bizteamai-smcp 1.13.1__py3-none-any.whl

bizteamai_smcp-1.13.1.dist-info/METADATA

@@ -0,0 +1,117 @@
+Metadata-Version: 2.4
+Name: bizteamai-smcp
+Version: 1.13.1
+Summary: Secure Model Context Protocol - Security layers for MCP servers
+Author: SMCP Contributors
+License: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: mcp
+Requires-Dist: fastmcp
+Requires-Dist: cryptography
+Requires-Dist: pyyaml
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-asyncio; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: isort; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+
+# SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP (Model Context Protocol) servers, providing multiple layers of protection through conditional guards that activate only when needed.
+
+## Features
+
+- **Conditional Security Guards**: Each security layer activates only when its required configuration is present
+- **Mutual TLS Support**: Automatic certificate-based authentication
+- **Host Allowlisting**: Outbound connection validation
+- **Input Sanitization**: Prompt and parameter filtering
+- **Destructive Action Confirmation**: Queue-based approval system for dangerous operations
+- **Tamper-proof Logging**: SHA-chained append-only audit logs
+- **Universal Coverage**: Same decorator factory works for tools, prompts, and retrieval
+
+## Quick Start
+
+```python
+from smcp import FastSMCP as FastMCP
+from smcp import tool, prompt
+
+# Configure security features (all optional)
+cfg = {
+    "ca_path": "ca.pem",
+    "cert_path": "server.pem", 
+    "key_path": "server.key",
+    "ALLOWED_HOSTS": ["api.internal.local", "10.0.0.5"],
+    "SAFE_RE": r"^[\w\s.,:;!?-]{1,2048}$",
+    "LOG_PATH": "/var/log/smcp.log"
+}
+
+app = FastMCP("myserver", smcp_cfg=cfg)
+
+@tool(confirm=True)  # Requires approval
+def delete_user(uid: str):
+    ...
+
+@prompt()  # Auto-filtered if SAFE_RE present
+def chat(prompt: str):
+    ...
+```
+
+## Security Guards
+
+| Feature | Activation Trigger | Purpose |
+|---------|-------------------|---------|
+| Mutual TLS | `ca_path`, `cert_path`, `key_path` in config | Certificate-based authentication |
+| Host Allowlist | Non-empty `ALLOWED_HOSTS` | Outbound connection validation |
+| Input Filtering | `SAFE_RE` or `MAX_LEN` defined | Sanitize prompts and parameters |
+| Action Confirmation | `confirm=True` on decorator | Queue destructive operations for approval |
+| Audit Logging | `LOG_PATH` set | Tamper-proof operation logging |
+
+## CLI Tools
+
+```bash
+# Generate certificates
+smcp-mkcert --ca-name "MyCA" --server-name "myserver.local"
+
+# Approve queued actions  
+smcp-approve <action-id>
+```
+
+## Installation
+
+### From PyPI.org (Public)
+
+```bash
+pip install bizteam-smcp
+```
+
+### From Private PyPI Server
+
+```bash
+# Using private PyPI server
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp
+```
+
+### Upgrading to Business Edition
+
+For additional features and enterprise support, a business edition is available:
+
+```bash
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp-biz
+```
+
+**Contact**: [business@bizteamai.com](mailto:business@bizteamai.com) for more information.
+
+## License
+
+MIT License

