protect-mcp 0.4.4 → 0.4.6

package/dist/index.mjs

@@ -5,7 +5,7 @@ import {
 } from "./chunk-VIA2B65K.mjs";
 import {
   createSandboxServer
-} from "./chunk-U76JZVH6.mjs";
+} from "./chunk-SU2FZH7U.mjs";
 import {
   collectSignedReceipts,
   createAuditBundle
@@ -34,6 +34,7 @@ import {
   formatReportMarkdown,
   generateReport
 } from "./chunk-JQDVKZBN.mjs";
+import "./chunk-PQJP2ZCI.mjs";
 
 // src/manifest.ts
 function isAgentId(s) {

package/dist/{report-ENQ3KUI2.mjs → report-5XCNW6FB.mjs}

@@ -2,6 +2,7 @@ import {
   formatReportMarkdown,
   generateReport
 } from "./chunk-JQDVKZBN.mjs";
+import "./chunk-PQJP2ZCI.mjs";
 export {
   formatReportMarkdown,
   generateReport

package/dist/{utils-IDWBSHJU.mjs → utils-6AYZFE5A.mjs}

@@ -36,6 +36,7 @@ import {
   wrapConstructorWithOpts,
   wrapXOFConstructorWithOpts
 } from "./chunk-D733KAPG.mjs";
+import "./chunk-PQJP2ZCI.mjs";
 export {
   Hash,
   abytes,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "protect-mcp",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
@@ -63,6 +63,7 @@
   },
   "optionalDependencies": {
     "@cedar-policy/cedar-wasm": "^4.9.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@noble/curves": "^1.8.0",
     "@noble/hashes": "^1.7.0"
   },

package/policies/cedar/spending-authority.cedar

@@ -0,0 +1,134 @@
+// ============================================================
+// Spending Authority — Cedar Edition
+//
+// AI agents spending money on behalf of humans is the highest-
+// stakes MCP action class. Without cryptographic proof of
+// authorization, merchants cannot distinguish legitimate agent
+// purchases from unauthorized ones, and organizations cannot
+// enforce budget controls across autonomous agent fleets.
+//
+// The receipt proves authorization; it never touches money.
+// The merchant settles through their existing payment rail.
+//
+// Controls: SOC2-CC6.1, SOC2-CC6.3, SOC2-CC6.6, SOC2-CC8.1
+//           EU-AI-Art.9, EU-AI-Art.14, EU-AI-Art.52
+//           OWASP-A01, OWASP-A04
+//           MCP-01, MCP-05, MCP-06
+//           NIST-GOVERN-1.1, NIST-GOVERN-1.2, NIST-MAP-3.1
+//           NIST-MEASURE-2.1, NIST-MANAGE-2.3
+// ============================================================
+
+// ─── Auto-approve: low-value transactions under threshold ────
+// Threshold is configurable per scope (default: $25.00 / 2500 cents)
+@id("sb-spending-001")
+permit (
+  principal,
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents < context.auto_approve_threshold_cents &&
+  context.budget_utilization != "exceeded" &&
+  context.category_allowed == true
+};
+
+// ─── Require human approval: high-value transactions ─────────
+// Amounts at or above the auto-approve threshold require explicit
+// human confirmation before a receipt is issued.
+@id("sb-spending-002")
+forbid (
+  principal,
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents >= context.auto_approve_threshold_cents &&
+  context.approval_method != "human_confirmed"
+};
+
+// ─── Block: budget exhausted ─────────────────────────────────
+// When cumulative spend reaches or exceeds the ceiling, all
+// spending is blocked regardless of amount or approval method.
+@id("sb-spending-003")
+forbid (
+  principal,
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  context.budget_utilization == "exceeded"
+};
+
+// ─── Block: disallowed merchant category ─────────────────────
+// Organizations configure allowed merchant category codes.
+// Any transaction to a disallowed category is rejected.
+@id("sb-spending-004")
+forbid (
+  principal,
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  context.category_allowed == false
+};
+
+// ─── Per-agent-tier spending limits ──────────────────────────
+// Unknown agents: $5 max per transaction (500 cents)
+@id("sb-spending-005")
+forbid (
+  principal == Agent::"unknown",
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents > 500
+};
+
+// Signed-known agents: $50 max per transaction (5000 cents)
+@id("sb-spending-006")
+forbid (
+  principal == Agent::"signed-known",
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents > 5000
+};
+
+// Evidenced agents: $500 max per transaction (50000 cents)
+@id("sb-spending-007")
+forbid (
+  principal == Agent::"evidenced",
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents > 50000
+};
+
+// Privileged agents: $5000 max per transaction (500000 cents)
+// Even the highest trust tier has a ceiling — no unlimited spend.
+@id("sb-spending-008")
+forbid (
+  principal == Agent::"privileged",
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  resource.amount_cents > 500000
+};
+
+// ─── Block: high utilization + large transaction ─────────────
+// When budget is 75%+ consumed, block any single transaction
+// that exceeds 10% of the original ceiling. Prevents a single
+// large purchase from blowing through the remaining budget.
+@id("sb-spending-009")
+forbid (
+  principal,
+  action == Action::"MCP::Spend::authorize",
+  resource
+)
+when {
+  context.budget_utilization == "high" &&
+  resource.amount_cents > context.ceiling_tenth_cents
+};

