npm - protect-mcp - Versions diffs - 0.4.2 → 0.4.3 - Mend

protect-mcp 0.4.2 → 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +1 -1
package/dist/{chunk-7HBHIKLN.mjs → chunk-VF3OCG4D.mjs} +422 -9
package/dist/{chunk-VWUN6AI6.mjs → chunk-VIA2B65K.mjs} +1 -1
package/dist/cli.js +690 -93
package/dist/cli.mjs +183 -7
package/dist/{http-transport-RIVV2RVQ.mjs → http-transport-VLIPOPIC.mjs} +1 -1
package/dist/index.d.mts +1429 -2
package/dist/index.d.ts +1429 -2
package/dist/index.js +1728 -25
package/dist/index.mjs +1273 -3
package/package.json +4 -3
package/policies/cedar/clinejection.cedar +50 -0
package/policies/cedar/terraform-destroy.cedar +44 -0
package/policies/clinejection.json +6 -0
package/policies/data-exfiltration.json +6 -0
package/policies/financial-safe.json +8 -0
package/policies/github-mcp-hijack.json +6 -0
package/policies/terraform-destroy.json +6 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "protect-mcp",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
@@ -53,15 +53,16 @@
   "homepage": "https://www.scopeblind.com",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/tomjwxf/scopeblind-gateway.git"
+    "url": "git+https://github.com/scopeblind/scopeblind-gateway.git"
   },
   "bugs": {
-    "url": "https://github.com/tomjwxf/scopeblind-gateway/issues"
+    "url": "https://github.com/scopeblind/scopeblind-gateway/issues"
   },
   "dependencies": {
     "@veritasacta/protocol": "^0.1.0"
   },
   "optionalDependencies": {
+    "@cedar-policy/cedar-wasm": "^4.9.1",
     "@noble/curves": "^1.8.0",
     "@noble/hashes": "^1.7.0"
   },

package/policies/cedar/clinejection.cedar ADDED Viewed

@@ -0,0 +1,50 @@
+// ============================================================
+// Clinejection Protection — Cedar Edition
+//
+// CVE-2025-6514: Clinejection MCP OAuth Proxy Hijack
+// A prompt injection in a GitHub issue title caused an AI agent
+// to publish backdoored npm packages. 437,000+ developer
+// environments compromised in 8 hours.
+//
+// Controls: SOC2-CC6.1, SOC2-CC6.8, SOC2-CC7.2, SOC2-CC8.1
+//           EU-AI-Art.9, EU-AI-Art.12, EU-AI-Art.14
+//           OWASP-A01, OWASP-A03
+//           MCP-01, MCP-03, MCP-04
+//           NIST-GOVERN-1.1, NIST-MAP-3.1, NIST-MEASURE-2.1
+// ============================================================
+// Block all shell execution tools
+@id("sb-clinejection-001")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"execute_command"
+);
+@id("sb-clinejection-002")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"run_command"
+);
+@id("sb-clinejection-003")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"shell"
+);
+@id("sb-clinejection-004")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"bash"
+);
+@id("sb-clinejection-005")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"terminal"
+);

package/policies/cedar/terraform-destroy.cedar ADDED Viewed

@@ -0,0 +1,44 @@
+// ============================================================
+// Terraform Destroy Protection — Cedar Edition
+//
+// CVE-2026-XXXX: AI Agent Terraform Destroy Incident
+// An AI agent unpacked old Terraform configs and ran
+// terraform destroy, wiping a production VPC, RDS database
+// and ECS cluster.
+//
+// Controls: SOC2-CC6.1, SOC2-CC6.6, SOC2-CC8.1
+//           EU-AI-Art.9, EU-AI-Art.14
+//           OWASP-A06, OWASP-A09
+//           MCP-02, MCP-06
+//           NIST-GOVERN-1.2, NIST-MAP-3.1
+// ============================================================
+// Block bash/shell (primary vector for terraform commands)
+@id("sb-terraform-001")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"bash"
+);
+@id("sb-terraform-002")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"execute_command"
+);
+@id("sb-terraform-003")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"run_command"
+);
+// Block destructive file operations
+@id("sb-terraform-004")
+forbid (
+  principal,
+  action == Action::"MCP::Tool::call",
+  resource == Tool::"delete_file"
+);

