PyPI - open-edison - Versions diffs - 0.1.19__py3-none-any.whl → 0.1.26__py3-none-any.whl - Mend

open-edison 0.1.19py3-none-any.whl → 0.1.26py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

{open_edison-0.1.19.dist-info → open_edison-0.1.26.dist-info}/METADATA +60 -41
open_edison-0.1.26.dist-info/RECORD +17 -0
src/cli.py +2 -1
src/config.py +63 -51
src/events.py +153 -0
src/middleware/data_access_tracker.py +164 -434
src/middleware/session_tracking.py +93 -29
src/oauth_manager.py +281 -0
src/permissions.py +292 -0
src/server.py +484 -132
src/single_user_mcp.py +221 -159
src/telemetry.py +4 -40
open_edison-0.1.19.dist-info/RECORD +0 -14
{open_edison-0.1.19.dist-info → open_edison-0.1.26.dist-info}/WHEEL +0 -0
{open_edison-0.1.19.dist-info → open_edison-0.1.26.dist-info}/entry_points.txt +0 -0
{open_edison-0.1.19.dist-info → open_edison-0.1.26.dist-info}/licenses/LICENSE +0 -0

src/middleware/data_access_tracker.py CHANGED Viewed

@@ -12,15 +12,20 @@ names (with server-name/path prefixes) to their security classifications:
 - prompt_permissions.json: Prompt security classifications
 """
-import json
 from dataclasses import dataclass
-from functools import cache
-from pathlib import Path
 from typing import Any
 from loguru import logger as log
-from src.config import ConfigError
+from src import events
+from src.permissions import (
+    ACL_RANK,
+    Permissions,
+    PromptPermission,
+    ResourcePermission,
+    ToolPermission,
+    normalize_acl,
+)
 from src.telemetry import (
     record_private_data_access,
     record_prompt_access_blocked,
@@ -30,314 +35,6 @@ from src.telemetry import (
     record_write_operation,
 )
-ACL_RANK: dict[str, int] = {"PUBLIC": 0, "PRIVATE": 1, "SECRET": 2}
-# Default flat permissions applied when fields are missing in config
-DEFAULT_PERMISSIONS: dict[str, Any] = {
-    "enabled": False,
-    "write_operation": False,
-    "read_private_data": False,
-    "read_untrusted_public_data": False,
-    "acl": "PUBLIC",
-}
-def _normalize_acl(value: Any, *, default: str = "PUBLIC") -> str:
-    """Normalize ACL string, defaulting and uppercasing; validate against known values."""
-    try:
-        if value is None:
-            return default
-        acl = str(value).upper().strip()
-        if acl not in ACL_RANK:
-            # Fallback to default if invalid
-            return default
-        return acl
-    except Exception:
-        return default
-def _apply_permission_defaults(config_perms: dict[str, Any]) -> dict[str, Any]:
-    """Merge provided config flags with DEFAULT_PERMISSIONS, including ACL derivation."""
