npm - protect-mcp - Versions diffs - 0.2.2 → 0.3.1 - Mend

protect-mcp 0.2.2 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +11 -1
package/dist/bundle-TXOTFJIJ.mjs +8 -0
package/dist/chunk-5JXFV37Y.mjs +53 -0
package/dist/chunk-U7TMVD3E.mjs +1105 -0
package/dist/cli.js +1176 -172
package/dist/cli.mjs +462 -5
package/dist/demo-server.d.mts +1 -0
package/dist/demo-server.d.ts +1 -0
package/dist/demo-server.js +137 -0
package/dist/demo-server.mjs +136 -0
package/dist/index.d.mts +83 -61
package/dist/index.d.ts +83 -61
package/dist/index.js +637 -271
package/dist/index.mjs +7 -172
package/package.json +3 -3
package/dist/chunk-ZCKNFULF.mjs +0 -613

package/dist/cli.js CHANGED Viewed

@@ -67,7 +67,7 @@ __export(utils_exports, {
   isLE: () => isLE,
   kdfInputToBytes: () => kdfInputToBytes,
   nextTick: () => nextTick,
-  randomBytes: () => randomBytes,
+  randomBytes: () => randomBytes2,
   rotl: () => rotl,
   rotr: () => rotr,
   swap32IfBE: () => swap32IfBE,
@@ -257,7 +257,7 @@ function createXOFer(hashCons) {
   hashC.create = (opts) => hashCons(opts);
   return hashC;
 }
-function randomBytes(bytesLength = 32) {
+function randomBytes2(bytesLength = 32) {
   if (crypto && typeof crypto.getRandomValues === "function") {
     return crypto.getRandomValues(new Uint8Array(bytesLength));
   }
@@ -1700,7 +1700,7 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
   });
   const { prehash } = eddsaOpts;
   const { BASE, Fp: Fp2, Fn: Fn2 } = Point;
-  const randomBytes2 = eddsaOpts.randomBytes || randomBytes;
+  const randomBytes3 = eddsaOpts.randomBytes || randomBytes2;
   const adjustScalarBytes2 = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
   const domain = eddsaOpts.domain || ((data, ctx, phflag) => {
     _abool2(phflag, "phflag");
@@ -1782,7 +1782,7 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
     signature: 2 * _size,
     seed: _size
   };
-  function randomSecretKey(seed = randomBytes2(lengths.seed)) {
+  function randomSecretKey(seed = randomBytes3(lengths.seed)) {
     return _abytes2(seed, lengths.seed, "seed");
   }
   function keygen(seed) {
@@ -2137,7 +2137,7 @@ function montgomery(curveDef) {
   const is25519 = type === "x25519";
   if (!is25519 && type !== "x448")
     throw new Error("invalid type");
-  const randomBytes_ = rand || randomBytes;
+  const randomBytes_ = rand || randomBytes2;
   const montgomeryBits = is25519 ? 255 : 448;
   const fieldLen = is25519 ? 32 : 56;
   const Gu = is25519 ? BigInt(9) : BigInt(5);
@@ -2638,10 +2638,71 @@ var init_ed25519 = __esm({
   }
 });
+// src/bundle.ts
+var bundle_exports = {};
+__export(bundle_exports, {
+  collectSignedReceipts: () => collectSignedReceipts,
+  createAuditBundle: () => createAuditBundle
+});
+function createAuditBundle(opts) {
+  const receipts = opts.receipts.filter(
+    (r) => r && typeof r === "object" && typeof r.signature === "string"
+  );
+  if (receipts.length === 0) {
+    throw new Error("Audit bundle requires at least one signed receipt");
+  }
+  const keyMap = /* @__PURE__ */ new Map();
+  for (const key of opts.signingKeys) {
+    if (!keyMap.has(key.kid)) {
+      keyMap.set(key.kid, key);
+    }
+  }
+  let timeRange = opts.timeRange || null;
+  if (!timeRange) {
+    const timestamps = receipts.map((r) => r.issued_at || r.timestamp).filter(Boolean).sort();
+    if (timestamps.length > 0) {
+      timeRange = {
+        from: timestamps[0],
+        to: timestamps[timestamps.length - 1]
+      };
+    }
+  }
+  return {
+    format: "scopeblind:audit-bundle",
+    version: 1,
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    tenant: opts.tenant,
+    time_range: timeRange,
+    receipts,
+    anchors: opts.anchors || [],
+    verification: {
+      algorithm: "ed25519",
