mcp-zero-trust-layer 0.1.0__tar.gz

mcp_zero_trust_layer-0.1.0/CHANGELOG.md

@@ -0,0 +1,84 @@
+# Changelog
+
+All notable changes to MCP Zero Trust Layer will be documented here.
+
+The project follows SemVer during the `0.x` line with the caveat that minor versions may still change configuration shape before `1.0`.
+
+## 0.1.0 - Unreleased
+
+### Added
+
+- PyPI-ready Python package with `mcpzt` and `mcp-zero-trust-layer` CLI entry points.
+- Versionable YAML config with validation and JSON Schema export.
+- HTTP JSON proxy runtime for MCP Streamable HTTP POST requests.
+- Stdio wrapper runtime with protocol-only stdout.
+- Multi-MCP HTTP routing with `/mcp/{server_name}`.
+- Policy engine with deny, hide, require approval, redact, limit, transform, allow and log effects.
+- `mcpzt policy explain` for request-context diagnostics, matched policies and per-policy match failures.
+- Native policy `input` blocks for allowed fields, required fields, forbidden fields, allowed values, max field bytes and max list items.
+- Optional OPA policy adapter for external policy decisions over normalized MCPZT context.
+- Exact and semantic capability matching over server, method, tool/resource/prompt, action, risk, access, tags, data classification and identity.
+- Request validators for read-only SQL, filesystem paths, URLs, email, regex, required fields, forbidden fields and max field size.
+- Output enforcement for redaction, deny patterns, max bytes and include-only views.
+- Local approval store and approval CLI.
+- Approval webhook notifications for created, approved and denied approval lifecycle events.
+- Prometheus-format decision metrics exposed by the HTTP runtime.
+- Capability discovery and diff commands.
+- Deterministic `mcpzt scan` command for capability snapshot risk checks.
+- MCP client config generation through `mcpzt client config`.
+- Bundled policy packs for GitHub read-only, Postgres read-only and filesystem-safe examples.
+- Multi-MCP example config covering GitHub, Postgres, filesystem and CRM use cases.
+- Static token, API key, JWT and OIDC/JWKS authentication.
+- Secret references with `auth.token_env`, `env:`, `${VAR}`, `file:`, `op://`, `aws-sm://` and `vault://`.
+- Explicit HTTP upstream credential headers through `servers[].upstream_headers`.
+- OAuth protected resource metadata endpoints for HTTP deployments.
+- JSONL audit logging with recursive secret redaction, strict/non-strict write modes and hash-chain verification.
+- `mcpzt doctor` for local and config diagnostics.
+- Dockerfile, production Docker Compose recipe, Helm starter chart, CI workflow and PyPI Trusted Publishing workflow.
+
+### Changed
+
+- Reworked README into a fuller narrative guide with longer explanatory sections, fewer compact bullet lists and more context around product intent, operations, security and release workflow.
+- Expanded README with request evaluation flow, copy-paste policy examples, manual HTTP examples, multi-MCP walkthrough, deployment patterns and troubleshooting.
+- Added [docs/MULTI_MCP_USE_CASES.md](docs/MULTI_MCP_USE_CASES.md) to document real multi-server scenarios and their expected behavior.
+- Added [examples/multi-mcp/mcpzt.yaml](examples/multi-mcp/mcpzt.yaml) as a versionable multi-MCP starter config.
+- Docker builds now install with `constraints.txt` for reproducible image dependency resolution.
+- Public package documentation now excludes internal construction docs, planning docs and security audit notes.
+- Expanded public docs for multi-MCP usage, production deployment and PyPI release operations with fuller explanations and release safety checks.
+- Expanded public docs with policy explanation, parameter contracts, secret-manager references, approval webhooks, metrics, audit verification, scanner usage and deployment recipes.
+
+### Security
+
+- Production config requires default deny and explicit auth unless overridden.
+- Production rejects `runtime.dry_run: true` unless an explicit production override is set.
+- Production requires `runtime.public_base_url` or `runtime.trusted_hosts`.
+- Production JWT/OIDC requires issuer and audience.
+- HTTP upstream headers are allowlisted.
+- Static tokens and API keys use constant-time comparison.
+- Static token and API key auth ignore caller-supplied `x-mcpzt-*` identity headers by default.
+- Incoming client `Authorization` is not forwarded to upstreams unless configured explicitly as an upstream header.
+- Side-effecting JSON-RPC notifications are evaluated by policy instead of being forwarded blindly.
+- HTTP request bodies are bounded by `runtime.max_request_bytes`.
+- HTTP upstream responses are bounded by `servers[].max_response_bytes`.
+- HTTP upstream error bodies are truncated and redacted before being returned to clients.
+- Output enforcement applies to JSON-RPC `error` payloads as well as `result` payloads.
+- Approval store writes use file locking and atomic replace.
+- Approval decisions record approver, timestamp and optional comment, and emit audit events.
+- FastAPI docs, Redoc and OpenAPI routes are disabled in production.
+- URL validator resolves hostnames and blocks private, loopback, link-local and cloud metadata IPs by default.
+- Audit decision events include whether the upstream was called.
+- Audit events can be hash-chain verified with `mcpzt audit verify`.
+- Metrics avoid request arguments and output payloads to reduce monitoring data leakage.
+- Filesystem validator relative roots can resolve from the loaded config directory.
+
+### Tests
+
+- Added full multi-MCP integration test coverage with local HTTP MCP upstreams.
+- Multi-MCP tests cover capability filtering, safe routing, SQL blocking, filesystem blocking, approvals, approval stripping and CRM output redaction.
+- Added tests for policy explanation, input policies, OPA adapter behavior, audit hash-chain verification, metrics exposure, client config generation and scanner findings.
+- Current suite: 82 tests passing.
+
+### Notes
+
+- GET SSE streams are not offered in `0.1.0`; the HTTP endpoint returns 405 for GET, which is allowed for servers that do not offer an SSE stream.
+- Request-scoped upstream SSE passthrough is intentionally outside this first release.