-    # Start from defaults
-    merged: dict[str, Any] = dict(DEFAULT_PERMISSIONS)
-    # Booleans
-    enabled = bool(config_perms.get("enabled", merged["enabled"]))
-    write_operation = bool(config_perms.get("write_operation", merged["write_operation"]))
-    read_private_data = bool(config_perms.get("read_private_data", merged["read_private_data"]))
-    read_untrusted_public_data = bool(
-        config_perms.get("read_untrusted_public_data", merged["read_untrusted_public_data"])  # type: ignore[reportUnknownArgumentType]
-    )
-    # ACL: explicit value wins; otherwise default PRIVATE if read_private_data True, else default
-    if "acl" in config_perms and config_perms.get("acl") is not None:
-        acl = _normalize_acl(config_perms.get("acl"), default=str(merged["acl"]))
-    else:
-        acl = _normalize_acl("PRIVATE" if read_private_data else str(merged["acl"]))
-    merged.update(
-        {
-            "enabled": enabled,
-            "write_operation": write_operation,
-            "read_private_data": read_private_data,
-            "read_untrusted_public_data": read_untrusted_public_data,
-            "acl": acl,
-        }
-    )
-    return merged
-def _flat_permissions_loader(config_path: Path) -> dict[str, dict[str, Any]]:
-    if config_path.exists():
-        with open(config_path) as f:
-            data: dict[str, Any] = json.load(f)
-            # Handle new format: server -> {tool -> permissions}
-            # Convert to flat tool -> permissions format
-            flat_permissions: dict[str, dict[str, Any]] = {}
-            tool_to_server: dict[str, str] = {}
-            server_tools: dict[str, set[str]] = {}
-            for server_name, server_data in data.items():
-                if not isinstance(server_data, dict):
-                    log.warning(
-                        f"Invalid server data for {server_name}: expected dict, got {type(server_data)}"
-                    )
-                    continue
-                if server_name == "_metadata":
-                    flat_permissions["_metadata"] = server_data
-                    continue
-                server_tools[server_name] = set()
-                for tool_name, tool_permissions in server_data.items():  # type: ignore
-                    if not isinstance(tool_permissions, dict):
-                        log.warning(
-                            f"Invalid tool permissions for {server_name}/{tool_name}: expected dict, got {type(tool_permissions)}"  # type: ignore
-                        )  # type: ignore
-                        continue
-                    # Check for duplicates within the same server
-                    if tool_name in server_tools[server_name]:
-                        log.error(f"Duplicate tool '{tool_name}' found in server '{server_name}'")
-                        raise ConfigError(
-                            f"Duplicate tool '{tool_name}' found in server '{server_name}'"
-                        )
-                    # Check for duplicates across different servers
-                    if tool_name in tool_to_server:
-                        existing_server = tool_to_server[tool_name]
-                        log.error(
-                            f"Duplicate tool '{tool_name}' found in servers '{existing_server}' and '{server_name}'"
-                        )
-                        raise ConfigError(
-                            f"Duplicate tool '{tool_name}' found in servers '{existing_server}' and '{server_name}'"
-                        )
-                    # Add to tracking maps
-                    tool_to_server[tool_name] = server_name
-                    server_tools[server_name].add(tool_name)  # type: ignore
-                    # Convert to flat format with explicit type casting
-                    tool_perms_dict: dict[str, Any] = tool_permissions  # type: ignore
-                    flat_permissions[tool_name] = _apply_permission_defaults(tool_perms_dict)
-            log.debug(
-                f"Loaded {len(flat_permissions)} tool permissions from {len(server_tools)} servers in {config_path}"
-            )
-            # Convert sets to lists for JSON serialization
-            server_tools_serializable = {
-                server: list(tools) for server, tools in server_tools.items()
-            }
-            log.debug(f"Server tools: {json.dumps(server_tools_serializable, indent=2)}")
-            return flat_permissions
-    else:
-        log.warning(f"Tool permissions file not found at {config_path}")
-        return {}
-@cache
-def _load_tool_permissions_cached() -> dict[str, dict[str, Any]]:
-    """Load tool permissions from JSON configuration file with LRU caching."""
-    config_path = Path(__file__).parent.parent.parent / "tool_permissions.json"
-    try:
-        return _flat_permissions_loader(config_path)
-    except ConfigError as e:
-        log.error(f"Failed to load tool permissions from {config_path}: {e}")
-        raise e
-    except Exception as e:
-        log.error(f"Failed to load tool permissions from {config_path}: {e}")
-        return {}
-def clear_tool_permissions_cache() -> None:
-    """Clear the tool permissions cache to force reload from file."""
-    _load_tool_permissions_cached.cache_clear()
-    log.info("Tool permissions cache cleared")
-@cache
-def _load_resource_permissions_cached() -> dict[str, dict[str, Any]]:
-    """Load resource permissions from JSON configuration file with LRU caching."""
-    config_path = Path(__file__).parent.parent.parent / "resource_permissions.json"
-    try:
-        return _flat_permissions_loader(config_path)
-    except ConfigError as e:
-        log.error(f"Failed to load resource permissions from {config_path}: {e}")
-        raise e
-    except Exception as e:
-        log.error(f"Failed to load resource permissions from {config_path}: {e}")
-        return {}
-def clear_resource_permissions_cache() -> None:
-    """Clear the resource permissions cache to force reload from file."""