bizteamai_smcp-1.13.1.dist-info/RECORD

@@ -0,0 +1,21 @@
+smcp/__init__.py,sha256=VUcL_NuIkyGPPZaqNeQLsuxd1e6SlhP9U3J5SlJ9dMA,894
+smcp/allowlist.py,sha256=hitqBxRi-_I3LJm_w2a-QCLQdCllWtJVd7IIR1RSSKU,4474
+smcp/app_wrapper.py,sha256=miqt_MOwQRDszwlPXyxd96XV6LUCvcZBNo8VL1GUghA,7435
+smcp/confirm.py,sha256=74OluC4kyW1GIc2cGWa19m7q4wTbAOkiDtoJtoY3EXk,7725
+smcp/cpu.py,sha256=0_sCaj1sixt9K7DTAcdWnmeZlCgaBIlkndwOOQ1E7UM,2126
+smcp/decorators.py,sha256=8kAHBch9trJEsRXcCl2AlolUYmyM5MZG1QB1wsRZ1tc,3426
+smcp/enforce.py,sha256=mZpQq7poWrQs-PHYY3jG8pPoQZn81gXDEKCQzRnRU90,3821
+smcp/filters.py,sha256=8YHWUj-pYoFZyNrQymyGcoL9TUyPz_YyXcuWa3zPhvg,6054
+smcp/license.py,sha256=CMrSYDAHdaC7xV7ARVupYqbf7Fk5t59mIeC_3_zvvCM,3766
+smcp/logchain.py,sha256=SI-UQ5cMQuufS2-5ONdRomGuSoaMx4aNz3zE0CNRO6c,8353
+smcp/tls.py,sha256=w8LtI--lHV2XMxXKRAfEL2sqQOi-1zaAPFg0RUSp-JY,4965
+smcp/cli/__init__.py,sha256=D-dTgVCOE7e3QNZdPj_hoj2VOIlgNRvF728ldPQ0fKE,40
+smcp/cli/approve.py,sha256=i3d-kgPX6lp-5vCZzxrhletYoZvSDx3dRLxqHeauPJ4,8815
+smcp/cli/gen_key.py,sha256=WGYWfiplQgbHqTki8KxQzFsXjdVFXSmQmxYYOT4P9xQ,2558
+smcp/cli/mkcert.py,sha256=JI12e3OJGa_HwkVBfzDAxTarUV_bAujOfSj1TPd_Tqw,10161
+smcp/cli/revoke.py,sha256=hfTwR8tH1pH6MtBJv8EB5pZUj1cetFaZcDGENerpgm0,2413
+bizteamai_smcp-1.13.1.dist-info/METADATA,sha256=5UN_JqzKKr4F72h8rrMnrXiG7ZmxmE1WROy4JH7GQbs,3584
+bizteamai_smcp-1.13.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+bizteamai_smcp-1.13.1.dist-info/entry_points.txt,sha256=Ol5RQFBMTxosIsEfDJDA4R1MoAp0eGpysmIpvBv2cdw,90
+bizteamai_smcp-1.13.1.dist-info/top_level.txt,sha256=NC_CT8OBJEqtDZkUDD9oM8UTD_COXbkff6feQ3E82hw,5
+bizteamai_smcp-1.13.1.dist-info/RECORD,,

bizteamai_smcp-1.13.1.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

bizteamai_smcp-1.13.1.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+smcp-approve = smcp.cli.approve:main
+smcp-mkcert = smcp.cli.mkcert:main

bizteamai_smcp-1.13.1.dist-info/top_level.txt

@@ -0,0 +1 @@
+smcp

smcp/__init__.py

@@ -0,0 +1,29 @@
+"""
+SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP servers providing conditional
+security guards that activate only when their required configuration is present.
+"""
+
+import logging
+
+from .app_wrapper import FastSMCP
+from .decorators import tool, prompt, retrieval
+
+__version__ = "0.1.0"
+__all__ = ["FastSMCP", "tool", "prompt", "retrieval"]
+
+# Non-intrusive watermark for community edition
+def _show_watermark():
+    """Display a subtle watermark message for the community edition."""
+    logger = logging.getLogger(__name__)
+    logger.info("SMCP Community Edition - For commercial licensing visit: https://smcp.dev/business")
+
+# Show watermark on import (only once)
+try:
+    if not hasattr(_show_watermark, '_shown'):
+        _show_watermark()
+        _show_watermark._shown = True
+except Exception:
+    # Silently fail if logging isn't configured
+    pass

