protect-mcp 0.6.0 → 0.6.3
- package/README.md +42 -1
- package/dist/{chunk-SPHLVRJ2.mjs → chunk-3YCKR72H.mjs} +223 -4
- package/dist/{chunk-BYYWYSHM.mjs → chunk-PLKRTBDR.mjs} +15 -3
- package/dist/{chunk-GQWJCHQV.mjs → chunk-S4ICHNSP.mjs} +2 -2
- package/dist/{chunk-YTBC72JJ.mjs → chunk-UV53U6D4.mjs} +69 -25
- package/dist/cli.js +329 -2676
- package/dist/cli.mjs +10 -10
- package/dist/hook-server.js +283 -28
- package/dist/hook-server.mjs +2 -2
- package/dist/{http-transport-LNBENGXD.mjs → http-transport-MO32ESHZ.mjs} +2 -2
- package/dist/index.d.mts +112 -13
- package/dist/index.d.ts +112 -13
- package/dist/index.js +783 -2582
- package/dist/index.mjs +119 -66
- package/package.json +4 -2
- package/dist/chunk-D733KAPG.mjs +0 -252
- package/dist/chunk-LYKNULYU.mjs +0 -2446
- package/dist/ed25519-DZMMNNVE.mjs +0 -38
- package/dist/utils-6AYZFE5A.mjs +0 -77
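--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -803,9 +803,9 @@ declare function validateCredentials(credentials: Record<string, CredentialConfi
 * Produces signed v2 artifact receipts for tool call decisions.
 * Uses @veritasacta/artifacts as a required dependency (Sprint 2+).
 *
-* If signing is configured, every decision
-*
-*
+* If signing is configured, every decision must produce a signed artifact.
+* Initialization and signing failures are returned as explicit errors so the
+* enforce path can deny rather than silently proceeding without evidence.
 */
 
 /**
@@ -827,9 +827,11 @@ declare function initSigning(config: SigningConfig | undefined): Promise<string[
 * @standard RFC 8032 (Ed25519), RFC 8785 (JCS)
 */
 declare function signDecision(entry: DecisionLog): {
+ok: boolean;
 signed: string | null;
 artifact_type: string;
 warning?: string;
+error?: string;
 };
 /**
 * Get the signer's public key info for discovery/verification.
@@ -2017,6 +2019,29 @@ interface ApprovalResult {
 contextHash: string;
 /** Timestamp of approval */
 approvedAt: string;
+/** On failure, a machine-readable reason (e.g. 'invalid_signature'). */
+reason?: string;
+}
+/**
+* The registered credential public key, extracted from the COSE_Key at
+* registration. ES256 keys are an uncompressed P-256 point; EdDSA keys are a
+* 32-byte Ed25519 public key.
+*/
+interface CredentialPublicKey {
+/** COSE algorithm: -7 = ES256 (P-256 / ECDSA), -8 = EdDSA (Ed25519). */
+alg: -7 | -8;
+/** Public key, hex. ES256: 65-byte uncompressed point (0x04 || x || y). EdDSA: 32-byte key. */
+publicKeyHex: string;
+}
+interface VerifyAssertionOptions {
+/** Allowed origin(s) the assertion must come from, e.g. 'https://app.scopeblind.com'. Defaults to https://<rpId>. */
+expectedOrigin?: string | string[];
+/** Require the UV (user-verified / biometric or PIN) flag. Default true. */
+requireUserVerification?: boolean;
+/** The signCount stored from the previous assertion; a non-increasing counter signals a cloned authenticator. */
+prevSignCount?: number;
+/** Override 'now' (ms) for testing. */
+now?: number;
 }
 /**
 * Create a WebAuthn challenge for approving a tool call.
@@ -2053,17 +2078,22 @@ declare function toCredentialRequestOptions(challenge: ApprovalChallenge, allowC
 };
 };
 /**
-* Verify a WebAuthn assertion
-*
-*
-*
-*
+* Verify a WebAuthn assertion: full, fail-closed verification of a passkey or
+* security-key co-sign. This proves a SPECIFIC human authorized a SPECIFIC
+* action with a hardware-held key the host operator cannot exfiltrate. It
+* checks, in order: challenge freshness; clientDataJSON type, challenge, and
+* origin; the rpIdHash; the UP (and, by default, UV) flags; the authenticator
+* signature over authenticatorData || SHA-256(clientDataJSON) using the
+* registered credential public key (ES256 or EdDSA); and signCount monotonicity
+* (clone detection) when a previous count is supplied. Any failure returns
+* valid:false with a reason; nothing is trusted on a partial check.
 *
-* @param challenge -
-* @param assertion -
-* @
+* @param challenge - the original challenge
+* @param assertion - the assertion from navigator.credentials.get()
+* @param credentialPublicKey - the registered public key for assertion.credentialId
+* @param opts - origin / UV / signCount / clock options
 */
-declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion): ApprovalResult;
+declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion, credentialPublicKey?: CredentialPublicKey, opts?: VerifyAssertionOptions): ApprovalResult;
 /**
 * Create the approval receipt payload for embedding in an Acta receipt.
 *
@@ -2911,4 +2941,73 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
 receipt: Record<string, unknown>;
 }>;
 
-
+/**
+* scopeblind-bridge.ts
+*
+* Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+* tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+* receipt that protect-mcp emits also gets forwarded to the tenant's
+* dashboard at https://scopeblind.com/console/<slug>.
+*
+* Lifecycle:
+* 1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+* auth proof from /fn/brass/issue. Cache the proof in memory until
+* ~5 minutes before expiry, then refresh.
+* 2. As receipts are emitted by hook-server.ts, push them into an
+* in-memory batch queue.
+* 3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+* to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+*
+* Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+* to mint and persist receipts locally regardless of dashboard availability.
+* The bridge logs failures to stderr (best-effort) and retries on the next
+* flush.
+*
+* Configuration:
+* SCOPEBLIND_TOKEN Tenant bearer token (from welcome email).
+* SCOPEBLIND_TENANT Optional slug override. By default we discover
+* the slug from the BRASS proof's tenant_id.
+* SCOPEBLIND_BASE Defaults to https://scopeblind.com.
+*
+* @license MIT
+*/
+interface BridgeStats {
+enabled: boolean;
+tenant_slug: string | null;
+forwarded_total: number;
+rejected_total: number;
+last_flush_at: string | null;
+last_error: string | null;
+}
+declare class ScopeBlindBridge {
+private readonly token;
+private readonly base;
+private readonly tenantOverride;
+private cachedProof;
+private queue;
+private flushTimer;
+private stats;
+private shuttingDown;
+constructor(env?: Record<string, string | undefined>);
+enabled(): boolean;
+/** Push a signed receipt into the queue. Non-blocking. */
+forward(signedReceipt: any): void;
+/** Flush the queue. Safe to call concurrently. */
+flush(): Promise<void>;
+/** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+private ensureBrassProof;
+/**
+* Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+*/
+getStats(): BridgeStats & {
+queued: number;
+brass_proof_expires_at: string | null;
+};
+/** Flush remaining receipts and stop the interval. Called on process exit. */
+shutdown(): Promise<void>;
+}
+declare function getScopeBlindBridge(): ScopeBlindBridge;
+/** Convenience: forward a signed receipt without instantiating yourself. */
+declare function forwardReceipt(signedReceipt: any): void;
+
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };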
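Review bot: In the `verifyApprovalAssertion` hunk (new line 2096), `credentialPublicKey` and `opts` are optional even though the doc comment above promises full, fail-closed verification including the authenticator signature, and nothing in the declaration says what a call without the key returns. Two-argument callers written against 0.6.0 still type-check, so unless the implementation (not visible in this .d.ts) returns valid:false for a missing key, upgrading alone gives them no signature check. I would pin the contract in the doc comment, for example `@param credentialPublicKey - the registered public key; when omitted the result is valid:false`, or make the parameter required at the next breaking release. Likewise `prevSignCount` is opt-in, so its comment should say that clone detection is skipped unless the caller persists and passes the previous count. The export list on new line 3013 also omits `CredentialPublicKey` and `VerifyAssertionOptions`, so consumers cannot import the types needed to build the new arguments; adding `type CredentialPublicKey, type VerifyAssertionOptions` there would fix that.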