protect-mcp 0.6.3 → 0.7.0

package/dist/index.mjs

@@ -1,8 +1,24 @@
+import {
+  formatReportMarkdown,
+  generateReport
+} from "./chunk-JQDVKZBN.mjs";
 import {
   formatSimulation,
   parseLogFile,
   simulate
-} from "./chunk-S4ICHNSP.mjs";
+} from "./chunk-ZBKJANP7.mjs";
+import {
+  ProtectGateway,
+  buildDecisionContext,
+  evaluateTier,
+  listCredentialLabels,
+  meetsMinTier,
+  parseNotificationConfigFromEnv,
+  queryExternalPDP,
+  resolveCredential,
+  sendApprovalNotification,
+  validateCredentials
+} from "./chunk-OHUTUFTC.mjs";
 import {
   createSandboxServer
 } from "./chunk-J6L4XCTE.mjs";
@@ -17,23 +33,7 @@ import {
   forwardReceipt,
   getScopeBlindBridge,
   startHookServer
-} from "./chunk-3YCKR72H.mjs";
-import {
-  collectSignedReceipts,
-  createAuditBundle
-} from "./chunk-5JXFV37Y.mjs";
-import {
-  ProtectGateway,
-  buildDecisionContext,
-  evaluateTier,
-  listCredentialLabels,
-  meetsMinTier,
-  parseNotificationConfigFromEnv,
-  queryExternalPDP,
-  resolveCredential,
-  sendApprovalNotification,
-  validateCredentials
-} from "./chunk-PLKRTBDR.mjs";
+} from "./chunk-X63ELMU4.mjs";
 import {
   checkRateLimit,
   evaluateCedar,
@@ -45,36 +45,43 @@ import {
   loadCedarPolicies,
   loadPolicy,
   parseRateLimit,
+  policySetFromSource,
+  runEvaluatorSelfTest,
   signDecision
-} from "./chunk-UV53U6D4.mjs";
+} from "./chunk-546U3A7R.mjs";
 import {
-  formatReportMarkdown,
-  generateReport
-} from "./chunk-JQDVKZBN.mjs";
+  ed25519,
+  sha256
+} from "./chunk-LYKNULYU.mjs";
+import {
+  bytesToHex,
+  hexToBytes,
+  randomBytes
+} from "./chunk-D733KAPG.mjs";
+import {
+  collectSignedReceipts,
+  createAuditBundle
+} from "./chunk-5JXFV37Y.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
-// src/signing-committed.ts
-import { ed25519 } from "@noble/curves/ed25519";
-import { sha256 as sha2563 } from "@noble/hashes/sha256";
-import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes3, randomBytes as randomBytes2 } from "@noble/hashes/utils";
+// node_modules/@noble/hashes/esm/sha256.js
+var sha2562 = sha256;
 
 // src/commitments/merkle.ts
-import { sha256 } from "@noble/hashes/sha256";
-import { bytesToHex, hexToBytes } from "@noble/hashes/utils";
 var DOMAIN_LEAF = 0;
 var DOMAIN_INTERNAL = 1;
 function hashLeaf(leafBytes) {
   const buf = new Uint8Array(leafBytes.length + 1);
   buf[0] = DOMAIN_LEAF;
   buf.set(leafBytes, 1);
-  return sha256(buf);
+  return sha2562(buf);
 }
 function hashInternal(left, right) {
   const buf = new Uint8Array(left.length + right.length + 1);
   buf[0] = DOMAIN_INTERNAL;
   buf.set(left, 1);
   buf.set(right, 1 + left.length);
-  return sha256(buf);
+  return sha2562(buf);
 }
 function merkleRoot(leafHashes) {
   if (leafHashes.length === 0) {
@@ -128,9 +135,6 @@ function largestPowerOfTwoLessThan(n) {
 }
 
 // src/commitments/primitives.ts
-import { sha256 as sha2562 } from "@noble/hashes/sha256";
-import { hmac } from "@noble/hashes/hmac";
-import { bytesToHex as bytesToHex2, hexToBytes as hexToBytes2, randomBytes } from "@noble/hashes/utils";
 function jcs(value) {
   if (value === null || value === void 0) return "null";
   if (typeof value === "boolean" || typeof value === "number")
@@ -181,7 +185,7 @@ function leavesFromFields(fields) {
 
