salmon-loop 0.2.16 → 0.3.1

package/dist/core/mcp/policy/grants.js

@@ -0,0 +1,356 @@
+import { classifyMcpTool } from './classifier.js';
+import { evaluateMcpUriPolicy, matchesMcpPattern, McpUriPolicy, } from './uri-policy.js';
+export function decideMcpApprovalPolicy(input) {
+    const risk = input.remote ? raiseRisk(input.risk) : input.risk;
+    if (input.capability === 'sampling') {
+        return {
+            outcome: input.defaultOutcome ?? 'deny',
+            reason: input.defaultOutcome
+                ? 'MCP_SAMPLING_EXPLICIT_GRANT'
+                : 'MCP_SAMPLING_DENIED_BY_DEFAULT',
+            risk,
+        };
+    }
+    if (input.capability === 'elicitation') {
+        return {
+            outcome: input.defaultOutcome ?? 'ask',
+            reason: 'MCP_ELICITATION_APPROVAL_REQUIRED_BY_DEFAULT',
+            risk,
+        };
+    }
+    if (risk === 'high') {
+        return {
+            outcome: input.defaultOutcome ?? 'ask',
+            reason: 'MCP_HIGH_RISK_APPROVAL_REQUIRED',
+            risk,
+        };
+    }
+    return {
+        outcome: input.defaultOutcome ?? 'allow',
+        reason: 'MCP_GRANTED',
+        risk,
+    };
+}
+export class McpPolicyEngine {
+    uriPolicy = new McpUriPolicy();
+    grants;
+    constructor(input = []) {
+        this.grants = Array.isArray(input) ? input : (input.grants ?? []);
+    }
+    decide(request) {
+        if (request.capability === 'tools') {
+            return this.decideTool({
+                server: request.server.name,
+                toolName: request.target ?? request.tool?.name ?? '',
+                phase: request.phase,
+                classification: request.tool
+                    ? classifyMcpTool(request.tool, { trust: request.server.trust ?? 'local' })
+                    : undefined,
+                remote: request.server.trust === 'remote' || request.server.transport === 'http',
+            });
+        }
+        if (request.capability === 'resources') {
+            return this.decideResource({
+                server: request.server.name,
+                uri: request.target ?? '',
+            });
+        }
+        if (request.capability === 'prompts') {
+            return this.decidePrompt({
+                server: request.server.name,
+                name: request.target ?? '',
+            });
+        }
+        if (request.capability === 'roots') {
+            return this.decideRoots(request.server.name, request.target);
+        }
+        if (request.capability === 'sampling') {
+            return this.decideSampling(request.server.name, request.target);
+        }
+        return this.decideElicitation(request.server.name, request.target);
+    }
+    decideTool(input) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'tool' &&
+            matchesServer(item.server, input.server) &&
+            matchesMcpPattern(input.toolName, item.namePattern));
+        const genericGrant = this.findGenericGrant('tools', input.server, 'call', input.toolName, input.phase);
+        const matchedGrant = grant ?? genericGrant;
+        if (!matchedGrant) {
+            return deny('MCP_TOOL_NOT_GRANTED', {
+                server: input.server,
+                capability: 'tools',
+                action: 'call',
+            });
+        }
+        const phaseAllowed = grant
+            ? input.phase !== undefined && grant.phases.includes(input.phase)
+            : matchesPhase(genericGrant?.phase, input.phase);
+        if (!phaseAllowed) {
+            return deny('MCP_TOOL_PHASE_DENIED', {
+                grant: matchedGrant,
+                server: input.server,
+                capability: 'tools',
+                action: 'call',
+                phase: input.phase,
+            });
+        }
+        const hasWriteRisk = input.classification?.riskLevel === 'high' ||
+            input.classification?.sideEffects.some((effect) => ['fs_write', 'git_write', 'process', 'network'].includes(effect));
+        const risk = input.remote
+            ? raiseRisk(input.classification?.riskLevel ?? 'medium')
+            : (input.classification?.riskLevel ?? 'medium');
+        const outcome = grant
+            ? legacyToolOutcome(grant.approval, Boolean(hasWriteRisk))
+            : (genericGrant?.outcome ??