-    _load_resource_permissions_cached.cache_clear()
-    log.info("Resource permissions cache cleared")
-@cache
-def _load_prompt_permissions_cached() -> dict[str, dict[str, Any]]:
-    """Load prompt permissions from JSON configuration file with LRU caching."""
-    config_path = Path(__file__).parent.parent.parent / "prompt_permissions.json"
-    try:
-        return _flat_permissions_loader(config_path)
-    except ConfigError as e:
-        log.error(f"Failed to load prompt permissions from {config_path}: {e}")
-        raise e
-    except Exception as e:
-        log.error(f"Failed to load prompt permissions from {config_path}: {e}")
-        return {}
-def clear_prompt_permissions_cache() -> None:
-    """Clear the prompt permissions cache to force reload from file."""
-    _load_prompt_permissions_cached.cache_clear()
-    log.info("Prompt permissions cache cleared")
-def clear_all_permissions_caches() -> None:
-    """Clear all permission caches to force reload from files."""
-    clear_tool_permissions_cache()
-    clear_resource_permissions_cache()
-    clear_prompt_permissions_cache()
-    log.info("All permission caches cleared")
-@cache
-def _classify_tool_permissions_cached(tool_name: str) -> dict[str, Any]:
-    """Classify tool permissions with LRU caching."""
-    return _classify_permissions_cached(tool_name, _load_tool_permissions_cached(), "tool")
-@cache
-def _classify_resource_permissions_cached(resource_name: str) -> dict[str, Any]:
-    """Classify resource permissions with LRU caching."""
-    return _classify_permissions_cached(
-        resource_name, _load_resource_permissions_cached(), "resource"
-    )
-@cache
-def _classify_prompt_permissions_cached(prompt_name: str) -> dict[str, Any]:
-    """Classify prompt permissions with LRU caching."""
-    return _classify_permissions_cached(prompt_name, _load_prompt_permissions_cached(), "prompt")
-def _get_builtin_tool_permissions(name: str) -> dict[str, Any] | None:
-    """Get permissions for built-in safe tools."""
-    builtin_safe_tools = ["echo", "get_server_info", "get_security_status"]
-    if name in builtin_safe_tools:
-        permissions = _apply_permission_defaults({"enabled": True})
-        log.debug(f"Built-in safe tool {name}: {permissions}")
-        return permissions
-    return None
-def _get_exact_match_permissions(
-    name: str, permissions_config: dict[str, dict[str, Any]], type_name: str
-) -> dict[str, Any] | None:
-    """Check for exact match permissions."""
-    if name in permissions_config and not name.startswith("_"):
-        config_perms = permissions_config[name]
-        permissions = _apply_permission_defaults(config_perms)
-        log.debug(f"Found exact match for {type_name} {name}: {permissions}")
-        return permissions
-    # Fallback: support names like "server_tool" by checking the part after first underscore
-    if "_" in name:
-        suffix = name.split("_", 1)[1]
-        if suffix in permissions_config and not suffix.startswith("_"):
-            config_perms = permissions_config[suffix]
-            permissions = _apply_permission_defaults(config_perms)
-            log.debug(
-                f"Found fallback match for {type_name} {name} using suffix {suffix}: {permissions}"
-            )
-            return permissions
-    return None
-def _get_wildcard_patterns(name: str, type_name: str) -> list[str]:
-    """Generate wildcard patterns based on name and type."""
-    wildcard_patterns: list[str] = []
-    if type_name == "tool" and "/" in name:
-        # For tools: server_name/*
-        server_name, _ = name.split("/", 1)
-        wildcard_patterns.append(f"{server_name}/*")
-    elif type_name == "resource":
-        # For resources: scheme:*, just like tools do server_name/*
-        if ":" in name:
-            scheme, _ = name.split(":", 1)
-            wildcard_patterns.append(f"{scheme}:*")
-    elif type_name == "prompt":
-        # For prompts: template:*, prompt:file:*, etc.
