test(protect-mcp): add test/ fixtures and round-trip verification

Follow-up to wshobson#484 closing the test-plan commitment. Adds a
plugins/protect-mcp/test/ directory with:

  - Six deterministic fixtures covering PreToolUse (allow + deny paths
    on Read / Bash safe / Bash destructive / Write) and PostToolUse
    (receipt signing input)
  - A Cedar test policy exercising both permit and forbid semantics
  - An expected receipt-schema.json (JSON Schema draft-07) pinned to
    draft-farley-acta-signed-receipts required fields
  - run-tests.sh: full round-trip, requires node >= 18 and python3.
    Eight tests covering evaluate (permit/forbid exit codes), sign
    (receipt file produced), schema conformance, verify (valid + tamper
    detection).
  - verify-fixtures.sh: static fixture validation, python3 only, safe
    to run in sandboxed CI without network access.
  - README.md explaining the layout, how to run, and the exit-code
    convention (including 77 = autotools "skip" for missing tools).

The critical regression guard is test 8: flipping the `decision` field
in a signed receipt MUST invalidate the Ed25519 signature, so
`@veritasacta/verify` MUST exit 1. This locks in the tamper-detection
property that the plugin claims.

No changes to the plugin itself. No new runtime dependencies. No
changes to marketplace.json or hooks.json.

Author: ZeroXLauren

plugins/protect-mcp/test/README.md

@@ -0,0 +1,94 @@
+# protect-mcp test fixtures
+
+Round-trip tests for the `protect-mcp` plugin's `PreToolUse` and `PostToolUse`
+hooks. Exercises the full evaluate → sign → verify loop against deterministic
+fixtures, including the tamper-detection path.
+
+## Layout
+
+```
+test/
+├── fixtures/
+│   ├── test-policy.cedar                  # Cedar policy used by all tests
+│   ├── pretool-allow-read.json            # Read should be permitted
+│   ├── pretool-allow-bash-safe.json       # Bash "git status" should be permitted
+│   ├── pretool-deny-bash-destructive.json # Bash "rm -rf /" should be denied
+│   ├── pretool-deny-write.json            # Write should be denied
+│   └── posttool-signing-input.json        # Input for receipt signing
+├── expected/
+│   └── receipt-schema.json                # Expected receipt shape (JSON Schema)
+├── run-tests.sh                           # Full round-trip (requires node / npx)
+└── verify-fixtures.sh                     # Static validation (python3 only)
+```
+
+## Running
+
+### Full round-trip (local development)
+
+```bash
+./run-tests.sh
+```
+
+Requires `node` (>= 18), `npx`, and `python3`. Fetches `protect-mcp` and
+`@veritasacta/verify` from npm on first run. Runs eight tests:
+
+| # | Scenario | Expected exit |
+|---|----------|----------------|
+| 1 | `PreToolUse` on `Read`                         | 0 (permit)  |
+| 2 | `PreToolUse` on `Bash git status`              | 0 (permit)  |
+| 3 | `PreToolUse` on `Bash rm -rf /`                | 2 (forbid)  |
+| 4 | `PreToolUse` on `Write`                        | 2 (forbid)  |
+| 5 | `PostToolUse` signing produces a receipt file  | 0 (success) |
+| 6 | Produced receipt conforms to the schema        | 0 (valid)   |
+| 7 | `@veritasacta/verify` accepts the receipt      | 0 (valid)   |
+| 8 | Tampered receipt is rejected                   | 1 (tampered)|
+
+Test 8 is the critical regression guard: flipping the `decision` field in a
+signed receipt must invalidate the Ed25519 signature, so `@veritasacta/verify`
+must exit 1 rather than 0.
+
+### Static validation (CI-safe)
+
+```bash
+./verify-fixtures.sh
+```
+
+Only requires `python3`. Validates that every fixture is well-formed JSON and
+has the expected structure. No network calls, no npm fetches. Safe to run in
+sandboxed or offline CI.
+
+## What the tests prove
+
+- **Policy evaluation:** Cedar `permit` and `forbid` rules produce the
+  expected exit codes (0 / 2).
+- **Receipt schema:** signed receipts include every required field from
+  [`draft-farley-acta-signed-receipts`](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/).
+- **Signature integrity:** `@veritasacta/verify` validates authentic
+  receipts and rejects tampered ones, with the documented exit codes.
+- **End-to-end integration:** the plugin's two hooks compose into a
+  working allow/deny + sign + verify pipeline.
+
+## Extending
+
+To add a new test case:
+
+1. Drop a `pretool-*.json` or `posttool-*.json` fixture into `fixtures/`
+2. Add a matching rule to `fixtures/test-policy.cedar` if the test needs one
+3. Add an assertion block to `run-tests.sh` mirroring the existing ones
+
+Follow the naming convention `pretool-<allow|deny>-<scenario>.json` so the
+intent is obvious from `ls fixtures/`.
+
+## Exit codes
+
+| Script             | Exit | Meaning |
+|--------------------|------|---------|
+| `run-tests.sh`     | 0    | All tests passed |
+| `run-tests.sh`     | 1    | One or more tests failed |
+| `run-tests.sh`     | 77   | Required tool missing (skipped in CI) |
+| `verify-fixtures.sh` | 0  | All fixtures valid |
+| `verify-fixtures.sh` | 1  | Fixture malformed |
+| `verify-fixtures.sh` | 77 | `python3` missing (skipped) |
+
+77 is the autotools convention for "skip this test" and is interpreted as a
+skip by most CI frameworks.