+                decideMcpApprovalPolicy({ capability: 'tools', risk, remote: input.remote }).outcome);
+        return allowOrAsk(outcome, matchedGrant.reason ?? 'MCP_TOOL_GRANTED', {
+            grant: matchedGrant,
+            risk,
+            server: input.server,
+            capability: 'tools',
+            action: 'call',
+            phase: input.phase,
+        });
+    }
+    decideResource(input) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'resource' &&
+            matchesServer(item.server, input.server) &&
+            this.uriPolicy.isAllowed(input.uri, [item.uriPattern]));
+        const genericGrant = grant ?? this.findGenericGrant('resources', input.server, 'read', input.uri);
+        if (!genericGrant) {
+            return deny('MCP_RESOURCE_URI_DENIED', {
+                server: input.server,
+                capability: 'resources',
+                action: 'read',
+            });
+        }
+        if (!('kind' in genericGrant)) {
+            const rules = Array.isArray(genericGrant.target)
+                ? genericGrant.target
+                : genericGrant.target
+                    ? [genericGrant.target]
+                    : [];
+            const uriDecision = evaluateMcpUriPolicy(input.uri, rules);
+            if (!uriDecision.allowed) {
+                return deny(uriDecision.reason, {
+                    grant: genericGrant,
+                    server: input.server,
+                    capability: 'resources',
+                    action: 'read',
+                });
+            }
+        }
+        return allowOrAsk('allow', genericGrant.reason ?? 'MCP_RESOURCE_GRANTED', {
+            grant: genericGrant,
+            risk: 'low',
+            server: input.server,
+            capability: 'resources',
+            action: 'read',
+        });
+    }
+    decidePrompt(input) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'prompt' &&
+            matchesServer(item.server, input.server) &&
+            matchesMcpPattern(input.name, item.namePattern) &&
+            item.exposeAs !== 'none');
+        const genericGrant = grant ?? this.findGenericGrant('prompts', input.server, 'read', input.name);
+        return genericGrant
+            ? allowOrAsk('allow', genericGrant.reason ?? 'MCP_PROMPT_GRANTED', {
+                grant: genericGrant,
+                risk: 'low',
+                server: input.server,
+                capability: 'prompts',
+                action: 'read',
+            })
+            : deny('MCP_PROMPT_DENIED', {
+                server: input.server,
+                capability: 'prompts',
+                action: 'read',
+            });
+    }
+    decideRoots(server, target) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'roots' &&
+            matchesServer(item.server, server) &&
+            item.mode !== 'none');
+        const genericGrant = grant ?? this.findGenericGrant('roots', server, 'read', target);
+        return genericGrant
+            ? allowOrAsk('allow', genericGrant.reason ?? 'MCP_ROOTS_GRANTED', {
+                grant: genericGrant,
+                risk: 'low',
+                server,
+                capability: 'roots',
+                action: 'read',
+            })
+            : deny('MCP_ROOTS_DENIED', { server, capability: 'roots', action: 'read' });
+    }
+    decideSampling(server, target) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'sampling' &&
+            matchesServer(item.server, server) &&
+            item.enabled);
+        const genericGrant = grant ?? this.findGenericGrant('sampling', server, 'request', target);
+        if (!genericGrant) {
+            return deny('MCP_SAMPLING_DENIED', { server, capability: 'sampling', action: 'request' });
+        }
+        const outcome = 'kind' in genericGrant ? 'ask' : (genericGrant.outcome ?? 'deny');
+        return allowOrAsk(outcome, genericGrant.reason ?? 'MCP_SAMPLING_GRANTED', {
+            grant: genericGrant,
+            risk: 'high',
+            server,
+            capability: 'sampling',
+            action: 'request',
+        });
+    }
+    decideElicitation(server, target) {
+        const grant = this.grants.find((item) => 'kind' in item &&
+            item.kind === 'elicitation' &&
+            matchesServer(item.server, server) &&
+            item.enabled);
+        const genericGrant = grant ?? this.findGenericGrant('elicitation', server, 'request', target);
+        if (!genericGrant) {
+            return allowOrAsk('ask', 'MCP_ELICITATION_APPROVAL_REQUIRED_BY_DEFAULT', {
+                risk: 'medium',
+                server,
+                capability: 'elicitation',
+                action: 'request',
+            });
+        }
+        const outcome = 'kind' in genericGrant ? 'ask' : (genericGrant.outcome ?? 'ask');
+        return allowOrAsk(outcome, genericGrant.reason ?? 'MCP_ELICITATION_GRANTED', {
+            grant: genericGrant,
+            risk: 'medium',
+            server,
+            capability: 'elicitation',
+            action: 'request',
+        });
+    }
+    findGenericGrant(capability, server, action, target, phase) {
+        return this.grants.find((grant) => !('kind' in grant) &&
+            grant.capability === capability &&
+            matchesServer(grant.server, server) &&
+            matchesAction(grant.actions, action) &&
+            matchesGenericTarget(grant.target, target) &&
+            matchesPhase(grant.phase, phase));
+    }
+}
+export function buildMcpGrantsFromCapabilities(server, capabilities) {
