Merge pull request #37 from f/feature/guard

Implementing guards

Author: f

README.md

@@ -34,6 +34,7 @@
 - [Server Modes](#server-modes)
   - [Mock Server Mode](#mock-server-mode)
   - [Proxy Mode](#proxy-mode)
+  - [Guard Mode](#guard-mode)
 - [Examples](#examples)
   - [Basic Usage](#basic-usage)
   - [Script Integration](#script-integration)
@@ -564,6 +565,104 @@ mcp proxy tool count_lines "Counts lines in a file" "file:string" -e "wc -l < \"
 - The proxy server logs all requests and responses to `~/.mcpt/logs/proxy.log`
 - Use `--unregister` to remove a tool from the configuration
 
+### Guard Mode
+
+The guard mode allows you to restrict access to specific tools, prompts, and resources based on pattern matching. This is useful for security purposes when:
+
+- Restricting potentially dangerous operations (file writes, deletions, etc.)
+- Limiting the capabilities of AI assistants or applications 
+- Providing read-only access to sensitive systems
+- Creating sandboxed environments for testing or demonstrations
+
+> **Note:** Guard mode currently only works with STDIO transport (command execution) and not HTTP transport.
+
+```bash
+# Allow only file reading operations, deny file modifications
+mcp guard --allow tools:read_* --deny tools:write_*,create_*,delete_* npx -y @modelcontextprotocol/server-filesystem ~
+
+# Permit only a single specific tool
+mcp guard --allow tools:search_files npx -y @modelcontextprotocol/server-filesystem ~
+
+# Restrict by both tool type and prompt type
+mcp guard --allow tools:read_*,prompts:system_* --deny tools:execute_* npx -y @modelcontextprotocol/server-filesystem ~
+
+# Using with aliases
+mcp guard --allow tools:read_* fs  # Where 'fs' is an alias for a filesystem server
+```
+
+#### How It Works
+
+The guard command works by:
+1. Creating a proxy that sits between the client and the MCP server
+2. Intercepting and filtering all requests to `tools/list`, `prompts/list`, and `resources/list`
+3. Preventing calls to tools, prompts, or resources that don't match the allowed patterns
+4. Blocking requests for filtered resources, tools and prompts
+6. Passing through all other requests and responses unchanged
+
+#### Pattern Matching
+
+Patterns use simple glob syntax with `*` as a wildcard:
+
+- `tools:read_*` - Matches all tools starting with "read_"
+- `tools:*file*` - Matches any tool with "file" in the name
+- `prompts:system_*` - Matches all prompts starting with "system_"
+
+For each entity type, you can specify:
+- `--allow 'pattern1,pattern2,...'` - Only allow entities matching these patterns
+- `--deny 'pattern1,pattern2,...'` - Remove entities matching these patterns
+
+If no allow patterns are specified, all entities are allowed by default (except those matching deny patterns).
+
+#### Application Integration
+
+You can use the guard command to secure MCP configurations in applications. For example, to restrict a file system server to only allow read operations, change:
+
+```json
+"filesystem": {
+  "command": "npx",
+  "args": [
+    "-y",
+    "@modelcontextprotocol/server-filesystem",
+    "/Users/fka/Desktop"
+  ]
+}
+```
+
+To:
+
+```json
+"filesystem": {
+  "command": "mcp",
+  "args": [
+    "guard", "--deny", "tools:write_*,create_*,move_*,delete_*",
+    "npx", "-y", "@modelcontextprotocol/server-filesystem",
+    "/Users/fka/Desktop"
+  ]
+}
+```
+
+This provides a read-only view of the filesystem by preventing any modification operations.
+
+You can also use aliases with the guard command in configurations:
+
+```json
+"filesystem": {
+  "command": "mcp",
+  "args": [
+    "guard", "--allow", "tools:read_*,list_*,search_*",
+    "fs"  // Where 'fs' is an alias for the filesystem server
+  ]
+}
+```
+
+This makes your configurations even more concise and easier to maintain.
+
+#### Logging
+
+- Guard operations are logged to `~/.mcpt/logs/guard.log`
+- The log includes all requests, responses, and filtering decisions
+- Use `tail -f ~/.mcpt/logs/guard.log` to monitor activity in real-time
+
 ## Examples
 
