salmon-loop 0.3.0 → 0.3.1

package/dist/core/mcp/host/sampling-provider.js

@@ -0,0 +1,170 @@
+import { redactSensitiveValue } from '../../security/redaction.js';
+export class McpSamplingDeniedError extends Error {
+    audit;
+    code = 'MCP_SAMPLING_DENIED';
+    constructor(message, audit) {
+        super(message);
+        this.audit = audit;
+        this.name = 'McpSamplingDeniedError';
+    }
+}
+const DEFAULT_MAX_TOKENS = 1024;
+const DEFAULT_MAX_DEPTH = 6;
+const SECRET_KEY_PATTERN = /(api[-_]?key|apikey|authorization|token|secret|password|cookie)/i;
+function isSamplingOptions(value) {
+    return !value || (typeof value === 'object' && !('decideSampling' in value));
+}
+function assertDepth(value, maxDepth, depth = 0) {
+    if (value === null || value === undefined)
+        return;
+    if (typeof value !== 'object')
+        return;
+    if (depth > maxDepth) {
+        throw new McpSamplingDeniedError('MCP sampling request exceeds maxDepth.', {
+            event: 'mcp.sampling.deny',
+            reason: 'max_depth_exceeded',
+            maxDepth,
+        });
+    }
+    if (Array.isArray(value)) {
+        for (const item of value)
+            assertDepth(item, maxDepth, depth + 1);
+        return;
+    }
+    for (const item of Object.values(value)) {
+        assertDepth(item, maxDepth, depth + 1);
+    }
+}
+function contentToText(content) {
+    const parts = Array.isArray(content) ? content : [content];
+    return parts
+        .map((part) => {
+        if (part.type === 'text' && typeof part.text === 'string')
+            return part.text;
+        return `[unsupported MCP sampling content: ${part.type}]`;
+    })
+        .join('\n');
+}
+function toLlmMessages(params) {
+    const messages = [];
+    if (params.systemPrompt) {
+        messages.push({ role: 'system', content: params.systemPrompt });
+    }
+    for (const message of params.messages) {
+        messages.push({
+            role: message.role,
+            content: contentToText(message.content),
+        });
+    }
+    return messages;
+}
+function sanitizeForAudit(value, maxDepth, depth = 0, seen = new WeakSet()) {
+    if (value === null || value === undefined)
+        return value;
+    if (typeof value === 'string') {
+        return redactSensitiveValue(value, { maxDepth }).value;
+    }
+    if (typeof value === 'number' || typeof value === 'boolean')
+        return value;
+    if (typeof value !== 'object')
+        return '[Unserializable]';
+    if (depth >= maxDepth)
+        return '[MaxDepth]';
+    if (seen.has(value))
+        return '[Circular]';
+    seen.add(value);
+    if (Array.isArray(value)) {
+        return value.map((item) => sanitizeForAudit(item, maxDepth, depth + 1, seen));
+    }
+    return Object.fromEntries(Object.entries(value).map(([key, item]) => [
+        key,
+        SECRET_KEY_PATTERN.test(key)
+            ? '[REDACTED]'
+            : sanitizeForAudit(item, maxDepth, depth + 1, seen),
+    ]));
+}
+export class McpSamplingProvider {
+    policy;
+    llm;
+    enabled;
+    gateway;
+    maxTokens;
+    maxDepth;
+    constructor(optionsOrPolicy, llm) {
+        if (isSamplingOptions(optionsOrPolicy)) {
+            const options = optionsOrPolicy ?? {};
+            this.enabled = options.enabled ?? false;
+            this.gateway = options.gateway;
+            this.maxTokens = options.maxTokens ?? DEFAULT_MAX_TOKENS;
+            this.maxDepth = options.maxDepth ?? DEFAULT_MAX_DEPTH;
+            return;
+        }
+        this.policy = optionsOrPolicy;
+        this.llm = llm;
+        this.enabled = false;
+        this.maxTokens = DEFAULT_MAX_TOKENS;
+        this.maxDepth = DEFAULT_MAX_DEPTH;
+    }
+    async sample(input) {
+        if (!this.policy)
+            throw new Error('MCP_SAMPLING_POLICY_UNAVAILABLE');
+        const decision = this.policy.decideSampling(input.server);
+        if (!decision.allowed || decision.grant?.kind !== 'sampling') {
+            throw new Error(decision.denyReason ?? 'MCP_SAMPLING_DENIED');
+        }
+        if (!this.llm)
+            throw new Error('MCP_SAMPLING_LLM_UNAVAILABLE');
+        if (input.depth > decision.grant.maxDepth)
+            throw new Error('MCP_SAMPLING_DEPTH_EXCEEDED');
+        if (input.maxTokens > decision.grant.maxTokens) {
+            throw new Error('MCP_SAMPLING_TOKEN_LIMIT_EXCEEDED');
+        }
+        const result = await this.llm.chat([{ role: 'user', content: input.prompt }]);
+        return typeof result === 'string' ? result : String(result?.content ?? '');
+    }
+    async createMessage(params, options = {}) {
+        const sanitizedParams = sanitizeForAudit(params, this.maxDepth);
+        if (!this.enabled) {
+            throw new McpSamplingDeniedError('MCP sampling is disabled by default.', {
+                event: 'mcp.sampling.deny',
+                reason: 'disabled',
+                request: sanitizedParams,
+            });
+        }
+        if (!this.gateway) {
+            throw new McpSamplingDeniedError('MCP sampling gateway is not configured.', {
+                event: 'mcp.sampling.deny',
+                reason: 'gateway_missing',
+                request: sanitizedParams,
+            });
+        }
+        assertDepth(params, this.maxDepth);
+        const requestedMaxTokens = params.maxTokens;
+        const effectiveMaxTokens = Math.min(requestedMaxTokens, this.maxTokens);
+        const chatOptions = {
+            temperature: params.temperature,
+            maxTokens: effectiveMaxTokens,
+            stop: params.stopSequences,
+            signal: options.signal,
+        };
+        const response = await this.gateway.chat(toLlmMessages(params), chatOptions);
+        return {
+            model: this.gateway.getModelId?.() ?? 'salmon-loop-host-gateway',
+            role: 'assistant',
+            content: {
+                type: 'text',
+                text: response.content,
+            },
+            stopReason: requestedMaxTokens > effectiveMaxTokens ? 'maxTokens' : 'endTurn',
+            _meta: {
+                audit: {
+                    event: 'mcp.sampling.createMessage',
+                    maxTokens: effectiveMaxTokens,
+                    requestedMaxTokens,
+                    maxDepth: this.maxDepth,
+                },
+            },
+        };
+    }
+}
+//# sourceMappingURL=sampling-provider.js.map