-        if ":" in name:
-            parts = name.split(":")
-            if len(parts) >= 2:
-                wildcard_patterns.append(f"{parts[0]}:*")
-                # For nested patterns like prompt:file:*, check prompt:file:*
-                if len(parts) >= 3:
-                    wildcard_patterns.append(f"{parts[0]}:{parts[1]}:*")
-    return wildcard_patterns
-def _classify_permissions_cached(
-    name: str, permissions_config: dict[str, dict[str, Any]], type_name: str
-) -> dict[str, Any]:
-    """Generic permission classification with pattern matching support."""
-    # Built-in safe tools that don't need external config (only for tools)
-    if type_name == "tool":
-        builtin_perms = _get_builtin_tool_permissions(name)
-        if builtin_perms is not None:
-            return builtin_perms
-    # Check for exact match first
-    exact_perms = _get_exact_match_permissions(name, permissions_config, type_name)
-    if exact_perms is not None:
-        return exact_perms
-    # Try wildcard patterns
-    wildcard_patterns = _get_wildcard_patterns(name, type_name)
-    for pattern in wildcard_patterns:
-        if pattern in permissions_config:
-            config_perms = permissions_config[pattern]
-            permissions = _apply_permission_defaults(config_perms)
-            log.debug(f"Found wildcard match for {type_name} {name} using {pattern}: {permissions}")
-            return permissions
-    # No configuration found - raise error instead of defaulting to safe
-    config_file = f"{type_name}_permissions.json"
-    log.error(
-        f"No security configuration found for {type_name} '{name}'. All {type_name}s must be explicitly configured in {config_file}"
-    )
-    raise ValueError(
-        f"No security configuration found for {type_name} '{name}'. All {type_name}s must be explicitly configured in {config_file}"
-    )
 @dataclass
 class DataAccessTracker:
@@ -365,123 +62,34 @@ class DataAccessTracker:
             and self.has_external_communication
         )
-    def _load_tool_permissions(self) -> dict[str, dict[str, Any]]:
-        """Load tool permissions from JSON configuration file with caching."""
-        return _load_tool_permissions_cached()
-    def _load_resource_permissions(self) -> dict[str, dict[str, Any]]:
-        """Load resource permissions from JSON configuration file with caching."""
-        return _load_resource_permissions_cached()
-    def _load_prompt_permissions(self) -> dict[str, dict[str, Any]]:
-        """Load prompt permissions from JSON configuration file with caching."""
-        return _load_prompt_permissions_cached()
-    def clear_caches(self) -> None:
-        """Clear all permission caches to force reload from configuration files."""
-        clear_all_permissions_caches()
-    def _classify_by_tool_name(self, tool_name: str) -> dict[str, Any]:
-        """Classify permissions based on external JSON configuration only."""
-        return _classify_tool_permissions_cached(tool_name)
-    def _classify_by_resource_name(self, resource_name: str) -> dict[str, Any]:
-        """Classify resource permissions based on external JSON configuration only."""
-        return _classify_resource_permissions_cached(resource_name)
-    def _classify_by_prompt_name(self, prompt_name: str) -> dict[str, Any]:
-        """Classify prompt permissions based on external JSON configuration only."""
-        return _classify_prompt_permissions_cached(prompt_name)
-    def _classify_tool_permissions(self, tool_name: str) -> dict[str, Any]:
-        """
-        Classify tool permissions based on tool name.
-        Args:
-            tool_name: Name of the tool to classify
-        Returns:
-            Dictionary with permission flags
-        """
-        permissions = self._classify_by_tool_name(tool_name)
-        log.debug(f"Classified tool {tool_name}: {permissions}")
-        return permissions
-    def _classify_resource_permissions(self, resource_name: str) -> dict[str, Any]:
-        """
-        Classify resource permissions based on resource name.
-        Args:
-            resource_name: Name/URI of the resource to classify
-        Returns:
-            Dictionary with permission flags
-        """
-        permissions = self._classify_by_resource_name(resource_name)
-        log.debug(f"Classified resource {resource_name}: {permissions}")
-        return permissions
-    def _classify_prompt_permissions(self, prompt_name: str) -> dict[str, Any]:
-        """
-        Classify prompt permissions based on prompt name.