package/policies/clinejection.json CHANGED Viewed

@@ -4,6 +4,12 @@
   "incident_name": "Clinejection MCP OAuth Proxy Hijack",
   "incident_date": "2025-07-15",
   "owasp_categories": ["A01-Prompt-Injection", "A03-Supply-Chain"],
+  "controls": {
+    "soc2": ["CC6.1", "CC6.8", "CC7.2", "CC8.1"],
+    "eu_ai_act": ["Art.9", "Art.12", "Art.14"],
+    "owasp_mcp": ["MCP-01", "MCP-03", "MCP-04"],
+    "nist_ai_rmf": ["GOVERN-1.1", "MAP-3.1", "MEASURE-2.1"]
+  },
   "tools": {
     "*": {
       "rate_limit": "30/minute"

package/policies/data-exfiltration.json CHANGED Viewed

@@ -3,6 +3,12 @@
   "incident": "agent-data-exfiltration-pattern",
   "incident_name": "AI Agent Data Exfiltration via Tool Abuse",
   "owasp_categories": ["A02-Sensitive-Data-Exposure", "A04-Tool-Call-Injection"],
+  "controls": {
+    "soc2": ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC7.2"],
+    "eu_ai_act": ["Art.9", "Art.12", "Art.13"],
+    "owasp_mcp": ["MCP-02", "MCP-04", "MCP-08", "MCP-09"],
+    "nist_ai_rmf": ["GOVERN-1.1", "MAP-3.1", "MEASURE-2.1"]
+  },
   "tools": {
     "*": {
       "rate_limit": "60/minute"

package/policies/financial-safe.json CHANGED Viewed

@@ -3,6 +3,14 @@
   "incident": "agent-unauthorized-transaction-pattern",
   "incident_name": "Unauthorized Financial Transaction via AI Agent",
   "owasp_categories": ["A05-Insufficient-Access-Control", "A06-Excessive-Autonomy"],
+  "controls": {
+    "soc2": ["CC6.1", "CC6.2", "CC6.3", "CC6.6", "CC6.8", "CC7.1", "CC7.2", "CC8.1"],
+    "eu_ai_act": ["Art.9", "Art.12", "Art.13", "Art.14", "Art.15"],
+    "owasp_mcp": ["MCP-03", "MCP-07", "MCP-08", "MCP-09"],
+    "nist_ai_rmf": ["GOVERN-1.1", "GOVERN-6.1", "MAP-3.1", "MEASURE-2.1", "MANAGE-2.1"],
+    "pci_dss": ["Req-7", "Req-10"],
+    "iso_27001": ["A.9.2", "A.12.4"]
+  },
   "tools": {
     "*": {
       "rate_limit": "30/minute",

package/policies/github-mcp-hijack.json CHANGED Viewed

@@ -4,6 +4,12 @@
   "incident_name": "GitHub MCP Server Prompt Injection via Crafted Issue",
   "incident_date": "2025-08-20",
   "owasp_categories": ["A01-Prompt-Injection", "A02-Sensitive-Data-Exposure", "A03-Supply-Chain"],
+  "controls": {
+    "soc2": ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC7.2"],
+    "eu_ai_act": ["Art.9", "Art.12", "Art.13", "Art.14"],
+    "owasp_mcp": ["MCP-01", "MCP-02", "MCP-04", "MCP-08"],
+    "nist_ai_rmf": ["GOVERN-1.1", "MAP-3.1", "MEASURE-2.1", "MANAGE-2.1"]
+  },
   "tools": {
     "*": {
       "rate_limit": "30/minute"

package/policies/terraform-destroy.json CHANGED Viewed

@@ -4,6 +4,12 @@
   "incident_name": "Autonomous Terraform Agent Destroys Production",
   "incident_date": "2025-09-01",
   "owasp_categories": ["A06-Excessive-Autonomy", "A05-Insufficient-Access-Control"],
+  "controls": {
+    "soc2": ["CC6.1", "CC6.6", "CC6.8", "CC7.2", "CC8.1"],
+    "eu_ai_act": ["Art.9", "Art.12", "Art.14", "Art.15"],
+    "owasp_mcp": ["MCP-03", "MCP-07", "MCP-09"],
+    "nist_ai_rmf": ["GOVERN-1.1", "GOVERN-6.1", "MAP-3.1", "MANAGE-2.1"]
+  },
   "tools": {
     "*": {
       "rate_limit": "30/minute"