package/dist/core/mcp/index.js

@@ -0,0 +1,4 @@
+export * from './types.js';
+export * from './config/index.js';
+export * from './schema/json-schema-to-zod.js';
+//# sourceMappingURL=index.js.map

package/dist/core/mcp/observability/events.js

@@ -0,0 +1,19 @@
+export function buildMcpEvent(input) {
+    return { ...input, timestamp: new Date().toISOString() };
+}
+export function buildMcpPolicyEvent(input) {
+    return {
+        type: 'mcp.policy.decision',
+        server: input.server,
+        capability: input.capability,
+        action: input.action,
+        outcome: input.outcome,
+        reason: input.reason,
+        phase: input.phase,
+        risk: input.risk,
+        riskLevel: input.risk,
+        target: input.target,
+        timestamp: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=events.js.map

package/dist/core/mcp/policy/approval-policy.js

@@ -0,0 +1,2 @@
+export { McpPolicyEngine, decideMcpApprovalPolicy } from './grants.js';
+//# sourceMappingURL=approval-policy.js.map

package/dist/core/mcp/policy/classifier.js

@@ -0,0 +1,172 @@
+const RISK_SCORE = {
+    low: 0,
+    medium: 1,
+    high: 2,
+};
+const SCORE_RISK = ['low', 'medium', 'high'];
+const READ_PATTERN = /\b(read|get|list|search|find|status|query|fetch|inspect|show|lookup)\b/i;
+const WRITE_PATTERN = /\b(write|create|update|delete|remove|apply|run|exec|submit|merge|push|patch|install|set|edit)\b/i;
+const NETWORK_PATTERN = /\b(fetch|http|https|url|web|crawl|browser|request|download|upload|api|remote|network)\b/i;
+const PROCESS_PATTERN = /\b(exec|execute|run|shell|bash|sh|cmd|command|process|spawn|npm|pnpm|yarn|bun|node|python|ruby|go|cargo|git)\b/i;
+export function classifyMcpTool(inputOrTool, config = {}) {
+    const legacy = isLegacyInput(inputOrTool);
+    const tool = legacy ? inputOrTool.tool : inputOrTool;
+    const trust = legacy ? inputOrTool.trust : (config.trust ?? 'local');
+    const override = legacy
+        ? sideEffectOverrideToConfig(inputOrTool.override)
+        : mergeOverrides(config.override, config.overrides?.[tool.name]);
+    return classifyTool({ tool, trust, override });
+}
+function classifyTool(input) {
+    const facets = {
+        read: false,
+        write: false,
+        network: false,
+        process: false,
+    };
+    const reasons = [];
+    const text = normalizeClassificationText(`${input.tool.name ?? ''} ${input.tool.description ?? ''}`);
+    const annotations = input.tool.annotations ?? {};
+    if (READ_PATTERN.test(text)) {
+        facets.read = true;
+        reasons.push('name or description implies read access');
+    }
+    if (WRITE_PATTERN.test(text)) {
+        facets.write = true;
+        reasons.push('name or description implies write access');
+    }
+    if (NETWORK_PATTERN.test(text)) {
+        facets.network = true;
+        reasons.push('name or description implies network access');
+    }
+    if (PROCESS_PATTERN.test(text)) {
+        facets.process = true;
+        reasons.push('name or description implies process execution');
+    }
+    if (annotations.readOnlyHint === true) {
+        facets.read = true;
+        if (annotations.destructiveHint !== true) {
+            facets.write = false;
+            facets.process = false;
+        }
+        reasons.push('annotation marks tool read-only');
+    }
+    if (annotations.destructiveHint === true) {
+        facets.write = true;
+        reasons.push('annotation marks tool destructive');
+    }
+    if (annotations.openWorldHint === true) {
+        facets.network = true;
+        reasons.push('annotation marks tool open-world');
+    }
+    const baselineRisk = riskFromFacets(facets, input.trust);
+    if (input.override?.readOnly === true) {
+        facets.read = true;
