protect-mcp 0.6.3 → 0.7.0

package/CHANGELOG.md

@@ -0,0 +1,47 @@
+# Changelog
+
+## 0.7.0 (security release): the gate now fails closed and actually evaluates
+
+This release fixes the way the Cedar policy gate behaves when anything goes
+wrong, and a separate defect that meant Cedar policies were not being evaluated
+at all against the pinned engine. If you rely on protect-mcp to enforce a Cedar
+policy, upgrade.
+
+### Security
+
+- **Fail closed, not open.** Before 0.7.0, if the Cedar engine was unavailable,
+  the result was malformed, evaluation threw, or a policy errored, the evaluator
+  returned ALLOW. A security gate must do the opposite. Every error and
+  uncertainty path now DENIES. The allow-on-error behavior is reachable only by
+  explicitly passing `{ failClosed: false }` (observe mode), and even then the
+  decision is flagged `would_deny: true` so a failure is never silent.
+- **An errored policy can no longer permit-all.** Cedar silently discards a
+  policy that errors at evaluation (for example the `context.<string> in [list]`
+  type error in the 0.5.x and 0.6.x advisory), which could leave a residual
+  permit standing. The evaluator now treats any per-policy error as an
+  evaluation error and denies under enforcement.
+- **Cedar policies are actually evaluated now.** The `isAuthorized` call passed
+  the policy text as a bare string, but `@cedar-policy/cedar-wasm@4.x` requires a
+  structured `PolicySet`. As a result every Cedar evaluation errored against the
+  pinned engine and (with the old fail-open default) allowed everything. The call
+  shape and the response parser are corrected, so a `forbid` rule actually denies
+  and a `permit` actually allows.
+
+### Added
+
+- **`protect-mcp evaluate`** and **`protect-mcp sign`**: one-shot per-call verbs
+  for PreToolUse and PostToolUse hooks. `evaluate` loads a Cedar policy, evaluates
+  one tool call fail-closed, and exits 2 on deny (so the tool is blocked) and 0 on
+  allow; a missing or unloadable policy denies unless `--fail-on-missing-policy
+  false` is set. This makes hook configs that invoke these verbs work as written.
+- **`runEvaluatorSelfTest()`** plus a startup gate: `serve --enforce` runs the
+  self-test before arming and refuses to start if the engine cannot prove it
+  denies a known-forbidden vector. `protect-mcp doctor` reports the same, so the
+  gate verifies its own restraint before it is trusted.
+- A CI tripwire test that fails the build if the discarded `in`-on-String pattern
+  is ever reintroduced into a shipped policy.
+
+### Affected versions
+
+The fail-open behavior and the unevaluated-Cedar defect are present in the
+0.5.x and 0.6.x lines. Upgrade to 0.7.0.

package/README.md

@@ -401,6 +401,17 @@ npx @veritasacta/verify receipt.json --key <public-key-hex>
 - **Patent Status**: 4 Australian provisional patents pending (2025-2026)
 - **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) merged + [PR #73](https://github.com/cedar-policy/cedar-for-agents/pull/73) (RequestGenerator, pending review)
 
+## What's New in v0.7.0 (security release)
+
+The gate now fails closed. On any policy-evaluation error, a missing engine, or a
+policy that errored, the decision is DENY, not allow. Cedar is also evaluated
+correctly against cedar-wasm 4.x (earlier versions passed the policy in a shape the
+engine rejected, so evaluation errored and the old fail-open default allowed
+everything). `serve --enforce` now runs a restraint self-test before arming and
+refuses to start if it cannot prove it denies a forbidden vector, `doctor` reports
+that self-test, and one-shot `evaluate` and `sign` verbs are available for hooks.
+Upgrade from any 0.5.x or 0.6.x. See CHANGELOG.md.
+
 ## What's New in v0.5.3
 
