mcpower-proxy 0.0.65__py3-none-any.whl → 0.0.74__py3-none-any.whl

modules/apis/security_policy.py

@@ -1,9 +1,9 @@
 """Security Policy API Client"""
 
 import json
+import time
 import uuid
 from typing import Dict, Any, Optional, List
-import time
 
 import httpx
 
@@ -13,6 +13,7 @@ from modules.logs.logger import MCPLogger
 from modules.redaction import redact
 from modules.utils.config import get_api_url, get_user_id
 from modules.utils.json import safe_json_dumps, to_dict
+from wrapper.__version__ import __version__
 
 
 class SecurityAPIError(Exception):
@@ -22,6 +23,7 @@ class SecurityAPIError(Exception):
 
 class RateLimitExhaustedError(SecurityAPIError):
     """Security API rate limit exhausted (429) error"""
+
     def __init__(self, message: str, retry_after: int = None):
         super().__init__(message)
         self.retry_after = retry_after
@@ -52,7 +54,7 @@ class SecurityPolicyClient:
         if self.client:
             await self.client.aclose()
 
-    async def inspect_policy_request(self, policy_request: PolicyRequest, 
+    async def inspect_policy_request(self, policy_request: PolicyRequest,
                                      prompt_id: str) -> InspectDecision:
         """Call inspect_policy_request API endpoint"""
         if not self.client:
@@ -155,7 +157,7 @@ class SecurityPolicyClient:
                 audit_payload = {"payload": {"server": payload_dict["server"], "tools": payload_dict["tools"]}}
             else:
                 audit_payload = {"payload": payload_dict}
-            
+
             self.audit_logger.log_event(
                 audit_event_type,
                 audit_payload,
@@ -166,6 +168,7 @@ class SecurityPolicyClient:
 
             headers = {
                 "Content-Type": "application/json",
+                "User-Agent": f"MCPower-{__version__}",
                 "X-User-UID": self.user_id,
                 "X-App-UID": self.app_id
             }
@@ -188,7 +191,8 @@ class SecurityPolicyClient:
                 raise SecurityAPIError(f"Unsupported HTTP method: {method}. Supported methods: POST, PUT")
 
             on_make_request_duration = time.time() - on_make_request_start_time
-            self.logger.info(f"PROFILE: {method} id: {id} make_request duration: {on_make_request_duration:.2f} seconds url: {url}")
+            self.logger.debug(
+                f"PROFILE: {method} id: {id} make_request duration: {on_make_request_duration:.2f} seconds url: {url}")
 
             match response.status_code:
                 case 200:
@@ -215,7 +219,7 @@ class SecurityPolicyClient:
                     else:
                         # Other responses (e.g., /init) - log entire response
                         audit_result = {"result": data_dict}
-                    
+
                     self.audit_logger.log_event(
                         f"{audit_event_type}_result",
                         audit_result,
@@ -278,7 +282,8 @@ class SecurityPolicyClient:
     def _handle_quota_restoration(self, endpoint: str):
         """Handle quota restoration (when non-429 response received)"""
         if self.session_id in self._session_notification_times:
-            self.logger.info(f"Quota restored - received successful response from {endpoint}. Session: {self.session_id}")
+            self.logger.info(
+                f"Quota restored - received successful response from {endpoint}. Session: {self.session_id}")
             del self._session_notification_times[self.session_id]
 
     def _send_throttled_quota_notification(self, retry_after: int, endpoint: str):

