bizteamai-smcp 1.13.1__tar.gz

bizteamai_smcp-1.13.1/PKG-INFO

@@ -0,0 +1,117 @@
+Metadata-Version: 2.4
+Name: bizteamai-smcp
+Version: 1.13.1
+Summary: Secure Model Context Protocol - Security layers for MCP servers
+Author: SMCP Contributors
+License: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: mcp
+Requires-Dist: fastmcp
+Requires-Dist: cryptography
+Requires-Dist: pyyaml
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-asyncio; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: isort; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+
+# SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP (Model Context Protocol) servers, providing multiple layers of protection through conditional guards that activate only when needed.
+
+## Features
+
+- **Conditional Security Guards**: Each security layer activates only when its required configuration is present
+- **Mutual TLS Support**: Automatic certificate-based authentication
+- **Host Allowlisting**: Outbound connection validation
+- **Input Sanitization**: Prompt and parameter filtering
+- **Destructive Action Confirmation**: Queue-based approval system for dangerous operations
+- **Tamper-proof Logging**: SHA-chained append-only audit logs
+- **Universal Coverage**: Same decorator factory works for tools, prompts, and retrieval
+
+## Quick Start
+
+```python
+from smcp import FastSMCP as FastMCP
+from smcp import tool, prompt
+
+# Configure security features (all optional)
+cfg = {
+    "ca_path": "ca.pem",
+    "cert_path": "server.pem", 
+    "key_path": "server.key",
+    "ALLOWED_HOSTS": ["api.internal.local", "10.0.0.5"],
+    "SAFE_RE": r"^[\w\s.,:;!?-]{1,2048}$",
+    "LOG_PATH": "/var/log/smcp.log"
+}
+
+app = FastMCP("myserver", smcp_cfg=cfg)
+
+@tool(confirm=True)  # Requires approval
+def delete_user(uid: str):
+    ...
+
+@prompt()  # Auto-filtered if SAFE_RE present
+def chat(prompt: str):
+    ...
+```
+
+## Security Guards
+
+| Feature | Activation Trigger | Purpose |
+|---------|-------------------|---------|
+| Mutual TLS | `ca_path`, `cert_path`, `key_path` in config | Certificate-based authentication |
+| Host Allowlist | Non-empty `ALLOWED_HOSTS` | Outbound connection validation |
+| Input Filtering | `SAFE_RE` or `MAX_LEN` defined | Sanitize prompts and parameters |
+| Action Confirmation | `confirm=True` on decorator | Queue destructive operations for approval |
+| Audit Logging | `LOG_PATH` set | Tamper-proof operation logging |
+
+## CLI Tools
+
+```bash
+# Generate certificates
+smcp-mkcert --ca-name "MyCA" --server-name "myserver.local"
+
+# Approve queued actions  
+smcp-approve <action-id>
+```
+
+## Installation
+
+### From PyPI.org (Public)
+
+```bash
+pip install bizteam-smcp
+```
+
+### From Private PyPI Server
+
+```bash
+# Using private PyPI server
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp
+```
+
+### Upgrading to Business Edition
+
+For additional features and enterprise support, a business edition is available:
+
+```bash
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp-biz
+```
+
+**Contact**: [business@bizteamai.com](mailto:business@bizteamai.com) for more information.
+
+## License
+
+MIT License

