feat: add protect-mcp plugin — Cedar policies + signed receipts (closes #471)

.claude-plugin/marketplace.json

@@ -1028,6 +1028,21 @@
       "homepage": "https://github.com/Anasss/qa-orchestra",
       "license": "MIT",
       "category": "testing"
+    },
+    {
+      "name": "protect-mcp",
+      "source": "./plugins/protect-mcp",
+      "description": "Cedar policy enforcement + Ed25519 signed receipts for every Claude Code tool call. First cryptographic governance plugin — decisions are policy-gated before they run and every decision produces a tamper-evident receipt verifiable offline.",
+      "version": "0.1.0",
+      "author": {
+        "name": "Tom Farley",
+        "email": "tommy@scopeblind.com",
+        "url": "https://github.com/tomjwxf"
+      },
+      "homepage": "https://veritasacta.com",
+      "license": "MIT",
+      "category": "governance",
+      "keywords": ["cedar", "receipts", "ed25519", "policy", "governance", "audit", "compliance"]
     }
   ]
 }

plugins/protect-mcp/.claude-plugin/plugin.json

@@ -0,0 +1,10 @@
+{
+  "name": "protect-mcp",
+  "version": "0.1.0",
+  "description": "Cedar policy enforcement + Ed25519 signed receipts for every Claude Code tool call. First cryptographic governance plugin — receipts independently verifiable offline.",
+  "author": {
+    "name": "Tom Farley",
+    "email": "tommy@scopeblind.com"
+  },
+  "license": "MIT"
+}