plugins/protect-mcp/test/expected/receipt-schema.json

@@ -0,0 +1,32 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://veritasacta.com/schemas/receipt-v1.json",
+  "title": "Veritas Acta Decision Receipt v1",
+  "description": "Expected shape of a protect-mcp-produced receipt. Mirrors draft-farley-acta-signed-receipts.",
+  "type": "object",
+  "required": [
+    "receipt_id",
+    "receipt_version",
+    "issuer_id",
+    "event_time",
+    "tool_name",
+    "decision",
+    "public_key",
+    "signature"
+  ],
+  "properties": {
+    "receipt_id":      { "type": "string", "pattern": "^rec_" },
+    "receipt_version": { "type": "string", "const": "1.0" },
+    "issuer_id":       { "type": "string" },
+    "event_time":      { "type": "string", "format": "date-time" },
+    "tool_name":       { "type": "string" },
+    "input_hash":      { "type": "string", "pattern": "^sha256:" },
+    "decision":        { "type": "string", "enum": ["allow", "deny"] },
+    "policy_id":       { "type": "string" },
+    "policy_digest":   { "type": "string", "pattern": "^sha256:" },
+    "parent_receipt_id": { "type": ["string", "null"] },
+    "public_key":      { "type": "string", "minLength": 32 },
+    "signature":       { "type": "string", "minLength": 32 }
+  },
+  "additionalProperties": true
+}

plugins/protect-mcp/test/fixtures/posttool-signing-input.json

@@ -0,0 +1,12 @@
+{
+  "tool_name": "Read",
+  "tool_input": {
+    "file_path": "./README.md"
+  },
+  "tool_output": {
+    "content": "# Example project\n\nTest fixture output."
+  },
+  "session_id": "test-session-sign",
+  "decision": "allow",
+  "policy_id": "protect-mcp-test-policy"
+}

plugins/protect-mcp/test/fixtures/pretool-allow-bash-safe.json

@@ -0,0 +1,10 @@
+{
+  "tool_name": "Bash",
+  "tool_input": {
+    "command": "git status"
+  },
+  "session_id": "test-session-allow-bash",
+  "context": {
+    "command_pattern": "git"
+  }
+}

plugins/protect-mcp/test/fixtures/pretool-allow-read.json

@@ -0,0 +1,10 @@
+{
+  "tool_name": "Read",
+  "tool_input": {
+    "file_path": "./README.md"
+  },
+  "session_id": "test-session-allow-read",
+  "context": {
+    "path_starts_with": "./"
+  }
+}

plugins/protect-mcp/test/fixtures/pretool-deny-bash-destructive.json

@@ -0,0 +1,10 @@
+{
+  "tool_name": "Bash",
+  "tool_input": {
+    "command": "rm -rf /"
+  },
+  "session_id": "test-session-deny-destructive",
+  "context": {
+    "command_pattern": "rm -rf"
+  }
+}

plugins/protect-mcp/test/fixtures/pretool-deny-write.json

@@ -0,0 +1,11 @@
+{
+  "tool_name": "Write",
+  "tool_input": {
+    "file_path": "./secrets.env",
+    "content": "dummy"
+  },
+  "session_id": "test-session-deny-write",
+  "context": {
+    "path_starts_with": "./"
+  }
+}

plugins/protect-mcp/test/fixtures/test-policy.cedar

@@ -0,0 +1,37 @@
+// Test Cedar policy for protect-mcp hook round-trip tests.
+// Not a production example. See ../../agents/policy-enforcer.md for real-world policies.
+
+// Allow all read-oriented tools.
+permit (
+    principal,
+    action in [Action::"Read", Action::"Glob", Action::"Grep", Action::"WebSearch"],
+    resource
+);
+
+// Allow safe Bash commands only.
+permit (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.command_pattern in ["git", "npm", "ls", "cat", "echo", "pwd", "test", "node"]
+};
+
+// Explicit deny on destructive commands, even if permit would match elsewhere.
+// Cedar deny is authoritative.
+forbid (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.command_pattern in ["rm -rf", "dd", "mkfs", "shred", ":(){ :|:& };:"]
+};
+
+// Writes are denied unscoped. A real policy would permit writes when
+// context.path_starts_with is safe. The tests exercise the unscoped
+// form so we can verify deny is enforced.
+forbid (
+    principal,
+    action in [Action::"Write", Action::"Edit"],
+    resource
+);