protect-mcp 0.2.1 → 0.3.0

package/dist/cli.js

@@ -2642,6 +2642,8 @@ var init_ed25519 = __esm({
 var import_node_child_process = require("child_process");
 var import_node_crypto2 = require("crypto");
 var import_node_readline = require("readline");
+var import_node_fs5 = require("fs");
+var import_node_path3 = require("path");
 
 // src/policy.ts
 var import_node_crypto = require("crypto");
@@ -2719,8 +2721,126 @@ function checkRateLimit(key, limit, store) {
   return { allowed: true, remaining: limit.count - timestamps.length };
 }
 
+// src/evidence-store.ts
+var import_node_fs2 = require("fs");
+var import_node_path = require("path");
+var DEFAULT_THRESHOLDS = {
+  min_receipts: 10,
+  min_epoch_span: 3,
+  min_issuers: 2
+};
+var EvidenceStore = class {
+  agents = /* @__PURE__ */ new Map();
+  filePath;
+  dirty = false;
+  constructor(dir) {
+    this.filePath = (0, import_node_path.join)(dir || process.cwd(), ".protect-mcp-evidence.json");
+    this.load();
+  }
+  /**
+   * Record a receipt observation for an agent.
+   */
+  record(agentId, issuer, timestamp) {
+    const ts = timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const epochHour = Math.floor(new Date(ts).getTime() / (3600 * 1e3));
+    const existing = this.agents.get(agentId);
+    const observation = {
+      issuer,
+      timestamp: ts,
+      epoch_hour: epochHour
+    };
+    if (existing) {
+      existing.receipts.push(observation);
+      existing.last_seen = ts;
+      if (existing.receipts.length > 200) {
+        existing.receipts = existing.receipts.slice(-200);
+      }
+    } else {
+      this.agents.set(agentId, {
+        agent_id: agentId,
+        receipts: [observation],
+        first_seen: ts,
+        last_seen: ts
+      });
+    }
+    this.dirty = true;
+  }
+  /**
+   * Get the evidence summary for an agent.
+   */
+  getSummary(agentId) {
+    const record = this.agents.get(agentId);
+    if (!record || record.receipts.length === 0) {
+      return { receipt_count: 0, epoch_span: 0, issuer_count: 0 };
+    }
+    const uniqueIssuers = new Set(record.receipts.map((r) => r.issuer));
+    const uniqueEpochs = new Set(record.receipts.map((r) => r.epoch_hour));
+    return {
+      receipt_count: record.receipts.length,
+      epoch_span: uniqueEpochs.size,
+      issuer_count: uniqueIssuers.size
+    };
+  }
+  /**
+   * Check if an agent meets the evidenced tier thresholds.
+   */
+  meetsEvidencedThreshold(agentId, thresholds = DEFAULT_THRESHOLDS) {
+    const summary = this.getSummary(agentId);
+    return summary.receipt_count >= thresholds.min_receipts && summary.epoch_span >= thresholds.min_epoch_span && summary.issuer_count >= thresholds.min_issuers;
+  }
+  /**
+   * Persist to disk (call periodically or on shutdown).
+   */
+  save() {
+    if (!this.dirty) return;
+    const data = {};
+    for (const [id, record] of this.agents) {
+      data[id] = record;
+    }
+    try {
+      (0, import_node_fs2.writeFileSync)(this.filePath, JSON.stringify({ v: 1, agents: data }, null, 2) + "\n");
+      this.dirty = false;
+    } catch {
+    }
+  }
+  /**
+   * Load from disk.
+   */
+  load() {
+    if (!(0, import_node_fs2.existsSync)(this.filePath)) return;
+    try {
+      const raw = (0, import_node_fs2.readFileSync)(this.filePath, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (parsed.agents && typeof parsed.agents === "object") {
+        for (const [id, record] of Object.entries(parsed.agents)) {
+          this.agents.set(id, record);
+        }
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get total agent count (for status display).
+   */
+  agentCount() {
+    return this.agents.size;
+  }
+  /**
+   * Get all agent summaries (for status display).
