protect-mcp 0.4.1 → 0.4.3

package/README.md

@@ -254,4 +254,4 @@ Supports OPA, Cerbos, Cedar (AWS AgentCore), and generic HTTP endpoints:
 
 MIT — free to use, modify, distribute, and build upon without restriction.
 
-[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/tomjwxf/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
+[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/scopeblind/ScopeBlindD2) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/{chunk-7HBHIKLN.mjs → chunk-VF3OCG4D.mjs}

@@ -564,17 +564,366 @@ function buildDecisionContext(toolName, tier, opts) {
   };
 }
 
+// src/cedar-evaluator.ts
+import { createHash as createHash2 } from "crypto";
+import { readFileSync as readFileSync4, readdirSync, existsSync as existsSync3 } from "fs";
+import { join as join2, extname } from "path";
+var cedarWasm = null;
+var loadAttempted = false;
+async function ensureCedarWasm() {
+  if (cedarWasm) return true;
+  if (loadAttempted) return false;
+  loadAttempted = true;
+  try {
+    const moduleName = "@cedar-policy/cedar-wasm";
+    cedarWasm = await import(
+      /* @vite-ignore */
+      moduleName
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function loadCedarPolicies(dirPath) {
+  if (!existsSync3(dirPath)) {
+    throw new Error(`Cedar policy directory not found: ${dirPath}`);
+  }
+  const entries = readdirSync(dirPath).filter((f) => extname(f) === ".cedar").sort();
+  if (entries.length === 0) {
+    throw new Error(`No .cedar files found in: ${dirPath}`);
+  }
+  const sources = [];
+  for (const file of entries) {
+    const content = readFileSync4(join2(dirPath, file), "utf-8");
+    sources.push(content);
+  }
+  const concatenated = sources.join("\n\n");
+  const digest = createHash2("sha256").update(concatenated).digest("hex").slice(0, 16);
+  return {
+    source: concatenated,
+    digest,
+    fileCount: entries.length,
+    files: entries
+  };
+}
+function buildEntities(req) {
+  const agentId = req.agentId || req.tier;
+  return [
+    {
+      uid: { type: "Agent", id: agentId },
+      attrs: {
+        tier: req.tier,
+        ...req.agentId ? { agent_id: req.agentId } : {}
+      },
+      parents: []
+    },
+    {
+      uid: { type: "Tool", id: req.tool },
+      attrs: {},
+      parents: []
+    }
+  ];
+}
+async function evaluateCedar(policySet, req) {
+  const available = await ensureCedarWasm();
+  if (!available) {
+    return {
+      allowed: true,
+      reason: "cedar_wasm_not_available",
+      metadata: { fallback: true }
+    };
+  }
+  try {
+    const agentId = req.agentId || req.tier;
+    const authRequest = {
+      principal: { type: "Agent", id: agentId },
+      action: { type: "Action", id: "MCP::Tool::call" },
+      resource: { type: "Tool", id: req.tool },
+      context: {
+        tier: req.tier,
+        ...req.context || {}
+      }
+    };
+    const entities = buildEntities(req);
+    let result;
+    if (typeof cedarWasm.isAuthorized === "function") {
+      result = cedarWasm.isAuthorized({
+        policies: policySet.source,
+        entities,
+        principal: authRequest.principal,
+        action: authRequest.action,
+        resource: authRequest.resource,
+        context: authRequest.context,
+        schema: null
+        // No schema enforcement — Cedar still evaluates correctly
+      });
+    } else if (typeof cedarWasm.checkAuthorization === "function") {
+      result = cedarWasm.checkAuthorization(
+        policySet.source,
+        JSON.stringify(entities),
+        JSON.stringify(authRequest)
+      );
+    } else {
+      const cedarEngine = cedarWasm.default || cedarWasm;
+      if (typeof cedarEngine.isAuthorized === "function") {
+        result = cedarEngine.isAuthorized({
+          policies: policySet.source,
+          entities,
+          principal: authRequest.principal,
+          action: authRequest.action,
+          resource: authRequest.resource,
+          context: authRequest.context,
+          schema: null
+        });
+      } else {
+        return {
+          allowed: true,
+          reason: "cedar_wasm_api_unsupported",
+          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
+        };
+      }
+    }
+    const decision = parseWasmResult(result);
+    return {
+      allowed: decision.allowed,
+      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      metadata: {
+        policy_digest: policySet.digest,
+        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+      }
+    };
+  } catch (err) {