 // src/signing-committed.ts
 function freshSalt() {
-  return randomBytes2(32);
+  return randomBytes(32);
 }
 function signCommittedDecision(entry, committedFieldNames, signingKey, publicKey, kid, issuer) {
   const allFields = {
@@ -221,7 +225,7 @@ function signCommittedDecision(entry, committedFieldNames, signingKey, publicKey
     const { sorted, leafBytes } = leavesFromFields(committedFields);
     const leafHashes = leafBytes.map(hashLeaf);
     const root = merkleRoot(leafHashes);
-    committedFieldsRoot = bytesToHex3(root);
+    committedFieldsRoot = bytesToHex(root);
     sorted.forEach((f, i) => {
       openings[f.name] = { name: f.name, value: f.value, salt: f.salt, index: i };
     });
@@ -238,8 +242,8 @@ function signCommittedDecision(entry, committedFieldNames, signingKey, publicKey
     payload.committed_field_names = committedFields.map((f) => f.name);
   }
   const canonical = jcs(payload);
-  const messageHash = sha2563(new TextEncoder().encode(canonical));
-  const signatureBytes = ed25519.sign(messageHash, hexToBytes3(signingKey));
+  const messageHash = sha2562(new TextEncoder().encode(canonical));
+  const signatureBytes = ed25519.sign(messageHash, hexToBytes(signingKey));
   const signedReceipt = {
     ...payload,
     signature: {
@@ -252,7 +256,7 @@ function signCommittedDecision(entry, committedFieldNames, signingKey, publicKey
     }
   };
   const signedJson = JSON.stringify(signedReceipt);
-  const receiptHash = bytesToHex3(sha2563(new TextEncoder().encode(jcs(signedReceipt))));
+  const receiptHash = bytesToHex(sha2562(new TextEncoder().encode(jcs(signedReceipt))));
   return {
     signed: signedJson,
     artifact_type: "decision_receipt_committed_v1",
@@ -787,7 +791,7 @@ function createLogAnchorField(anchor) {
 }
 
 // src/selective-disclosure.ts
-import { createHash as createHash2, randomBytes as randomBytes3 } from "crypto";
+import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
 function redactFields(receipt, fieldsToRedact) {
   const redacted = JSON.parse(JSON.stringify(receipt));
   const salts = [];
@@ -803,7 +807,7 @@ function redactFields(receipt, fieldsToRedact) {
       if (i === parts.length - 1) {
         if (key in current) {
           const originalValue = current[key];
-          const salt = randomBytes3(16).toString("hex");
+          const salt = randomBytes2(16).toString("hex");
           const commitment = computeCommitment(salt, originalValue);
           salts.push({ field: fieldPath, salt, originalValue });
           current[key] = `sha256(salt + ${typeof originalValue === "string" ? "..." : JSON.stringify(originalValue).slice(0, 20) + "..."})`;
@@ -1020,13 +1024,9 @@ MIT
 }
 