+   */
+  allSummaries() {
+    const result = [];
+    for (const [id] of this.agents) {
+      result.push({ agent_id: id, summary: this.getSummary(id) });
+    }
+    return result;
+  }
+};
+
 // src/admission.ts
-function evaluateTier(manifest, overrides) {
+function evaluateTier(manifest, opts) {
+  const options = opts && ("evidenceStore" in opts || "overrides" in opts || "thresholds" in opts) ? opts : { overrides: opts };
+  const { overrides, evidenceStore, thresholds } = options;
   if (!manifest) {
     return {
       tier: "unknown",
@@ -2746,7 +2866,8 @@ function evaluateTier(manifest, overrides) {
   if (manifest.signature_valid === true) {
     if (manifest.evidence_summary) {
       const es = manifest.evidence_summary;
-      if (es.receipt_count >= 10 && es.epoch_span >= 3 && es.issuer_count >= 2) {
+      const t = thresholds || DEFAULT_THRESHOLDS;
+      if (es.receipt_count >= t.min_receipts && es.epoch_span >= t.min_epoch_span && es.issuer_count >= t.min_issuers) {
         return {
           tier: "evidenced",
           agent_id: manifest.agent_id,
@@ -2755,6 +2876,16 @@ function evaluateTier(manifest, overrides) {
         };
       }
     }
+    if (evidenceStore && manifest.agent_id) {
+      if (evidenceStore.meetsEvidencedThreshold(manifest.agent_id, thresholds)) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_store_threshold_met"
+        };
+      }
+    }
     return {
       tier: "signed-known",
       agent_id: manifest.agent_id,
@@ -2820,7 +2951,7 @@ function validateCredentials(credentials) {
 }
 
 // src/signing.ts
-var import_node_fs2 = require("fs");
+var import_node_fs3 = require("fs");
 var signerState = null;
 var artifactsModule = null;
 async function initSigning(config) {
@@ -2835,12 +2966,12 @@ async function initSigning(config) {
     return warnings;
   }
   if (config.key_path) {
-    if (!(0, import_node_fs2.existsSync)(config.key_path)) {
+    if (!(0, import_node_fs3.existsSync)(config.key_path)) {
       warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
       return warnings;
     }
     try {
-      const keyData = JSON.parse((0, import_node_fs2.readFileSync)(config.key_path, "utf-8"));
+      const keyData = JSON.parse((0, import_node_fs3.readFileSync)(config.key_path, "utf-8"));
       if (!keyData.privateKey || !keyData.publicKey) {
         warnings.push("signing: key file missing privateKey or publicKey fields");
         return warnings;
@@ -2904,21 +3035,283 @@ function isSigningEnabled() {
   return signerState !== null && artifactsModule !== null;
 }
 
+// src/external-pdp.ts
+async function queryExternalPDP(context, config) {
+  const timeout = config.timeout_ms || 500;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeout);
+  try {
+    const body = formatRequest(context, config.format || "generic");
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    return parseResponse(result, config.format || "generic");
+  } catch (err) {
+    clearTimeout(timer);
+    if (err instanceof Error && err.name === "AbortError") {
+      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
+    }
+    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
+  }
+}
+function formatRequest(context, format) {
+  switch (format) {
+    case "opa":
+      return {
+        input: {
+          actor: context.actor,
+          action: context.action,
+          target: context.target,
+          credential_ref: context.credential_ref,
+          mode: context.mode,
+          metadata: context.request_metadata
+        }
+      };
+    case "cerbos":
+      return {
+        principal: {
+          id: context.actor.id || "unknown",
+          roles: [context.actor.tier],
+          attr: {
+            manifest_hash: context.actor.manifest_hash
+          }
+        },
+        resource: {
+          kind: "tool",
+          id: context.action.tool,
+          attr: context.target
+        },
+        actions: [context.action.operation || "call"]
+      };
+    case "generic":
+    default:
+      return context;
+  }
+}
+function parseResponse(result, format) {
+  switch (format) {
+    case "opa":
+      if (typeof result.result === "boolean") {
+        return { allowed: result.result };
+      }
+      if (result.result && typeof result.result === "object") {
+        const r = result.result;
+        return {
+          allowed: Boolean(r.allow),
+          reason: r.reason,
+          metadata: r
+        };
+      }
+      return { allowed: false, reason: "unrecognized OPA response" };
+    case "cerbos":
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const actions = result.results[0].actions;
+        if (actions) {
+          const effect = Object.values(actions)[0];
+          return { allowed: effect === "EFFECT_ALLOW" };
+        }
+      }
+      return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "generic":
+    default:
+      return {
+        allowed: Boolean(result.allowed),
+        reason: result.reason,