bizteamai_smcp-1.13.1/README.md

@@ -0,0 +1,89 @@
+# SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP (Model Context Protocol) servers, providing multiple layers of protection through conditional guards that activate only when needed.
+
+## Features
+
+- **Conditional Security Guards**: Each security layer activates only when its required configuration is present
+- **Mutual TLS Support**: Automatic certificate-based authentication
+- **Host Allowlisting**: Outbound connection validation
+- **Input Sanitization**: Prompt and parameter filtering
+- **Destructive Action Confirmation**: Queue-based approval system for dangerous operations
+- **Tamper-proof Logging**: SHA-chained append-only audit logs
+- **Universal Coverage**: Same decorator factory works for tools, prompts, and retrieval
+
+## Quick Start
+
+```python
+from smcp import FastSMCP as FastMCP
+from smcp import tool, prompt
+
+# Configure security features (all optional)
+cfg = {
+    "ca_path": "ca.pem",
+    "cert_path": "server.pem", 
+    "key_path": "server.key",
+    "ALLOWED_HOSTS": ["api.internal.local", "10.0.0.5"],
+    "SAFE_RE": r"^[\w\s.,:;!?-]{1,2048}$",
+    "LOG_PATH": "/var/log/smcp.log"
+}
+
+app = FastMCP("myserver", smcp_cfg=cfg)
+
+@tool(confirm=True)  # Requires approval
+def delete_user(uid: str):
+    ...
+
+@prompt()  # Auto-filtered if SAFE_RE present
+def chat(prompt: str):
+    ...
+```
+
+## Security Guards
+
+| Feature | Activation Trigger | Purpose |
+|---------|-------------------|---------|
+| Mutual TLS | `ca_path`, `cert_path`, `key_path` in config | Certificate-based authentication |
+| Host Allowlist | Non-empty `ALLOWED_HOSTS` | Outbound connection validation |
+| Input Filtering | `SAFE_RE` or `MAX_LEN` defined | Sanitize prompts and parameters |
+| Action Confirmation | `confirm=True` on decorator | Queue destructive operations for approval |
+| Audit Logging | `LOG_PATH` set | Tamper-proof operation logging |
+
+## CLI Tools
+
+```bash
+# Generate certificates
+smcp-mkcert --ca-name "MyCA" --server-name "myserver.local"
+
+# Approve queued actions  
+smcp-approve <action-id>
+```
+
+## Installation
+
+### From PyPI.org (Public)
+
+```bash
+pip install bizteam-smcp
+```
+
+### From Private PyPI Server
+
+```bash
+# Using private PyPI server
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp
+```
+
+### Upgrading to Business Edition
+
+For additional features and enterprise support, a business edition is available:
+
+```bash
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp-biz
+```
+
+**Contact**: [business@bizteamai.com](mailto:business@bizteamai.com) for more information.
+
+## License
+
+MIT License

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/PKG-INFO

@@ -0,0 +1,117 @@
+Metadata-Version: 2.4
+Name: bizteamai-smcp
+Version: 1.13.1
+Summary: Secure Model Context Protocol - Security layers for MCP servers
+Author: SMCP Contributors
+License: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: mcp
+Requires-Dist: fastmcp
+Requires-Dist: cryptography
+Requires-Dist: pyyaml
+Provides-Extra: dev
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-asyncio; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: isort; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+
+# SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP (Model Context Protocol) servers, providing multiple layers of protection through conditional guards that activate only when needed.
+
+## Features
+
+- **Conditional Security Guards**: Each security layer activates only when its required configuration is present
+- **Mutual TLS Support**: Automatic certificate-based authentication
+- **Host Allowlisting**: Outbound connection validation
+- **Input Sanitization**: Prompt and parameter filtering
+- **Destructive Action Confirmation**: Queue-based approval system for dangerous operations
+- **Tamper-proof Logging**: SHA-chained append-only audit logs
+- **Universal Coverage**: Same decorator factory works for tools, prompts, and retrieval
+
+## Quick Start
+
+```python
+from smcp import FastSMCP as FastMCP
+from smcp import tool, prompt
+
+# Configure security features (all optional)
+cfg = {
+    "ca_path": "ca.pem",
+    "cert_path": "server.pem", 
+    "key_path": "server.key",
+    "ALLOWED_HOSTS": ["api.internal.local", "10.0.0.5"],
+    "SAFE_RE": r"^[\w\s.,:;!?-]{1,2048}$",
+    "LOG_PATH": "/var/log/smcp.log"
+}
+
+app = FastMCP("myserver", smcp_cfg=cfg)
+
+@tool(confirm=True)  # Requires approval
+def delete_user(uid: str):
+    ...
+
+@prompt()  # Auto-filtered if SAFE_RE present
+def chat(prompt: str):
+    ...
+```
+
+## Security Guards
+
+| Feature | Activation Trigger | Purpose |
+|---------|-------------------|---------|
+| Mutual TLS | `ca_path`, `cert_path`, `key_path` in config | Certificate-based authentication |
+| Host Allowlist | Non-empty `ALLOWED_HOSTS` | Outbound connection validation |
+| Input Filtering | `SAFE_RE` or `MAX_LEN` defined | Sanitize prompts and parameters |
+| Action Confirmation | `confirm=True` on decorator | Queue destructive operations for approval |
+| Audit Logging | `LOG_PATH` set | Tamper-proof operation logging |
+
+## CLI Tools
+
+```bash
+# Generate certificates
+smcp-mkcert --ca-name "MyCA" --server-name "myserver.local"
+
+# Approve queued actions  
+smcp-approve <action-id>
+```
+
+## Installation
+
+### From PyPI.org (Public)
+
+```bash
+pip install bizteam-smcp
+```
+
+### From Private PyPI Server
+
+```bash
+# Using private PyPI server
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp
+```
+
+### Upgrading to Business Edition
+
+For additional features and enterprise support, a business edition is available:
+
+```bash
+pip install --extra-index-url https://bizteamai.com/pypi/simple/ bizteam-smcp-biz
+```
+
+**Contact**: [business@bizteamai.com](mailto:business@bizteamai.com) for more information.
+
+## License
+
+MIT License