 - `quickstart --connect`: Auto-create dashboard sandbox and configure receipt upload

package/dist/{chunk-UV53U6D4.mjs → chunk-546U3A7R.mjs}

@@ -289,14 +289,18 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req, schema) {
+function onEvalError(reason, failClosed, extra) {
+  return {
+    allowed: !failClosed,
+    reason: failClosed ? reason : `${reason} (observe mode; would DENY under enforcement)`,
+    metadata: { error: true, fail_closed: failClosed, would_deny: true, ...extra || {} }
+  };
+}
+async function evaluateCedar(policySet, req, schema, options) {
+  const failClosed = options?.failClosed ?? true;
   const available = await ensureCedarWasm();
   if (!available) {
-    return {
-      allowed: true,
-      reason: "cedar_wasm_not_available",
-      metadata: { fallback: true }
-    };
+    return onEvalError("cedar_wasm_not_available", failClosed, { fallback: true });
   }
   try {
     const agentId = req.agentId || req.tier;
@@ -318,7 +322,7 @@ async function evaluateCedar(policySet, req, schema) {
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
-        policies: policySet.source,
+        policies: { staticPolicies: policySet.source },
         entities,
         principal: authRequest.principal,
         action: authRequest.action,
@@ -336,7 +340,7 @@ async function evaluateCedar(policySet, req, schema) {
       const cedarEngine = cedarWasm.default || cedarWasm;
       if (typeof cedarEngine.isAuthorized === "function") {
         result = cedarEngine.isAuthorized({
-          policies: policySet.source,
+          policies: { staticPolicies: policySet.source },
           entities,
           principal: authRequest.principal,
           action: authRequest.action,
@@ -345,61 +349,87 @@ async function evaluateCedar(policySet, req, schema) {
           schema: cedarSchema
         });
       } else {
-        return {
-          allowed: true,
-          reason: "cedar_wasm_api_unsupported",
-          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
-        };
+        return onEvalError("cedar_wasm_api_unsupported", failClosed, { exports: Object.keys(cedarWasm) });
       }
     }
-    const decision = parseWasmResult(result);
+    const parsed = parseWasmResult(result);
+    const policyErrors = extractPolicyErrors(result);
+    if (parsed.kind === "error") {
+      return onEvalError(`cedar_unparseable_result: ${parsed.diagnostics}`, failClosed);
+    }
+    if (policyErrors.length > 0) {
+      return onEvalError(
+        `cedar_policy_errored: ${policyErrors.length} policy error(s); decision is unsound`,
+        failClosed,
+        { policy_errors: policyErrors.slice(0, 5), policy_digest: policySet.digest }
+      );
+    }
     return {
-      allowed: decision.allowed,
-      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      allowed: parsed.kind === "allow",
+      reason: parsed.kind === "allow" ? void 0 : `cedar_deny${parsed.diagnostics ? ": " + parsed.diagnostics : ""}`,
       metadata: {
         policy_digest: policySet.digest,
-        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+        ...parsed.matchedPolicies ? { matched_policies: parsed.matchedPolicies } : {}
       }
     };
   } catch (err) {
-    return {
-      allowed: true,
-      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
-      metadata: { fallback: true, error: true }
-    };
+    return onEvalError(`cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`, failClosed);
   }
 }
 function parseWasmResult(result) {
-  if (!result) {