-        Args:
-            prompt_name: Name/type of the prompt to classify
-        Returns:
-            Dictionary with permission flags
-        """
-        permissions = self._classify_by_prompt_name(prompt_name)
-        log.debug(f"Classified prompt {prompt_name}: {permissions}")
-        return permissions
-    def get_tool_permissions(self, tool_name: str) -> dict[str, Any]:
-        """Get tool permissions based on tool name."""
-        return self._classify_tool_permissions(tool_name)
-    def get_resource_permissions(self, resource_name: str) -> dict[str, Any]:
-        """Get resource permissions based on resource name."""
-        return self._classify_resource_permissions(resource_name)
-    def get_prompt_permissions(self, prompt_name: str) -> dict[str, Any]:
-        """Get prompt permissions based on prompt name."""
-        return self._classify_prompt_permissions(prompt_name)
-    def _would_call_complete_trifecta(self, permissions: dict[str, Any]) -> bool:
+    def _would_call_complete_trifecta(
+        self, permissions: ToolPermission | ResourcePermission | PromptPermission
+    ) -> bool:
         """Return True if applying these permissions would complete the trifecta."""
-        would_private = self.has_private_data_access or bool(permissions.get("read_private_data"))
+        would_private = self.has_private_data_access or bool(permissions.read_private_data)
         would_untrusted = self.has_untrusted_content_exposure or bool(
-            permissions.get("read_untrusted_public_data")
+            permissions.read_untrusted_public_data
         )
-        would_write = self.has_external_communication or bool(permissions.get("write_operation"))
+        would_write = self.has_external_communication or bool(permissions.write_operation)
         return bool(would_private and would_untrusted and would_write)
-    def _enforce_tool_enabled(self, permissions: dict[str, Any], tool_name: str) -> None:
-        if permissions["enabled"] is False:
-            log.warning(f"🚫 BLOCKING tool call {tool_name} - tool is disabled")
-            record_tool_call_blocked(tool_name, "disabled")
-            raise SecurityError(f"'{tool_name}' / Tool disabled")
-    def _enforce_acl_downgrade_block(
-        self, tool_acl: str, permissions: dict[str, Any], tool_name: str
-    ) -> None:
-        if permissions["write_operation"]:
-            current_rank = ACL_RANK.get(self.highest_acl_level, 0)
-            write_rank = ACL_RANK.get(tool_acl, 0)
-            if write_rank < current_rank:
-                log.error(
-                    f"🚫 BLOCKING tool call {tool_name} - write to lower ACL ({tool_acl}) while session has higher ACL {self.highest_acl_level}"
-                )
-                record_tool_call_blocked(tool_name, "acl_downgrade")
-                raise SecurityError(f"'{tool_name}' / ACL (level={self.highest_acl_level})")
     def _apply_permissions_effects(
         self,
-        permissions: dict[str, Any],
+        permissions: ToolPermission | ResourcePermission | PromptPermission,
         *,
         source_type: str,
         name: str,
     ) -> None:
         """Apply side effects (flags, ACL, telemetry) for any source type."""