+        facets.write = false;
+        facets.process = false;
+        reasons.push(input.override.reason ?? 'config override marks tool read-only');
+    }
+    if (input.override?.facets) {
+        for (const facet of Object.keys(input.override.facets)) {
+            facets[facet] = Boolean(input.override.facets[facet]);
+        }
+        reasons.push(input.override.reason ?? 'config override adjusts risk facets');
+    }
+    if (input.override?.sideEffects) {
+        applySideEffectsToFacets(facets, input.override.sideEffects);
+        reasons.push(input.override.reason ?? 'config override adjusts side effects');
+    }
+    let risk = riskFromFacets(facets, input.trust);
+    if (input.override?.risk) {
+        risk = applyRiskOverride(baselineRisk, input.override);
+        reasons.push(input.override.reason ?? `config override sets risk to ${risk}`);
+    }
+    if (input.trust === 'remote') {
+        risk = raiseRisk(risk);
+        reasons.push('remote MCP server raises risk');
+    }
+    if (!reasons.length) {
+        reasons.push('no risk signals found');
+    }
+    const sideEffects = sideEffectsFromFacets(facets, input.trust);
+    const reason = reasons.join('; ');
+    return {
+        kind: 'classified',
+        risk,
+        riskLevel: risk,
+        facets,
+        sideEffects,
+        reasons,
+        reason,
+    };
+}
+function isLegacyInput(input) {
+    return 'tool' in input && 'trust' in input;
+}
+function sideEffectOverrideToConfig(sideEffects) {
+    return sideEffects && sideEffects.length > 0 ? { sideEffects } : undefined;
+}
+function applySideEffectsToFacets(facets, sideEffects) {
+    facets.read = sideEffects.some((effect) => effect === 'fs_read' || effect === 'git_read');
+    facets.write = sideEffects.some((effect) => effect === 'fs_write' || effect === 'git_write' || effect === 'snapshot_mutate');
+    facets.network = sideEffects.includes('network');
+    facets.process = sideEffects.includes('process');
+}
+function sideEffectsFromFacets(facets, trust) {
+    const effects = [];
+    if (facets.read)
+        effects.push('fs_read');
+    if (facets.write)
+        effects.push('fs_write');
+    if (facets.process)
+        effects.push('process');
+    if (facets.network || trust === 'remote')
+        effects.push('network');
+    return uniqueSideEffects(effects.length > 0 ? effects : ['none']);
+}
+function riskFromFacets(facets, trust) {
+    if (facets.process || facets.write || (facets.write && facets.network)) {
+        return 'high';
+    }
+    if (facets.network || trust === 'remote') {
+        return 'medium';
+    }
+    return 'low';
+}
+function applyRiskOverride(baselineRisk, override) {
+    const requestedRisk = override.risk;
+    if (!requestedRisk) {
+        return baselineRisk;
+    }
+    if (compareRisk(requestedRisk, baselineRisk) >= 0 || override.allowUnsafeDowngrade === true) {
+        return requestedRisk;
+    }
+    return (SCORE_RISK[Math.max(RISK_SCORE[baselineRisk] - 1, RISK_SCORE[requestedRisk])] ?? baselineRisk);
+}
+function raiseRisk(risk) {
+    return SCORE_RISK[Math.min(RISK_SCORE[risk] + 1, SCORE_RISK.length - 1)] ?? 'high';
+}
+function compareRisk(left, right) {
+    return RISK_SCORE[left] - RISK_SCORE[right];
+}
+function mergeOverrides(base, named) {
+    if (!base)
+        return named;
+    if (!named)
+        return base;
+    return {
+        ...base,
+        ...named,
+        facets: {
+            ...base.facets,
+            ...named.facets,
+        },
+    };
+}
+function uniqueSideEffects(values) {
+    return Array.from(new Set(values));
+}
+function normalizeClassificationText(value) {
+    return value.replace(/[^A-Za-z0-9]+/g, ' ');
+}
+//# sourceMappingURL=classifier.js.map