+      signing_keys: Array.from(keyMap.values()),
+      instructions: `Verify each receipt by: (1) remove the "signature" field, (2) canonicalize the remaining object with JCS (sorted keys at every level), (3) encode as UTF-8 bytes, (4) verify the Ed25519 signature using the signing key matching the receipt's "kid" field. CLI: npx @veritasacta/verify bundle.json --bundle`
+    }
+  };
+}
+function collectSignedReceipts(logs) {
+  return logs.filter((log) => log.v === 2).map((log) => {
+    const logRecord = log;
+    if (logRecord.receipt) {
+      return logRecord.receipt;
+    }
+    return logRecord;
+  }).filter((r) => typeof r.signature === "string");
+}
+var init_bundle = __esm({
+  "src/bundle.ts"() {
+    "use strict";
+  }
+});
 // src/gateway.ts
 var import_node_child_process = require("child_process");
 var import_node_crypto2 = require("crypto");
 var import_node_readline = require("readline");
+var import_node_fs5 = require("fs");
+var import_node_path3 = require("path");
 // src/policy.ts
 var import_node_crypto = require("crypto");
@@ -2719,8 +2780,126 @@ function checkRateLimit(key, limit, store) {
   return { allowed: true, remaining: limit.count - timestamps.length };
 }
+// src/evidence-store.ts
+var import_node_fs2 = require("fs");
+var import_node_path = require("path");
+var DEFAULT_THRESHOLDS = {
+  min_receipts: 10,
+  min_epoch_span: 3,
+  min_issuers: 2
+};
+var EvidenceStore = class {
+  agents = /* @__PURE__ */ new Map();
+  filePath;
+  dirty = false;
+  constructor(dir) {
+    this.filePath = (0, import_node_path.join)(dir || process.cwd(), ".protect-mcp-evidence.json");
+    this.load();
+  }
+  /**
+   * Record a receipt observation for an agent.
+   */
+  record(agentId, issuer, timestamp) {
+    const ts = timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const epochHour = Math.floor(new Date(ts).getTime() / (3600 * 1e3));
+    const existing = this.agents.get(agentId);
+    const observation = {
+      issuer,
+      timestamp: ts,
+      epoch_hour: epochHour
+    };
+    if (existing) {
+      existing.receipts.push(observation);
+      existing.last_seen = ts;
+      if (existing.receipts.length > 200) {
+        existing.receipts = existing.receipts.slice(-200);
+      }
+    } else {
+      this.agents.set(agentId, {
+        agent_id: agentId,
+        receipts: [observation],
+        first_seen: ts,
+        last_seen: ts
+      });
+    }
+    this.dirty = true;
+  }
+  /**
+   * Get the evidence summary for an agent.
+   */
+  getSummary(agentId) {
+    const record = this.agents.get(agentId);
+    if (!record || record.receipts.length === 0) {
+      return { receipt_count: 0, epoch_span: 0, issuer_count: 0 };
+    }
+    const uniqueIssuers = new Set(record.receipts.map((r) => r.issuer));
+    const uniqueEpochs = new Set(record.receipts.map((r) => r.epoch_hour));
+    return {
+      receipt_count: record.receipts.length,
+      epoch_span: uniqueEpochs.size,
+      issuer_count: uniqueIssuers.size
+    };
+  }
+  /**
+   * Check if an agent meets the evidenced tier thresholds.
+   */
+  meetsEvidencedThreshold(agentId, thresholds = DEFAULT_THRESHOLDS) {
+    const summary = this.getSummary(agentId);
+    return summary.receipt_count >= thresholds.min_receipts && summary.epoch_span >= thresholds.min_epoch_span && summary.issuer_count >= thresholds.min_issuers;
+  }
+  /**
+   * Persist to disk (call periodically or on shutdown).
+   */
+  save() {
+    if (!this.dirty) return;
+    const data = {};
+    for (const [id, record] of this.agents) {
+      data[id] = record;
+    }
+    try {
+      (0, import_node_fs2.writeFileSync)(this.filePath, JSON.stringify({ v: 1, agents: data }, null, 2) + "\n");
+      this.dirty = false;
+    } catch {
+    }
+  }
+  /**
+   * Load from disk.
