sovr-mcp-proxy 6.0.1 → 7.0.0

package/dist/whitelistEngine.mjs

@@ -0,0 +1,403 @@
+// src/whitelistEngine.ts
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+var PRESET_READONLY = {
+  version: "1.0",
+  mode: "whitelist",
+  rules: [
+    { pattern: "ls *", allow: true, description: "List directory" },
+    { pattern: "cat *", allow: true, description: "Read file" },
+    { pattern: "head *", allow: true, description: "Read file head" },
+    { pattern: "tail *", allow: true, description: "Read file tail" },
+    { pattern: "find *", allow: true, description: "Find files", max_args: 10 },
+    { pattern: "grep *", allow: true, description: "Search in files" },
+    { pattern: "wc *", allow: true, description: "Word count" },
+    { pattern: "file *", allow: true, description: "File type" },
+    { pattern: "pwd", allow: true, description: "Print working directory" },
+    { pattern: "whoami", allow: true, description: "Current user" },
+    { pattern: "date", allow: true, description: "Current date" },
+    { pattern: "echo *", allow: true, description: "Echo text" }
+  ],
+  settings: {
+    max_command_length: 500,
+    allow_env_expansion: false,
+    allow_subshell: false,
+    allow_pipes: true,
+    allow_chains: false,
+    allow_redirects: false
+  }
+};
+var PRESET_DEVELOPER = {
+  version: "1.0",
+  mode: "whitelist",
+  rules: [
+    // Read operations
+    ...PRESET_READONLY.rules,
+    // Git (safe operations)
+    { pattern: "git status", allow: true, description: "Git status" },
+    { pattern: "git diff *", allow: true, description: "Git diff" },
+    { pattern: "git log *", allow: true, description: "Git log" },
+    { pattern: "git branch *", allow: true, description: "Git branch" },
+    { pattern: "git add *", allow: true, description: "Git add" },
+    { pattern: "git commit *", allow: true, description: "Git commit" },
+    { pattern: "git push *", allow: true, require_approval: true, description: "Git push (requires approval)" },
+    { pattern: "git pull *", allow: true, description: "Git pull" },
+    { pattern: "git checkout *", allow: true, description: "Git checkout" },
+    { pattern: "git stash *", allow: true, description: "Git stash" },
+    // Node.js / npm
+    { pattern: "node *", allow: true, description: "Run Node.js" },
+    { pattern: "npm run *", allow: true, description: "Run npm script" },
+    { pattern: "npm test", allow: true, description: "Run tests" },
+    { pattern: "npm install *", allow: true, description: "Install packages" },
+    { pattern: "npx *", allow: true, description: "Run npx" },
+    { pattern: "pnpm *", allow: true, description: "Run pnpm" },
+    { pattern: "yarn *", allow: true, description: "Run yarn" },
+    // Python
+    { pattern: "python3 *", allow: true, description: "Run Python", max_args: 20 },
+    { pattern: "pip install *", allow: true, description: "Install Python packages" },
+    { pattern: "pip3 install *", allow: true, description: "Install Python packages" },
+    // Build tools
+    { pattern: "make *", allow: true, description: "Run make" },
+    { pattern: "cargo *", allow: true, description: "Run cargo" },
+    // File operations (limited)
+    { pattern: "mkdir *", allow: true, description: "Create directory" },
+    { pattern: "cp *", allow: true, description: "Copy files" },
+    { pattern: "mv *", allow: true, description: "Move files" },
+    { pattern: "touch *", allow: true, description: "Create empty file" },
+    // Dangerous operations — require approval
+    { pattern: "rm *", allow: true, require_approval: true, description: "Delete files (requires approval)" },
+    { pattern: "npm publish *", allow: true, require_approval: true, description: "Publish package (requires approval)" },
+    { pattern: "docker *", allow: true, require_approval: true, description: "Docker operations (requires approval)" }
+  ],
+  settings: {
+    max_command_length: 2e3,
+    allow_env_expansion: true,
+    allow_subshell: false,
+    allow_pipes: true,
+    allow_chains: true,
+    allow_redirects: true
+  }
+};
+var PRESET_PRODUCTION = {
+  version: "1.0",
+  mode: "whitelist",
+  rules: [
+    { pattern: "echo *", allow: true, description: "Echo" },
+    { pattern: "date", allow: true, description: "Date" },
+    { pattern: "uptime", allow: true, description: "Uptime" },
+    { pattern: "df *", allow: true, description: "Disk usage" },
+    { pattern: "free *", allow: true, description: "Memory usage" },
+    { pattern: "ps *", allow: true, description: "Process list" },
+    { pattern: "curl *", allow: true, require_approval: true, description: "HTTP request (requires approval)" }
+  ],
+  default_action: "deny",
+  settings: {
+    max_command_length: 500,
+    allow_env_expansion: false,
+    allow_subshell: false,
+    allow_pipes: false,
+    allow_chains: false,
+    allow_redirects: false
+  }
+};
+var PRESETS = {
+  readonly: PRESET_READONLY,
+  developer: PRESET_DEVELOPER,
+  production: PRESET_PRODUCTION
+};
+var WhitelistEngine = class {
+  policy;
+  constructor(policy) {
+    this.policy = policy;
+    this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+  }
+  /**
+   * Evaluate a command against the whitelist policy.
