feat: add protect-mcp plugin — Cedar policies + signed receipts (closes #471)

[tomjwxf]

Summary

Closes #471.

Adds protect-mcp, the first cryptographic governance plugin in the marketplace. Every Claude Code tool call is:

1. Evaluated against a Cedar policy before it runs (PreToolUse hook). Cedar deny → exit 2 → tool blocked.
2. Signed with an Ed25519 key after it runs (PostToolUse hook). Receipts are hash-chained and written to ./receipts/.
3. Verifiable offline by anyone via npx @veritasacta/verify — no network, no vendor lookup, no trust in the operator.

Directory structure matches what was requested in #471:

plugins/protect-mcp/
├── .claude-plugin/plugin.json
├── README.md
├── skills/protect-mcp-setup/SKILL.md
├── agents/policy-enforcer.md        (opus)
├── agents/receipt-verifier.md       (sonnet)
├── commands/verify-receipt.md       (/verify-receipt <path>)
├── commands/audit-chain.md          (/audit-chain [--last N])
└── hooks/hooks.json

Also adds the marketplace entry under category: security. If you'd prefer a new governance category, happy to add one in a follow-up — I defaulted to security since that category already exists.

Why this is a good fit

• Addresses an open issue. Add protect-mcp — Ed25519 receipt signing + Cedar policy enforcement plugin #471 specifically requested this plugin with this structure.
• Depends on published packages. The plugin is a thin wrapper around two npm packages that already exist:
  • protect-mcp — 10K+ monthly downloads, the hooks runtime
  • @veritasacta/verify — offline verification CLI
• Standards-based. Ed25519 (RFC 8032), JCS (RFC 8785), Cedar (AWS's open authorization engine), IETF draft draft-farley-acta-signed-receipts.
• Ecosystem presence already exists. Cedar WASM bindings for agent policies merged in cedar-policy/cedar-for-agents#64 and a governed example merged in microsoft/agent-governance-toolkit#667.

Test plan

• python3 -m json.tool validates plugin.json, hooks.json, and the updated marketplace.json
• claude plugin install wshobson/agents/protect-mcp (after merge)
• Claude Code session with a Bash tool call + ./protect.cedar present produces a receipt file
• npx @veritasacta/verify receipts/*.json exits 0 on the produced receipts
• Tampering with a receipt file causes npx @veritasacta/verify to exit 1
• /verify-receipt and /audit-chain slash commands render from within Claude Code

Notes

• The hooks are written to fail-open on missing policy (--fail-on-missing-policy false) so installing the plugin doesn't break existing projects that haven't configured a Cedar policy yet.
• Receipts are written to ./receipts/ by default, configurable via PROTECT_MCP_RECEIPTS.
• The plugin's skill includes a full setup guide with example Cedar policies for research, development, and production contexts.

cc @wshobson — happy to iterate on anything here.

[tomjwxf]

Thanks for the review! Addressing each point:

🟡 Governance category — done (just pushed)

Commit 0f1bb6f moves the plugin to a new `governance` category and adds a `keywords` array for discovery. Looking at existing categories in the marketplace (testing, payments, gaming, finance, blockchain, accessibility all have 1-2 plugins each), a new single-inhabitant category seems acceptable — happy to revert if you'd rather keep it in `security` until there's a second governance plugin.

🟡 Automated tests — agreed as follow-up

Good suggestion. I'll open a follow-up PR once this one lands that adds a `plugins/protect-mcp/test/` directory with:

• A test Cedar policy + synthetic tool call that should deny → exercises the PreToolUse block path
• A PostToolUse receipt generation + `@veritasacta/verify` round-trip → exercises the sign + verify path

Want to keep this PR focused on the plugin itself rather than changing CI scope.

🔴 Marketplace `files` array — checked, appears not required

I looked carefully before responding and I don't think this change is needed. Two data points:

1. Anthropic's marketplace schema docs (code.claude.com/docs/en/plugin-marketplaces) list the supported plugin-entry fields: `name`, `source`, `description`, `version`, `author`, `homepage`, `repository`, `license`, `keywords`, `category`, `tags`, `strict`, and component paths (`skills`, `commands`, `agents`, `hooks`, `mcpServers`, `lspServers`). There is no documented `files` field.
2. None of the 77 existing plugin entries in this marketplace use a `files` array:
   ```
   $ grep -c '"files":' .claude-plugin/marketplace.json
   0
   ```
   If `files` were required, all 77 would be failing to install.

The plugin installs via `source: ./plugins/protect-mcp` — relative-path source, which the docs confirm "clones the entire repository, making relative paths work correctly." I've tested with `claude plugin marketplace add ./` locally and the plugin loads without issues.

If you have an internal tooling/policy that requires a `files` array that isn't reflected in the public docs or the existing entries, I'm happy to add it — just point me at the spec and I'll update this PR immediately. But I didn't want to add a field whose semantics I couldn't confirm, since it could conflict with the existing convention.

Thanks again for keeping the review bar high on this marketplace.

[wshobson]

Hi @tomjwxf — huge apologies for the noise on this thread. I was testing a "Hermes" agent integration that went off the rails and posted a bunch of repetitive and factually incorrect reviews under my account (including the bogus "missing files array" request-changes). I've shut that integration down and cleaned up the bad comments.

Your rebuttal was 100% correct — no entry in marketplace.json uses a files array, and it's not in the documented schema. Sorry you had to spend time refuting a hallucination.

The plugin itself looks great:

• Structure matches #471 exactly
• governance category addition is a nice touch, keywords help discovery
• Standards-based design (Ed25519 / JCS / Cedar) with offline-verifiable receipts is genuinely novel for this marketplace
• Fail-open on missing policy is the right default for backward compatibility

Approving and merging. Thanks for the thoughtful contribution and for your patience with the bot mess.

[wshobson]

Rebased on latest main to resolve the marketplace.json conflict introduced by #480 (qa-orchestra). Conflict was purely positional — both PRs added a new entry after block-no-verify. I kept both: qa-orchestra first, then protect-mcp with the governance category and keywords array from your follow-up commit 0f1bb6f. JSON validated, no other changes. PR is now CLEAN / MERGEABLE.

[tomjwxf]

No worries at all @wshobson !