mcp_zero_trust_layer-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing
+
+Thanks for helping make MCP Zero Trust Layer safer and easier to use.
+
+## Local Setup
+
+```bash
+python -m venv .venv
+. .venv/bin/activate
+python -m pip install -e ".[dev]"
+```
+
+Run the core checks before opening a pull request:
+
+```bash
+python -m pytest
+ruff check .
+python -m build
+twine check dist/*
+```
+
+## Design Rules
+
+- Keep policy decisions independent from HTTP and stdio transports.
+- Do not put security decisions in CLI presentation code.
+- Prefer explicit deny behavior over implicit allow behavior.
+- Every deny, approval, validation failure and output block needs a human-readable reason.
+- Never write logs to stdout in stdio mode.
+- Redact secrets before audit writes, test outputs or error messages.
+- Add tests when changing policy, validators, auth, output enforcement, audit or transports.
+
+## Configuration Compatibility
+
+The project is currently `0.x`, so config shape may evolve. Breaking config changes must include:
+
+- changelog entry;
+- migration note;
+- updated examples;
+- focused tests.
+
+## Pull Request Checklist
+
+- Tests pass.
+- Lint passes.
+- README/docs updated for user-visible behavior.
+- New config fields have schema defaults and validation.
+- Security-sensitive changes include negative tests.
+- Packaging metadata still builds and passes `twine check`.

mcp_zero_trust_layer-0.1.0/Dockerfile

@@ -0,0 +1,15 @@
+FROM python:3.12-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /app
+COPY pyproject.toml README.md LICENSE MANIFEST.in constraints.txt ./
+COPY src ./src
+
+RUN python -m pip install --no-cache-dir -c constraints.txt .
+RUN useradd --create-home --shell /usr/sbin/nologin mcpzt && chown -R mcpzt:mcpzt /app
+
+USER mcpzt
+
+ENTRYPOINT ["mcpzt"]

mcp_zero_trust_layer-0.1.0/LICENSE

@@ -0,0 +1,200 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work.
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the
+original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a cross-claim
+or counterclaim in a lawsuit) alleging that the Work or a Contribution
+incorporated within the Work constitutes direct or contributory patent
+infringement, then any patent licenses granted to You under this
+License for that Work shall terminate as of the date such litigation
+is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative
+Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work, excluding
+those notices that do not pertain to any part of the Derivative
+Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions. Notwithstanding
+the above, nothing herein shall supersede or modify the terms of any
+separate license agreement you may have executed with Licensor
+regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following
+boilerplate notice, with the fields enclosed by brackets "[]"
+replaced with your own identifying information. Do not include
+the brackets. The text should be enclosed in the appropriate
+comment syntax for the file format. We also recommend that a
+file or class name and description of purpose be included on the
+same "printed page" as the copyright notice for easier
+identification within third-party archives.
+
+Copyright 2026 MCP Zero Trust Layer Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

mcp_zero_trust_layer-0.1.0/MANIFEST.in

@@ -0,0 +1,13 @@
+include README.md
+include LICENSE
+include SECURITY.md
+include CONTRIBUTING.md
+include CHANGELOG.md
+include Dockerfile
+include constraints.txt
+include docs/MULTI_MCP_USE_CASES.md
+include docs/PRODUCTION.md
+include docs/PYPI_RELEASE.md
+recursive-include examples *.yaml
+recursive-include deploy *.yaml
+recursive-include deploy *.tpl