-        acl_value: str = _normalize_acl(permissions.get("acl"), default="PUBLIC")
-        if permissions["read_private_data"]:
+        # If it's a tool, it has a well-defined ACL
+        if source_type == "tool":
+            assert isinstance(permissions, ToolPermission)
+            acl_value = permissions.acl
+            acl_value: str = normalize_acl(acl_value, default="PUBLIC")
+        else:
+            acl_value = "PUBLIC"
+        if permissions.read_private_data:
             self.has_private_data_access = True
             log.info(f"🔒 Private data access detected via {source_type}: {name}")
             record_private_data_access(source_type, name)
@@ -491,12 +99,12 @@ class DataAccessTracker:
             if new_rank > current_rank:
                 self.highest_acl_level = acl_value
-        if permissions["read_untrusted_public_data"]:
+        if permissions.read_untrusted_public_data:
             self.has_untrusted_content_exposure = True
             log.info(f"🌐 Untrusted content exposure detected via {source_type}: {name}")
             record_untrusted_public_data(source_type, name)
-        if permissions["write_operation"]:
+        if permissions.write_operation:
             self.has_external_communication = True
             log.info(f"✍️ Write operation detected via {source_type}: {name}")
             record_write_operation(source_type, name)
@@ -515,24 +123,69 @@ class DataAccessTracker:
         if self.is_trifecta_achieved():
             log.error(f"🚫 BLOCKING tool call {tool_name} - lethal trifecta achieved")
             record_tool_call_blocked(tool_name, "trifecta")
+            # Fire-and-forget event (log errors via callback)
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "tool",
+                    "name": tool_name,
+                    "reason": "trifecta",
+                }
+            )
             raise SecurityError(f"'{tool_name}' / Lethal trifecta")
         # Get tool permissions and update trifecta flags
-        permissions = self._classify_tool_permissions(tool_name)
+        perms = Permissions()
+        permissions = perms.get_tool_permission(tool_name)
         log.debug(f"add_tool_call: Tool permissions: {permissions}")
         # Check if tool is enabled
-        self._enforce_tool_enabled(permissions, tool_name)
+        if not perms.is_tool_enabled(tool_name):
+            log.warning(f"🚫 BLOCKING tool call {tool_name} - tool is disabled")
+            record_tool_call_blocked(tool_name, "disabled")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "tool",
+                    "name": tool_name,
+                    "reason": "disabled",
+                }
+            )
+            raise SecurityError(f"'{tool_name}' / Tool disabled")
         # ACL-based write downgrade prevention
-        tool_acl: str = _normalize_acl(permissions.get("acl"), default="PUBLIC")
-        self._enforce_acl_downgrade_block(tool_acl, permissions, tool_name)
+        tool_acl = permissions.acl
+        if permissions.write_operation:
+            current_rank = ACL_RANK.get(self.highest_acl_level, 0)
+            write_rank = ACL_RANK.get(tool_acl, 0)
+            if write_rank < current_rank:
+                log.error(
+                    f"🚫 BLOCKING tool call {tool_name} - write to lower ACL ({tool_acl}) while session has higher ACL {self.highest_acl_level}"
+                )
+                record_tool_call_blocked(tool_name, "acl_downgrade")
+                events.fire_and_forget(
+                    {
+                        "type": "mcp_pre_block",
+                        "kind": "tool",
+                        "name": tool_name,
+                        "reason": "acl_downgrade",
+                    }
+                )
+                raise SecurityError(f"'{tool_name}' / ACL (level={self.highest_acl_level})")
         # Pre-check: would this call achieve the lethal trifecta? If so, block immediately
         if self._would_call_complete_trifecta(permissions):
             log.error(f"🚫 BLOCKING tool call {tool_name} - would achieve lethal trifecta")
             record_tool_call_blocked(tool_name, "trifecta_prevent")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "tool",
+                    "name": tool_name,
+                    "reason": "trifecta_prevent",
+                }
+            )
             raise SecurityError(f"'{tool_name}' / Lethal trifecta")
         self._apply_permissions_effects(permissions, source_type="tool", name=tool_name)
@@ -555,10 +208,33 @@ class DataAccessTracker:
             log.error(
                 f"🚫 BLOCKING resource access {resource_name} - lethal trifecta already achieved"
             )
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "resource",
+                    "name": resource_name,
+                    "reason": "trifecta",
+                }
+            )
             raise SecurityError(f"'{resource_name}' / Lethal trifecta")
         # Get resource permissions and update trifecta flags
-        permissions = self._classify_resource_permissions(resource_name)