+    const grants = [];
+    for (const namePattern of capabilities.tools.allow) {
+        grants.push({
+            kind: 'tool',
+            server,
+            namePattern,
+            phases: capabilities.tools.phases,
+            approval: capabilities.tools.approval,
+        });
+    }
+    for (const uriPattern of capabilities.resources.allowUris) {
+        grants.push({
+            kind: 'resource',
+            server,
+            uriPattern,
+            autoInclude: capabilities.resources.autoInclude,
+        });
+    }
+    for (const namePattern of capabilities.prompts.allow) {
+        grants.push({
+            kind: 'prompt',
+            server,
+            namePattern,
+            exposeAs: capabilities.prompts.exposeAs,
+        });
+    }
+    grants.push({ kind: 'roots', server, mode: capabilities.roots.mode });
+    grants.push({
+        kind: 'sampling',
+        server,
+        enabled: capabilities.sampling.enabled,
+        maxTokens: capabilities.sampling.maxTokens,
+        maxDepth: capabilities.sampling.maxDepth,
+    });
+    grants.push({ kind: 'elicitation', server, enabled: capabilities.elicitation.enabled });
+    return grants;
+}
+export function getCapabilityKindForGrant(grant) {
+    if ('capability' in grant)
+        return grant.capability;
+    if (grant.kind === 'tool')
+        return 'tools';
+    if (grant.kind === 'resource')
+        return 'resources';
+    if (grant.kind === 'prompt')
+        return 'prompts';
+    return grant.kind;
+}
+export function getGrantServer(grant) {
+    return grant.server;
+}
+export function grantOutcomeToApprovalMode(outcome) {
+    if (outcome === 'ask')
+        return 'ask';
+    return 'never';
+}
+function legacyToolOutcome(approval, hasWriteRisk) {
+    if (approval === 'ask')
+        return 'ask';
+    if (approval === 'write_requires_confirmation' && hasWriteRisk)
+        return 'ask';
+    return 'allow';
+}
+function allowOrAsk(outcome, reason, details) {
+    return {
+        ...details,
+        allowed: outcome === 'allow',
+        approvalRequired: outcome === 'ask',
+        needsApproval: outcome === 'ask',
+        outcome,
+        reason,
+        denyReason: outcome === 'deny' ? reason : undefined,
+    };
+}
+function deny(reason, details) {
+    return {
+        ...details,
+        allowed: false,
+        approvalRequired: false,
+        needsApproval: false,
+        outcome: 'deny',
+        reason,
+        denyReason: reason,
+    };
+}
+function matchesServer(pattern, server) {
+    return pattern === '*' || pattern === server;
+}
+function matchesAction(actions, action) {
+    return !actions?.length || actions.includes('*') || actions.includes(action);
+}
+function matchesPhase(grantPhase, requestPhase) {
+    if (!grantPhase)
+        return true;
+    if (!requestPhase)
+        return false;
+    return Array.isArray(grantPhase)
+        ? grantPhase.includes(requestPhase)
+        : grantPhase === requestPhase;
+}
+function matchesGenericTarget(target, requestedTarget) {
+    if (!target)
+        return true;
+    if (!requestedTarget)
+        return false;
+    const targets = Array.isArray(target) ? target : [target];
+    return targets.some((item) => typeof item === 'string'
+        ? matchesMcpPattern(requestedTarget, item)
+        : matchesMcpPattern(requestedTarget, item.pattern));
+}
+function raiseRisk(risk) {
+    if (risk === 'low')
+        return 'medium';
+    return 'high';
+}
+//# sourceMappingURL=grants.js.map

package/dist/core/mcp/policy/uri-policy.js

@@ -0,0 +1,60 @@
+export function matchesMcpPattern(value, pattern) {
+    return matchesUriRule(value, pattern);
+}
+export function evaluateMcpUriPolicy(uri, rules) {
+    if (rules.length === 0) {
+        return {
+            allowed: false,
+            reason: 'MCP_RESOURCE_URI_DENIED_NO_RULES',
+        };
+    }
+    for (const rule of rules) {
+        const normalized = normalizeUriRule(rule);
+        if (matchesUriRule(uri, normalized)) {
+            return {
+                allowed: true,
+                reason: `MCP_RESOURCE_URI_ALLOWED_${normalized.kind.toUpperCase()}`,
+                matchedPattern: normalized.pattern,
+                matchKind: normalized.kind,
+            };
+        }
+    }
+    return {
+        allowed: false,
+        reason: 'MCP_RESOURCE_URI_DENIED_NO_MATCH',
+    };
+}
+export function matchesUriRule(uri, rule) {
+    const normalized = normalizeUriRule(rule);
+    if (normalized.kind === 'exact')
+        return uri === normalized.pattern;
+    if (normalized.kind === 'prefix')
+        return uri.startsWith(normalized.pattern);
+    return globLikeToRegExp(normalized.pattern).test(uri);
+}
+export function normalizeUriRule(rule) {
+    if (typeof rule === 'string') {
+        return { pattern: rule, kind: inferUriRuleKind(rule) };
+    }
+    return { pattern: rule.pattern, kind: rule.kind ?? inferUriRuleKind(rule.pattern) };
+}
+export class McpUriPolicy {
+    isAllowed(uri, patterns) {
+        return evaluateMcpUriPolicy(uri, patterns).allowed;
+    }
+    decide(uri, patterns) {
+        return evaluateMcpUriPolicy(uri, patterns);
+    }
+}
+function inferUriRuleKind(pattern) {
+    if (pattern.includes('*'))
+        return 'glob';
+    if (pattern.endsWith('/'))
+        return 'prefix';
+    return 'exact';
+}
+function globLikeToRegExp(pattern) {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
+    return new RegExp(`^${escaped}$`);
+}
+//# sourceMappingURL=uri-policy.js.map