+        metadata: result.metadata
+      };
+  }
+}
+function fallbackDecision(config, reason) {
+  const fallback = config.fallback || "deny";
+  return {
+    allowed: fallback === "allow",
+    reason: `fallback_${fallback}: ${reason}`
+  };
+}
+function buildDecisionContext(toolName, tier, opts) {
+  return {
+    v: 1,
+    actor: {
+      id: opts.agentId,
+      tier,
+      manifest_hash: opts.manifestHash
+    },
+    action: {
+      tool: toolName,
+      operation: "call"
+    },
+    target: {
+      service: opts.slug || "default"
+    },
+    credential_ref: opts.credentialRef,
+    mode: opts.mode,
+    request_metadata: opts.requestMetadata || {}
+  };
+}
+
+// src/http-server.ts
+var import_node_http = require("http");
+var import_node_fs4 = require("fs");
+var import_node_path2 = require("path");
+var LOG_FILE = ".protect-mcp-log.jsonl";
+var MAX_RECEIPTS = 100;
+var ReceiptBuffer = class {
+  receipts = [];
+  add(requestId, receipt) {
+    this.receipts.push({
+      request_id: requestId,
+      receipt,
+      timestamp: Date.now()
+    });
+    if (this.receipts.length > MAX_RECEIPTS) {
+      this.receipts = this.receipts.slice(-MAX_RECEIPTS);
+    }
+  }
+  getAll() {
+    return [...this.receipts].reverse();
+  }
+  getById(requestId) {
+    return this.receipts.find((r) => r.request_id === requestId);
+  }
+  count() {
+    return this.receipts.length;
+  }
+};
+function startStatusServer(config, receiptBuffer) {
+  const startTime = Date.now();
+  const logDir = process.cwd();
+  const server = (0, import_node_http.createServer)((req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    res.setHeader("Content-Type", "application/json");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${config.port}`);
+    const path = url.pathname;
+    try {
+      if (path === "/health") {
+        handleHealth(res, startTime, config);
+      } else if (path === "/status") {
+        handleStatus(res, logDir);
+      } else if (path === "/receipts") {
+        handleReceipts(res, receiptBuffer, url);
+      } else if (path.startsWith("/receipts/")) {
+        const id = path.slice("/receipts/".length);
+        handleReceiptById(res, receiptBuffer, id);
+      } else {
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/:id"] }));
+      }
+    } catch (err) {
+      res.writeHead(500);
+      res.end(JSON.stringify({ error: "internal_error" }));
+    }
+  });
+  server.listen(config.port, "127.0.0.1", () => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
+`);
+    }
+  });
+  server.unref();
+  return server;
+}
+function handleHealth(res, startTime, config) {
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    status: "ok",
+    uptime_ms: Date.now() - startTime,
+    mode: config.mode,
+    version: "0.3.0"
+  }));
+}
+function handleStatus(res, logDir) {
+  const logPath = (0, import_node_path2.join)(logDir, LOG_FILE);
+  if (!(0, import_node_fs4.existsSync)(logPath)) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
+    return;
+  }
+  const raw = (0, import_node_fs4.readFileSync)(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  const toolCounts = {};
+  let allowCount = 0, denyCount = 0;
+  const tierCounts = {};
+  for (const e of entries) {
+    toolCounts[e.tool] = (toolCounts[e.tool] || 0) + 1;
+    if (e.decision === "allow") allowCount++;
+    else denyCount++;
+    if (e.tier) tierCounts[e.tier] = (tierCounts[e.tier] || 0) + 1;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    entries: entries.length,
+    allow: allowCount,
+    deny: denyCount,
+    tools: toolCounts,
+    tiers: tierCounts,
+    first_timestamp: entries.length > 0 ? entries[0].timestamp : null,
+    last_timestamp: entries.length > 0 ? entries[entries.length - 1].timestamp : null
+  }));
+}
+function handleReceipts(res, buffer, url) {
+  const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+  const receipts = buffer.getAll().slice(0, Math.min(limit, MAX_RECEIPTS));
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    count: receipts.length,
+    total: buffer.count(),
+    receipts
+  }));
+}
+function handleReceiptById(res, buffer, id) {
+  const receipt = buffer.getById(id);
+  if (!receipt) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "receipt_not_found", request_id: id }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(receipt));
+}
+
 // src/gateway.ts
+var LOG_FILE2 = ".protect-mcp-log.jsonl";
 var ProtectGateway = class {
   child = null;
   config;
   rateLimitStore = /* @__PURE__ */ new Map();
   clientReader = null;
-  // Trust-tier state for the current session
+  logFilePath;
+  evidenceStore;
+  receiptBuffer;
   currentTier = "unknown";
   admissionResult = null;
   constructor(config) {
     this.config = config;
+    this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
+    this.evidenceStore = new EvidenceStore();
+    this.receiptBuffer = new ReceiptBuffer();
   }
-  /**
-   * Start the gateway: spawn child process and wire up message relay.