 // src/webauthn-approval.ts
-import { createHash as createHash3, randomBytes as randomBytes4, timingSafeEqual } from "crypto";
-import { p256 } from "@noble/curves/p256";
-import { ed25519 as ed255192 } from "@noble/curves/ed25519";
-import { sha256 as sha2564 } from "@noble/hashes/sha256";
-import { hexToBytes as hexToBytes4 } from "@noble/hashes/utils";
+import { createHash as createHash3, randomBytes as randomBytes3 } from "crypto";
 function createApprovalChallenge(requestId, toolName, agentId, rpId = "scopeblind.com", timeoutSeconds = 300) {
-  const challengeBytes = randomBytes4(32);
+  const challengeBytes = randomBytes3(32);
   const contextHash = createHash3("sha256").update(JSON.stringify({ requestId, toolName, agentId, timestamp: Date.now() })).digest("hex");
   return {
     challenge: base64urlEncode(challengeBytes),
@@ -1056,72 +1056,43 @@ function toCredentialRequestOptions(challenge, allowCredentials) {
     }
   };
 }
-function verifyApprovalAssertion(challenge, assertion, credentialPublicKey, opts = {}) {
-  const now = opts.now ?? Date.now();
-  const fail = (reason, partial = {}) => ({
-    valid: false,
-    reason,
-    credentialId: assertion.credentialId,
-    authenticatorType: "unknown",
-    userVerified: false,
-    signCount: 0,
-    contextHash: challenge.contextHash,
-    approvedAt: new Date(now).toISOString(),
-    ...partial
-  });
+function verifyApprovalAssertion(challenge, assertion) {
   const createdAt = new Date(challenge.createdAt).getTime();
-  if (now - createdAt > challenge.timeoutSeconds * 1e3) return fail("challenge_expired");
-  if (!credentialPublicKey?.publicKeyHex) return fail("missing_credential_public_key");
-  const clientDataBytes = base64urlDecode(assertion.clientDataJSON);
-  let clientData;
-  try {
-    clientData = JSON.parse(Buffer.from(clientDataBytes).toString("utf8"));
-  } catch {
-    return fail("client_data_parse_error");
+  const now = Date.now();
+  if (now - createdAt > challenge.timeoutSeconds * 1e3) {
+    return {
+      valid: false,
+      credentialId: assertion.credentialId,
+      authenticatorType: "unknown",
+      userVerified: false,
+      signCount: 0,
+      contextHash: challenge.contextHash,
+      approvedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
   }
-  if (clientData.type !== "webauthn.get") return fail("wrong_client_data_type");
-  if (!constantTimeStrEqual(clientData.challenge ?? "", challenge.challenge)) return fail("challenge_mismatch");
-  const allowedOrigins = opts.expectedOrigin ? Array.isArray(opts.expectedOrigin) ? opts.expectedOrigin : [opts.expectedOrigin] : [`https://${challenge.rpId}`];
-  if (!clientData.origin || !allowedOrigins.includes(clientData.origin)) return fail("origin_mismatch");
   const authData = base64urlDecode(assertion.authenticatorData);
-  if (authData.length < 37) return fail("authenticator_data_too_short");
-  const rpIdHash = authData.slice(0, 32);
-  const expectedRpIdHash = sha2564(new TextEncoder().encode(challenge.rpId));
-  if (!bytesEqual(rpIdHash, expectedRpIdHash)) return fail("rp_id_hash_mismatch");
   const flags = authData[32];
   const userPresent = !!(flags & 1);
   const userVerified = !!(flags & 4);
-  if (!userPresent) return fail("user_not_present");
-  if ((opts.requireUserVerification ?? true) && !userVerified) return fail("user_verification_required", { userVerified });
-  const signCount = authData[33] << 24 | authData[34] << 16 | authData[35] << 8 | authData[36];
-  if (typeof opts.prevSignCount === "number" && signCount !== 0 && signCount <= opts.prevSignCount) {
-    return fail("sign_count_regression", { userVerified, signCount });
-  }
-  const signedData = concatBytes(authData, sha2564(clientDataBytes));
-  const sigBytes = base64urlDecode(assertion.signature);
-  let sigOk = false;
+  const attestedCredData = !!(flags & 64);
+  const signCount = authData.length >= 37 ? authData[33] << 24 | authData[34] << 16 | authData[35] << 8 | authData[36] : 0;
+  let authenticatorType = "unknown";
   try {
-    if (credentialPublicKey.alg === -7) {
-      sigOk = p256.verify(sigBytes, sha2564(signedData), hexToBytes4(credentialPublicKey.publicKeyHex), { format: "der" });
-    } else if (credentialPublicKey.alg === -8) {
-      sigOk = ed255192.verify(sigBytes, signedData, hexToBytes4(credentialPublicKey.publicKeyHex));
-    } else {
-      return fail("unsupported_algorithm", { userVerified, signCount });
+    const clientData = JSON.parse(Buffer.from(base64urlDecode(assertion.clientDataJSON)).toString());
+    if (clientData.type === "webauthn.get") {
+      authenticatorType = "platform";
     }
   } catch {
-    sigOk = false;
   }
-  if (!sigOk) return fail("invalid_signature", { userVerified, signCount });
   return {
-    valid: true,
+    valid: userPresent,
+    // At minimum, user must be present
     credentialId: assertion.credentialId,
-    // Heuristic: platform authenticators (TouchID/FaceID/Hello) report UV; roaming
-    // keys without a PIN are UP-only. Attachment is authoritative only at registration.
-    authenticatorType: userVerified ? "platform" : "cross-platform",
+    authenticatorType,
     userVerified,
     signCount,
     contextHash: challenge.contextHash,
-    approvedAt: new Date(now).toISOString()
+    approvedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
 function createApprovalReceiptPayload(challenge, result) {
@@ -1147,22 +1118,6 @@ function base64urlDecode(str) {
   const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
   return new Uint8Array(Buffer.from(padded, "base64"));
 }
-function concatBytes(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
-}
-function bytesEqual(a, b) {
-  if (a.length !== b.length) return false;
-  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
-}
-function constantTimeStrEqual(a, b) {
-  const ab = Buffer.from(a, "utf8");
-  const bb = Buffer.from(b, "utf8");
-  if (ab.length !== bb.length) return false;
-  return timingSafeEqual(ab, bb);
-}
 