modules/decision_handler.py

@@ -0,0 +1,219 @@
+"""
+Decision Handler - Common decision enforcement logic
+
+Shared module for enforcing security policy decisions across middleware and IDE tools.
+Handles user confirmation dialogs and decision recording.
+"""
+from typing import Dict, Any, Optional
+
+from mcpower_shared.mcp_types import UserConfirmation
+from modules.apis.security_policy import SecurityPolicyClient
+from modules.logs.audit_trail import AuditTrailLogger
+from modules.logs.logger import MCPLogger
+from modules.ui.classes import ConfirmationRequest, DialogOptions, UserDecision
+from modules.ui.confirmation import UserConfirmationDialog, UserConfirmationError
+
+
+class DecisionEnforcementError(Exception):
+    """Error raised when a security decision blocks an operation"""
+    pass
+
+
+class DecisionHandler:
+    """
+    Handles security policy decision enforcement with user confirmation support.
+    
+    This class provides common functionality for:
+    - Enforcing allow/block/confirm decisions
+    - Showing user confirmation dialogs
+    - Recording user decisions via API
+    """
+
+    def __init__(self, logger: MCPLogger, audit_logger: AuditTrailLogger,
+                 session_id: str, app_id: str):
+        self.logger = logger
+        self.audit_logger = audit_logger
+        self.session_id = session_id
+        self.app_id = app_id
+
+    async def enforce_decision(
+            self,
+            decision: Dict[str, Any],
+            is_request: bool,
+            event_id: str,
+            tool_name: str,
+            content_data: Dict[str, Any],
+            operation_type: str,
+            prompt_id: str,
+            server_name: str,
+            error_message_prefix: Optional[str] = None
+    ) -> None:
+        """
+        Enforce security decision with user confirmation support.
+        
+        Args:
+            decision: Security decision dict with 'decision', 'reasons', 'severity', 'call_type'
+            is_request: True if inspecting request, False if inspecting response
+            event_id: Event ID for tracking
+            tool_name: Name of the tool/operation
+            content_data: Data to show in confirmation dialog
+            operation_type: Type of operation (e.g., 'tool', 'hook')
+            prompt_id: prompt ID for correlation
+            server_name: server name for display
+            error_message_prefix: Optional prefix for error messages
+            
+        Raises:
+            DecisionEnforcementError: If decision blocks the operation
+        """
+        decision_type = decision.get("decision", "block")
+
+        if decision_type == "allow":
+            return
+
+        elif decision_type == "block":
+            policy_reasons = decision.get("reasons", ["Policy violation"])
+            severity = decision.get("severity", "unknown")
+            call_type = decision.get("call_type")
+
+            try:
+                # Show a blocking dialog and wait for user decision
+                confirmation_request = ConfirmationRequest(
+                    is_request=is_request,
+                    tool_name=tool_name,
+                    policy_reasons=policy_reasons,
+                    content_data=content_data,
+                    severity=severity,
+                    event_id=event_id,
+                    operation_type=operation_type,
+                    server_name=server_name,
+                    timeout_seconds=60
+                )
+
+                response = UserConfirmationDialog(
+                    self.logger, self.audit_logger
+                ).request_blocking_confirmation(confirmation_request, prompt_id, call_type)
+
+                # If we got here, user chose "Allow Anyway"
+                self.logger.info(f"User chose to 'allow anyway' a blocked {confirmation_request.operation_type} "
+                                 f"operation for tool '{tool_name}' (event: {event_id})")
+
+                await self._record_user_confirmation(event_id, is_request, response.user_decision, prompt_id, call_type)
+                return
+
+            except UserConfirmationError as e:
+                # User chose to block or dialog failed
+                await self._record_user_confirmation(event_id, is_request, UserDecision.BLOCK, prompt_id, call_type)
+                error_msg = error_message_prefix or "Security Violation"
+                raise DecisionEnforcementError(f"{error_msg}. User blocked the operation")
+
+        elif decision_type == "required_explicit_user_confirmation":
+            policy_reasons = decision.get("reasons", ["Security policy requires confirmation"])
+            severity = decision.get("severity", "unknown")
+            call_type = decision.get("call_type")
+
+            try:
+                confirmation_request = ConfirmationRequest(
+                    is_request=is_request,
+                    tool_name=tool_name,
+                    policy_reasons=policy_reasons,
+                    content_data=content_data,
+                    severity=severity,
+                    event_id=event_id,
+                    operation_type=operation_type,
+                    server_name=server_name,
+                    timeout_seconds=60
+                )
+
+                # only show YES_ALWAYS if call_type exists
+                options = DialogOptions(
+                    show_always_allow=(call_type is not None),
+                    show_always_block=False
+                )
+
+                response = UserConfirmationDialog(
+                    self.logger, self.audit_logger
+                ).request_confirmation(confirmation_request, prompt_id, call_type, options)
+
+                # If we got here, user approved the operation
+                self.logger.info(f"User {response.user_decision.value} {confirmation_request.operation_type} "
+                                 f"operation for tool '{tool_name}' (event: {event_id})")
+
+                await self._record_user_confirmation(event_id, is_request, response.user_decision, prompt_id, call_type)
+                return
+
+            except UserConfirmationError as e:
+                # User denied confirmation or dialog failed
+                await self._record_user_confirmation(event_id, is_request, UserDecision.BLOCK, prompt_id, call_type)
+                error_msg = error_message_prefix or "Security Violation"
+                raise DecisionEnforcementError(f"{error_msg}. User blocked the operation")
+
+        elif decision_type == "need_more_info":
+            stage_title = 'CLIENT REQUEST' if is_request else 'TOOL RESPONSE'
+
+            # Create an actionable error message for the AI agent
+            reasons = decision.get("reasons", [])
+            need_fields = decision.get("need_fields", [])
+
+            error_parts = [
+                f"SECURITY POLICY NEEDS MORE INFORMATION FOR REVIEWING {stage_title}:",
+                '\n'.join(reasons),
+                ''  # newline
+            ]
+
+            if need_fields:
+                # Convert server field names to wrapper field names for the AI agent
+                wrapper_field_mapping = {
+                    "context.agent.intent": "__wrapper_modelIntent",
+                    "context.agent.plan": "__wrapper_modelPlan",
+                    "context.agent.expectedOutputs": "__wrapper_modelExpectedOutputs",
+                    "context.agent.user_prompt": "__wrapper_userPrompt",
+                    "context.agent.user_prompt_id": "__wrapper_userPromptId",
+                    "context.agent.context_summary": "__wrapper_contextSummary",
+                    "context.workspace.current_files": "__wrapper_currentFiles",
+                }
+
+                missing_wrapper_fields = []
+                for field in need_fields:
+                    wrapper_field = wrapper_field_mapping.get(field, field)
+                    missing_wrapper_fields.append(wrapper_field)
+
+                if missing_wrapper_fields:
+                    error_parts.append("AFFECTED FIELDS:")
+                    error_parts.extend(missing_wrapper_fields)
+                else:
+                    error_parts.append("MISSING INFORMATION:")
+                    error_parts.extend(need_fields)
+
+            error_parts.append("\nMANDATORY ACTIONS:")
+            error_parts.append("1. Add/Edit ALL affected fields according to the required information")
+            error_parts.append("2. Retry the tool call")
+
+            actionable_message = "\n".join(error_parts)
+            raise DecisionEnforcementError(actionable_message)
+
+    async def _record_user_confirmation(
+            self,
+            event_id: str,
+            is_request: bool,
+            user_decision: UserDecision,
+            prompt_id: str,
+            call_type: Optional[str] = None
+    ):
+        """Record user confirmation decision with the security API"""
+        try:
+            direction = "request" if is_request else "response"
+
+            user_confirmation = UserConfirmation(
+                event_id=event_id,
+                direction=direction,
+                user_decision=user_decision,
+                call_type=call_type
+            )
+
+            async with SecurityPolicyClient(session_id=self.session_id, logger=self.logger,
+                                            audit_logger=self.audit_logger, app_id=self.app_id) as client:
+                result = await client.record_user_confirmation(user_confirmation, prompt_id=prompt_id)
+                self.logger.debug(f"User confirmation recorded: {result}")
+        except Exception as e:
+            # Don't fail the operation if API call fails - just log the error
+            self.logger.error(f"Failed to record user confirmation: {e}")