-   */
   async start() {
     const { command, args, verbose } = this.config;
     const mode = this.config.enforce ? "enforce" : "shadow";
@@ -2935,11 +3328,34 @@ var ProtectGateway = class {
         const labels = Object.keys(this.config.credentials);
         this.log(`Credential vault: ${labels.length} credential(s) configured [${labels.join(", ")}]`);
       }
+      if (this.config.policy?.policy_engine === "external" || this.config.policy?.policy_engine === "hybrid") {
+        this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
+      }
     }
-    this.child = (0, import_node_child_process.spawn)(command, args, {
-      stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env }
-    });
+    const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
+    if (httpPort > 0) {
+      try {
+        startStatusServer(
+          { port: httpPort, mode, verbose },
+          this.receiptBuffer
+        );
+      } catch {
+        if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
+      }
+    }
+    const childEnv = { ...process.env };
+    if (this.config.credentials) {
+      for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+        if (credConfig.inject === "env" && credConfig.name && credConfig.value_env) {
+          const envValue = process.env[credConfig.value_env];
+          if (envValue) {
+            childEnv[credConfig.name] = envValue;
+            if (verbose) this.log(`Credential "${label}": injected as env var "${credConfig.name}"`);
+          }
+        }
+      }
+    }
+    this.child = (0, import_node_child_process.spawn)(command, args, { stdio: ["pipe", "pipe", "pipe"], env: childEnv });
     if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
       throw new Error("Failed to create pipes to child process");
     }
@@ -2955,9 +3371,8 @@ var ProtectGateway = class {
       this.handleClientMessage(line);
     });
     this.child.on("exit", (code, signal) => {
-      if (this.config.verbose) {
-        this.log(`Child process exited (code=${code}, signal=${signal})`);
-      }
+      if (verbose) this.log(`Child process exited (code=${code}, signal=${signal})`);
+      this.evidenceStore.save();
       process.exit(code ?? 1);
     });
     this.child.on("error", (err) => {
@@ -2967,30 +3382,18 @@ var ProtectGateway = class {
     process.on("SIGINT", () => this.stop());
     process.on("SIGTERM", () => this.stop());
     process.stdin.on("end", () => {
-      if (this.config.verbose) {
-        this.log("Client stdin closed, closing child stdin");
-      }
-      if (this.child?.stdin?.writable) {
-        this.child.stdin.end();
-      }
+      if (verbose) this.log("Client stdin closed, closing child stdin");
+      if (this.child?.stdin?.writable) this.child.stdin.end();
     });
   }
-  /**
-   * Set the trust tier for this session.
-   * Called at admission (first interaction) or by explicit manifest presentation.
-   */
   setManifest(manifest) {
-    this.admissionResult = evaluateTier(manifest);
+    this.admissionResult = evaluateTier(manifest, { evidenceStore: this.evidenceStore });
     this.currentTier = this.admissionResult.tier;
     if (this.config.verbose) {
-      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"} reason=${this.admissionResult.reason}`);
+      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"}`);
     }
     return this.admissionResult;
   }
-  /**
-   * Handle a message from the MCP client (stdin).
-   * Intercept tools/call requests; pass through everything else.
-   */
   handleClientMessage(raw) {
     const trimmed = raw.trim();
     if (!trimmed) return;
@@ -3002,25 +3405,38 @@ var ProtectGateway = class {
       return;
     }
     if (message.method === "tools/call" && message.id !== void 0) {
-      const result = this.interceptToolCall(message);
-      if (result) {
-        this.sendToClient(JSON.stringify(result));
-        return;
-      }
+      this.interceptToolCallAsync(message, trimmed);
+      return;
     }
     this.sendToChild(trimmed);
   }
-  /**
-   * Handle a message from the wrapped MCP server (child stdout).
-   * Forward to client (stdout) transparently.