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/SOURCES.txt

@@ -0,0 +1,27 @@
+README.md
+pyproject.toml
+bizteamai_smcp.egg-info/PKG-INFO
+bizteamai_smcp.egg-info/SOURCES.txt
+bizteamai_smcp.egg-info/dependency_links.txt
+bizteamai_smcp.egg-info/entry_points.txt
+bizteamai_smcp.egg-info/requires.txt
+bizteamai_smcp.egg-info/top_level.txt
+smcp/__init__.py
+smcp/allowlist.py
+smcp/app_wrapper.py
+smcp/confirm.py
+smcp/cpu.py
+smcp/decorators.py
+smcp/enforce.py
+smcp/filters.py
+smcp/license.py
+smcp/logchain.py
+smcp/tls.py
+smcp/cli/__init__.py
+smcp/cli/approve.py
+smcp/cli/gen_key.py
+smcp/cli/mkcert.py
+smcp/cli/revoke.py
+tests/test_app_wrapper.py
+tests/test_decorators.py
+tests/test_integration.py

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+smcp-approve = smcp.cli.approve:main
+smcp-mkcert = smcp.cli.mkcert:main

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/requires.txt

@@ -0,0 +1,11 @@
+mcp
+fastmcp
+cryptography
+pyyaml
+
+[dev]
+pytest
+pytest-asyncio
+black
+isort
+mypy

bizteamai_smcp-1.13.1/bizteamai_smcp.egg-info/top_level.txt

@@ -0,0 +1 @@
+smcp

bizteamai_smcp-1.13.1/pyproject.toml

@@ -0,0 +1,53 @@
+[build-system]
+requires = ["setuptools>=61.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "bizteamai-smcp"
+version = "1.13.1"
+description = "Secure Model Context Protocol - Security layers for MCP servers"
+authors = [{name = "SMCP Contributors"}]
+license = {text = "MIT"}
+readme = "README.md"
+requires-python = ">=3.8"
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+dependencies = [
+    "mcp",
+    "fastmcp",
+    "cryptography",
+    "pyyaml",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest",
+    "pytest-asyncio",
+    "black",
+    "isort",
+    "mypy",
+]
+
+[project.scripts]
+smcp-mkcert = "smcp.cli.mkcert:main"
+smcp-approve = "smcp.cli.approve:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["smcp*"]
+
+[tool.black]
+line-length = 88
+target-version = ['py38']
+
+[tool.isort]
+profile = "black"

bizteamai_smcp-1.13.1/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

bizteamai_smcp-1.13.1/smcp/__init__.py

@@ -0,0 +1,29 @@
+"""
+SMCP - Secure Model Context Protocol
+
+A security-focused wrapper library for MCP servers providing conditional
+security guards that activate only when their required configuration is present.
+"""
+
+import logging
+
+from .app_wrapper import FastSMCP
+from .decorators import tool, prompt, retrieval
+
+__version__ = "0.1.0"
+__all__ = ["FastSMCP", "tool", "prompt", "retrieval"]
+
+# Non-intrusive watermark for community edition
+def _show_watermark():
+    """Display a subtle watermark message for the community edition."""
+    logger = logging.getLogger(__name__)
+    logger.info("SMCP Community Edition - For commercial licensing visit: https://smcp.dev/business")
+
+# Show watermark on import (only once)
+try:
+    if not hasattr(_show_watermark, '_shown'):
+        _show_watermark()
+        _show_watermark._shown = True
+except Exception:
+    # Silently fail if logging isn't configured
+    pass

