed.decision) {
-        entries.push(parsed);
-      }
-    } catch {
-    }
-  }
-  return entries;
-}
-function simulate(entries, policy, tier = "unknown") {
-  const rateLimitStore = /* @__PURE__ */ new Map();
-  const toolResults = /* @__PURE__ */ new Map();
-  const totals = {
-    allow: 0,
-    block: 0,
-    rate_limited: 0,
-    require_approval: 0,
-    tier_insufficient: 0
-  };
-  const originalTotals = { allow: 0, deny: 0 };
-  const changes = [];
-  for (const entry of entries) {
-    const toolName = entry.tool;
-    const toolPolicy = getToolPolicy(toolName, policy);
-    if (entry.decision === "allow") {
-      originalTotals.allow++;
-    } else {
-      originalTotals.deny++;
-    }
-    let newDecision;
-    if (toolPolicy.block) {
-      newDecision = "block";
-    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
-      newDecision = "tier_insufficient";
-    } else if (toolPolicy.require_approval) {
-      newDecision = "require_approval";
-    } else if (toolPolicy.rate_limit) {
-      const limit = parseRateLimit(toolPolicy.rate_limit);
-      const result = checkRateLimit(toolName, limit, rateLimitStore);
-      newDecision = result.allowed ? "allow" : "rate_limited";
-    } else {
-      newDecision = "allow";
-    }
-    totals[newDecision]++;
-    if (!toolResults.has(toolName)) {
-      toolResults.set(toolName, {
-        tool: toolName,
-        calls: 0,
-        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
-        original: { allow: 0, deny: 0 }
-      });
-    }
-    const tr = toolResults.get(toolName);
-    tr.calls++;
-    tr.results[newDecision]++;
-    if (entry.decision === "allow") {
-      tr.original.allow++;
-    } else {
-      tr.original.deny++;
-    }
-  }
-  for (const [tool, result] of toolResults) {
-    const wasAllBlocked = result.original.allow === 0;
-    const nowAllBlocked = result.results.allow === 0;
-    const wasAllAllowed = result.original.deny === 0;
-    if (wasAllAllowed && result.results.block > 0) {
-      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.rate_limited > 0) {
-      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.require_approval > 0) {
-      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
-    }
-    if (wasAllAllowed && result.results.tier_insufficient > 0) {
-      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
-    }
-    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
-      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
-    }
-  }
-  return {
-    policy_file: "",
-    log_file: "",
-    total_calls: entries.length,
-    results: totals,
-    original: originalTotals,
-    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
-    changes
-  };
-}
-function formatSimulation(summary) {
-  const lines = [];
-  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
-`);
-  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
-  for (const tr of summary.tool_breakdown) {
-    const parts = [];
-    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
-    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
-    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
-    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
-    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
-    const originalParts = [];
-    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
-    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
-    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
-  }
-  lines.push("");
-  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
-  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
-  if (summary.changes.length > 0) {
-    lines.push("");
-    lines.push("Changes:");
-    for (const change of summary.changes) {
-      lines.push(`  \u2022 ${change}`);
-    }
-  }
-  return lines.join("\n");
-}
-
 export {
   loadPolicy,
   getToolPolicy,
@@ -1297,8 +1269,5 @@ export {
   isSigningEnabled,
   queryExternalPDP,
   buildDecisionContext,
-  ProtectGateway,
-  parseLogFile,
-  simulate,
-  formatSimulation
+  ProtectGateway
 };

package/dist/chunk-VWUN6AI6.mjs

@@ -0,0 +1,143 @@
+import {
+  checkRateLimit,
+  getToolPolicy,
+  meetsMinTier,
+  parseRateLimit
+} from "./chunk-7HBHIKLN.mjs";
+
+// src/simulate.ts
+import { readFileSync } from "fs";
+function parseLogFile(path) {
+  const raw = readFileSync(path, "utf-8");
+  const entries = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+    try {
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.tool && parsed.decision) {
+        entries.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function simulate(entries, policy, tier = "unknown") {
+  const rateLimitStore = /* @__PURE__ */ new Map();
+  const toolResults = /* @__PURE__ */ new Map();
+  const totals = {
+    allow: 0,
+    block: 0,
+    rate_limited: 0,
+    require_approval: 0,
+    tier_insufficient: 0
+  };
+  const originalTotals = { allow: 0, deny: 0 };
+  const changes = [];
+  for (const entry of entries) {
+    const toolName = entry.tool;
+    const toolPolicy = getToolPolicy(toolName, policy);
+    if (entry.decision === "allow") {
+      originalTotals.allow++;
+    } else {
+      originalTotals.deny++;
+    }
+    let newDecision;
+    if (toolPolicy.block) {
+      newDecision = "block";
+    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
+      newDecision = "tier_insufficient";
+    } else if (toolPolicy.require_approval) {
+      newDecision = "require_approval";
+    } else if (toolPolicy.rate_limit) {
+      const limit = parseRateLimit(toolPolicy.rate_limit);
+      const result = checkRateLimit(toolName, limit, rateLimitStore);
+      newDecision = result.allowed ? "allow" : "rate_limited";
+    } else {
+      newDecision = "allow";
+    }
+    totals[newDecision]++;
+    if (!toolResults.has(toolName)) {
+      toolResults.set(toolName, {
+        tool: toolName,
+        calls: 0,
+        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
+        original: { allow: 0, deny: 0 }
+      });
+    }
+    const tr = toolResults.get(toolName);
+    tr.calls++;
+    tr.results[newDecision]++;
+    if (entry.decision === "allow") {
+      tr.original.allow++;
+    } else {
+      tr.original.deny++;
+    }
+  }
+  for (const [tool, result] of toolResults) {
+    const wasAllBlocked = result.original.allow === 0;
+    const nowAllBlocked = result.results.allow === 0;
+    const wasAllAllowed = result.original.deny === 0;
+    if (wasAllAllowed && result.results.block > 0) {
+      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.rate_limited > 0) {
+      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.require_approval > 0) {
+      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.tier_insufficient > 0) {
+      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
+    }
+    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
+      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
+    }
+  }
+  return {
+    policy_file: "",
+    log_file: "",
+    total_calls: entries.length,
+    results: totals,
+    original: originalTotals,
+    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
+    changes
+  };
+}
+function formatSimulation(summary) {
+  const lines = [];
+  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
+`);
+  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
+  for (const tr of summary.tool_breakdown) {
+    const parts = [];
+    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
+    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
+    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
+    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
+    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
+    const originalParts = [];
+    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
+    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
+    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
+  }
+  lines.push("");
+  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
+  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
+  if (summary.changes.length > 0) {
+    lines.push("");
+    lines.push("Changes:");
+    for (const change of summary.changes) {
+      lines.push(`  \u2022 ${change}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+export {
+  parseLogFile,
+  simulate,
+  formatSimulation
+};