-   */
+  async interceptToolCallAsync(request, raw) {
+    const result = await this.interceptToolCall(request);
+    if (result) {
+      this.sendToClient(JSON.stringify(result));
+    } else {
+      const modified = this.injectParamsCredentials(request);
+      this.sendToChild(JSON.stringify(modified));
+    }
+  }
   handleServerMessage(raw) {
     this.sendToClient(raw);
   }
-  /**
-   * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
-   */
-  interceptToolCall(request) {
+  injectParamsCredentials(request) {
+    if (!this.config.credentials) return request;
+    const injections = {};
+    for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+      if (credConfig.inject === "header" || credConfig.inject === "query") {
+        const cred = resolveCredential(label, this.config.credentials);
+        if (cred.resolved && cred.value && cred.name) {
+          injections[cred.name] = cred.value;
+        }
+      }
+    }
+    if (Object.keys(injections).length === 0) return request;
+    return { ...request, params: { ...request.params, _credentials: injections } };
+  }
+  async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
     const toolPolicy = getToolPolicy(toolName, this.config.policy);
@@ -3031,49 +3447,45 @@ var ProtectGateway = class {
       if (cred.resolved) {
         credentialRef = cred.label;
       } else if (cred.error && !cred.error.includes("not configured")) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "policy_block",
-          request_id: requestId,
-          credential_ref: toolName,
-          tier: this.currentTier
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "credential_error", request_id: requestId, tier: this.currentTier, credential_ref: toolName });
         if (this.config.enforce) {
-          this.log(`Credential error for "${toolName}": ${cred.error}`);
           return this.makeErrorResponse(request.id, -32600, `Credential error for tool "${toolName}"`);
         }
       }
     }
+    if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
+      try {
+        const ctx = buildDecisionContext(toolName, this.currentTier, {
+          agentId: this.admissionResult?.agent_id,
+          manifestHash: this.admissionResult?.manifest_hash,
+          credentialRef,
+          mode,
+          slug: this.config.slug
+        });
+        const externalDecision = await queryExternalPDP(ctx, this.config.policy.external);
+        if (!externalDecision.allowed) {
+          const reason = `external_pdp_deny${externalDecision.reason ? ": " + externalDecision.reason : ""}`;
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by external policy engine`);
+          }
+          if (this.config.policy.policy_engine === "external") return null;
+        }
+      } catch (err) {
+        if (this.config.verbose) this.log(`External PDP error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
     if (toolPolicy.min_tier) {
       if (!meetsMinTier(this.currentTier, toolPolicy.min_tier)) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "tier_insufficient",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "tier_insufficient", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
         if (this.config.enforce) {
-          return this.makeErrorResponse(
-            request.id,
-            -32600,
-            `Tool "${toolName}" requires tier "${toolPolicy.min_tier}", agent has "${this.currentTier}"`
-          );
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" requires tier "${toolPolicy.min_tier}"`);
         }
         return null;
       }
     }
     if (toolPolicy.block) {
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "deny",
-        reason_code: "policy_block",
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "policy_block", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       if (this.config.enforce) {
         return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" is blocked by policy`);
       }
@@ -3086,59 +3498,22 @@ var ProtectGateway = class {
         const key = `tool:${toolName}:${this.currentTier}`;
         const { allowed, remaining } = checkRateLimit(key, limit, this.rateLimitStore);
         if (!allowed) {
-          this.emitDecisionLog({
-            tool: toolName,
-            decision: "deny",
-            reason_code: "rate_limit_exceeded",
-            request_id: requestId,
-            rate_limit_remaining: 0,
-            tier: this.currentTier,
-            credential_ref: credentialRef
-          });
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "rate_limit_exceeded", request_id: requestId, rate_limit_remaining: 0, tier: this.currentTier, credential_ref: credentialRef });
           if (this.config.enforce) {
-            return this.makeErrorResponse(
-              request.id,
-              -32600,
-              `Tool "${toolName}" rate limit exceeded (${rateSpec})`
-            );
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" rate limit exceeded (${rateSpec})`);
           }
           return null;
         }
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "policy_allow",
-          request_id: requestId,
-          rate_limit_remaining: remaining,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "policy_allow", request_id: requestId, rate_limit_remaining: remaining, tier: this.currentTier, credential_ref: credentialRef });
       } catch {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "default_allow",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "default_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       }
     } else {
       const reasonCode = this.config.enforce ? "policy_allow" : "observe_mode";
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "allow",
-        reason_code: reasonCode,
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: reasonCode, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
     }
     return null;
   }
-  /**
-   * Get the applicable rate limit spec based on the agent's tier.
-   */
   getTierRateLimit(policy, tier) {
     if (policy.rate_limits && policy.rate_limits[tier]) {
       const tierLimit = policy.rate_limits[tier];
@@ -3146,10 +3521,6 @@ var ProtectGateway = class {
     }
     return policy.rate_limit;
   }
-  /**
-   * Emit a structured decision log to stderr.
-   * If signing is enabled, also emits a signed artifact.
-   */
   emitDecisionLog(entry) {
     const mode = this.config.enforce ? "enforce" : "shadow";
     const log = {
@@ -3168,55 +3539,44 @@ var ProtectGateway = class {
     };
     process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
 `);
+    try {
+      (0, import_node_fs5.appendFileSync)(this.logFilePath, JSON.stringify(log) + "\n");
+    } catch {
+    }
     if (isSigningEnabled()) {
       const signed = signDecision(log);
       if (signed.signed) {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
+        this.receiptBuffer.add(log.request_id, signed.signed);
+        if (this.admissionResult?.agent_id) {
+          this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");
+          if (this.evidenceStore.getSummary(this.admissionResult.agent_id).receipt_count % 10 === 0) {
+            this.evidenceStore.save();
+          }
+        }
       } else if (signed.warning) {
         process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
 `);
       }
     }
   }
-  /**
-   * Create a JSON-RPC error response.