+   */
+  load() {
+    if (!(0, import_node_fs2.existsSync)(this.filePath)) return;
+    try {
+      const raw = (0, import_node_fs2.readFileSync)(this.filePath, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (parsed.agents && typeof parsed.agents === "object") {
+        for (const [id, record] of Object.entries(parsed.agents)) {
+          this.agents.set(id, record);
+        }
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get total agent count (for status display).
+   */
+  agentCount() {
+    return this.agents.size;
+  }
+  /**
+   * Get all agent summaries (for status display).
+   */
+  allSummaries() {
+    const result = [];
+    for (const [id] of this.agents) {
+      result.push({ agent_id: id, summary: this.getSummary(id) });
+    }
+    return result;
+  }
+};
 // src/admission.ts
-function evaluateTier(manifest, overrides) {
+function evaluateTier(manifest, opts) {
+  const options = opts && ("evidenceStore" in opts || "overrides" in opts || "thresholds" in opts) ? opts : { overrides: opts };
+  const { overrides, evidenceStore, thresholds } = options;
   if (!manifest) {
     return {
       tier: "unknown",
@@ -2746,7 +2925,8 @@ function evaluateTier(manifest, overrides) {
   if (manifest.signature_valid === true) {
     if (manifest.evidence_summary) {
       const es = manifest.evidence_summary;
-      if (es.receipt_count >= 10 && es.epoch_span >= 3 && es.issuer_count >= 2) {
+      const t = thresholds || DEFAULT_THRESHOLDS;
+      if (es.receipt_count >= t.min_receipts && es.epoch_span >= t.min_epoch_span && es.issuer_count >= t.min_issuers) {
         return {
           tier: "evidenced",
           agent_id: manifest.agent_id,
@@ -2755,6 +2935,16 @@ function evaluateTier(manifest, overrides) {
         };
       }
     }
+    if (evidenceStore && manifest.agent_id) {
+      if (evidenceStore.meetsEvidencedThreshold(manifest.agent_id, thresholds)) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_store_threshold_met"
+        };
+      }
+    }
     return {
       tier: "signed-known",
       agent_id: manifest.agent_id,
@@ -2820,7 +3010,7 @@ function validateCredentials(credentials) {
 }
 // src/signing.ts
-var import_node_fs2 = require("fs");
+var import_node_fs3 = require("fs");
 var signerState = null;
 var artifactsModule = null;
 async function initSigning(config) {
@@ -2835,12 +3025,12 @@ async function initSigning(config) {
     return warnings;
   }
   if (config.key_path) {
-    if (!(0, import_node_fs2.existsSync)(config.key_path)) {
+    if (!(0, import_node_fs3.existsSync)(config.key_path)) {
       warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
       return warnings;
     }
     try {
-      const keyData = JSON.parse((0, import_node_fs2.readFileSync)(config.key_path, "utf-8"));
+      const keyData = JSON.parse((0, import_node_fs3.readFileSync)(config.key_path, "utf-8"));
       if (!keyData.privateKey || !keyData.publicKey) {
         warnings.push("signing: key file missing privateKey or publicKey fields");
         return warnings;
@@ -2848,8 +3038,8 @@ async function initSigning(config) {
       signerState = {
         privateKey: keyData.privateKey,
         publicKey: keyData.publicKey,
-        kid: artifactsModule.computeKid(keyData.publicKey),
-        issuer: config.issuer || "protect-mcp"
+        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || keyData.issuer || "protect-mcp"
       };
     } catch (err) {
       warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
@@ -2904,21 +3094,378 @@ function isSigningEnabled() {
   return signerState !== null && artifactsModule !== null;
 }
+// src/external-pdp.ts
+async function queryExternalPDP(context, config) {
+  const timeout = config.timeout_ms || 500;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeout);
+  try {
+    const body = formatRequest(context, config.format || "generic");
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    return parseResponse(result, config.format || "generic");
+  } catch (err) {
+    clearTimeout(timer);
+    if (err instanceof Error && err.name === "AbortError") {
+      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
+    }
+    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
+  }
+}
+function formatRequest(context, format) {
+  switch (format) {
+    case "opa":
+      return {
+        input: {
+          actor: context.actor,
+          action: context.action,
+          target: context.target,
+          credential_ref: context.credential_ref,
+          mode: context.mode,
+          metadata: context.request_metadata
+        }
+      };
+    case "cerbos":
+      return {
+        principal: {
+          id: context.actor.id || "unknown",
+          roles: [context.actor.tier],
+          attr: {
+            manifest_hash: context.actor.manifest_hash
+          }
+        },
+        resource: {