smcp/allowlist.py

@@ -0,0 +1,169 @@
+"""
+Host allowlist validation for outbound connections.
+"""
+
+import ipaddress
+import re
+from typing import Dict, List, Union
+from urllib.parse import urlparse
+
+
+class HostValidationError(Exception):
+    """Raised when a host fails allowlist validation."""
+    pass
+
+
+def validate_host(target: str, cfg: Dict[str, Union[str, List[str]]]) -> None:
+    """
+    Validate that a target host is in the allowlist.
+    
+    Args:
+        target: Target host, URL, or IP address to validate
+        cfg: Configuration dictionary containing ALLOWED_HOSTS
+        
+    Raises:
+        HostValidationError: If the host is not in the allowlist
+    """
+    allowed_hosts = cfg.get("ALLOWED_HOSTS", [])
+    if not allowed_hosts:
+        return  # No allowlist configured, allow all
+    
+    # Extract hostname from URL if needed
+    hostname = _extract_hostname(target)
+    
+    # Check against allowlist
+    if not _is_host_allowed(hostname, allowed_hosts):
+        raise HostValidationError(f"Host '{hostname}' not in allowlist")
+
+
+def _extract_hostname(target: str) -> str:
+    """
+    Extract hostname from a target string (URL, hostname, or IP).
+    
+    Args:
+        target: Target string to parse
+        
+    Returns:
+        Extracted hostname or IP address
+    """
+    # If it looks like a URL, parse it
+    if "://" in target:
+        parsed = urlparse(target)
+        return parsed.hostname or parsed.netloc
+    
+    # If it contains a port, strip it
+    if ":" in target and not _is_ipv6(target):
+        return target.split(":")[0]
+    
+    return target
+
+
+def _is_ipv6(address: str) -> bool:
+    """Check if a string is an IPv6 address."""
+    try:
+        ipaddress.IPv6Address(address)
+        return True
+    except ipaddress.AddressValueError:
+        return False
+
+
+def _is_host_allowed(hostname: str, allowed_hosts: List[str]) -> bool:
+    """
+    Check if a hostname is in the allowlist.
+    
+    Args:
+        hostname: Hostname to check
+        allowed_hosts: List of allowed hosts (can include patterns)
+        
+    Returns:
+        True if the hostname is allowed
+    """
+    for allowed in allowed_hosts:
+        if _host_matches(hostname, allowed):
+            return True
+    return False
+
+
+def _host_matches(hostname: str, pattern: str) -> bool:
+    """
+    Check if a hostname matches an allowlist pattern.
+    
+    Supports:
+    - Exact matches: "api.example.com"
+    - Wildcard subdomains: "*.example.com"
+    - IP addresses: "192.168.1.1"
+    - IP ranges: "192.168.1.0/24"
+    
+    Args:
+        hostname: Hostname to check
+        pattern: Pattern to match against
+        
+    Returns:
+        True if the hostname matches the pattern
+    """
+    # Exact match
+    if hostname == pattern:
+        return True
+    
+    # Wildcard subdomain match
+    if pattern.startswith("*."):
+        domain = pattern[2:]
+        return hostname.endswith(f".{domain}") or hostname == domain
+    
+    # IP range match
+    if "/" in pattern:
+        try:
+            network = ipaddress.ip_network(pattern, strict=False)
+            address = ipaddress.ip_address(hostname)
+            return address in network
+        except (ipaddress.AddressValueError, ValueError):
+            pass
+    
+    # Regex pattern match (if pattern contains regex characters)
+    if any(char in pattern for char in r"[](){}+?^$|\\"):
+        try:
+            return bool(re.match(pattern, hostname))
+        except re.error:
+            pass
+    
+    return False
+
+
+def add_host_to_allowlist(cfg: Dict[str, List[str]], host: str) -> None:
+    """
+    Add a host to the allowlist configuration.
+    
+    Args:
+        cfg: Configuration dictionary to modify
+        host: Host to add to the allowlist
+    """
+    if "ALLOWED_HOSTS" not in cfg:
+        cfg["ALLOWED_HOSTS"] = []
+    
+    if host not in cfg["ALLOWED_HOSTS"]:
+        cfg["ALLOWED_HOSTS"].append(host)
+
+
+def remove_host_from_allowlist(cfg: Dict[str, List[str]], host: str) -> None:
+    """
+    Remove a host from the allowlist configuration.
+    
+    Args:
+        cfg: Configuration dictionary to modify
+        host: Host to remove from the allowlist
+    """
+    if "ALLOWED_HOSTS" in cfg and host in cfg["ALLOWED_HOSTS"]:
+        cfg["ALLOWED_HOSTS"].remove(host)
+
+
+def get_allowed_hosts(cfg: Dict[str, List[str]]) -> List[str]:
+    """
+    Get the current allowlist.
+    
+    Args:
+        cfg: Configuration dictionary
+        
+    Returns:
+        List of allowed hosts
+    """
+    return cfg.get("ALLOWED_HOSTS", [])