modules/logs/audit_trail.py

@@ -50,14 +50,14 @@ class AuditTrailLogger:
         Path(self.audit_file).parent.mkdir(parents=True, exist_ok=True)
 
     def log_event(
-        self, 
-        event_type: str, 
-        data: Dict[str, Any], 
-        event_id: Optional[str] = None,
-        prompt_id: Optional[str] = None,
-        user_prompt: Optional[str] = None,
-        ignored_keys: Optional[List[str]] = None,
-        include_keys: Optional[List[str]] = None
+            self,
+            event_type: str,
+            data: Dict[str, Any],
+            event_id: Optional[str] = None,
+            prompt_id: Optional[str] = None,
+            user_prompt: Optional[str] = None,
+            ignored_keys: Optional[List[str]] = None,
+            include_keys: Optional[List[str]] = None
     ):
         """
         Log a single audit event
@@ -74,19 +74,20 @@ class AuditTrailLogger:
         try:
             # Convert data to dict structure (handles nested objects, dataclasses, Pydantic models)
             data_dict = to_dict(data)
-            
+
             # Build event structure
             event = {
                 "session_id": self.session_id,
                 "timestamp": datetime.now(timezone.utc).isoformat(),
                 "event_type": event_type,
-                "data": redact(data_dict, ignored_keys=ignored_keys, include_keys=include_keys)  # Redaction with optional key filtering
+                "data": redact(data_dict, ignored_keys=ignored_keys, include_keys=include_keys)
+                # Redaction with optional key filtering
             }
 