+          kind: "tool",
+          id: context.action.tool,
+          attr: context.target
+        },
+        actions: [context.action.operation || "call"]
+      };
+    case "generic":
+    default:
+      return context;
+  }
+}
+function parseResponse(result, format) {
+  switch (format) {
+    case "opa":
+      if (typeof result.result === "boolean") {
+        return { allowed: result.result };
+      }
+      if (result.result && typeof result.result === "object") {
+        const r = result.result;
+        return {
+          allowed: Boolean(r.allow),
+          reason: r.reason,
+          metadata: r
+        };
+      }
+      return { allowed: false, reason: "unrecognized OPA response" };
+    case "cerbos":
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const actions = result.results[0].actions;
+        if (actions) {
+          const effect = Object.values(actions)[0];
+          return { allowed: effect === "EFFECT_ALLOW" };
+        }
+      }
+      return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "generic":
+    default:
+      return {
+        allowed: Boolean(result.allowed),
+        reason: result.reason,
+        metadata: result.metadata
+      };
+  }
+}
+function fallbackDecision(config, reason) {
+  const fallback = config.fallback || "deny";
+  return {
+    allowed: fallback === "allow",
+    reason: `fallback_${fallback}: ${reason}`
+  };
+}
+function buildDecisionContext(toolName, tier, opts) {
+  return {
+    v: 1,
+    actor: {
+      id: opts.agentId,
+      tier,
+      manifest_hash: opts.manifestHash
+    },
+    action: {
+      tool: toolName,
+      operation: "call"
+    },
+    target: {
+      service: opts.slug || "default"
+    },
+    credential_ref: opts.credentialRef,
+    mode: opts.mode,
+    request_metadata: opts.requestMetadata || {}
+  };
+}
+// src/http-server.ts
+var import_node_http = require("http");
+var import_node_fs4 = require("fs");
+var import_node_path2 = require("path");
+var LOG_FILE = ".protect-mcp-log.jsonl";
+var MAX_RECEIPTS = 100;
+var ReceiptBuffer = class {
+  receipts = [];
+  add(requestId, receipt) {
+    this.receipts.push({
+      request_id: requestId,
+      receipt,
+      timestamp: Date.now()
+    });
+    if (this.receipts.length > MAX_RECEIPTS) {
+      this.receipts = this.receipts.slice(-MAX_RECEIPTS);
+    }
+  }
+  getAll() {
+    return [...this.receipts].reverse();
+  }
+  getById(requestId) {
+    return this.receipts.find((r) => r.request_id === requestId);
+  }
+  count() {
+    return this.receipts.length;
+  }
+  getLatest() {
+    return this.receipts.length > 0 ? this.receipts[this.receipts.length - 1] : void 0;
+  }
+};
+function startStatusServer(config, receiptBuffer, approvalStore, approvalNonce) {
+  const startTime = Date.now();
+  const logDir = process.cwd();
+  const server = (0, import_node_http.createServer)((req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    res.setHeader("Content-Type", "application/json");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${config.port}`);
+    const path = url.pathname;
+    try {
+      if (path === "/health") {
+        handleHealth(res, startTime, config);
+      } else if (path === "/status") {
+        handleStatus(res, logDir);
+      } else if (path === "/receipts") {
+        handleReceipts(res, receiptBuffer, url);
+      } else if (path === "/receipts/latest") {
+        handleReceiptLatest(res, receiptBuffer);
+      } else if (path.startsWith("/receipts/")) {
+        const id = path.slice("/receipts/".length);
+        handleReceiptById(res, receiptBuffer, id);
+      } else if (path === "/approve" && req.method === "POST") {
+        handleApprove(req, res, approvalStore, approvalNonce);
+      } else if (path === "/approvals" && req.method === "GET") {
+        handleListApprovals(res, approvalStore);
+      } else {
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/latest", "/receipts/:id", "/approve", "/approvals"] }));
+      }
+    } catch (err) {
+      res.writeHead(500);
+      res.end(JSON.stringify({ error: "internal_error" }));
+    }
+  });
+  server.on("error", (err) => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server error: ${err.message}
+`);
+    }
+  });
+  server.listen(config.port, "127.0.0.1", () => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
+`);
+    }
+  });
+  server.unref();
+  return server;
+}
+function handleHealth(res, startTime, config) {
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    status: "ok",
+    uptime_ms: Date.now() - startTime,
+    mode: config.mode,
+    version: "0.3.1"
+  }));
+}
+function handleStatus(res, logDir) {
+  const logPath = (0, import_node_path2.join)(logDir, LOG_FILE);
+  if (!(0, import_node_fs4.existsSync)(logPath)) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
+    return;
+  }