 ### Basic Usage
@@ -580,6 +679,16 @@ Call a tool with pretty JSON output:
 mcp call read_file --params '{"path":"README.md"}' --format pretty npx -y @modelcontextprotocol/server-filesystem ~
 ```
 
+Use the guard mode to filter available tools:
+
+```bash
+# Only allow file search functionality
+mcp guard --allow tools:search_files npx -y @modelcontextprotocol/server-filesystem ~
+
+# Create a read-only environment
+mcp guard --deny tools:write_*,delete_*,create_*,move_* npx -y @modelcontextprotocol/server-filesystem ~
+```
+
 ### Script Integration
 
 Using the proxy mode with a simple shell script:

cmd/mcptools/commands/guard.go

@@ -0,0 +1,180 @@
+package commands
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/f/mcptools/pkg/alias"
+	"github.com/f/mcptools/pkg/client"
+	"github.com/f/mcptools/pkg/guard"
+	"github.com/spf13/cobra"
+)
+
+// Guard flags.
+const (
+	FlagAllow      = "--allow"
+	FlagAllowShort = "-a"
+	FlagDeny       = "--deny"
+	FlagDenyShort  = "-d"
+)
+
+var entityTypes = []string{
+	EntityTypeTool,
+	EntityTypePrompt,
+	EntityTypeRes,
+}
+
+// GuardCmd creates the guard command to filter tools, prompts, and resources.
+func GuardCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "guard [--allow type:pattern] [--deny type:pattern] command args...",
+		Short: "Filter tools, prompts, and resources using allow and deny patterns",
+		Long: `Filter tools, prompts, and resources using allow and deny patterns.
+
+Examples:
+  mcp guard --allow tools:read_* --deny edit_*,write_*,create_* npx run @modelcontextprotocol/server-filesystem ~
+  mcp guard --allow prompts:system_* --deny tools:execute_* npx run @modelcontextprotocol/server-filesystem ~
+  mcp guard --allow tools:read_* fs  # Using an alias
+  
+Patterns can include wildcards:
+  * matches any sequence of characters
+  
+Entity types:
+  tools: filter available tools
+  prompts: filter available prompts
+  resource: filter available resources`,
+		DisableFlagParsing: true,
+		SilenceUsage:       true,
+		Run: func(thisCmd *cobra.Command, args []string) {
+			if len(args) == 1 && (args[0] == FlagHelp || args[0] == FlagHelpShort) {
+				_ = thisCmd.Help()
+				return
+			}
+
+			// Process and extract the allow and deny patterns
+			allowPatterns, denyPatterns, cmdArgs := extractPatterns(args)
+
+			// Process regular flags (format)
+			parsedArgs := ProcessFlags(cmdArgs)
+
+			// Print filtering info
+			fmt.Fprintf(os.Stderr, "Guard filtering configuration:\n")
+			for _, entityType := range entityTypes {
+				if len(allowPatterns[entityType]) > 0 {
+					fmt.Fprintf(os.Stderr, "Allowing %s matching: %s\n", entityType, strings.Join(allowPatterns[entityType], ", "))
+				}
+				if len(denyPatterns[entityType]) > 0 {
+					fmt.Fprintf(os.Stderr, "Denying %s matching: %s\n", entityType, strings.Join(denyPatterns[entityType], ", "))
+				}
+			}
+
+			// Check if we're using an alias for the server command
+			if len(parsedArgs) == 1 {
+				aliasName := parsedArgs[0]
+				serverCmd, found := alias.GetServerCommand(aliasName)
+				if found {
+					fmt.Fprintf(os.Stderr, "Expanding alias '%s' to '%s'\n", aliasName, serverCmd)
+					// Replace the alias with the actual command
+					parsedArgs = client.ParseCommandString(serverCmd)
+				}
+			}
+