             # Include prompt_id if provided (for grouping by user prompt)
             if prompt_id:
                 event["prompt_id"] = prompt_id
-                
+
             # Include user_prompt text if provided (only needed once per prompt_id)
             if user_prompt:
                 event["user_prompt"] = user_prompt
@@ -118,7 +119,7 @@ class AuditTrailLogger:
             "app_uid": self.app_uid,
             **{k: v for k, v in event.items() if k != "app_uid"}
         }
-        
+
         # Atomic append to audit trail file
         with open(self.audit_file, 'a', encoding='utf-8') as f:
             f.write(safe_json_dumps(event_with_app_uid) + '\n')
@@ -137,14 +138,14 @@ class AuditTrailLogger:
         """
         if self.app_uid == app_uid:
             return
-        
+
         if self.app_uid is not None:
             self.logger.info(f"app_uid changed from {self.app_uid} to {app_uid}")
         else:
             self.logger.debug(f"app_uid set to: {app_uid}")
-        
+
         self.app_uid = app_uid
-        
+
         # Flush all pending logs
         if self._pending_logs:
             self.logger.debug(f"Flushing {len(self._pending_logs)} queued audit logs")

modules/logs/logger.py

@@ -13,7 +13,7 @@ from modules.utils.ids import get_session_id
 
 class UTF8StreamHandler(logging.StreamHandler):
     """StreamHandler that forces UTF-8 encoding on Windows to prevent UnicodeEncodeError"""
-    
+
     def __init__(self, stream=None):
         # On Windows, wrap the stream with UTF-8 encoding BEFORE passing to parent
         if sys.platform == 'win32' and stream is not None:
@@ -25,13 +25,13 @@ class UTF8StreamHandler(logging.StreamHandler):
                     errors='replace',
                     line_buffering=True
                 )
-        
+
         super().__init__(stream)
 
 
 class SessionFormatter(logging.Formatter):
     """Custom formatter that includes session ID in log messages"""
-    
+
     # Single character mapping for perfect alignment and compactness
     LEVEL_MAPPING = {
         'DEBUG': 'D',
@@ -40,11 +40,11 @@ class SessionFormatter(logging.Formatter):
         'ERROR': 'E',
         'CRITICAL': 'C'
     }
-    
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self._session_id = get_session_id()[:8]
-    
+
     def format(self, record):
         # Use the cached session ID
         record.session_id = self._session_id
@@ -58,52 +58,51 @@ class SessionFormatter(logging.Formatter):
 
 class MCPLogger:
     """Simple line-based logger for MCP traffic"""
-    
+
     def __init__(self, log_file: Optional[str] = None, level: int = logging.INFO):
         self.log_file = log_file
         self.file_handle: Optional[TextIO] = None
-        
+
         # Setup file handle if log file specified (for MCP traffic logging)
         if log_file:
             log_path = Path(log_file)
             log_path.parent.mkdir(parents=True, exist_ok=True)
             self.file_handle = open(log_path, 'a', encoding='utf-8')
-        
+
         # Setup standard logger for non-MCP messages
         self.logger = logging.getLogger('mcpower')
         self.logger.setLevel(level)
-        
+
         # Create console handler with UTF-8 support
         console_handler = UTF8StreamHandler(sys.stderr)
         console_handler.setLevel(level)
         formatter = SessionFormatter('%(asctime)s [%(session_id)s] (%(levelname)s) %(message)s')
         console_handler.setFormatter(formatter)
         self.logger.addHandler(console_handler)
-        
+
         # Add file handler if log file specified
         if log_file:
             file_handler = logging.FileHandler(log_file, encoding='utf-8')
             file_handler.setLevel(level)
             file_handler.setFormatter(formatter)
             self.logger.addHandler(file_handler)
-    
 
     def info(self, message: str) -> None:
         """Log info message"""
         self.logger.info(message)
-    
+
     def error(self, message: str, exc_info: bool = False) -> None:
         """Log error message"""
         self.logger.error(message, exc_info=exc_info)
-    
+
     def warning(self, message: str) -> None:
         """Log warning message"""
         self.logger.warning(message)
-    
+
     def debug(self, message: str) -> None:
         """Log debug message"""
         self.logger.debug(message)
-    
+
     def close(self) -> None:
         """Close log file handle"""
         if self.file_handle:
@@ -123,6 +122,3 @@ def setup_logger(log_file: Optional[str] = None, level: int = logging.INFO) -> M
         Configured MCPLogger instance
     """
     return MCPLogger(log_file, level)
-
-
-

modules/redaction/gitleaks_rules.py

@@ -3,7 +3,7 @@ from typing import Dict, List, Tuple
 
 # This file is auto-generated from Gitleaks rules. Do not edit manually.
 # Source: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
-# Generation script: targets/vsc-extension/scripts/update-gitleaks-rules.mjs
+# Generation script: targets/scripts/update-gitleaks-rules.mjs
 