-   */
   makeErrorResponse(id, code, message) {
-    return {
-      jsonrpc: "2.0",
-      id,
-      error: { code, message }
-    };
+    return { jsonrpc: "2.0", id, error: { code, message } };
   }
-  /**
-   * Send a message to the child process (wrapped MCP server).
-   */
   sendToChild(message) {
-    if (this.child?.stdin?.writable) {
-      this.child.stdin.write(message + "\n");
-    }
+    if (this.child?.stdin?.writable) this.child.stdin.write(message + "\n");
   }
-  /**
-   * Send a message to the MCP client (stdout).
-   */
   sendToClient(message) {
     process.stdout.write(message + "\n");
   }
-  /**
-   * Log a message to stderr (debug output).
-   */
   log(message) {
     process.stderr.write(`[PROTECT_MCP] ${message}
 `);
   }
-  /**
-   * Stop the gateway: kill child process and exit.
-   */
   stop() {
-    if (this.clientReader) {
-      this.clientReader.close();
-    }
+    this.evidenceStore.save();
+    if (this.clientReader) this.clientReader.close();
     if (this.child) {
       this.child.kill("SIGTERM");
       this.child = null;
@@ -3226,6 +3586,7 @@ var ProtectGateway = class {
 };
 
 // src/cli.ts
+var import_meta = {};
 function printHelp() {
   process.stderr.write(`
 protect-mcp \u2014 Shadow-mode security gateway for MCP servers
@@ -3233,6 +3594,8 @@ protect-mcp \u2014 Shadow-mode security gateway for MCP servers
 Usage:
   protect-mcp [options] -- <command> [args...]
   protect-mcp init [--dir <path>]
+  protect-mcp demo
+  protect-mcp status [--dir <path>]
 
 Options:
   --policy <path>   Policy/config JSON file (default: allow-all)
@@ -3243,12 +3606,16 @@ Options:
 
 Commands:
   init              Generate config template, Ed25519 keypair, and sample policy
+  demo              Start a demo server wrapped with protect-mcp (see receipts instantly)
+  status            Show tool call statistics from the local decision log
 
 Examples:
   protect-mcp -- node my-server.js
   protect-mcp --policy protect-mcp.json -- node my-server.js
   protect-mcp --policy protect-mcp.json --enforce -- node my-server.js
   protect-mcp init
+  protect-mcp demo
+  protect-mcp status
 
 `);
 }
@@ -3292,17 +3659,17 @@ function parseArgs(argv) {
   return { policyPath, slug, enforce, verbose, childCommand };
 }
 async function handleInit(argv) {
-  const { writeFileSync, existsSync: existsSync2, mkdirSync } = await import("fs");
-  const { join } = await import("path");
+  const { writeFileSync: writeFileSync2, existsSync: existsSync4, mkdirSync } = await import("fs");
+  const { join: join4 } = await import("path");
   let dir = process.cwd();
   const dirIdx = argv.indexOf("--dir");
   if (dirIdx !== -1 && argv[dirIdx + 1]) {
     dir = argv[dirIdx + 1];
   }
-  const configPath = join(dir, "protect-mcp.json");
-  const keysDir = join(dir, "keys");
-  const keyPath = join(keysDir, "gateway.json");
-  if (existsSync2(configPath)) {
+  const configPath = join4(dir, "protect-mcp.json");
+  const keysDir = join4(dir, "keys");
+  const keyPath = join4(keysDir, "gateway.json");
+  if (existsSync4(configPath)) {
     process.stderr.write(`[PROTECT_MCP] Config already exists at ${configPath}
 `);
     process.stderr.write("[PROTECT_MCP] Delete it first if you want to regenerate.\n");
@@ -3324,19 +3691,19 @@ async function handleInit(argv) {
       kid: "generated"
     };
   }
-  if (!existsSync2(keysDir)) {
+  if (!existsSync4(keysDir)) {
     mkdirSync(keysDir, { recursive: true });
   }
-  writeFileSync(keyPath, JSON.stringify({
+  writeFileSync2(keyPath, JSON.stringify({
     privateKey: keypair.privateKey,
     publicKey: keypair.publicKey,
     kid: keypair.kid,
     generated_at: (/* @__PURE__ */ new Date()).toISOString(),
     warning: "KEEP THIS FILE SECRET. Never commit to version control."