smcp/app_wrapper.py

@@ -0,0 +1,216 @@
+"""
+FastSMCP subclass with integrated security features.
+"""
+
+from typing import Any, Dict, Optional
+
+try:
+    from fastmcp import FastMCP as SDKFastMCP
+except ImportError:
+    # Fallback for testing or when fastmcp is not available
+    class SDKFastMCP:
+        def __init__(self, *args, **kwargs):
+            self.name = args[0] if args else "unknown"
+        
+        def run(self, **kwargs):
+            print(f"Running {self.name} with transport")
+
+from .tls import TLSContextFactory, tls_configured
+
+
+class FastSMCP(SDKFastMCP):
+    """
+    Security-enhanced FastMCP server with conditional TLS and configuration injection.
+    
+    Automatically enables TLS when certificates are configured and injects
+    security configuration into all decorated functions.
+    """
+    
+    def __init__(self, *args, **kwargs):
+        """
+        Initialize FastSMCP with security configuration.
+        
+        Args:
+            *args: Positional arguments passed to FastMCP
+            **kwargs: Keyword arguments, including optional smcp_cfg
+        """
+        # Extract SMCP configuration
+        self.smcp_cfg = kwargs.pop("smcp_cfg", {})
+        
+        # Initialize base FastMCP
+        super().__init__(*args, **kwargs)
+        
+        # Setup TLS if configured
+        if tls_configured(self.smcp_cfg):
+            self._setup_tls()
+    
+    def _setup_tls(self) -> None:
+        """Setup TLS context if certificates are configured."""
+        try:
+            self._tls_context = TLSContextFactory.server_context(self.smcp_cfg)
+        except Exception as e:
+            print(f"Warning: Failed to setup TLS: {e}")
+            self._tls_context = None
+    
+    def run(self, transport: str = "tcp", **kwargs) -> None:
+        """
+        Run the server with security enhancements.
+        
+        Args:
+            transport: Transport protocol to use
+            **kwargs: Additional keyword arguments for the server
+        """
+        # Inject SMCP configuration for decorators
+        kwargs["_smcp_cfg"] = self.smcp_cfg
+        
+        # Enable TLS if configured
+        if hasattr(self, "_tls_context") and self._tls_context:
+            kwargs["ssl_context"] = self._tls_context
+            if not transport.endswith("+tls"):
+                transport = f"{transport}+tls"
+            print(f"Starting server with TLS on {transport}")
+        else:
+            print(f"Starting server without TLS on {transport}")
+        
+        # Log security configuration status
+        self._log_security_status()
+        
+        # Run the server
+        super().run(transport=transport, **kwargs)
+    
+    def _log_security_status(self) -> None:
+        """Log the status of security features."""
+        from .logchain import log_security_event
+        
+        features = {
+            "tls_enabled": hasattr(self, "_tls_context") and self._tls_context is not None,
+            "host_allowlist_configured": bool(self.smcp_cfg.get("ALLOWED_HOSTS")),
+            "input_filtering_configured": bool(self.smcp_cfg.get("SAFE_RE")),
+            "confirmation_enabled": self.smcp_cfg.get("CONFIRMATION_ENABLED", True),
+            "logging_enabled": bool(self.smcp_cfg.get("LOG_PATH")),
+        }
+        
+        log_security_event("server_startup", features, self.smcp_cfg)
+        
+        # Print security status
+        print("Security Features Status:")
+        for feature, enabled in features.items():
+            status = "✓" if enabled else "✗"
+            print(f"  {status} {feature.replace('_', ' ').title()}")
+    
+    def get_security_config(self) -> Dict[str, Any]:
+        """
+        Get the current security configuration.
+        
+        Returns:
+            Dictionary containing the current security configuration