+    return {
+      allowed: true,
+      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
+      metadata: { fallback: true, error: true }
+    };
+  }
+}
+function parseWasmResult(result) {
+  if (!result) {
+    return { allowed: true, diagnostics: "null result from Cedar WASM" };
+  }
+  if (result.type === "allow" || result.type === "Allow") {
+    return { allowed: true };
+  }
+  if (result.type === "deny" || result.type === "Deny") {
+    return {
+      allowed: false,
+      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
+      matchedPolicies: result.diagnostics?.reasons
+    };
+  }
+  if (result.decision === "Allow") {
+    return { allowed: true };
+  }
+  if (result.decision === "Deny") {
+    return {
+      allowed: false,
+      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
+    };
+  }
+  if (typeof result === "boolean") {
+    return { allowed: result };
+  }
+  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+async function isCedarAvailable() {
+  return ensureCedarWasm();
+}
+
+// src/notifications.ts
+async function sendApprovalNotification(config, notification) {
+  const promises = [];
+  if (config.sms) {
+    promises.push(sendSms(config.sms, notification));
+  }
+  if (config.webhook) {
+    promises.push(sendWebhook(config.webhook, notification));
+  }
+  if (config.email) {
+    promises.push(sendEmail(config.email, notification));
+  }
+  const results = await Promise.allSettled(promises);
+  for (const result of results) {
+    if (result.status === "rejected") {
+      console.error(`[protect-mcp] Notification failed: ${result.reason}`);
+    }
+  }
+}
+async function sendSms(config, notification) {
+  const body = [
+    `\u{1F512} Approval Required`,
+    `Tool: ${notification.toolName}`,
+    notification.agentId ? `Agent: ${notification.agentId}` : null,
+    `Reason: ${notification.reason}`,
+    notification.approveUrl ? `Approve: ${notification.approveUrl}` : null,
+    notification.traceUrl ? `Trace: ${notification.traceUrl}` : null
+  ].filter(Boolean).join("\n");
+  const params = new URLSearchParams({
+    To: config.to,
+    From: config.from,
+    Body: body
+  });
+  const response = await fetch(
+    `https://api.twilio.com/2010-04-01/Accounts/${config.accountSid}/Messages.json`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Basic ${Buffer.from(`${config.accountSid}:${config.authToken}`).toString("base64")}`,
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: params.toString()
+    }
+  );
+  if (!response.ok) {
+    throw new Error(`Twilio SMS failed: ${response.status} ${await response.text()}`);
+  }
+}
+async function sendWebhook(config, notification) {
+  let payload;
+  if (config.template === "slack") {
+    payload = {
+      blocks: [
+        {
+          type: "header",
+          text: { type: "plain_text", text: "\u{1F512} Agent Approval Required" }
+        },
+        {
+          type: "section",
+          fields: [
+            { type: "mrkdwn", text: `*Tool:*
+\`${notification.toolName}\`` },
+            { type: "mrkdwn", text: `*Agent:*
+${notification.agentId || "unknown"}` },
+            { type: "mrkdwn", text: `*Policy:*
+${notification.policyName || "default"}` },
+            { type: "mrkdwn", text: `*Time:*
+${notification.timestamp}` }
+          ]
+        },
+        {
+          type: "section",
+          text: { type: "mrkdwn", text: `*Reason:* ${notification.reason}` }
+        },
+        ...notification.approveUrl || notification.traceUrl ? [
+          {
+            type: "actions",
+            elements: [
+              ...notification.approveUrl ? [{ type: "button", text: { type: "plain_text", text: "\u2705 Approve" }, url: notification.approveUrl, style: "primary" }] : [],
+              ...notification.traceUrl ? [{ type: "button", text: { type: "plain_text", text: "\u{1F50D} View Trace" }, url: notification.traceUrl }] : []
+            ]
+          }
+        ] : []
+      ]
+    };
+  } else if (config.template === "pagerduty") {
+    payload = {
+      routing_key: config.headers?.["X-Routing-Key"] || "",
+      event_action: "trigger",
+      payload: {
+        summary: `Agent approval required: ${notification.toolName}`,
+        source: "protect-mcp",
+        severity: "warning",
+        custom_details: {
+          tool: notification.toolName,
+          agent: notification.agentId,
+          policy: notification.policyName,
+          reason: notification.reason,
+          trace_url: notification.traceUrl,
