protect-mcp 0.4.1 → 0.4.3

package/dist/cli.mjs

@@ -3,13 +3,15 @@ import {
   formatSimulation,
   parseLogFile,
   simulate
-} from "./chunk-VWUN6AI6.mjs";
+} from "./chunk-VIA2B65K.mjs";
 import {
   ProtectGateway,
   initSigning,
+  isCedarAvailable,
+  loadCedarPolicies,
   loadPolicy,
   validateCredentials
-} from "./chunk-7HBHIKLN.mjs";
+} from "./chunk-VF3OCG4D.mjs";
 
 // src/cli.ts
 function printHelp() {
@@ -31,6 +33,7 @@ Usage:
 
 Options:
   --policy <path>   Policy/config JSON file (default: allow-all)
+  --cedar <dir>     Cedar policy directory (alternative to --policy, evaluates locally via WASM)
   --slug <slug>     ScopeBlind tenant slug (optional)
   --enforce         Enable enforcement mode (default: shadow mode)
   --http            Start HTTP/SSE server instead of stdio proxy
@@ -42,6 +45,7 @@ Commands:
   quickstart        Zero-config onboarding: init + demo + show receipts in one command
   init              Generate config template, Ed25519 keypair, and sample policy
   demo              Start a demo server wrapped with protect-mcp (see receipts instantly)
+  doctor            Check your setup: keys, policies, verifier, API connectivity
   trace <id>        Visualize the receipt DAG from a given receipt_id (ASCII tree)
   status            Show tool call statistics from the local decision log
   digest            Generate a human-readable summary of agent activity
@@ -64,6 +68,7 @@ Examples:
 }
 function parseArgs(argv) {
   let policyPath;
+  let cedarDir;
   let slug;
   let enforce = false;
   let verbose = false;
@@ -88,6 +93,8 @@ function parseArgs(argv) {
       process.exit(0);
     } else if (arg === "--policy" && i + 1 < options.length) {
       policyPath = options[++i];
+    } else if (arg === "--cedar" && i + 1 < options.length) {
+      cedarDir = options[++i];
     } else if (arg === "--slug" && i + 1 < options.length) {
       slug = options[++i];
     } else if (arg === "--enforce") {
@@ -99,7 +106,7 @@ function parseArgs(argv) {
 `);
     }
   }
-  return { policyPath, slug, enforce, verbose, childCommand };
+  return { policyPath, cedarDir, slug, enforce, verbose, childCommand };
 }
 async function handleInit(argv) {
   const { writeFileSync, existsSync, mkdirSync } = await import("fs");
@@ -217,8 +224,14 @@ Add --enforce when ready to block policy violations.
 async function handleDemo() {
   const { existsSync } = await import("fs");
   const { join, dirname, resolve } = await import("path");
+  const { realpathSync } = await import("fs");
   const cliPath = resolve(process.argv[1] || "dist/cli.js");
-  const cliDir = dirname(cliPath);
+  let cliDir;
+  try {
+    cliDir = dirname(realpathSync(cliPath));
+  } catch {
+    cliDir = dirname(cliPath);
+  }
   const demoServerPath = join(cliDir, "demo-server.js");
   const configPath = join(process.cwd(), "protect-mcp.json");
   const hasConfig = existsSync(configPath);
@@ -727,7 +740,7 @@ async function handleTrace(argv) {
     process.stderr.write("[PROTECT_MCP] Usage: protect-mcp trace <receipt_id> [--endpoint <url>] [--depth <n>]\n");
     process.exit(1);
   }
-  let endpoint = "https://evidence-indexer.tomjwxf.workers.dev";
+  let endpoint = "https://api.scopeblind.com/evidence";
   let depth = 3;
   for (let i = 1; i < argv.length; i++) {
     if (argv[i] === "--endpoint" && argv[i + 1]) {
@@ -977,12 +990,57 @@ async function main() {
     await handleReport(args.slice(1));
     process.exit(0);
   }
-  const { policyPath, slug, enforce, verbose, childCommand } = parseArgs(args);
+  if (args[0] === "doctor") {
+    await handleDoctor();
+    process.exit(0);
+  }
+  const { policyPath, cedarDir, slug, enforce, verbose, childCommand } = parseArgs(args);
   let policy = null;
   let policyDigest = "none";
   let credentials;
   let signing;