+   */
+  evaluate(command) {
+    const violations = [];
+    const structuralCheck = this.checkStructural(command);
+    violations.push(...structuralCheck.violations);
+    if (structuralCheck.blocked) {
+      return {
+        allowed: false,
+        require_approval: false,
+        reason: `Structural violation: ${violations.join(", ")}`,
+        risk: "critical",
+        violations
+      };
+    }
+    const enabledRules = this.policy.rules.filter((r) => r.enabled !== false);
+    for (const rule of enabledRules) {
+      if (matchPattern(command, rule.pattern)) {
+        if (rule.max_args !== void 0) {
+          const argCount = command.split(/\s+/).length - 1;
+          if (argCount > rule.max_args) {
+            violations.push(`Too many arguments: ${argCount} > ${rule.max_args}`);
+            return {
+              allowed: false,
+              require_approval: false,
+              matched_rule: rule,
+              reason: `Argument limit exceeded for pattern "${rule.pattern}"`,
+              risk: "high",
+              violations
+            };
+          }
+        }
+        if (rule.allow) {
+          return {
+            allowed: true,
+            require_approval: rule.require_approval ?? false,
+            matched_rule: rule,
+            reason: rule.description || `Matched whitelist pattern: ${rule.pattern}`,
+            risk: rule.require_approval ? "medium" : "low",
+            violations
+          };
+        } else {
+          return {
+            allowed: false,
+            require_approval: false,
+            matched_rule: rule,
+            reason: rule.description || `Matched blacklist pattern: ${rule.pattern}`,
+            risk: "high",
+            violations
+          };
+        }
+      }
+    }
+    switch (this.policy.mode) {
+      case "whitelist":
+        return {
+          allowed: false,
+          require_approval: false,
+          reason: `No whitelist rule matches command. In whitelist mode, unlisted commands are DENIED.`,
+          risk: "high",
+          violations
+        };
+      case "blacklist":
+        return {
+          allowed: true,
+          require_approval: false,
+          reason: "No blacklist rule matches. Command allowed by default.",
+          risk: "medium",
+          violations
+        };
+      case "hybrid": {
+        const defaultAction = this.policy.default_action || "deny";
+        return {
+          allowed: defaultAction === "allow",
+          require_approval: defaultAction === "escalate",
+          reason: `No rule matches. Hybrid mode default: ${defaultAction}`,
+          risk: defaultAction === "allow" ? "medium" : "high",
+          violations
+        };
+      }
+    }
+  }
+  /**
+   * Check structural constraints (pipes, chains, subshells, etc.)
+   */
+  checkStructural(command) {
+    const violations = [];
+    const settings = this.policy.settings || {};
+    if (settings.max_command_length && command.length > settings.max_command_length) {
+      violations.push(`Command too long: ${command.length} > ${settings.max_command_length}`);
+    }
+    if (settings.allow_subshell === false) {
+      if (/\$\(/.test(command) || /`[^`]+`/.test(command)) {
+        violations.push("Subshell execution not allowed");
+      }
+    }
+    if (settings.allow_pipes === false) {
+      if (/\|(?!\|)/.test(command)) {
+        violations.push("Pipe chains not allowed");
+      }
+    }
+    if (settings.allow_chains === false) {
+      if (/[;&]|&&|\|\|/.test(command)) {
+        violations.push("Command chaining not allowed");
+      }
+    }
+    if (settings.allow_redirects === false) {
+      if (/[<>]|>>/.test(command)) {
+        violations.push("Output redirection not allowed");
+      }
+    }
+    if (settings.allow_env_expansion === false) {
+      if (/\$[A-Za-z_]/.test(command) || /\$\{/.test(command)) {
+        violations.push("Environment variable expansion not allowed");
+      }
+    }
+    return {
+      blocked: violations.length > 0,
+      violations
+    };
+  }
+  /**
+   * Get the current policy.