+          approve_url: notification.approveUrl
+        }
+      }
+    };
+  } else {
+    payload = notification;
+  }
+  const response = await fetch(config.url, {
+    method: config.method || "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...config.headers
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    throw new Error(`Webhook failed: ${response.status}`);
+  }
+}
+async function sendEmail(config, notification) {
+  if (!config.resendApiKey) {
+    console.warn("[protect-mcp] Email notification skipped: no resendApiKey configured");
+    return;
+  }
+  const html = `
+    <div style="font-family: monospace; padding: 20px; background: #0d1117; color: #c9d1d9; border-radius: 8px;">
+      <h2 style="color: #10b981;">\u{1F512} Agent Approval Required</h2>
+      <table style="font-size: 14px; margin: 16px 0;">
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Tool:</td><td>${notification.toolName}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Agent:</td><td>${notification.agentId || "unknown"}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Reason:</td><td>${notification.reason}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Time:</td><td>${notification.timestamp}</td></tr>
+      </table>
+      ${notification.approveUrl ? `<a href="${notification.approveUrl}" style="background: #10b981; color: white; padding: 8px 16px; border-radius: 6px; text-decoration: none; margin-right: 8px;">\u2705 Approve</a>` : ""}
+      ${notification.traceUrl ? `<a href="${notification.traceUrl}" style="background: #1f2937; color: #c9d1d9; padding: 8px 16px; border-radius: 6px; text-decoration: none; border: 1px solid #374151;">\u{1F50D} View Trace</a>` : ""}
+    </div>
+  `;
+  const response = await fetch("https://api.resend.com/emails", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${config.resendApiKey}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      from: "ScopeBlind <noreply@scopeblind.com>",
+      to: config.to,
+      subject: `\u{1F512} Approval required: ${notification.toolName}`,
+      html
+    })
+  });
+  if (!response.ok) {
+    throw new Error(`Resend email failed: ${response.status}`);
+  }
+}
+function parseNotificationConfigFromEnv() {
+  const config = {};
+  let hasConfig = false;
+  const smsTo = process.env.SCOPEBLIND_SMS_TO;
+  const twilioSid = process.env.TWILIO_ACCOUNT_SID;
+  const twilioToken = process.env.TWILIO_AUTH_TOKEN;
+  const twilioFrom = process.env.TWILIO_FROM_NUMBER;
+  if (smsTo && twilioSid && twilioToken && twilioFrom) {
+    config.sms = { accountSid: twilioSid, authToken: twilioToken, from: twilioFrom, to: smsTo };
+    hasConfig = true;
+  }
+  const webhookUrl = process.env.SCOPEBLIND_WEBHOOK_URL;
+  if (webhookUrl) {
+    config.webhook = {
+      url: webhookUrl,
+      template: process.env.SCOPEBLIND_WEBHOOK_TEMPLATE || "custom"
+    };
+    hasConfig = true;
+  }
+  const emailTo = process.env.SCOPEBLIND_EMAIL_TO;
+  if (emailTo) {
+    config.email = { to: emailTo, resendApiKey: process.env.RESEND_API_KEY };
+    hasConfig = true;
+  }
+  return hasConfig ? config : null;
+}
+
 // src/gateway.ts
 import { spawn } from "child_process";
 import { randomUUID, randomBytes } from "crypto";
 import { createInterface } from "readline";
 import { appendFileSync } from "fs";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 
 // src/http-server.ts
 import { createServer } from "http";
-import { readFileSync as readFileSync4, existsSync as existsSync3 } from "fs";
-import { join as join2 } from "path";
+import { readFileSync as readFileSync5, existsSync as existsSync4 } from "fs";
+import { join as join3 } from "path";
 var LOG_FILE = ".protect-mcp-log.jsonl";
 var MAX_RECEIPTS = 100;
 var ReceiptBuffer = class {
@@ -667,13 +1016,13 @@ function handleHealth(res, startTime, config) {
   }));
 }
 function handleStatus(res, logDir) {
-  const logPath = join2(logDir, LOG_FILE);
-  if (!existsSync3(logPath)) {
+  const logPath = join3(logDir, LOG_FILE);
+  if (!existsSync4(logPath)) {
     res.writeHead(200);
     res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
     return;
   }
-  const raw = readFileSync4(logPath, "utf-8");
+  const raw = readFileSync5(logPath, "utf-8");
   const lines = raw.trim().split("\n").filter(Boolean);
   const entries = [];
   for (const line of lines) {
@@ -814,15 +1163,27 @@ var ProtectGateway = class {
   approvalNonce = randomBytes(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
+  /** Notification config for approval gates (SMS, webhook, email) */