-  if (policyPath) {
+  let cedarPolicySet = null;
+  let effectiveCedarDir = cedarDir;
+  if (!effectiveCedarDir && !policyPath) {
+    const { existsSync, readdirSync } = await import("fs");
+    for (const candidate of ["cedar", "policies", "."]) {
+      try {
+        if (existsSync(candidate) && readdirSync(candidate).some((f) => f.endsWith(".cedar"))) {
+          effectiveCedarDir = candidate;
+          process.stderr.write(`[PROTECT_MCP] Auto-detected Cedar policies in ./${candidate}/
+`);
+          break;
+        }
+      } catch {
+      }
+    }
+  }
+  if (effectiveCedarDir) {
+    try {
+      const cedarAvailable = await isCedarAvailable();
+      if (!cedarAvailable) {
+        process.stderr.write("[PROTECT_MCP] Warning: @cedar-policy/cedar-wasm not installed. Install with: npm install @cedar-policy/cedar-wasm\n");
+        process.stderr.write("[PROTECT_MCP] Cedar policies will be loaded but evaluated with fallback (allow-all).\n");
+      }
+      cedarPolicySet = loadCedarPolicies(effectiveCedarDir);
+      policyDigest = cedarPolicySet.digest;
+      policy = {
+        tools: { "*": { require: "any" } },
+        policy_engine: "cedar",
+        cedar_dir: effectiveCedarDir
+      };
+      process.stderr.write(`[PROTECT_MCP] Cedar policy engine: loaded ${cedarPolicySet.fileCount} policies from ${effectiveCedarDir} (digest: ${policyDigest})
+`);
+      if (verbose) {
+        process.stderr.write(`[PROTECT_MCP] Cedar files: ${cedarPolicySet.files.join(", ")}
+`);
+      }
+    } catch (err) {
+      process.stderr.write(`[PROTECT_MCP] Error loading Cedar policies: ${err instanceof Error ? err.message : err}
+`);
+      process.exit(1);
+    }
+  } else if (policyPath) {
     try {
       const loaded = loadPolicy(policyPath);
       policy = loaded.policy;
@@ -1028,11 +1086,14 @@ async function main() {
   if (useHttp) {
     const portIdx = args.indexOf("--port");
     const httpPort = portIdx >= 0 && args[portIdx + 1] ? parseInt(args[portIdx + 1]) : 3e3;
-    const { startHttpTransport } = await import("./http-transport-RIVV2RVQ.mjs");
+    const { startHttpTransport } = await import("./http-transport-VLIPOPIC.mjs");
     startHttpTransport({ port: httpPort, config, serverCommand: childCommand });
     return;
   }
   const gateway = new ProtectGateway(config);
+  if (cedarPolicySet) {
+    gateway.setCedarPolicies(cedarPolicySet);
+  }
   await gateway.start();
 }
 async function handleSimulate(args) {
@@ -1077,6 +1138,127 @@ async function handleSimulate(args) {
     process.stdout.write(formatSimulation(summary) + "\n");
   }
 }
+async function handleDoctor() {
+  const { existsSync, readFileSync, readdirSync } = await import("fs");
+  const { join } = await import("path");
+  const { execSync } = await import("child_process");
+  const green2 = (s) => `\x1B[32m\u2713\x1B[0m ${s}`;
+  const red2 = (s) => `\x1B[31m\u2717\x1B[0m ${s}`;
+  const yellow2 = (s) => `\x1B[33m\u26A0\x1B[0m ${s}`;
+  const dim2 = (s) => `\x1B[2m${s}\x1B[0m`;
+  process.stdout.write("\n\x1B[1mprotect-mcp doctor\x1B[0m\n");
+  process.stdout.write(dim2("Checking your ScopeBlind setup...\n\n"));
+  let issues = 0;
+  const nodeVersion = process.version;
+  const major = parseInt(nodeVersion.slice(1));
+  if (major >= 18) {
+    process.stdout.write(green2(`Node.js ${nodeVersion}
+`));
+  } else {
+    process.stdout.write(red2(`Node.js ${nodeVersion} \u2014 requires >= 18
+`));
+    issues++;
+  }
+  const configPath = join(process.cwd(), "scopeblind.config.json");
+  if (existsSync(configPath)) {
+    try {
+      const config = JSON.parse(readFileSync(configPath, "utf-8"));
+      if (config.signing?.private_key || config.signing?.key_file) {
+        process.stdout.write(green2("Signing keys configured\n"));
+      } else {