+        """
+        return self.smcp_cfg.copy()
+    
+    def update_security_config(self, updates: Dict[str, Any]) -> None:
+        """
+        Update the security configuration.
+        
+        Args:
+            updates: Dictionary of configuration updates
+        """
+        self.smcp_cfg.update(updates)
+        
+        # Re-setup TLS if configuration changed
+        if any(key in updates for key in ["ca_path", "cert_path", "key_path"]):
+            if tls_configured(self.smcp_cfg):
+                self._setup_tls()
+    
+    def add_allowed_host(self, host: str) -> None:
+        """
+        Add a host to the allowlist.
+        
+        Args:
+            host: Host to add to the allowlist
+        """
+        if "ALLOWED_HOSTS" not in self.smcp_cfg:
+            self.smcp_cfg["ALLOWED_HOSTS"] = []
+        
+        if host not in self.smcp_cfg["ALLOWED_HOSTS"]:
+            self.smcp_cfg["ALLOWED_HOSTS"].append(host)
+    
+    def remove_allowed_host(self, host: str) -> None:
+        """
+        Remove a host from the allowlist.
+        
+        Args:
+            host: Host to remove from the allowlist
+        """
+        if "ALLOWED_HOSTS" in self.smcp_cfg and host in self.smcp_cfg["ALLOWED_HOSTS"]:
+            self.smcp_cfg["ALLOWED_HOSTS"].remove(host)
+    
+    def enable_feature(self, feature: str, **kwargs) -> None:
+        """
+        Enable a security feature with configuration.
+        
+        Args:
+            feature: Name of the feature to enable
+            **kwargs: Feature-specific configuration
+        """
+        if feature == "input_filtering":
+            self.smcp_cfg["SAFE_RE"] = kwargs.get("pattern", r"^[\w\s.,:;!?-]{1,2048}$")
+            self.smcp_cfg["MAX_LEN"] = kwargs.get("max_length", 2048)
+        
+        elif feature == "confirmation":
+            self.smcp_cfg["CONFIRMATION_ENABLED"] = True
+            if "queue_file" in kwargs:
+                self.smcp_cfg["QUEUE_FILE"] = kwargs["queue_file"]
+        
+        elif feature == "logging":
+            if "log_path" not in kwargs:
+                raise ValueError("log_path required for logging feature")
+            self.smcp_cfg["LOG_PATH"] = kwargs["log_path"]
+        
+        elif feature == "host_allowlist":
+            self.smcp_cfg["ALLOWED_HOSTS"] = kwargs.get("hosts", [])
+        
+        else:
+            raise ValueError(f"Unknown feature: {feature}")
+    
+    def disable_feature(self, feature: str) -> None:
+        """
+        Disable a security feature.
+        
+        Args:
+            feature: Name of the feature to disable
+        """
+        if feature == "input_filtering":
+            self.smcp_cfg.pop("SAFE_RE", None)
+            self.smcp_cfg.pop("MAX_LEN", None)
+        
+        elif feature == "confirmation":
+            self.smcp_cfg["CONFIRMATION_ENABLED"] = False
+        
+        elif feature == "logging":
+            self.smcp_cfg.pop("LOG_PATH", None)
+        
+        elif feature == "host_allowlist":
+            self.smcp_cfg.pop("ALLOWED_HOSTS", None)
+        
+        elif feature == "tls":
+            for key in ["ca_path", "cert_path", "key_path"]:
+                self.smcp_cfg.pop(key, None)
+            if hasattr(self, "_tls_context"):
+                delattr(self, "_tls_context")
+        
+        else:
+            raise ValueError(f"Unknown feature: {feature}")
+
+
+def create_secure_app(name: str, **security_config) -> FastSMCP:
+    """
+    Create a FastSMCP app with security configuration.
+    
+    Args:
+        name: Name of the MCP server
+        **security_config: Security configuration options
+        
+    Returns:
+        Configured FastSMCP instance
+    """
+    return FastSMCP(name, smcp_cfg=security_config)

smcp/cli/__init__.py

@@ -0,0 +1,3 @@
+"""CLI tools for SMCP."""
+
+__all__ = []