+  const raw = (0, import_node_fs4.readFileSync)(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  const toolCounts = {};
+  let allowCount = 0, denyCount = 0;
+  const tierCounts = {};
+  for (const e of entries) {
+    toolCounts[e.tool] = (toolCounts[e.tool] || 0) + 1;
+    if (e.decision === "allow") allowCount++;
+    else denyCount++;
+    if (e.tier) tierCounts[e.tier] = (tierCounts[e.tier] || 0) + 1;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    entries: entries.length,
+    allow: allowCount,
+    deny: denyCount,
+    tools: toolCounts,
+    tiers: tierCounts,
+    first_timestamp: entries.length > 0 ? entries[0].timestamp : null,
+    last_timestamp: entries.length > 0 ? entries[entries.length - 1].timestamp : null
+  }));
+}
+function handleReceipts(res, buffer, url) {
+  const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+  const receipts = buffer.getAll().slice(0, Math.min(limit, MAX_RECEIPTS));
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    count: receipts.length,
+    total: buffer.count(),
+    receipts
+  }));
+}
+function handleReceiptLatest(res, buffer) {
+  const latest = buffer.getLatest();
+  if (!latest) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "no_receipts", message: "No receipts yet. Make a tool call through protect-mcp first." }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(latest));
+}
+function handleReceiptById(res, buffer, id) {
+  const receipt = buffer.getById(id);
+  if (!receipt) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "receipt_not_found", request_id: id }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(receipt));
+}
+function handleApprove(req, res, approvalStore, expectedNonce) {
+  if (!approvalStore) {
+    res.writeHead(503);
+    res.end(JSON.stringify({ error: "approval_store_not_available" }));
+    return;
+  }
+  let body = "";
+  req.on("data", (chunk) => {
+    body += chunk.toString();
+  });
+  req.on("end", () => {
+    try {
+      const { request_id, tool, mode, nonce } = JSON.parse(body);
+      if (expectedNonce && nonce !== expectedNonce) {
+        res.writeHead(403);
+        res.end(JSON.stringify({ error: "invalid_nonce", message: "Approval nonce does not match. Check stderr output for the correct nonce." }));
+        return;
+      }
+      if (!tool || typeof tool !== "string") {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "missing_tool", usage: '{"request_id":"abc123","tool":"send_email","mode":"once|always","nonce":"..."}' }));
+        return;
+      }
+      const grantMode = mode === "always" ? "always" : "once";
+      const ttlMs = grantMode === "once" ? 5 * 60 * 1e3 : 24 * 60 * 60 * 1e3;
+      const grantEntry = { tool, mode: grantMode, expires_at: Date.now() + ttlMs };
+      if (grantMode === "always") {
+        approvalStore.set(`always:${tool}`, grantEntry);
+      } else if (request_id) {
+        approvalStore.set(request_id, grantEntry);
+      } else {
+        approvalStore.set(tool, grantEntry);
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        approved: true,
+        request_id: request_id || null,
+        tool,
+        mode: grantMode,
+        expires_in_seconds: ttlMs / 1e3
+      }));
+    } catch {
+      res.writeHead(400);
+      res.end(JSON.stringify({ error: "invalid_json", usage: '{"request_id":"abc123","tool":"send_email","mode":"once","nonce":"..."}' }));
+    }
+  });
+}
+function handleListApprovals(res, approvalStore) {
+  if (!approvalStore) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ grants: [] }));
+    return;
+  }
+  const now = Date.now();
+  const grants = [];
+  for (const [key, grant] of approvalStore) {
+    if (now < grant.expires_at) {
+      grants.push({ key, tool: grant.tool, mode: grant.mode, expires_in_seconds: Math.round((grant.expires_at - now) / 1e3) });
+    }
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({ grants }));
+}
 // src/gateway.ts
+var LOG_FILE2 = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
 var ProtectGateway = class {
   child = null;
   config;
   rateLimitStore = /* @__PURE__ */ new Map();
   clientReader = null;
-  // Trust-tier state for the current session
+  logFilePath;
+  receiptFilePath;
+  evidenceStore;
+  receiptBuffer;
+  /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+  approvalStore = /* @__PURE__ */ new Map();
+  /** Random nonce generated at startup — required for approval endpoint authentication */
+  approvalNonce = (0, import_node_crypto2.randomBytes)(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
   constructor(config) {
     this.config = config;
+    this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = (0, import_node_path3.join)(process.cwd(), RECEIPTS_FILE);
+    this.evidenceStore = new EvidenceStore();
+    this.receiptBuffer = new ReceiptBuffer();
   }
-  /**
-   * Start the gateway: spawn child process and wire up message relay.