+        process.stdout.write(yellow2("Config found but no signing keys \u2014 run: protect-mcp init\n"));
+        issues++;
+      }
+    } catch {
+      process.stdout.write(red2("Invalid scopeblind.config.json\n"));
+      issues++;
+    }
+  } else {
+    process.stdout.write(yellow2("No scopeblind.config.json \u2014 run: protect-mcp init\n"));
+  }
+  let policyFound = false;
+  for (const dir of ["cedar", "policies", "."]) {
+    try {
+      if (existsSync(dir) && readdirSync(dir).some((f) => f.endsWith(".cedar"))) {
+        process.stdout.write(green2(`Cedar policies found in ./${dir}/
+`));
+        policyFound = true;
+        break;
+      }
+    } catch {
+    }
+  }
+  if (!policyFound) {
+    for (const name of ["policy.json", "protect-mcp.policy.json", "scopeblind-policy.json"]) {
+      if (existsSync(name)) {
+        process.stdout.write(green2(`JSON policy found: ${name}
+`));
+        policyFound = true;
+        break;
+      }
+    }
+  }
+  if (!policyFound) {
+    process.stdout.write(yellow2("No policy files found \u2014 running in shadow mode (allow all)\n"));
+  }
+  try {
+    const cedarAvailable = await isCedarAvailable();
+    if (cedarAvailable) {
+      process.stdout.write(green2("Cedar WASM engine available\n"));
+    } else {
+      process.stdout.write(dim2("  Cedar WASM not installed \u2014 install: npm install @cedar-policy/cedar-wasm\n"));
+    }
+  } catch {
+    process.stdout.write(dim2("  Cedar WASM not installed\n"));
+  }
+  const logFile = join(process.cwd(), "protect-mcp-decisions.jsonl");
+  const receiptFile = join(process.cwd(), "protect-mcp-receipts.jsonl");
+  if (existsSync(logFile)) {
+    try {
+      const lines = readFileSync(logFile, "utf-8").trim().split("\n").length;
+      process.stdout.write(green2(`Decision log: ${lines} entries
+`));
+    } catch {
+      process.stdout.write(green2("Decision log exists\n"));
+    }
+  } else {
+    process.stdout.write(dim2("  No decision log yet \u2014 will be created on first tool call\n"));
+  }
+  if (existsSync(receiptFile)) {
+    try {
+      const lines = readFileSync(receiptFile, "utf-8").trim().split("\n").length;
+      process.stdout.write(green2(`Receipt file: ${lines} signed receipts
+`));
+    } catch {
+      process.stdout.write(green2("Receipt file exists\n"));
+    }
+  }
+  try {
+    execSync("npx @veritasacta/verify --version 2>/dev/null", { stdio: "pipe", timeout: 1e4 });
+    process.stdout.write(green2("Verifier available: @veritasacta/verify\n"));
+  } catch {
+    process.stdout.write(dim2("  Verifier not cached \u2014 install: npm install -g @veritasacta/verify\n"));
+  }
+  try {
+    const res = await fetch("https://api.scopeblind.com/health", { signal: AbortSignal.timeout(5e3) });
+    if (res.ok) {
+      process.stdout.write(green2("ScopeBlind API reachable\n"));
+    } else {
+      process.stdout.write(yellow2("ScopeBlind API returned non-200 \u2014 receipts will be stored locally\n"));
+    }
+  } catch {
+    process.stdout.write(dim2("  ScopeBlind API not reachable \u2014 offline mode (receipts stored locally)\n"));
+  }
+  process.stdout.write("\n");
+  if (issues === 0) {
+    process.stdout.write("\x1B[32m\x1B[1mAll checks passed.\x1B[0m Ready to wrap MCP servers.\n");
+    process.stdout.write(dim2("\n  npx protect-mcp -- node your-server.js\n\n"));
+  } else {
+    process.stdout.write(`\x1B[33m\x1B[1m${issues} issue(s) found.\x1B[0m Fix them and run doctor again.
+
+`);
+  }
+}
 async function handleReport(args) {
   let period = 30;
   let format = "json";

package/dist/{http-transport-RIVV2RVQ.mjs → http-transport-VLIPOPIC.mjs}

@@ -1,6 +1,6 @@
 import {
   ProtectGateway
-} from "./chunk-7HBHIKLN.mjs";
+} from "./chunk-VF3OCG4D.mjs";
 
 // src/http-transport.ts
 import { createServer } from "http";