-    return { allowed: true, diagnostics: "null result from Cedar WASM" };
-  }
-  if (result.type === "allow" || result.type === "Allow") {
-    return { allowed: true };
-  }
-  if (result.type === "deny" || result.type === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
-      matchedPolicies: result.diagnostics?.reasons
-    };
-  }
-  if (result.decision === "Allow") {
-    return { allowed: true };
-  }
-  if (result.decision === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
-    };
-  }
-  if (typeof result === "boolean") {
-    return { allowed: result };
+  if (!result) return { kind: "error", diagnostics: "null result from Cedar WASM" };
+  if (result.type === "failure") {
+    return { kind: "error", diagnostics: `cedar failure: ${JSON.stringify(result.errors ?? [])}` };
+  }
+  if (result.type === "success" && result.response) {
+    const dec = result.response.decision;
+    const reasons = result.response.diagnostics?.reason;
+    if (dec === "allow" || dec === "Allow") return { kind: "allow", matchedPolicies: reasons };
+    if (dec === "deny" || dec === "Deny") {
+      return { kind: "deny", diagnostics: result.response.diagnostics ? JSON.stringify(result.response.diagnostics) : void 0, matchedPolicies: reasons };
+    }
   }
-  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+  if (result.type === "allow" || result.decision === "Allow") return { kind: "allow" };
+  if (result.type === "deny" || result.decision === "Deny") return { kind: "deny" };
+  if (typeof result === "boolean") return result ? { kind: "allow" } : { kind: "deny" };
+  return { kind: "error", diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+function extractPolicyErrors(result) {
+  if (!result || typeof result !== "object") return [];
+  const raw = result.errors ?? result.response?.diagnostics?.errors ?? result.diagnostics?.errors ?? [];
+  if (!Array.isArray(raw)) return [];
+  return raw.map((e) => typeof e === "string" ? e : e?.message ?? e?.error ?? JSON.stringify(e)).filter(Boolean);
 }
 async function isCedarAvailable() {
   return ensureCedarWasm();
 }
+function policySetFromSource(source, name = "inline") {
+  const digest = createHash2("sha256").update(source).digest("hex").slice(0, 16);
+  return { source, digest, fileCount: 1, files: [name] };
+}
+async function runEvaluatorSelfTest() {
+  const wasmAvailable = await isCedarAvailable();
+  const cases = [];
+  const run = async (name, expected, policy, context) => {
+    const d = await evaluateCedar(policy, { tool: "Bash", tier: "unknown", context }, void 0, { failClosed: true });
+    const actual = d.allowed ? "ALLOW" : "DENY";
+    cases.push({ name, expected, actual, pass: actual === expected, reason: d.reason });
+  };
+  if (!wasmAvailable) {
+    await run("engine unavailable denies", "DENY", policySetFromSource("permit(principal, action, resource);"), {});
+    return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+  }
+  const correct = policySetFromSource(
+    'forbid(principal, action, resource) when { ["rm", "dd", "mkfs"].contains(context.command) };\npermit(principal, action, resource);'
+  );
+  await run("forbid denies rm", "DENY", correct, { command: "rm" });
+  await run("permit allows ls", "ALLOW", correct, { command: "ls" });
+  const broken = policySetFromSource(
+    'forbid(principal, action, resource) when { context.command in ["rm", "dd"] };\npermit(principal, action, resource);'
+  );
+  await run("in-on-String forbid does not permit-all", "DENY", broken, { command: "rm" });
+  return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+}
 