   }, null, 2) + "\n");
-  const gitignorePath = join(keysDir, ".gitignore");
-  if (!existsSync2(gitignorePath)) {
-    writeFileSync(gitignorePath, "# Never commit signing keys\n*.json\n");
+  const gitignorePath = join4(keysDir, ".gitignore");
+  if (!existsSync4(gitignorePath)) {
+    writeFileSync2(gitignorePath, "# Never commit signing keys\n*.json\n");
   }
   const config = {
     tools: {
@@ -3363,19 +3730,27 @@ async function handleInit(argv) {
     },
     credentials: {
       _example_api: {
-        inject: "header",
-        name: "Authorization",
+        inject: "env",
+        name: "EXAMPLE_API_KEY",
         value_env: "EXAMPLE_API_KEY",
         _comment: "Remove the underscore prefix and set EXAMPLE_API_KEY in your environment"
       }
     }
   };
-  writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  writeFileSync2(configPath, JSON.stringify(config, null, 2) + "\n");
+  const claudeConfig = {
+    "mcpServers": {
+      "my-server": {
+        "command": "npx",
+        "args": ["protect-mcp", "--policy", configPath, "--", "node", "my-server.js"]
+      }
+    }
+  };
   process.stderr.write(`
 ${bold("protect-mcp initialized!")}
 
 Created:
-  ${configPath}     Config with shadow mode + optional local signing
+  ${configPath}     Config with shadow mode + local signing
   ${keyPath}       Ed25519 signing keypair
 
 ${bold("Next steps:")}
@@ -3389,13 +3764,227 @@ ${bold("Your gateway public key:")}
 ${bold("Key ID (kid):")}
   ${keypair.kid}
 
+${bold("Claude Desktop config snippet")} (add to claude_desktop_config.json):
+${dim(JSON.stringify(claudeConfig, null, 2))}
+
+${bold("Quick demo:")}
+  protect-mcp demo
+
 Shadow mode is the default \u2014 all tool calls are logged and nothing is blocked.
-Run with the generated policy file if you also want local signed receipts. Add --enforce when ready.
+Add --enforce when ready to block policy violations.
+`);
+}
+async function handleDemo() {
+  const { existsSync: existsSync4 } = await import("fs");
+  const { join: join4, dirname } = await import("path");
+  const { fileURLToPath } = await import("url");
+  const __filename = fileURLToPath(import_meta.url);
+  const __dirname = dirname(__filename);
+  const demoServerPath = join4(__dirname, "demo-server.js");
+  const configPath = join4(process.cwd(), "protect-mcp.json");
+  const hasConfig = existsSync4(configPath);
+  if (!hasConfig) {
+    process.stderr.write(`
+${bold("protect-mcp demo")}
+
+Starting demo with default shadow mode (no signing).
+For signed receipts, run ${dim("npx protect-mcp init")} first.
+
+`);
+  } else {
+    process.stderr.write(`
+${bold("protect-mcp demo")}
+
+Using config from ${configPath}
+Starting demo server with 5 tools...
+
+`);
+  }
+  let policy = null;
+  let policyDigest = "none";
+  let credentials;
+  let signing;
+  if (hasConfig) {
+    try {
+      const loaded = loadPolicy(configPath);
+      policy = loaded.policy;
+      policyDigest = loaded.digest;
+      credentials = loaded.credentials;
+      signing = loaded.signing;
+    } catch (err) {
+      process.stderr.write(`[PROTECT_MCP] Warning: Could not load config: ${err instanceof Error ? err.message : err}
+`);
+    }
+  }
+  if (signing) {
+    const warnings = await initSigning(signing);
+    for (const w of warnings) {
+      process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+    }
+  }
+  if (credentials) {
+    const warnings = validateCredentials(credentials);
+    for (const w of warnings) {
+      process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+    }
+  }
+  const config = {
+    command: process.execPath,
+    // node
+    args: [demoServerPath],
+    policy,
+    policyDigest,
+    enforce: false,
+    // Demo always runs in shadow mode
+    verbose: true,
+    signing,
+    credentials
+  };
+  const gateway = new ProtectGateway(config);
+  process.stderr.write(`${bold("Demo ready!")} The demo server is running.
+`);
+  process.stderr.write(`Send JSON-RPC tool calls on stdin, or use an MCP client.
+
+`);
+  process.stderr.write(`${dim("Example (paste into stdin):")}
+`);
+  process.stderr.write(`${dim('{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/etc/hosts"}}}')}
+
+`);
+  await gateway.start();
+}
+async function handleStatus2(argv) {
+  const { readFileSync: readFileSync5, existsSync: existsSync4 } = await import("fs");
+  const { join: join4 } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) {
+    dir = argv[dirIdx + 1];
+  }
+  const logPath = join4(dir, ".protect-mcp-log.jsonl");
+  if (!existsSync4(logPath)) {
+    process.stderr.write(`${bold("protect-mcp status")}
+
+`);
+    process.stderr.write(`No log file found at ${logPath}
+`);
+    process.stderr.write(`Run protect-mcp with a wrapped server first to generate logs.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync5(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  if (lines.length === 0) {
+    process.stderr.write(`${bold("protect-mcp status")}
+
+No entries in log file.
