
protect-mcp

Cryptographic receipt signing and Cedar policy enforcement for every tool call. Ed25519 receipts, offline verification, zero-trust audit trails. MIT licensed.

MCP

protect-mcp

MCP server: protect-mcp

```json
{
  "command": "npx",
  "args": [
    "-y",
    "protect-mcp@0.5.2",
    "serve",
    "--enforce"
  ],
  "description": "Ed25519 receipt signing + Cedar policy enforcement for tool calls"
}
```

Rules

hooks

Event hooks configuration

```json
{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "*",
        "hooks": [
          {
            "type": "command",
            "command": "curl -s -X POST http://127.0.0.1:9377/hook -H 'Content-Type: application/json' -d @-"
          }
        ],
        "description": "Send tool call to protect-mcp for Cedar policy evaluation and receipt signing"
      }
    ],
    "PostToolUse": [
      {
        "matcher": "*",
        "hooks": [
          {
            "type": "command",
            "command": "curl -s -X POST http://127.0.0.1:9377/hook -H 'Content-Type: application/json' -d @-"
          }
        ],
        "description": "Record tool result and sign receipt for audit trail"
      }
    ]
  }
}
```

Skill

protect-mcp


# protect-mcp — Agent Governance with Cryptographic Receipts

## What This Does

Adds two layers to every tool call:

1. **Cedar policy enforcement** — evaluate allow/deny decisions using the same
   authorization engine AWS uses for IAM. Policies are declarative `.cedar` files.
2. **Ed25519 receipt signing** — each tool call produces a tamper-evident receipt.
   If the record is modified after signing, the signature breaks. Anyone can
   verify offline without trusting the issuer.

## Setup

```bash
# One-time: configure Claude Code hooks
npx protect-mcp@0.5.2 init-hooks

# Start the hook server (runs on port 9377)
npx protect-mcp@0.5.2 serve --enforce
```

This configures Claude Code to POST every tool call event to protect-mcp for
policy evaluation and receipt signing. First run auto-generates permissive
Cedar policies that you can tighten.

## Usage

Once running, protect-mcp operates silently. For every tool call:

- The call is evaluated against Cedar policies (allow/deny/ask).
- A signed receipt is written to `.protect-mcp-log.jsonl`.
- The decision is returned to Claude Code within ~1ms.

## Verify Receipts

```bash
# Verify all receipts in the log
npx @veritasacta/verify .protect-mcp-log.jsonl

# Verify a single receipt
npx @veritasacta/verify receipt.json
```

## What a Receipt Looks Like

```json
{
  "type": "protectmcp:decision",
  "tool_name": "Bash",
  "decision": "allow",
  "policy_digest": "sha256:a3f8...",
  "issued_at": "2026-04-04T12:00:00Z",
  "signature": { "alg": "EdDSA", "sig": "..." }
}
```
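
The tamper-evidence property described above, shown as an added example that is not protect-mcp's or `@veritasacta/verify`'s own code: a receipt is signed with Ed25519, then checked unmodified, after an edit, and after its keys are reordered. Field names follow the sample receipt; the sorted-key canonical JSON, the base64url signature encoding, the function names and the throwaway key pair are assumptions made for this example.

```javascript
// Added example: field names follow the sample receipt on this page; the
// canonical form and signature encoding are assumptions, not protect-mcp's format.
const nodeCrypto = require("node:crypto");

// Deterministic serialization: object keys sorted recursively, so signer and
// verifier process identical bytes regardless of key order in the JSON file.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Sign every field except `signature` itself.
function signReceipt(fields, privateKey) {
  const { signature, ...body } = fields;
  const sig = nodeCrypto.sign(null, Buffer.from(canonicalize(body)), privateKey);
  return { ...body, signature: { alg: "EdDSA", sig: sig.toString("base64url") } };
}

// Returns true only if the receipt is well formed and the signature matches.
function verifyReceipt(receipt, publicKey) {
  const { signature, ...body } = receipt || {};
  if (!signature || signature.alg !== "EdDSA" || typeof signature.sig !== "string") return false;
  const sig = Buffer.from(signature.sig, "base64url");
  if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
  return nodeCrypto.verify(null, Buffer.from(canonicalize(body)), publicKey, sig);
}

// Constructed sample: throwaway key pair and receipt values.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
const receipt = signReceipt({
  type: "protectmcp:decision",
  tool_name: "Bash",
  decision: "deny",
  policy_digest: "sha256:<placeholder>",
  issued_at: "2026-04-04T12:00:00Z",
}, privateKey);

const tampered = { ...receipt, decision: "allow" }; // record edited after signing
const reordered = Object.fromEntries(Object.entries(receipt).reverse()); // same data, new key order

console.log("original :", verifyReceipt(receipt, publicKey));
console.log("tampered :", verifyReceipt(tampered, publicKey));
console.log("reordered:", verifyReceipt(reordered, publicKey));
```

Verification needs only the public key and the receipt, which is what makes the offline check possible; the verifier must obtain that public key through a channel it already trusts.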

## Cedar Policy Example

```cedar
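// Block destructive commands.
// `like` treats `*` as a wildcard, so this rule matches any Bash command
// string that starts with "rm -rf ".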
forbid (
  principal,
  action == Action::"tool_call",
  resource == Tool::"Bash"
) when {
  context.input.command like "rm -rf *"
};
```

## Links

- npm: https://npmjs.com/package/protect-mcp
- Source: https://github.com/scopeblind/scopeblind-gateway
- IETF Draft: https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/
- Merged into Microsoft Agent Governance Toolkit (PR #667)

Source: https://github.com/scopeblind/scopeblind-gateway