 // src/did-vc.ts
 function ed25519ToDIDKey(publicKeyHex) {
@@ -2042,12 +1997,14 @@ export {
   parseLogFile,
   parseNotificationConfigFromEnv,
   parseRateLimit,
+  policySetFromSource,
   queryExternalPDP,
   receiptToVP,
   receiptsToHFRows,
   redactFields,
   resolveCredential,
   revealField,
+  runEvaluatorSelfTest,
   runInSandbox,
   sendApprovalNotification,
   signCommittedDecision,

package/dist/utils-6AYZFE5A.mjs

@@ -0,0 +1,77 @@
+import {
+  Hash,
+  abytes,
+  aexists,
+  ahash,
+  anumber,
+  aoutput,
+  asyncLoop,
+  byteSwap,
+  byteSwap32,
+  byteSwapIfBE,
+  bytesToHex,
+  bytesToUtf8,
+  checkOpts,
+  clean,
+  concatBytes,
+  createHasher,
+  createOptHasher,
+  createView,
+  createXOFer,
+  hexToBytes,
+  isBytes,
+  isLE,
+  kdfInputToBytes,
+  nextTick,
+  randomBytes,
+  rotl,
+  rotr,
+  swap32IfBE,
+  swap8IfBE,
+  toBytes,
+  u32,
+  u8,
+  utf8ToBytes,
+  wrapConstructor,
+  wrapConstructorWithOpts,
+  wrapXOFConstructorWithOpts
+} from "./chunk-D733KAPG.mjs";
+import "./chunk-PQJP2ZCI.mjs";
+export {
+  Hash,
+  abytes,
+  aexists,
+  ahash,
+  anumber,
+  aoutput,
+  asyncLoop,
+  byteSwap,
+  byteSwap32,
+  byteSwapIfBE,
+  bytesToHex,
+  bytesToUtf8,
+  checkOpts,
+  clean,
+  concatBytes,
+  createHasher,
+  createOptHasher,
+  createView,
+  createXOFer,
+  hexToBytes,
+  isBytes,
+  isLE,
+  kdfInputToBytes,
+  nextTick,
+  randomBytes,
+  rotl,
+  rotr,
+  swap32IfBE,
+  swap8IfBE,
+  toBytes,
+  u32,
+  u8,
+  utf8ToBytes,
+  wrapConstructor,
+  wrapConstructorWithOpts,
+  wrapXOFConstructorWithOpts
+};

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "protect-mcp",
-  "version": "0.6.3",
+  "version": "0.7.0",
   "mcpName": "com.scopeblind/protect-mcp",
-  "description": "Cedar policy + Ed25519 signed receipts for AI agent decisions. The open gate behind Legate by ScopeBlind: enforce before action, verify offline. scopeblind.com",
+  "description": "Fail-closed Cedar policy gate + signed receipts for AI agent tool calls. Blocks what breaks the rules before it runs, denies on any policy error, and proves the gate is live with a startup self-test.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "dist/index.mjs",
@@ -24,7 +24,8 @@
   "files": [
     "dist",
     "policies",
-    "README.md"
+    "README.md",
+    "CHANGELOG.md"
   ],
   "keywords": [
     "scopeblind",
@@ -62,8 +63,7 @@
     "url": "https://github.com/scopeblind/scopeblind-gateway/issues"
   },
   "dependencies": {
-    "@noble/curves": "^1.8.0",
-    "@noble/hashes": "^1.7.0",
+    "@veritasacta/artifacts": "^0.2.2",
     "@veritasacta/protocol": "^0.1.0"
   },
   "optionalDependencies": {