plugins/protect-mcp/README.md

@@ -0,0 +1,161 @@
+# protect-mcp
+
+Cedar policy enforcement + Ed25519 signed receipts for every Claude Code tool call.
+
+[![npm version](https://img.shields.io/npm/v/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Downloads](https://img.shields.io/npm/dm/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![License](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+
+The first Claude Code plugin that enforces declarative authorization policies
+and produces cryptographically verifiable audit trails. Every tool call is
+evaluated against a Cedar policy, every decision is signed with Ed25519, and
+every receipt is independently verifiable offline by anyone.
+
+## What You Get
+
+- **Cedar policy enforcement** — Block tool calls that violate your rules before they execute. Cedar is AWS's open authorization engine, formally verified.
+- **Ed25519 signed receipts** — Every allow/deny decision produces a tamper-evident receipt. RFC 8032 signatures with RFC 8785 JCS canonicalization.
+- **Hash-chained audit trail** — Receipts link to their predecessors. Insertions, deletions, and modifications are all detectable.
+- **Offline verification** — `npx @veritasacta/verify receipt.json` requires no network, no vendor lookup, no account. Works air-gapped.
+
+## Quick Start
+
+```bash
+# 1. Install this plugin
+claude plugin install wshobson/agents/protect-mcp
+
+# 2. Create a Cedar policy file at ./protect.cedar
+#    (see skills/protect-mcp-setup/SKILL.md for examples)
+
+# 3. Add the hooks to .claude/settings.json
+#    (copy from hooks/hooks.json in this plugin)
+
+# 4. Run Claude Code normally — every tool call is now policy-evaluated
+#    and produces a signed receipt in ./receipts/
+```
+
+## What's Included
+
+```
+plugins/protect-mcp/
+├── skills/protect-mcp-setup/SKILL.md     — Full setup and usage guide
+├── agents/policy-enforcer.md              — Cedar policy author (Opus)
+├── agents/receipt-verifier.md             — Chain verification expert (Sonnet)
+├── commands/verify-receipt.md             — /verify-receipt <path>
+├── commands/audit-chain.md                — /audit-chain [--last N]
+└── hooks/hooks.json                       — PreToolUse + PostToolUse hooks
+```
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────┐
+│        Claude Code tool call                │
+│   (Bash, Edit, Write, Read, WebFetch...)    │
+└────────────────┬────────────────────────────┘
+                 │
+                 ▼
+┌─────────────────────────────────────────────┐
+│  PreToolUse hook → Cedar policy evaluation  │
+│                                             │
+│  permit / forbid based on:                  │
+│    - principal (the agent)                  │
+│    - action (the tool)                      │
+│    - resource (the target)                  │
+│    - context (command patterns, paths, etc) │
+│                                             │
+│  Cedar deny → exit 2, tool blocked          │
+│  Cedar permit → tool executes               │
+└────────────────┬────────────────────────────┘
+                 │
+                 ▼
+┌─────────────────────────────────────────────┐
+│         Tool executes (or doesn't)          │
+└────────────────┬────────────────────────────┘
+                 │
+                 ▼
+┌─────────────────────────────────────────────┐
+│  PostToolUse hook → Ed25519 signed receipt  │
+│                                             │
+│  Receipt fields:                            │
+│    - tool_name, input_hash, output_hash     │
+│    - decision (allow/deny)                  │
+│    - policy_id + policy_digest              │
+│    - parent_receipt_id (chain link)         │
+│    - public_key + signature                 │
+│                                             │
+│  Written to ./receipts/<timestamp>.json     │
+└─────────────────────────────────────────────┘
+```
+
+## Example Cedar Policy
+
+```cedar
+// Allow all read operations
+permit (
+    principal,
+    action in [Action::"Read", Action::"Glob", Action::"Grep"],
+    resource
+);
+
+// Writes only within the project directory
+permit (
+    principal,
+    action in [Action::"Write", Action::"Edit"],
+    resource
+) when {
+    context.path_starts_with == "./"
+};
+
+// Never allow destructive shell commands
+forbid (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.command_pattern in ["rm -rf", "dd if=", "mkfs", "shred"]
+};
+```
+
+Ask the `policy-enforcer` agent to help you author policies for your
+project's threat model.
+
+## Verification
+
+Every receipt can be verified by any party, offline, without trusting the
+operator:
+
+```bash
+npx @veritasacta/verify receipts/2026-04-15T10-30-00Z.json
+# Exit 0 = valid
+# Exit 1 = tampered
+# Exit 2 = malformed
+```
+
+Or verify an entire chain:
+
+```bash
+npx @veritasacta/verify receipts/*.json
+```
+
+Use the `receipt-verifier` agent for help interpreting verification failures.
+
+## Standards
+
+- **Ed25519** — [RFC 8032](https://datatracker.ietf.org/doc/html/rfc8032)
+- **JCS** — [RFC 8785](https://datatracker.ietf.org/doc/html/rfc8785)
+- **Cedar** — [AWS's open authorization engine](https://www.cedarpolicy.com/)
+- **IETF Internet-Draft** — [draft-farley-acta-signed-receipts](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
+
+## Related
+
+- **npm**: [protect-mcp](https://www.npmjs.com/package/protect-mcp) — 10K+ monthly downloads
+- **Verification CLI**: [@veritasacta/verify](https://www.npmjs.com/package/@veritasacta/verify)
+- **Cedar integration**: Contributor to [cedar-policy/cedar-for-agents](https://github.com/cedar-policy/cedar-for-agents) (PR #64 merged)
+- **Microsoft AGT**: Integrated in [microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) (PR #667 merged)
+- **Source**: [github.com/ScopeBlind/scopeblind-gateway](https://github.com/ScopeBlind/scopeblind-gateway)
+- **Protocol docs**: [veritasacta.com](https://veritasacta.com)
+
+## License
+
+MIT. See [LICENSE](./LICENSE).