 // src/http-server.ts
 import { createServer } from "http";
@@ -638,6 +668,8 @@ export {
   loadCedarPolicies,
   evaluateCedar,
   isCedarAvailable,
+  policySetFromSource,
+  runEvaluatorSelfTest,
   ReceiptBuffer,
   startStatusServer
 };

package/dist/chunk-D733KAPG.mjs

@@ -0,0 +1,252 @@
+// node_modules/@noble/hashes/esm/cryptoNode.js
+import * as nc from "crypto";
+var crypto = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && "randomBytes" in nc ? nc : void 0;
+
+// node_modules/@noble/hashes/esm/utils.js
+function isBytes(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function anumber(n) {
+  if (!Number.isSafeInteger(n) || n < 0)
+    throw new Error("positive integer expected, got " + n);
+}
+function abytes(b, ...lengths) {
+  if (!isBytes(b))
+    throw new Error("Uint8Array expected");
+  if (lengths.length > 0 && !lengths.includes(b.length))
+    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
+}
+function ahash(h) {
+  if (typeof h !== "function" || typeof h.create !== "function")
+    throw new Error("Hash should be wrapped by utils.createHasher");
+  anumber(h.outputLen);
+  anumber(h.blockLen);
+}
+function aexists(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput(out, instance) {
+  abytes(out);
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error("digestInto() expects output buffer of length at least " + min);
+  }
+}
+function u8(arr) {
+  return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function u32(arr) {
+  return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+function clean(...arrays) {
+  for (let i = 0; i < arrays.length; i++) {
+    arrays[i].fill(0);
+  }
+}
+function createView(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function rotr(word, shift) {
+  return word << 32 - shift | word >>> shift;
+}
+function rotl(word, shift) {
+  return word << shift | word >>> 32 - shift >>> 0;
+}
+var isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
+function byteSwap(word) {
+  return word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
+}
+var swap8IfBE = isLE ? (n) => n : (n) => byteSwap(n);
+var byteSwapIfBE = swap8IfBE;
+function byteSwap32(arr) {
+  for (let i = 0; i < arr.length; i++) {
+    arr[i] = byteSwap(arr[i]);
+  }
+  return arr;
+}
+var swap32IfBE = isLE ? (u) => u : byteSwap32;
+var hasHexBuiltin = /* @__PURE__ */ (() => (
+  // @ts-ignore
+  typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function"
+))();
+var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+function bytesToHex(bytes) {
+  abytes(bytes);
+  if (hasHexBuiltin)
+    return bytes.toHex();
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += hexes[bytes[i]];
+  }
+  return hex;
+}
+var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+  if (ch >= asciis._0 && ch <= asciis._9)
+    return ch - asciis._0;
+  if (ch >= asciis.A && ch <= asciis.F)
+    return ch - (asciis.A - 10);
+  if (ch >= asciis.a && ch <= asciis.f)
+    return ch - (asciis.a - 10);
+  return;
+}
+function hexToBytes(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  if (hasHexBuiltin)
+    return Uint8Array.fromHex(hex);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    throw new Error("hex string expected, got unpadded hex of length " + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+}
+var nextTick = async () => {
+};
+async function asyncLoop(iters, tick, cb) {
+  let ts = Date.now();
+  for (let i = 0; i < iters; i++) {
+    cb(i);
+    const diff = Date.now() - ts;
+    if (diff >= 0 && diff < tick)
+      continue;
+    await nextTick();
+    ts += diff;
+  }
+}
+function utf8ToBytes(str) {
+  if (typeof str !== "string")
+    throw new Error("string expected");
+  return new Uint8Array(new TextEncoder().encode(str));
+}
+function bytesToUtf8(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+function toBytes(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes(data);
+  abytes(data);
+  return data;
+}
+function kdfInputToBytes(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes(data);
+  abytes(data);
+  return data;
+}
+function concatBytes(...arrays) {
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    abytes(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
+    pad += a.length;
+  }
+  return res;
+}
+function checkOpts(defaults, opts) {
+  if (opts !== void 0 && {}.toString.call(opts) !== "[object Object]")
+    throw new Error("options should be object or undefined");
+  const merged = Object.assign(defaults, opts);
+  return merged;
+}
+var Hash = class {
+};
+function createHasher(hashCons) {
+  const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
+  const tmp = hashCons();
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = () => hashCons();
+  return hashC;
+}
+function createOptHasher(hashCons) {
+  const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
+  const tmp = hashCons({});
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (opts) => hashCons(opts);
+  return hashC;
+}
+function createXOFer(hashCons) {
+  const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
+  const tmp = hashCons({});
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (opts) => hashCons(opts);
+  return hashC;
+}
+var wrapConstructor = createHasher;
+var wrapConstructorWithOpts = createOptHasher;
+var wrapXOFConstructorWithOpts = createXOFer;
+function randomBytes(bytesLength = 32) {
+  if (crypto && typeof crypto.getRandomValues === "function") {
+    return crypto.getRandomValues(new Uint8Array(bytesLength));
+  }
+  if (crypto && typeof crypto.randomBytes === "function") {
+    return Uint8Array.from(crypto.randomBytes(bytesLength));
+  }
+  throw new Error("crypto.getRandomValues must be defined");
+}
+
+export {
+  isBytes,
+  anumber,
+  abytes,
+  ahash,
+  aexists,
+  aoutput,
+  u8,
+  u32,
+  clean,
+  createView,
+  rotr,
+  rotl,
+  isLE,
+  byteSwap,
+  swap8IfBE,
+  byteSwapIfBE,
+  byteSwap32,
+  swap32IfBE,
+  bytesToHex,
+  hexToBytes,
+  nextTick,
+  asyncLoop,
+  utf8ToBytes,
+  bytesToUtf8,
+  toBytes,
+  kdfInputToBytes,
+  concatBytes,
+  checkOpts,
+  Hash,
+  createHasher,
+  createOptHasher,
+  createXOFer,
+  wrapConstructor,
+  wrapConstructorWithOpts,
+  wrapXOFConstructorWithOpts,
+  randomBytes
+};
+/*! Bundled license information:
+
+@noble/hashes/esm/utils.js:
+  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/