-   */
   async start() {
     const { command, args, verbose } = this.config;
     const mode = this.config.enforce ? "enforce" : "shadow";
@@ -2935,11 +3482,37 @@ var ProtectGateway = class {
         const labels = Object.keys(this.config.credentials);
         this.log(`Credential vault: ${labels.length} credential(s) configured [${labels.join(", ")}]`);
       }
+      if (this.config.policy?.policy_engine === "external" || this.config.policy?.policy_engine === "hybrid") {
+        this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
+      }
     }
-    this.child = (0, import_node_child_process.spawn)(command, args, {
-      stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env }
-    });
+    this.log(`Approval nonce: ${this.approvalNonce}`);
+    const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
+    if (httpPort > 0) {
+      try {
+        startStatusServer(
+          { port: httpPort, mode, verbose },
+          this.receiptBuffer,
+          this.approvalStore,
+          this.approvalNonce
+        );
+      } catch {
+        if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
+      }
+    }
+    const childEnv = { ...process.env };
+    if (this.config.credentials) {
+      for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+        if (credConfig.inject === "env" && credConfig.name && credConfig.value_env) {
+          const envValue = process.env[credConfig.value_env];
+          if (envValue) {
+            childEnv[credConfig.name] = envValue;
+            if (verbose) this.log(`Credential "${label}": injected as env var "${credConfig.name}"`);
+          }
+        }
+      }
+    }
+    this.child = (0, import_node_child_process.spawn)(command, args, { stdio: ["pipe", "pipe", "pipe"], env: childEnv });
     if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
       throw new Error("Failed to create pipes to child process");
     }
@@ -2955,9 +3528,8 @@ var ProtectGateway = class {
       this.handleClientMessage(line);
     });
     this.child.on("exit", (code, signal) => {
-      if (this.config.verbose) {
-        this.log(`Child process exited (code=${code}, signal=${signal})`);
-      }
+      if (verbose) this.log(`Child process exited (code=${code}, signal=${signal})`);
+      this.evidenceStore.save();
       process.exit(code ?? 1);
     });
     this.child.on("error", (err) => {
@@ -2967,30 +3539,18 @@ var ProtectGateway = class {
     process.on("SIGINT", () => this.stop());
     process.on("SIGTERM", () => this.stop());
     process.stdin.on("end", () => {
-      if (this.config.verbose) {
-        this.log("Client stdin closed, closing child stdin");
-      }
-      if (this.child?.stdin?.writable) {
-        this.child.stdin.end();
-      }
+      if (verbose) this.log("Client stdin closed, closing child stdin");
+      if (this.child?.stdin?.writable) this.child.stdin.end();
     });
   }
-  /**
-   * Set the trust tier for this session.
-   * Called at admission (first interaction) or by explicit manifest presentation.
-   */
   setManifest(manifest) {
-    this.admissionResult = evaluateTier(manifest);
+    this.admissionResult = evaluateTier(manifest, { evidenceStore: this.evidenceStore });
     this.currentTier = this.admissionResult.tier;
     if (this.config.verbose) {
-      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"} reason=${this.admissionResult.reason}`);
+      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"}`);
     }
     return this.admissionResult;
   }
-  /**
-   * Handle a message from the MCP client (stdin).
-   * Intercept tools/call requests; pass through everything else.
-   */
   handleClientMessage(raw) {
     const trimmed = raw.trim();
     if (!trimmed) return;
@@ -3002,25 +3562,38 @@ var ProtectGateway = class {
       return;
     }
     if (message.method === "tools/call" && message.id !== void 0) {
-      const result = this.interceptToolCall(message);
-      if (result) {
-        this.sendToClient(JSON.stringify(result));
-        return;
-      }
+      this.interceptToolCallAsync(message, trimmed);
+      return;
     }
     this.sendToChild(trimmed);
   }
-  /**
-   * Handle a message from the wrapped MCP server (child stdout).
-   * Forward to client (stdout) transparently.
