protect-mcp 0.6.0 → 0.6.3

package/dist/index.d.ts CHANGED
@@ -803,9 +803,9 @@ declare function validateCredentials(credentials: Record<string, CredentialConfi
803
803
  * Produces signed v2 artifact receipts for tool call decisions.
804
804
  * Uses @veritasacta/artifacts as a required dependency (Sprint 2+).
805
805
  *
806
- * If signing is configured, every decision produces a signed artifact.
807
- * If signing fails, the receipt is emitted unsigned with signature: null
808
- * and a warning never crashes, never silently drops.
806
+ * If signing is configured, every decision must produce a signed artifact.
807
+ * Initialization and signing failures are returned as explicit errors so the
808
+ * enforce path can deny rather than silently proceeding without evidence.
809
809
  */
810
810
 
811
811
  /**
@@ -827,9 +827,11 @@ declare function initSigning(config: SigningConfig | undefined): Promise<string[
827
827
  * @standard RFC 8032 (Ed25519), RFC 8785 (JCS)
828
828
  */
829
829
  declare function signDecision(entry: DecisionLog): {
830
+ ok: boolean;
830
831
  signed: string | null;
831
832
  artifact_type: string;
832
833
  warning?: string;
834
+ error?: string;
833
835
  };
834
836
  /**
835
837
  * Get the signer's public key info for discovery/verification.
@@ -2017,6 +2019,29 @@ interface ApprovalResult {
2017
2019
  contextHash: string;
2018
2020
  /** Timestamp of approval */
2019
2021
  approvedAt: string;
2022
+ /** On failure, a machine-readable reason (e.g. 'invalid_signature'). */
2023
+ reason?: string;
2024
+ }
2025
+ /**
2026
+ * The registered credential public key, extracted from the COSE_Key at
2027
+ * registration. ES256 keys are an uncompressed P-256 point; EdDSA keys are a
2028
+ * 32-byte Ed25519 public key.
2029
+ */
2030
+ interface CredentialPublicKey {
2031
+ /** COSE algorithm: -7 = ES256 (P-256 / ECDSA), -8 = EdDSA (Ed25519). */
2032
+ alg: -7 | -8;
2033
+ /** Public key, hex. ES256: 65-byte uncompressed point (0x04 || x || y). EdDSA: 32-byte key. */
2034
+ publicKeyHex: string;
2035
+ }
2036
+ interface VerifyAssertionOptions {
2037
+ /** Allowed origin(s) the assertion must come from, e.g. 'https://app.scopeblind.com'. Defaults to https://<rpId>. */
2038
+ expectedOrigin?: string | string[];
2039
+ /** Require the UV (user-verified / biometric or PIN) flag. Default true. */
2040
+ requireUserVerification?: boolean;
2041
+ /** The signCount stored from the previous assertion; a non-increasing counter signals a cloned authenticator. */
2042
+ prevSignCount?: number;
2043
+ /** Override 'now' (ms) for testing. */
2044
+ now?: number;
2020
2045
  }
2021
2046
  /**
2022
2047
  * Create a WebAuthn challenge for approving a tool call.
@@ -2053,17 +2078,22 @@ declare function toCredentialRequestOptions(challenge: ApprovalChallenge, allowC
2053
2078
  };
2054
2079
  };
2055
2080
  /**
2056
- * Verify a WebAuthn assertion from the client.
2057
- *
2058
- * This is a simplified verification that checks the structure
2059
- * and extracts the authenticator data. For production use with
2060
- * full signature verification, use the @simplewebauthn/server package.
2081
+ * Verify a WebAuthn assertion: full, fail-closed verification of a passkey or
2082
+ * security-key co-sign. This proves a SPECIFIC human authorized a SPECIFIC
2083
+ * action with a hardware-held key the host operator cannot exfiltrate. It
2084
+ * checks, in order: challenge freshness; clientDataJSON type, challenge, and
2085
+ * origin; the rpIdHash; the UP (and, by default, UV) flags; the authenticator
2086
+ * signature over authenticatorData || SHA-256(clientDataJSON) using the
2087
+ * registered credential public key (ES256 or EdDSA); and signCount monotonicity
2088
+ * (clone detection) when a previous count is supplied. Any failure returns
2089
+ * valid:false with a reason; nothing is trusted on a partial check.
2061
2090
  *
2062
- * @param challenge - The original challenge
2063
- * @param assertion - The assertion from navigator.credentials.get()
2064
- * @returns ApprovalResult with verification details
2091
+ * @param challenge - the original challenge
2092
+ * @param assertion - the assertion from navigator.credentials.get()
2093
+ * @param credentialPublicKey - the registered public key for assertion.credentialId
2094
+ * @param opts - origin / UV / signCount / clock options
2065
2095
  */
2066
- declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion): ApprovalResult;
2096
+ declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion, credentialPublicKey?: CredentialPublicKey, opts?: VerifyAssertionOptions): ApprovalResult;
2067
2097
  /**
2068
2098
  * Create the approval receipt payload for embedding in an Acta receipt.
2069
2099
  *
@@ -2911,4 +2941,73 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
2911
2941
  receipt: Record<string, unknown>;
2912
2942
  }>;
2913
2943
 
2914
- export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, 
type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
2944
+ /**
2945
+ * scopeblind-bridge.ts
2946
+ *
2947
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
2948
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
2949
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
2950
+ * dashboard at https://scopeblind.com/console/<slug>.
2951
+ *
2952
+ * Lifecycle:
2953
+ * 1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
2954
+ * auth proof from /fn/brass/issue. Cache the proof in memory until
2955
+ * ~5 minutes before expiry, then refresh.
2956
+ * 2. As receipts are emitted by hook-server.ts, push them into an
2957
+ * in-memory batch queue.
2958
+ * 3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
2959
+ * to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
2960
+ *
2961
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
2962
+ * to mint and persist receipts locally regardless of dashboard availability.
2963
+ * The bridge logs failures to stderr (best-effort) and retries on the next
2964
+ * flush.
2965
+ *
2966
+ * Configuration:
2967
+ * SCOPEBLIND_TOKEN Tenant bearer token (from welcome email).
2968
+ * SCOPEBLIND_TENANT Optional slug override. By default we discover
2969
+ * the slug from the BRASS proof's tenant_id.
2970
+ * SCOPEBLIND_BASE Defaults to https://scopeblind.com.
2971
+ *
2972
+ * @license MIT
2973
+ */
2974
+ interface BridgeStats {
2975
+ enabled: boolean;
2976
+ tenant_slug: string | null;
2977
+ forwarded_total: number;
2978
+ rejected_total: number;
2979
+ last_flush_at: string | null;
2980
+ last_error: string | null;
2981
+ }
2982
+ declare class ScopeBlindBridge {
2983
+ private readonly token;
2984
+ private readonly base;
2985
+ private readonly tenantOverride;
2986
+ private cachedProof;
2987
+ private queue;
2988
+ private flushTimer;
2989
+ private stats;
2990
+ private shuttingDown;
2991
+ constructor(env?: Record<string, string | undefined>);
2992
+ enabled(): boolean;
2993
+ /** Push a signed receipt into the queue. Non-blocking. */
2994
+ forward(signedReceipt: any): void;
2995
+ /** Flush the queue. Safe to call concurrently. */
2996
+ flush(): Promise<void>;
2997
+ /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
2998
+ private ensureBrassProof;
2999
+ /**
3000
+ * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
3001
+ */
3002
+ getStats(): BridgeStats & {
3003
+ queued: number;
3004
+ brass_proof_expires_at: string | null;
3005
+ };
3006
+ /** Flush remaining receipts and stop the interval. Called on process exit. */
3007
+ shutdown(): Promise<void>;
3008
+ }
3009
+ declare function getScopeBlindBridge(): ScopeBlindBridge;
3010
+ /** Convenience: forward a signed receipt without instantiating yourself. */
3011
+ declare function forwardReceipt(signedReceipt: any): void;
3012
+
3013
+ export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, 
type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
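Review bot: In the `verifyApprovalAssertion` hunk, `credentialPublicKey?: CredentialPublicKey` is optional, so a two-argument call written against 0.6.0 still type-checks, even though the new docblock describes signature verification with the registered key as part of a fail-closed check. The declaration file does not show what is returned when the key is omitted, so the docblock should state it, for example `@returns valid:false with a reason when credentialPublicKey is not supplied` if that is the implemented behaviour; otherwise the parameter should be made required so stale call sites fail at compile time. `opts.prevSignCount` has a similar gap: its own comment should say that the signCount comparison is skipped when no previous count is passed, which the docblock only implies with "when a previous count is supplied". Only the declarations are visible here, so the runtime behaviour is inferred from the comments.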