lacrm-enforcement-wrapper
v1.1.0
Published
MCP proxy wrapper enforcing session limits and a fail-closed tool allow-list on LACRM MCP
Readme
lacrm-enforcement-wrapper
An MCP proxy that sits between an MCP host and the LACRM MCP server (lacrm-mcp), enforcing operational limits and a fail-closed tool allow-list that the underlying server does not enforce on its own.
MCP Host → lacrm-enforcement-wrapper → lacrm-mcp → LACRM APIThe wrapper spawns the real lacrm-mcp server as its own child process and proxies every tool call through it. It is insertable by changing only the host's configured command/args to point at this package's binary.
Security posture
- Fail-closed tool allow-list. The wrapper exposes and forwards only the tools on an explicit allow-list — read tools (
get_*/search_*), bounded writes (create_*/edit_*/add_contact_to_group/remove_contact_from_group), and bulk import/export (bulk_*). Everything else is blocked by default: everydelete_tool, any futureremove_/merge_/purge_/bulk_wipe-style destructive tool, and any brand-new backend tool that has not yet been classified. This replaced an earlierdelete_-name-prefix block, which was fail-open — a destructive backend tool not nameddelete_*would have passed straight through. Classification lives insrc/policy.ts; a new backend tool must be classified there before it can be forwarded. - Session budgets. Max 20 unique contacts modified and max 80 total operations per session, with a 10-minute inactivity reset. These throttle incremental, one-at-a-time contact mutations; bulk import/export is deliberately exempt from the per-contact budget (a single bulk call may touch hundreds of records).
Every guard fails closed: an unrecognized or destructive tool is refused, not forwarded.
Build & test
npm install
npm run build # tsc → build/
npm test # vitest — classification + budget unit tests
npm start # node build/index.js (requires the downstream server's env, e.g. LACRM_API_KEY)License
MIT