-   */
+  async interceptToolCallAsync(request, raw) {
+    const result = await this.interceptToolCall(request);
+    if (result) {
+      this.sendToClient(JSON.stringify(result));
+    } else {
+      const modified = this.injectParamsCredentials(request);
+      this.sendToChild(JSON.stringify(modified));
+    }
+  }
   handleServerMessage(raw) {
     this.sendToClient(raw);
   }
-  /**
-   * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
-   */
-  interceptToolCall(request) {
+  injectParamsCredentials(request) {
+    if (!this.config.credentials) return request;
+    const injections = {};
+    for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+      if (credConfig.inject === "header" || credConfig.inject === "query") {
+        const cred = resolveCredential(label, this.config.credentials);
+        if (cred.resolved && cred.value && cred.name) {
+          injections[cred.name] = cred.value;
+        }
+      }
+    }
+    if (Object.keys(injections).length === 0) return request;
+    return { ...request, params: { ...request.params, _credentials: injections } };
+  }
+  async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
     const toolPolicy = getToolPolicy(toolName, this.config.policy);
@@ -3031,54 +3604,76 @@ var ProtectGateway = class {
       if (cred.resolved) {
         credentialRef = cred.label;
       } else if (cred.error && !cred.error.includes("not configured")) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "policy_block",
-          request_id: requestId,
-          credential_ref: toolName,
-          tier: this.currentTier
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "credential_error", request_id: requestId, tier: this.currentTier, credential_ref: toolName });
         if (this.config.enforce) {
-          this.log(`Credential error for "${toolName}": ${cred.error}`);
           return this.makeErrorResponse(request.id, -32600, `Credential error for tool "${toolName}"`);
         }
       }
     }
+    if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
+      try {
+        const ctx = buildDecisionContext(toolName, this.currentTier, {
+          agentId: this.admissionResult?.agent_id,
+          manifestHash: this.admissionResult?.manifest_hash,
+          credentialRef,
+          mode,
+          slug: this.config.slug
+        });
+        const externalDecision = await queryExternalPDP(ctx, this.config.policy.external);
+        if (!externalDecision.allowed) {
+          const reason = `external_pdp_deny${externalDecision.reason ? ": " + externalDecision.reason : ""}`;
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by external policy engine`);
+          }
+          if (this.config.policy.policy_engine === "external") return null;
+        }
+      } catch (err) {
+        if (this.config.verbose) this.log(`External PDP error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
     if (toolPolicy.min_tier) {
       if (!meetsMinTier(this.currentTier, toolPolicy.min_tier)) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "tier_insufficient",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "tier_insufficient", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
         if (this.config.enforce) {
-          return this.makeErrorResponse(
-            request.id,
-            -32600,
-            `Tool "${toolName}" requires tier "${toolPolicy.min_tier}", agent has "${this.currentTier}"`
-          );
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" requires tier "${toolPolicy.min_tier}"`);
         }
         return null;
       }
     }
     if (toolPolicy.block) {
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "deny",
-        reason_code: "policy_block",
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "policy_block", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       if (this.config.enforce) {
         return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" is blocked by policy`);
       }
       return null;
     }
+    if (toolPolicy.require_approval) {
+      const grant = this.approvalStore.get(requestId);
+      const alwaysGrant = this.approvalStore.get(`always:${toolName}`);
+      if (grant && Date.now() < grant.expires_at || alwaysGrant && Date.now() < alwaysGrant.expires_at) {
+        if (grant && grant.mode === "once") this.approvalStore.delete(requestId);
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "approval_granted", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      }
+      this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: {
+            content: [
+              {
+                type: "text",
+                text: `REQUIRES_APPROVAL: The tool "${toolName}" requires human approval before execution. Request ID: ${requestId}. Approval nonce: ${this.approvalNonce}. Tell the user you need their approval to use "${toolName}" and will retry when granted. Do NOT retry this tool call until the user explicitly approves it.`
+              }
+            ],
+            isError: true
+          }
+        };
+      }
+      return null;
+    }
     const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
     if (rateSpec) {
       try {
@@ -3086,59 +3681,22 @@ var ProtectGateway = class {
         const key = `tool:${toolName}:${this.currentTier}`;
         const { allowed, remaining } = checkRateLimit(key, limit, this.rateLimitStore);
         if (!allowed) {
-          this.emitDecisionLog({
-            tool: toolName,
-            decision: "deny",
-            reason_code: "rate_limit_exceeded",
-            request_id: requestId,
-            rate_limit_remaining: 0,
-            tier: this.currentTier,
-            credential_ref: credentialRef
-          });
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "rate_limit_exceeded", request_id: requestId, rate_limit_remaining: 0, tier: this.currentTier, credential_ref: credentialRef });
           if (this.config.enforce) {
-            return this.makeErrorResponse(
-              request.id,
-              -32600,
-              `Tool "${toolName}" rate limit exceeded (${rateSpec})`
-            );
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" rate limit exceeded (${rateSpec})`);
           }
           return null;
         }
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "policy_allow",
-          request_id: requestId,
-          rate_limit_remaining: remaining,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "policy_allow", request_id: requestId, rate_limit_remaining: remaining, tier: this.currentTier, credential_ref: credentialRef });
       } catch {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "default_allow",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "default_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       }
     } else {
       const reasonCode = this.config.enforce ? "policy_allow" : "observe_mode";
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "allow",
-        reason_code: reasonCode,
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: reasonCode, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
     }
     return null;
   }
-  /**
-   * Get the applicable rate limit spec based on the agent's tier.
