oktsec
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 14 deletions b/‎go.sum‎
Lines changed: 4 additions & 14 deletions
diff --git a/‎internal/config/config.go‎
Lines changed: 8 additions & 6 deletions b/‎internal/config/config.go‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎internal/gateway/dephash.go‎
Lines changed: 121 additions & 0 deletions b/‎internal/gateway/dephash.go‎
Lines changed: 121 additions & 0 deletions
@@ -7,15 +7,14 @@ require (
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/fatih/color v1.18.0
-	github.com/garagon/aguara v0.9.1
+	github.com/garagon/aguara v0.10.0
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.8.0
 	github.com/modelcontextprotocol/go-sdk v1.4.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/term v0.41.0
-	golang.org/x/text v0.35.0
 	gopkg.in/yaml.v3 v3.0.1
 	modernc.org/sqlite v1.46.1
 )
@@ -68,6 +67,7 @@ require (
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 
@@ -35,12 +35,8 @@ github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/garagon/aguara v0.3.1 h1:6nhFRFazQKth3XIsBLG+4AELWB4EYW++XqU1FJfQCOA=
-github.com/garagon/aguara v0.3.1/go.mod h1:8SfNIdQxmX8tapfX/FWje818ZxKf3uRuS1jVe7FU96I=
-github.com/garagon/aguara v0.9.0 h1:yoO/PDnFwV6zAB0PdX1XamszKUn5nX+/iempRamMXkY=
-github.com/garagon/aguara v0.9.0/go.mod h1:njU1wgwlHIKnH1mmPua7ifNbzkRERnMyNndLBmMWk4A=
-github.com/garagon/aguara v0.9.1 h1:IzcG1BBAUnq7aZVjypQIz59gshvBDzuQWed54l4S2B0=
-github.com/garagon/aguara v0.9.1/go.mod h1:njU1wgwlHIKnH1mmPua7ifNbzkRERnMyNndLBmMWk4A=
+github.com/garagon/aguara v0.10.0 h1:2s8Opc/rBx7xsojymrn4Qbh23d9Br0HU6SaSmV5fc+4=
+github.com/garagon/aguara v0.10.0/go.mod h1:njU1wgwlHIKnH1mmPua7ifNbzkRERnMyNndLBmMWk4A=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -139,13 +135,10 @@ go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -155,13 +148,10 @@ golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
 golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
 golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 
@@ -319,16 +319,18 @@ type GatewayConfig struct {
 	Bind          string `yaml:"bind"`            // default 127.0.0.1
 	EndpointPath  string `yaml:"endpoint_path"`   // default /mcp
 	ScanResponses bool   `yaml:"scan_responses"`  // scan backend responses
+	DepCheck      bool   `yaml:"dep_check,omitempty"` // hash dependency manifests on startup
 }
 
 // MCPServerConfig defines a backend MCP server to proxy through the gateway.
 type MCPServerConfig struct {
-	Transport string            `yaml:"transport"`         // "stdio" or "http"
-	Command   string            `yaml:"command,omitempty"` // for stdio
-	Args      []string          `yaml:"args,omitempty"`
-	URL       string            `yaml:"url,omitempty"`     // for http
-	Headers   map[string]string `yaml:"headers,omitempty"`
-	Env       map[string]string `yaml:"env,omitempty"` // env vars for stdio
+	Transport  string            `yaml:"transport"`            // "stdio" or "http"
+	Command    string            `yaml:"command,omitempty"`    // for stdio
+	Args       []string          `yaml:"args,omitempty"`
+	URL        string            `yaml:"url,omitempty"`        // for http
+	Headers    map[string]string `yaml:"headers,omitempty"`
+	Env        map[string]string `yaml:"env,omitempty"`        // env vars for stdio
+	WorkingDir string            `yaml:"working_dir,omitempty"` // working directory for dep_check
 }
 
 // CategoryWebhook binds a rule category to default notification channels.
 
@@ -0,0 +1,121 @@
+package gateway
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"path/filepath"
+)
+
+// depManifests lists dependency manifest filenames to look for.
+var depManifests = []string{
+	"requirements.txt",
+	"Pipfile.lock",
+	"package.json",
+	"package-lock.json",
+	"yarn.lock",
+	"pnpm-lock.yaml",
+	"go.sum",
+	"go.mod",
+}
+
+// DepChange describes a dependency manifest that changed between runs.
+type DepChange struct {
+	ServerName string
+	File       string
+	OldHash    string // empty on first run
+	NewHash    string
+}
+
+// depHashStore manages SHA-256 hashes of MCP server dependency manifests.
+// Hashes are persisted to a JSON file between runs.
+type depHashStore struct {
+	path   string                       // e.g. ~/.oktsec/dep-hashes.json
+	hashes map[string]map[string]string // server name -> filename -> sha256 hex
+}
+
+// newDepHashStore loads existing hashes from the JSON file, or creates an empty store.
+func newDepHashStore(storePath string) *depHashStore {
+	s := &depHashStore{
+		path:   storePath,
+		hashes: make(map[string]map[string]string),
+	}
+	data, err := os.ReadFile(storePath)
+	if err != nil {
+		// File doesn't exist or can't be read — start fresh.
+		return s
+	}
+	_ = json.Unmarshal(data, &s.hashes)
+	if s.hashes == nil {
+		s.hashes = make(map[string]map[string]string)
+	}
+	return s
+}
+
+// Check hashes dependency manifests in workingDir and compares them to stored
+// values. Returns a DepChange for each file that is new or changed.
+func (s *depHashStore) Check(serverName, workingDir string) []DepChange {
+	old := s.hashes[serverName]
+	if old == nil {
+		old = make(map[string]string)
+	}
+
+	current := make(map[string]string)
+	var changes []DepChange
+
+	for _, name := range depManifests {
+		p := filepath.Join(workingDir, name)
+		data, err := os.ReadFile(p)
+		if err != nil {
+			continue // file doesn't exist or unreadable — skip
+		}
+		sum := sha256.Sum256(data)
+		h := hex.EncodeToString(sum[:])
+		current[name] = h
+
+		if oldH, seen := old[name]; !seen {
+			// First time seeing this file.
+			changes = append(changes, DepChange{
+				ServerName: serverName,
+				File:       name,
+				NewHash:    h,
+			})
+		} else if oldH != h {
+			// File changed since last run.
+			changes = append(changes, DepChange{
+				ServerName: serverName,
+				File:       name,
+				OldHash:    oldH,
+				NewHash:    h,
+			})
+		}
+	}
+
+	// Store the current hashes for this server.
+	s.hashes[serverName] = current
+	return changes
+}
+
+// Save persists the hash store to its JSON file with 0600 permissions.
+// Creates the parent directory if it doesn't exist.
+func (s *depHashStore) Save() error {
+	dir := filepath.Dir(s.path)
+	if err := os.MkdirAll(dir, 0o700); err != nil {
+		return err
+	}
+	data, err := json.MarshalIndent(s.hashes, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(s.path, data, 0o600)
+}
+
+// defaultDepHashPath returns ~/.oktsec/dep-hashes.json.
+func defaultDepHashPath() string {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		home = "."
+	}
+	return filepath.Join(home, ".oktsec", "dep-hashes.json")
+}