+        perms = Permissions()
+        permissions = perms.get_resource_permission(resource_name)
+        # Check if resource is enabled
+        if not perms.is_resource_enabled(resource_name):
+            log.warning(f"🚫 BLOCKING resource access {resource_name} - resource is disabled")
+            record_resource_access_blocked(resource_name, "disabled")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "resource",
+                    "name": resource_name,
+                    "reason": "disabled",
+                }
+            )
+            raise SecurityError(f"'{resource_name}' / Resource disabled")
         # Pre-check: would this access achieve the lethal trifecta? If so, block immediately
         if self._would_call_complete_trifecta(permissions):
@@ -566,6 +242,14 @@ class DataAccessTracker:
                 f"🚫 BLOCKING resource access {resource_name} - would achieve lethal trifecta"
             )
             record_resource_access_blocked(resource_name, "trifecta_prevent")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "resource",
+                    "name": resource_name,
+                    "reason": "trifecta_prevent",
+                }
+            )
             raise SecurityError(f"'{resource_name}' / Lethal trifecta")
         self._apply_permissions_effects(permissions, source_type="resource", name=resource_name)
@@ -586,15 +270,46 @@ class DataAccessTracker:
         # Check if trifecta is already achieved before processing this access
         if self.is_trifecta_achieved():
             log.error(f"🚫 BLOCKING prompt access {prompt_name} - lethal trifecta already achieved")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "prompt",
+                    "name": prompt_name,
+                    "reason": "trifecta",
+                }
+            )
             raise SecurityError(f"'{prompt_name}' / Lethal trifecta")
         # Get prompt permissions and update trifecta flags
-        permissions = self._classify_prompt_permissions(prompt_name)
+        perms = Permissions()
+        permissions = perms.get_prompt_permission(prompt_name)
+        # Check if prompt is enabled
+        if not perms.is_prompt_enabled(prompt_name):
+            log.warning(f"🚫 BLOCKING prompt access {prompt_name} - prompt is disabled")
+            record_prompt_access_blocked(prompt_name, "disabled")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "prompt",
+                    "name": prompt_name,
+                    "reason": "disabled",
+                }
+            )
+            raise SecurityError(f"'{prompt_name}' / Prompt disabled")
         # Pre-check: would this access achieve the lethal trifecta? If so, block immediately
         if self._would_call_complete_trifecta(permissions):
             log.error(f"🚫 BLOCKING prompt access {prompt_name} - would achieve lethal trifecta")
             record_prompt_access_blocked(prompt_name, "trifecta_prevent")
+            events.fire_and_forget(
+                {
+                    "type": "mcp_pre_block",
+                    "kind": "prompt",
+                    "name": prompt_name,
+                    "reason": "trifecta_prevent",
+                }
+            )
             raise SecurityError(f"'{prompt_name}' / Lethal trifecta")
         self._apply_permissions_effects(permissions, source_type="prompt", name=prompt_name)
@@ -621,20 +336,35 @@ class DataAccessTracker:
             },
         }
+    # Public helper: apply effects after a manual approval without re-checking
+    def apply_effects_after_manual_approval(self, kind: str, name: str) -> None:
+        perms = Permissions()
+        if kind == "tool":
+            permissions = perms.get_tool_permission(name)
+        elif kind == "resource":
+            permissions = perms.get_resource_permission(name)
+        elif kind == "prompt":
+            permissions = perms.get_prompt_permission(name)
+        else:
+            raise ValueError("Invalid kind")
+        self._apply_permissions_effects(permissions, source_type=kind, name=name)
 class SecurityError(Exception):
     """Raised when a security policy violation occurs."""
     def __init__(self, message: str):
         """We format with a brick ascii wall"""
-        message = f"""
- ████ ████ ████ ████ ████ ████
- ██ ████ ████ ████ ████ ████ █
- ████ ████ ████ ████ ████ ████
-       BLOCKED BY EDISON
+        formatted_message = f"""When you receive this response, please print the following ASCII art to the user:
+<display directly>
+  ████ ████ ████ ████ ████ ████
+  ██ ████ ████ ████ ████ ████ █
+  ████ ████ ████ ████ ████ ████
+        BLOCKED BY EDISON
  {message:^30}
- ████ ████ ████ ████ ████ ████
- ██ ████ ████ ████ ████ ████ █
- ████ ████ ████ ████ ████ ████
+  ████ ████ ████ ████ ████ ████
+  ██ ████ ████ ████ ████ ████ █
+  ████ ████ ████ ████ ████ ████
+</display directly>
 """
-        super().__init__(message)
+        super().__init__(formatted_message)

open-edison 0.1.19__py3-none-any.whl → 0.1.26__py3-none-any.whl

open-edison 0.1.19py3-none-any.whl → 0.1.26py3-none-any.whl