+`);
+    process.exit(0);
+  }
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  if (entries.length === 0) {
+    process.stderr.write(`${bold("protect-mcp status")}
+
+No valid entries in log file.
+`);
+    process.exit(0);
+  }
+  const toolCounts = /* @__PURE__ */ new Map();
+  let allowCount = 0;
+  let denyCount = 0;
+  let rateLimitCount = 0;
+  const tierCounts = /* @__PURE__ */ new Map();
+  const reasonCounts = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    toolCounts.set(entry.tool, (toolCounts.get(entry.tool) || 0) + 1);
+    if (entry.decision === "allow") allowCount++;
+    else if (entry.decision === "deny") denyCount++;
+    if (entry.reason_code === "rate_limit_exceeded") rateLimitCount++;
+    if (entry.tier) tierCounts.set(entry.tier, (tierCounts.get(entry.tier) || 0) + 1);
+    reasonCounts.set(entry.reason_code, (reasonCounts.get(entry.reason_code) || 0) + 1);
+  }
+  const firstTs = new Date(Math.min(...entries.map((e) => e.timestamp)));
+  const lastTs = new Date(Math.max(...entries.map((e) => e.timestamp)));
+  const sortedTools = [...toolCounts.entries()].sort((a, b) => b[1] - a[1]);
+  process.stdout.write(`
+${bold("protect-mcp status")}
+
+`);
+  process.stdout.write(`  Total decisions: ${bold(String(entries.length))}
+`);
+  process.stdout.write(`  ${green("\u2713 Allow")}: ${allowCount}    ${red("\u2717 Deny")}: ${denyCount}    ${yellow("\u2298 Rate-limited")}: ${rateLimitCount}
+
+`);
+  process.stdout.write(`  ${bold("Time range:")}
+`);
+  process.stdout.write(`    First: ${firstTs.toISOString()}
+`);
+  process.stdout.write(`    Last:  ${lastTs.toISOString()}
+
+`);
+  process.stdout.write(`  ${bold("Top tools:")}
+`);
+  for (const [tool, count] of sortedTools.slice(0, 10)) {
+    const bar = "\u2588".repeat(Math.min(Math.ceil(count / entries.length * 30), 30));
+    process.stdout.write(`    ${tool.padEnd(20)} ${String(count).padStart(4)}  ${dim(bar)}
+`);
+  }
+  if (tierCounts.size > 0) {
+    process.stdout.write(`
+  ${bold("Trust tiers seen:")}
+`);
+    for (const [tier, count] of tierCounts) {
+      process.stdout.write(`    ${tier.padEnd(15)} ${count}
+`);
+    }
+  }
+  process.stdout.write(`
+  ${bold("Decision reasons:")}
+`);
+  for (const [reason, count] of [...reasonCounts.entries()].sort((a, b) => b[1] - a[1])) {
+    process.stdout.write(`    ${reason.padEnd(25)} ${count}
+`);
+  }
+  const evidencePath = join4(dir, ".protect-mcp-evidence.json");
+  if (existsSync4(evidencePath)) {
+    try {
+      const evidenceRaw = readFileSync5(evidencePath, "utf-8");
+      const evidence = JSON.parse(evidenceRaw);
+      const agentCount = Object.keys(evidence.agents || {}).length;
+      process.stdout.write(`
+  ${bold("Evidence store:")} ${agentCount} agent(s) tracked
+`);
+    } catch {
+    }
+  }
+  process.stdout.write(`
+  Log file: ${dim(logPath)}
+
 `);
 }
 function bold(s) {
   return process.env.NO_COLOR ? s : `\x1B[1m${s}\x1B[0m`;
 }
+function dim(s) {
+  return process.env.NO_COLOR ? s : `\x1B[2m${s}\x1B[0m`;
+}
+function green(s) {
+  return process.env.NO_COLOR ? s : `\x1B[32m${s}\x1B[0m`;
+}
+function red(s) {
+  return process.env.NO_COLOR ? s : `\x1B[31m${s}\x1B[0m`;
+}
+function yellow(s) {
+  return process.env.NO_COLOR ? s : `\x1B[33m${s}\x1B[0m`;
+}
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
@@ -3406,6 +3995,14 @@ async function main() {
     await handleInit(args.slice(1));
     process.exit(0);
   }
+  if (args[0] === "demo") {
+    await handleDemo();
+    return;
+  }
+  if (args[0] === "status") {
+    await handleStatus2(args.slice(1));
+    process.exit(0);
+  }
   const { policyPath, slug, enforce, verbose, childCommand } = parseArgs(args);
   let policy = null;
   let policyDigest = "none";