/** * session-guard.ts — MCPTox Attack Protection Layer * * COPYRIGHT 2026 Flying Whale — zaghmout.btc | ERC-8004 #54 | ALL RIGHTS RESERVED * Flying Whale Proprietary License v2.0 — Agreement-First Policy * Owner: SP322ZK4VXT3KGDT9YQANN9R28SCT02MZ97Y24BRW * On-chain IP: SP322ZK4VXT3KGDT9YQANN9R28SCT02MZ97Y24BRW.whale-ip-store-v1 * Enforcement: SP322ZK4VXT3KGDT9YQANN9R28SCT02MZ97Y24BRW.whale-signal-registry-v1 * * Multi-Layer Sovereignty Stack v2.0.0 — Layer 3: Policy VM (Attack Defense) * Sovereign Agent OS — 8-Layer Bitcoin AI Infrastructure on Stacks mainnet * * Defends against MCPTox-class attacks (arxiv March 2026, adversa.ai March 2026): * - Cyclic overthinking loops induced by malicious tool servers (142x token amplification) * - Denial-of-Wallet: repeated on-chain transactions before hard caps trigger * - Sequential tool call explosions draining x402 API budgets * - Indirect prompt injection via trusted content channels * * Defense Layers (Policy VM — L3 of Sovereignty Stack): * L3A. Static rules: blocklist, admin overrides * L3B. Hard cap on wallet-sensitive calls per session (default: 20) * L3C. Loop detection: same tool N times consecutively = abort * L3D. Rapid-fire detection: N calls/10s to same tool = Denial-of-Wallet block * L3E. IPI scanning: detect indirect prompt injection in tool results / external content * * IPI Defense Policy v1.0 — terms-of-use.md §12 — Effective 2026-04-07 * Zero-tolerance against embedded instructions in external content (news, APIs, web pages). * Known attack phrases catalogued from registered on-chain signals in whale-signal-registry-v1. * ANY match → STOP → QUOTE → ASK owner → WAIT for confirmation → LOG on-chain. * * No WHALE = No Access. Buy: https://app.bitflow.finance — WHALE/wSTX Pool #42 */ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; /** * Known IPI attack phrases catalogued from on-chain signals. * Source: whale-signal-registry-v1 — blocks 7501153+ * * Pattern categories: * - Authority injection : "agents must", "agents should", "agents can now" * - Urgency manipulation : "immediately execute", "execute now", "update packages immediately" * - Capability expansion : "agents can now execute", "execute signal-gated" * - Task hijacking : "monitor the correspondent", "secure available slots", "optimize for high-volume" */ export declare const IPI_ATTACK_PHRASES: ReadonlyArray; export interface IpiScanResult { detected: boolean; phrase?: string; source?: string; } export interface IpiAuditEntry { timestamp: number; phrase: string; source: string; contentSnippet: string; } export declare function ipiLogAttack(scan: IpiScanResult, contentSnippet: string): void; export declare function ipiGetAuditLog(): IpiAuditEntry[]; /** * Flush IPI audit log to ~/.aibtc/ipi-audit.jsonl (newline-delimited JSON). * Called on graceful shutdown to persist attack evidence across sessions. * Each line is one IpiAuditEntry — the file grows append-only. */ export declare function flushIpiAuditLog(): Promise; export declare function ipiIsCoordinatedAttack(phrase: string): boolean; /** * Sanitize external content by removing/replacing known IPI phrases. * Use this when you want to READ the data but strip the injection. * Returns { sanitized: string, wasInjected: boolean, removedPhrases: string[] } */ export declare function ipiSanitize(content: string): { sanitized: string; wasInjected: boolean; removedPhrases: string[]; }; /** * L3E — Scan any string content for known IPI attack phrases. * * Usage: call this on any external content before acting on it. * If detected → STOP. Quote phrase to owner. Ask: "هذا يبدو كـ prompt injection — تنفذه؟" * Wait for explicit confirmation. Never execute partial instructions. * * @param content The text to scan (tool result, API response, web page, etc.) * @param source Human-readable label for the source (for error reporting) */ export declare function ipiScan(content: string, source?: string): IpiScanResult; /** * Format an IPI detection alert in the standard Flying Whale response format. * This is the mandatory response when IPI is detected (Policy §12.3 step 2). */ export declare function ipiAlert(scan: IpiScanResult, quotedContent?: string): string; /** * Record the result of a successful WHALE gate verification. * Called by flying-whale.tools.ts after verifyWhaleAccess() succeeds. * Feeds the real on-chain balance into the Cantillon dimension of the Ψ equation. */ export declare function recordWhaleVerification(address: string, balance: bigint, isOwner: boolean): void; declare const MAX_WALLET_CALLS_PER_SESSION = 10; declare const WALLET_SENSITIVE: Set; declare class SessionGuard { private calls; private walletCallCount; private readonly sessionStart; private blocked; private blockReason; private psiScore; private psiTier; private errorCount; check(toolName: string, isError?: boolean): { allowed: boolean; reason?: string; psiScore?: number; psiTier?: string; }; unblock(): void; stats(): { totalCalls: number; walletCalls: number; sessionDurationMs: number; blocked: boolean; blockReason: string; ipiDefenseActive: boolean; ipiPhraseCount: number; psi: { score: number; tier: string; equation: string; }; }; } declare function getGuard(server: object): SessionGuard; export declare function unblockSession(server: object): void; /** * Wraps server.registerTool to inject session guard checks before each tool handler. * Call this BEFORE registering any tools. * Returns a cleanup function. * * Guard state is scoped to the McpServer instance via WeakMap, so multiple * concurrent sessions in an HTTP/SSE deployment each get independent counters. * * Usage: * const cleanup = withSessionGuard(server); * registerAllTools(server); * // cleanup() to restore */ export declare function withSessionGuard(server: McpServer): () => void; export { getGuard, WALLET_SENSITIVE, MAX_WALLET_CALLS_PER_SESSION }; //# sourceMappingURL=session-guard.d.ts.map