package/dist/chunk-U76JZVH6.mjs

@@ -1,144 +0,0 @@
-// src/demo-server.ts
-import { createInterface } from "readline";
-var TOOLS = [
-  {
-    name: "read_file",
-    description: "Read the contents of a file",
-    inputSchema: {
-      type: "object",
-      properties: { path: { type: "string", description: "File path to read" } },
-      required: ["path"]
-    }
-  },
-  {
-    name: "write_file",
-    description: "Write content to a file",
-    inputSchema: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "File path to write" },
-        content: { type: "string", description: "Content to write" }
-      },
-      required: ["path", "content"]
-    }
-  },
-  {
-    name: "delete_file",
-    description: "Delete a file from the filesystem",
-    inputSchema: {
-      type: "object",
-      properties: { path: { type: "string", description: "File path to delete" } },
-      required: ["path"]
-    }
-  },
-  {
-    name: "web_search",
-    description: "Search the web for information",
-    inputSchema: {
-      type: "object",
-      properties: { query: { type: "string", description: "Search query" } },
-      required: ["query"]
-    }
-  },
-  {
-    name: "deploy",
-    description: "Deploy the application to production",
-    inputSchema: {
-      type: "object",
-      properties: {
-        environment: { type: "string", description: "Target environment", enum: ["staging", "production"] },
-        reason: { type: "string", description: "Deployment reason" }
-      },
-      required: ["environment"]
-    }
-  }
-];
-function handleRequest(request) {
-  if (request.method === "initialize") {
-    return JSON.stringify({
-      jsonrpc: "2.0",
-      id: request.id,
-      result: {
-        protocolVersion: "2024-11-05",
-        serverInfo: { name: "protect-mcp-demo", version: "0.2.0" },
-        capabilities: { tools: {} }
-      }
-    });
-  }
-  if (request.method === "notifications/initialized") {
-    return "";
-  }
-  if (request.method === "tools/list") {
-    return JSON.stringify({
-      jsonrpc: "2.0",
-      id: request.id,
-      result: { tools: TOOLS }
-    });
-  }
-  if (request.method === "tools/call") {
-    const toolName = request.params?.name || "unknown";
-    const args = request.params?.arguments || {};
-    let resultText;
-    switch (toolName) {
-      case "read_file":
-        resultText = `[demo] Read file: ${args.path || "/example.txt"}
-Contents: Hello from protect-mcp demo server!`;
-        break;
-      case "write_file":
-        resultText = `[demo] Wrote ${String(args.content || "").length} bytes to ${args.path || "/example.txt"}`;
-        break;
-      case "delete_file":
-        resultText = `[demo] Deleted file: ${args.path || "/example.txt"}`;
-        break;
-      case "web_search":
-        resultText = `[demo] Search results for "${args.query || "test"}":
-1. Example result \u2014 scopeblind.com
-2. MCP security \u2014 modelcontextprotocol.io`;
-        break;
-      case "deploy":
-        resultText = `[demo] Deployed to ${args.environment || "staging"}${args.reason ? ` (reason: ${args.reason})` : ""}`;
-        break;
-      default:
-        resultText = `[demo] Unknown tool: ${toolName}`;
-    }
-    return JSON.stringify({
-      jsonrpc: "2.0",
-      id: request.id,
-      result: {
-        content: [{ type: "text", text: resultText }]
-      }
-    });
-  }
-  if (request.id !== void 0) {
-    return JSON.stringify({
-      jsonrpc: "2.0",
-      id: request.id,
-      error: { code: -32601, message: `Method not found: ${request.method}` }
-    });
-  }
-  return "";
-}
-var rl = createInterface({ input: process.stdin, crlfDelay: Infinity });
-rl.on("line", (line) => {
-  const trimmed = line.trim();
-  if (!trimmed) return;
-  try {
-    const request = JSON.parse(trimmed);
-    const response = handleRequest(request);
-    if (response) {
-      process.stdout.write(response + "\n");
-    }
-  } catch {
-  }
-});
-process.stderr.write("[DEMO_SERVER] protect-mcp demo server started \u2014 5 tools registered\n");
-function createSandboxServer() {
-  return {
-    tools: TOOLS,
-    handleRequest
-  };
-}
-
-export {
-  createSandboxServer
-};