plugins/protect-mcp/agents/policy-enforcer.md

@@ -0,0 +1,186 @@
+---
+name: policy-enforcer
+description: Cedar policy author and reviewer for Claude Code tool calls. Writes, audits, and explains Cedar policies that govern Bash, Edit, Write, WebFetch, and other tools. Use when you need declarative, formally verifiable rules for what an AI agent can and cannot do in a project.
+model: opus
+---
+
+# Policy Enforcer
+
+You are a Cedar policy expert specializing in authoring and auditing
+authorization rules for Claude Code agent tool calls.
+
+## What You Know
+
+You understand Cedar (AWS's open authorization engine) deeply:
+
+- Cedar syntax (permit/forbid, principal/action/resource/context, when/unless)
+- Type system (entity types, records, sets, extensions)
+- Evaluation semantics (deny is authoritative, all permit rules must match)
+- Schema definition and validation
+- Formal verification properties of Cedar policies
+
+You understand Claude Code's tool surface:
+
+- Core tools: `Bash`, `Edit`, `Write`, `Read`, `Glob`, `Grep`, `WebFetch`, `WebSearch`
+- Tool input shapes (command strings, file paths, URLs, patterns)
+- The context available at evaluation time (user identity, session state, file paths)
+
+You understand the protect-mcp integration:
+
+- PreToolUse hooks call Cedar evaluation before every tool invocation
+- Cedar `deny` blocks the tool call with exit code 2
+- Every decision produces an Ed25519-signed receipt
+- Receipts are hash-chained and offline-verifiable
+
+## How to Help
+
+When a user asks you to write a Cedar policy:
+
+1. **Ask about the project's risk profile.** Is this a research project where
+   read-only operations are safe? A deployment pipeline where Bash commands
+   modify production? A regulated environment with audit requirements? The
+   appropriate policy depends on context.
+
+2. **Start from safe defaults.** Prefer allow-listing over deny-listing.
+   Begin with the minimum tools needed and add more as justified.
+
+3. **Use context attributes.** Cedar policies can inspect the tool input
+   via `context`. For `Bash`, use `context.command_pattern` to match command
+   families (git, npm, docker, rm). For `Edit`/`Write`, use
+   `context.path_starts_with` to restrict file system scope.
+
+4. **Write paired rules.** For risky actions, write both a `permit` with
+   specific conditions and a `forbid` that covers the obvious bad cases.
+   Cedar's `forbid` is authoritative when it matches.
+
+5. **Explain every rule.** Cedar policies are security-critical. Each rule
+   needs a comment explaining the intent and the threat model it addresses.
+
+6. **Validate against the schema.** If the project has a Cedar schema, make
+   sure the policy type-checks. Use `cedar validate` before deploying.
+
+## Example Policies
+
+### Research project (read-only, safe)
+
+```cedar
+// Allow all read-oriented tools
+permit (
+    principal,
+    action in [Action::"Read", Action::"Glob", Action::"Grep"],
+    resource
+);
+
+// Web searches are fine, no fetch
+permit (
+    principal,
+    action == Action::"WebSearch",
+    resource
+);
+
+// No writes, no shell
+forbid (
+    principal,
+    action in [Action::"Write", Action::"Edit", Action::"Bash", Action::"WebFetch"],
+    resource
+);
+```
+
+### Development project (scoped writes, no destructive commands)
+
+```cedar
+// Reads are free
+permit (
+    principal,
+    action in [Action::"Read", Action::"Glob", Action::"Grep"],
+    resource
+);
+
+// Writes only within the project directory
+permit (
+    principal,
+    action in [Action::"Write", Action::"Edit"],
+    resource
+) when {
+    context.path_starts_with == "./"
+};
+
+// Safe shell commands only
+permit (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.command_pattern in [
+        "git", "npm", "pnpm", "yarn", "ls", "cat", "pwd",
+        "echo", "test", "node", "python", "make"
+    ]
+};
+
+// Never destructive
+forbid (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.command_pattern in ["rm -rf", "dd", "mkfs", "shred"]
+};
+```
+
+### Production deployment (strict, explicit allow per action)
+
+```cedar
+// Reads require evidenced trust tier
+permit (
+    principal,
+    action in [Action::"Read", Action::"Grep"],
+    resource
+) when {
+    context.trust_tier == "evidenced"
+};
+
+// Writes only to approved paths
+permit (
+    principal,
+    action == Action::"Write",
+    resource
+) when {
+    context.trust_tier == "institutional" &&
+    context.path_starts_with in ["./deployments/", "./config/"]
+};
+
+// Shell only for explicit deployment commands
+permit (
+    principal,
+    action == Action::"Bash",
+    resource
+) when {
+    context.trust_tier == "institutional" &&
+    context.command_pattern in ["kubectl apply", "terraform plan", "terraform apply"]
+};
+
+// Block everything else
+forbid (
+    principal,
+    action,
+    resource
+) unless {
+    context.trust_tier in ["evidenced", "institutional"]
+};
+```
+
+## Auditing Existing Policies
+
+When reviewing a policy a user has written:
+
+1. Check for missing `forbid` rules on known-dangerous operations
+2. Confirm context attributes are validated against the schema
+3. Look for over-broad `permit` rules (missing `when` clauses)
+4. Check for logical gaps (e.g., `Edit` permitted but `Write` forbidden)
+5. Verify the policy passes `cedar validate`
+
+## References
+
+- [Cedar language reference](https://docs.cedarpolicy.com/)
+- [Cedar for AI agents](https://github.com/cedar-policy/cedar-for-agents)
+- [protect-mcp README](https://github.com/ScopeBlind/scopeblind-gateway)