+   */
+  getPolicy() {
+    return { ...this.policy };
+  }
+  /**
+   * Add a rule dynamically.
+   */
+  addRule(rule) {
+    this.policy.rules.push(rule);
+    this.policy.rules.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+  }
+  /**
+   * Remove a rule by pattern.
+   */
+  removeRule(pattern) {
+    const idx = this.policy.rules.findIndex((r) => r.pattern === pattern);
+    if (idx >= 0) {
+      this.policy.rules.splice(idx, 1);
+      return true;
+    }
+    return false;
+  }
+  /**
+   * List all rules.
+   */
+  listRules() {
+    return [...this.policy.rules];
+  }
+};
+function matchPattern(command, pattern) {
+  const normalizedCmd = command.trim().replace(/\s+/g, " ");
+  const normalizedPattern = pattern.trim().replace(/\s+/g, " ");
+  const regexStr = "^" + normalizedPattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
+  try {
+    return new RegExp(regexStr).test(normalizedCmd);
+  } catch {
+    return false;
+  }
+}
+function loadPolicy(filePath) {
+  if (!existsSync(filePath)) {
+    throw new Error(`Policy file not found: ${filePath}`);
+  }
+  const raw = readFileSync(filePath, "utf-8");
+  try {
+    return JSON.parse(raw);
+  } catch {
+  }
+  return parseSimpleYaml(raw);
+}
+function autoLoadPolicy(projectDir) {
+  const candidates = [
+    join(projectDir, ".sovr", "policy.json"),
+    join(projectDir, ".sovr", "policy.yaml"),
+    join(projectDir, ".sovr", "policy.yml"),
+    join(projectDir, "sovr.policy.json")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      return loadPolicy(candidate);
+    }
+  }
+  return null;
+}
+function parseSimpleYaml(raw) {
+  const lines = raw.split("\n");
+  const policy = {
+    version: "1.0",
+    mode: "whitelist",
+    rules: []
+  };
+  let currentRule = null;
+  let inRules = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    if (trimmed.startsWith("version:")) {
+      policy.version = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed.startsWith("mode:")) {
+      policy.mode = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+    } else if (trimmed === "rules:") {
+      inRules = true;
+    } else if (inRules && trimmed.startsWith("- pattern:")) {
+      if (currentRule?.pattern) {
+        policy.rules.push(currentRule);
+      }
+      currentRule = {
+        pattern: trimmed.replace("- pattern:", "").trim().replace(/['"]/g, ""),
+        allow: true,
+        enabled: true
+      };
+    } else if (inRules && currentRule) {
+      if (trimmed.startsWith("allow:")) {
+        currentRule.allow = trimmed.includes("true");
+      } else if (trimmed.startsWith("description:")) {
+        currentRule.description = trimmed.split(":").slice(1).join(":").trim().replace(/['"]/g, "");
+      } else if (trimmed.startsWith("require_approval:")) {
+        currentRule.require_approval = trimmed.includes("true");
+      } else if (trimmed.startsWith("max_args:")) {
+        currentRule.max_args = parseInt(trimmed.split(":")[1].trim());
+      } else if (trimmed.startsWith("priority:")) {
+        currentRule.priority = parseInt(trimmed.split(":")[1].trim());
+      }
+    }
+  }
+  if (currentRule?.pattern) {
+    policy.rules.push(currentRule);
+  }
+  return policy;
+}
+function generatePolicyFile(preset, format = "yaml") {
+  const policy = PRESETS[preset];
+  if (!policy) {
+    throw new Error(`Unknown preset: ${preset}. Available: ${Object.keys(PRESETS).join(", ")}`);
+  }
+  if (format === "json") {
+    return JSON.stringify(policy, null, 2);
+  }
+  let yaml = `# SOVR Whitelist Policy
+`;
+  yaml += `# Preset: ${preset}
+`;
+  yaml += `# Generated: ${(/* @__PURE__ */ new Date()).toISOString()}
+
+`;
+  yaml += `version: "${policy.version}"