bizteamai_smcp-1.13.1/smcp/allowlist.py

@@ -0,0 +1,169 @@
+"""
+Host allowlist validation for outbound connections.
+"""
+
+import ipaddress
+import re
+from typing import Dict, List, Union
+from urllib.parse import urlparse
+
+
+class HostValidationError(Exception):
+    """Raised when a host fails allowlist validation."""
+    pass
+
+
+def validate_host(target: str, cfg: Dict[str, Union[str, List[str]]]) -> None:
+    """
+    Validate that a target host is in the allowlist.
+    
+    Args:
+        target: Target host, URL, or IP address to validate
+        cfg: Configuration dictionary containing ALLOWED_HOSTS
+        
+    Raises:
+        HostValidationError: If the host is not in the allowlist
+    """
+    allowed_hosts = cfg.get("ALLOWED_HOSTS", [])
+    if not allowed_hosts:
+        return  # No allowlist configured, allow all
+    
+    # Extract hostname from URL if needed
+    hostname = _extract_hostname(target)
+    
+    # Check against allowlist
+    if not _is_host_allowed(hostname, allowed_hosts):
+        raise HostValidationError(f"Host '{hostname}' not in allowlist")
+
+
+def _extract_hostname(target: str) -> str:
+    """
+    Extract hostname from a target string (URL, hostname, or IP).
+    
+    Args:
+        target: Target string to parse
+        
+    Returns:
+        Extracted hostname or IP address
+    """
+    # If it looks like a URL, parse it
+    if "://" in target:
+        parsed = urlparse(target)
+        return parsed.hostname or parsed.netloc
+    
+    # If it contains a port, strip it
+    if ":" in target and not _is_ipv6(target):
+        return target.split(":")[0]
+    
+    return target
+
+
+def _is_ipv6(address: str) -> bool:
+    """Check if a string is an IPv6 address."""
+    try:
+        ipaddress.IPv6Address(address)
+        return True
+    except ipaddress.AddressValueError:
+        return False
+
+
+def _is_host_allowed(hostname: str, allowed_hosts: List[str]) -> bool:
+    """
+    Check if a hostname is in the allowlist.
+    
+    Args:
+        hostname: Hostname to check
+        allowed_hosts: List of allowed hosts (can include patterns)
+        
+    Returns:
+        True if the hostname is allowed
+    """
+    for allowed in allowed_hosts:
+        if _host_matches(hostname, allowed):
+            return True
+    return False
+
+
+def _host_matches(hostname: str, pattern: str) -> bool:
+    """
+    Check if a hostname matches an allowlist pattern.
+    
+    Supports:
+    - Exact matches: "api.example.com"
+    - Wildcard subdomains: "*.example.com"
+    - IP addresses: "192.168.1.1"
+    - IP ranges: "192.168.1.0/24"
+    
+    Args:
+        hostname: Hostname to check
+        pattern: Pattern to match against
+        
+    Returns:
+        True if the hostname matches the pattern
+    """
+    # Exact match
+    if hostname == pattern:
+        return True
+    
+    # Wildcard subdomain match
+    if pattern.startswith("*."):
+        domain = pattern[2:]
+        return hostname.endswith(f".{domain}") or hostname == domain
+    
+    # IP range match
+    if "/" in pattern:
+        try:
+            network = ipaddress.ip_network(pattern, strict=False)
+            address = ipaddress.ip_address(hostname)
+            return address in network
+        except (ipaddress.AddressValueError, ValueError):
+            pass
+    
+    # Regex pattern match (if pattern contains regex characters)
+    if any(char in pattern for char in r"[](){}+?^$|\\"):
+        try:
+            return bool(re.match(pattern, hostname))
+        except re.error:
+            pass
+    
+    return False
+
+
+def add_host_to_allowlist(cfg: Dict[str, List[str]], host: str) -> None:
+    """
+    Add a host to the allowlist configuration.
+    
+    Args:
+        cfg: Configuration dictionary to modify
+        host: Host to add to the allowlist
+    """
+    if "ALLOWED_HOSTS" not in cfg:
+        cfg["ALLOWED_HOSTS"] = []
+    
+    if host not in cfg["ALLOWED_HOSTS"]:
+        cfg["ALLOWED_HOSTS"].append(host)
+
+
+def remove_host_from_allowlist(cfg: Dict[str, List[str]], host: str) -> None:
+    """
+    Remove a host from the allowlist configuration.
+    
+    Args:
+        cfg: Configuration dictionary to modify
+        host: Host to remove from the allowlist
+    """
+    if "ALLOWED_HOSTS" in cfg and host in cfg["ALLOWED_HOSTS"]:
+        cfg["ALLOWED_HOSTS"].remove(host)
+
+
+def get_allowed_hosts(cfg: Dict[str, List[str]]) -> List[str]:
+    """
+    Get the current allowlist.
+    
+    Args:
+        cfg: Configuration dictionary
+        
+    Returns:
+        List of allowed hosts
+    """
+    return cfg.get("ALLOWED_HOSTS", [])