+			// Verify we have a command to run
+			if len(parsedArgs) == 0 {
+				fmt.Fprintf(os.Stderr, "Error: command to execute is required\n")
+				fmt.Fprintf(os.Stderr, "Example: mcp guard --allow tools:read_* npx -y @modelcontextprotocol/server-filesystem ~\n")
+				os.Exit(1)
+			}
+
+			// Map our entity types to the guard proxy entity types
+			guardAllowPatterns := map[string][]string{
+				"tool":     allowPatterns[EntityTypeTool],
+				"prompt":   allowPatterns[EntityTypePrompt],
+				"resource": allowPatterns[EntityTypeRes],
+			}
+			guardDenyPatterns := map[string][]string{
+				"tool":     denyPatterns[EntityTypeTool],
+				"prompt":   denyPatterns[EntityTypePrompt],
+				"resource": denyPatterns[EntityTypeRes],
+			}
+
+			// Run the guard proxy with the filtered environment
+			fmt.Fprintf(os.Stderr, "Running command with filtered environment: %s\n", strings.Join(parsedArgs, " "))
+			if err := guard.RunFilterServer(guardAllowPatterns, guardDenyPatterns, parsedArgs); err != nil {
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
+			}
+		},
+	}
+}
+
+// extractPatterns processes arguments to extract allow and deny patterns.
+func extractPatterns(args []string) (map[string][]string, map[string][]string, []string) {
+	allowPatterns := make(map[string][]string)
+	denyPatterns := make(map[string][]string)
+
+	// Initialize maps for all entity types
+	for _, entityType := range entityTypes {
+		allowPatterns[entityType] = []string{}
+		denyPatterns[entityType] = []string{}
+	}
+
+	cmdArgs := []string{}
+	i := 0
+	for i < len(args) {
+		switch {
+		case (args[i] == FlagAllow || args[i] == FlagAllowShort) && i+1 < len(args):
+			// Process --allow flag
+			patternsStr := args[i+1]
+			processPatternString(patternsStr, allowPatterns)
+			i += 2
+		case (args[i] == FlagDeny || args[i] == FlagDenyShort) && i+1 < len(args):
+			// Process --deny flag
+			patternsStr := args[i+1]
+			processPatternString(patternsStr, denyPatterns)
+			i += 2
+		default:
+			// Not a flag we recognize, pass it along
+			cmdArgs = append(cmdArgs, args[i])
+			i++
+		}
+	}
+
+	return allowPatterns, denyPatterns, cmdArgs
+}
+
+// processPatternString processes a comma-separated pattern string.
+func processPatternString(patternsStr string, patternMap map[string][]string) {
+	patterns := strings.Split(patternsStr, ",")
+
+	for _, pattern := range patterns {
+		pattern = strings.TrimSpace(pattern)
+		if pattern == "" {
+			continue
+		}
+
+		parts := strings.SplitN(pattern, ":", 2)
+		if len(parts) != 2 {
+			// If no type specified, assume it's a tool pattern
+			patternMap[EntityTypeTool] = append(patternMap[EntityTypeTool], pattern)
+			continue
+		}
+
+		entityType := strings.ToLower(parts[0])
+		patternValue := parts[1]
+
+		// Map entity type to known types
+		switch entityType {
+		case "tool", "tools":
+			patternMap[EntityTypeTool] = append(patternMap[EntityTypeTool], patternValue)
+		case "prompt", "prompts":
+			patternMap[EntityTypePrompt] = append(patternMap[EntityTypePrompt], patternValue)
+		case "resource", "resources", "res":
+			patternMap[EntityTypeRes] = append(patternMap[EntityTypeRes], patternValue)
+		default:
+			// Unknown entity type, treat as tool pattern
+			patternMap[EntityTypeTool] = append(patternMap[EntityTypeTool], pattern)
+		}
+	}
+}