+  notificationConfig = null;
   /** HTTP transport mode: pending response resolvers keyed by JSON-RPC id */
   pendingResponses = /* @__PURE__ */ new Map();
   httpMode = false;
+  /** Loaded Cedar policy set (when policy_engine is "cedar") */
+  cedarPolicySet = null;
   constructor(config) {
     this.config = config;
-    this.logFilePath = join3(process.cwd(), LOG_FILE2);
-    this.receiptFilePath = join3(process.cwd(), RECEIPTS_FILE);
+    this.logFilePath = join4(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = join4(process.cwd(), RECEIPTS_FILE);
     this.evidenceStore = new EvidenceStore();
     this.receiptBuffer = new ReceiptBuffer();
+    this.notificationConfig = parseNotificationConfigFromEnv();
+  }
+  /**
+   * Set the Cedar policy set for local evaluation.
+   * Called during CLI startup when --cedar flag is used.
+   */
+  setCedarPolicies(policySet) {
+    this.cedarPolicySet = policySet;
   }
   async start() {
     const { command, args, verbose } = this.config;
@@ -991,6 +1352,27 @@ var ProtectGateway = class {
         }
       }
     }
+    if (this.config.policy?.policy_engine === "cedar" && this.cedarPolicySet) {
+      try {
+        const cedarDecision = await evaluateCedar(this.cedarPolicySet, {
+          tool: toolName,
+          tier: this.currentTier,
+          agentId: this.admissionResult?.agent_id
+        });
+        if (!cedarDecision.allowed) {
+          const reason = cedarDecision.reason || "cedar_deny";
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by Cedar policy`);
+          }
+          return null;
+        }
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "cedar_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      } catch (err) {
+        if (this.config.verbose) this.log(`Cedar evaluation error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
     if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
       try {
         const ctx = buildDecisionContext(toolName, this.currentTier, {
@@ -1038,6 +1420,20 @@ var ProtectGateway = class {
         return null;
       }
       this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.notificationConfig) {
+        sendApprovalNotification(this.notificationConfig, {
+          requestId,
+          toolName,
+          agentId: this.admissionResult?.agent_id,
+          policyName: "default",
+          reason: `Policy requires human approval for "${toolName}"`,
+          traceUrl: `https://scopeblind.com/trace`,
+          approveUrl: void 0,
+          // Approve URL provided when HTTP transport is active
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }).catch(() => {
+        });
+      }
       if (this.config.enforce) {
         return {
           jsonrpc: "2.0",
@@ -1085,8 +1481,19 @@ var ProtectGateway = class {
     }
     return policy.rate_limit;
   }
+  /**
+   * Emit a decision log entry with OTel-compatible trace IDs and optional
+   * signed receipt generation.
+   *
+   * @patent Patent-protected construction — decision receipts with configurable
+   * disclosure and issuer-blind properties. Covered by Apache 2.0 patent grant
+   * for users of this code. Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
   emitDecisionLog(entry) {
     const mode = this.config.enforce ? "enforce" : "shadow";
+    const otelTraceId = entry.otel_trace_id || randomBytes(16).toString("hex");
+    const otelSpanId = entry.otel_span_id || randomBytes(8).toString("hex");
     const log = {
       v: 2,
       tool: entry.tool || "unknown",
@@ -1099,7 +1506,9 @@ var ProtectGateway = class {
       mode,
       ...entry.rate_limit_remaining !== void 0 && { rate_limit_remaining: entry.rate_limit_remaining },
       ...entry.tier && { tier: entry.tier },
-      ...entry.credential_ref && { credential_ref: entry.credential_ref }
+      ...entry.credential_ref && { credential_ref: entry.credential_ref },
+      otel_trace_id: otelTraceId,
+      otel_span_id: otelSpanId
     };
     process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
 `);
@@ -1269,5 +1678,9 @@ export {
   isSigningEnabled,
   queryExternalPDP,
   buildDecisionContext,
+  loadCedarPolicies,
+  isCedarAvailable,
+  sendApprovalNotification,
+  parseNotificationConfigFromEnv,
   ProtectGateway
 };

package/dist/{chunk-VWUN6AI6.mjs → chunk-VIA2B65K.mjs}

@@ -3,7 +3,7 @@ import {
   getToolPolicy,
   meetsMinTier,
   parseRateLimit
-} from "./chunk-7HBHIKLN.mjs";
+} from "./chunk-VF3OCG4D.mjs";
 
 // src/simulate.ts
 import { readFileSync } from "fs";