 COMPILED_RULES: List[Tuple[str, re.Pattern, int, List[str]]] = [
     (

modules/redaction/pii_rules.py

@@ -60,15 +60,8 @@ class PIIDetector:
     """Lightweight PII detector using only regex patterns."""
 
     def __init__(self):
-        # URL detector with intelligent boundary detection
-        self.url_detector = URLDetector()
-
         # Compile regex patterns for better performance
         self.patterns = {
-            'EMAIL_ADDRESS': re.compile(
-                r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b',
-                re.IGNORECASE
-            ),
             'CREDIT_CARD': re.compile(
                 r'\b(?:'
                 r'4[0-9]{3}[-\s]?[0-9]{4}[-\s]?[0-9]{4}[-\s]?[0-9]{4}(?:[0-9]{3})?|'  # Visa with formatting
@@ -81,40 +74,6 @@ class PIIDetector:
                 r'6(?:011|5[0-9]{2})[0-9]{12}'  # Discover
                 r')\b'
             ),
-            'IP_ADDRESS': re.compile(
-                r'(?:'
-                # IPv4
-                r'\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
-                r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'
-                r'|'
-                # IPv6 - comprehensive pattern
-                r'(?:'
-                # Full IPv6 or with :: compression
-                r'(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|'  # Full: 1:2:3:4:5:6:7:8
-                r'(?:[0-9a-fA-F]{1,4}:){1,7}:|'  # Compressed trailing: 1:: or 1:2:3:4:5:6:7::
-                r'(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|'  # Compressed middle: 1::8 or 1:2:3:4:5:6::8
-                r'(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|'  # 1::7:8 or 1:2:3:4:5::7:8
-                r'(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|'  # 1::6:7:8 or 1:2:3:4::6:7:8
-                r'(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|'  # 1::5:6:7:8 or 1:2:3::5:6:7:8
-                r'(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|'  # 1::4:5:6:7:8 or 1:2::4:5:6:7:8
-                r'[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|'  # 1::3:4:5:6:7:8
-                r':(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|'  # ::2:3:4:5:6:7:8 or ::
-                # IPv4-mapped IPv6: ::ffff:192.0.2.1
-                r'(?:[0-9a-fA-F]{1,4}:){1,4}:'
-                r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
-                r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
-                r')'
-                r')',
-                re.IGNORECASE
-            ),
-            # Common crypto addresses
-            'CRYPTO_ADDRESS': re.compile(
-                r'\b(?:'
-                r'[13][a-km-zA-HJ-NP-Z1-9]{25,34}|'  # Bitcoin
-                r'0x[a-fA-F0-9]{40}|'  # Ethereum
-                r'[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}'  # Litecoin
-                r')\b'
-            ),
             # IBAN (International Bank Account Number)
             'IBAN': re.compile(
                 r'\b[A-Z]{2}[0-9]{2}[A-Z0-9]{4}[0-9]{7}([A-Z0-9]?){0,16}\b'
@@ -176,9 +135,6 @@ class PIIDetector:
         """
         matches = []
 
-        # Extract URLs using URLDetector
-        matches.extend(self.url_detector.extract(text))
-
         # Extract other PII using regex patterns
         for entity_type, pattern in self.patterns.items():
             for match in pattern.finditer(text):
@@ -212,11 +168,7 @@ class PIIDetector:
         """Calculate confidence score based on entity type and matched text."""
         # Base confidence scores
         base_scores = {
-            'EMAIL_ADDRESS': 0.95,
             'CREDIT_CARD': 0.85,  # Will be 0.99 after Luhn validation
-            'IP_ADDRESS': 0.90,
-            'URL': 0.80,
-            'CRYPTO_ADDRESS': 0.95,
             'IBAN': 0.85,  # Will be 0.99 after MOD-97 validation
         }