+`;
+  yaml += `mode: ${policy.mode}
+
+`;
+  yaml += `rules:
+`;
+  for (const rule of policy.rules) {
+    yaml += `  - pattern: "${rule.pattern}"
+`;
+    yaml += `    allow: ${rule.allow}
+`;
+    if (rule.description) yaml += `    description: "${rule.description}"
+`;
+    if (rule.require_approval) yaml += `    require_approval: true
+`;
+    if (rule.max_args !== void 0) yaml += `    max_args: ${rule.max_args}
+`;
+    yaml += `
+`;
+  }
+  if (policy.settings) {
+    yaml += `settings:
+`;
+    for (const [key, value] of Object.entries(policy.settings)) {
+      yaml += `  ${key}: ${value}
+`;
+    }
+  }
+  return yaml;
+}
+export {
+  PRESETS,
+  PRESET_DEVELOPER,
+  PRESET_PRODUCTION,
+  PRESET_READONLY,
+  WhitelistEngine,
+  autoLoadPolicy,
+  generatePolicyFile,
+  loadPolicy
+};

package/package.json

@@ -1,52 +1,57 @@
 {
   "name": "sovr-mcp-proxy",
-  "version": "6.0.1",
-  "description": "Responsibility Layer for AI agents. Transparent MCP Proxy that intercepts all agent tool calls with policy engine verification and audit trail before forwarding. Supports stdio, SSE, and Streamable HTTP transports.",
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "ai-responsibility",
-    "ai-governance",
-    "audit-trail",
-    "proxy",
-    "gate-check",
-    "audit",
-    "trust",
-    "sovr",
-    "mcp-proxy",
-    "sse",
-    "streamable-http",
-    "remote-mcp",
-    "responsibility-layer",
-    "decision-accountability"
-  ],
-  "homepage": "https://sovr.inc",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/xie38388/sovr.git"
-  },
-  "bugs": {
-    "url": "https://github.com/xie38388/sovr/issues"
-  },
-  "license": "BSL-1.1",
-  "author": "SOVR AI <contact@sovrapp.com>",
-  "type": "module",
+  "version": "7.0.0",
+  "description": "SOVR MCP Proxy — intercepts MCP tool calls and evaluates them against the unified Policy Engine",
   "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
   "bin": {
     "sovr-mcp-proxy": "dist/cli.js"
   },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./engine": {
+      "types": "./dist/engine-export.d.ts",
+      "import": "./dist/engine-export.mjs",
+      "require": "./dist/engine-export.js"
+    }
+  },
   "files": [
     "dist",
-    "README.md",
-    "LICENSE",
-    "server.json"
+    "README.md"
   ],
-  "engines": {
-    "node": ">=18.0.0"
+  "scripts": {
+    "build": "tsup src/index.ts src/cli.ts src/init.ts src/usageTracker.ts src/apiKeyManager.ts src/daemon.ts src/engine-export.ts src/toolReplacement.ts src/whitelistEngine.ts src/commandNormalizer.ts src/hooksAdapter.ts --format cjs,esm --dts --clean",
+    "test": "vitest run --config vitest.config.ts",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "pnpm build"
   },
-  "publishConfig": {
-    "access": "public"
+  "keywords": [
+    "sovr",
+    "mcp",
+    "proxy",
+    "ai-firewall",
+    "ai-safety",
+    "tool-call",
+    "model-context-protocol",
+    "whitelist",
+    "claude-code-hooks",
+    "command-normalizer"
+  ],
+  "author": "SOVR Inc. <sdk@sovr.inc>",
+  "license": "BSL-1.1",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/xie38388/sovr"
   },
-  "mcpName": "io.github.xie38388/sovr-proxy",
-  "scripts": {}
-}
+  "devDependencies": {
+    "@types/node": "^20.19.33",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^1.0.0"
+  }
+}

package/server.json

@@ -1,14 +0,0 @@
-{
-  "name": "sovr-mcp-proxy",
-  "version": "2.5.5",
-  "description": "SOVR AI Responsibility Layer \u2014 Unbypassable MCP Proxy with dual-layer security",
-  "transport": [
-    "stdio",
-    "sse"
-  ],
-  "capabilities": {
-    "tools": true,
-    "resources": true,
-    "prompts": true
-  }
-}