-   */
   getTierRateLimit(policy, tier) {
     if (policy.rate_limits && policy.rate_limits[tier]) {
       const tierLimit = policy.rate_limits[tier];
@@ -3146,10 +3704,6 @@ var ProtectGateway = class {
     }
     return policy.rate_limit;
   }
-  /**
-   * Emit a structured decision log to stderr.
-   * If signing is enabled, also emits a signed artifact.
-   */
   emitDecisionLog(entry) {
     const mode = this.config.enforce ? "enforce" : "shadow";
     const log = {
@@ -3168,55 +3722,48 @@ var ProtectGateway = class {
     };
     process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
 `);
+    try {
+      (0, import_node_fs5.appendFileSync)(this.logFilePath, JSON.stringify(log) + "\n");
+    } catch {
+    }
     if (isSigningEnabled()) {
       const signed = signDecision(log);
       if (signed.signed) {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
+        try {
+          (0, import_node_fs5.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
+        } catch {
+        }
+        this.receiptBuffer.add(log.request_id, signed.signed);
+        if (this.admissionResult?.agent_id) {
+          this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");
+          if (this.evidenceStore.getSummary(this.admissionResult.agent_id).receipt_count % 10 === 0) {
+            this.evidenceStore.save();
+          }
+        }
       } else if (signed.warning) {
         process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
 `);
       }
     }
   }
-  /**
-   * Create a JSON-RPC error response.
-   */
   makeErrorResponse(id, code, message) {
-    return {
-      jsonrpc: "2.0",
-      id,
-      error: { code, message }
-    };
+    return { jsonrpc: "2.0", id, error: { code, message } };
   }
-  /**
-   * Send a message to the child process (wrapped MCP server).
-   */
   sendToChild(message) {
-    if (this.child?.stdin?.writable) {
-      this.child.stdin.write(message + "\n");
-    }
+    if (this.child?.stdin?.writable) this.child.stdin.write(message + "\n");
   }
-  /**
-   * Send a message to the MCP client (stdout).
-   */
   sendToClient(message) {
     process.stdout.write(message + "\n");
   }
-  /**
-   * Log a message to stderr (debug output).
-   */
   log(message) {
     process.stderr.write(`[PROTECT_MCP] ${message}
 `);
   }
-  /**
-   * Stop the gateway: kill child process and exit.
-   */
   stop() {
-    if (this.clientReader) {
-      this.clientReader.close();
-    }
+    this.evidenceStore.save();
+    if (this.clientReader) this.clientReader.close();
     if (this.child) {
       this.child.kill("SIGTERM");
       this.child = null;
@@ -3233,6 +3780,11 @@ protect-mcp \u2014 Shadow-mode security gateway for MCP servers
 Usage:
   protect-mcp [options] -- <command> [args...]
   protect-mcp init [--dir <path>]
+  protect-mcp demo
+  protect-mcp status [--dir <path>]
+  protect-mcp digest [--today] [--dir <path>]
+  protect-mcp receipts [--last <n>] [--dir <path>]
+  protect-mcp bundle [--output <path>] [--dir <path>]
 Options:
   --policy <path>   Policy/config JSON file (default: allow-all)
@@ -3243,12 +3795,22 @@ Options:
 Commands:
   init              Generate config template, Ed25519 keypair, and sample policy
+  demo              Start a demo server wrapped with protect-mcp (see receipts instantly)
+  status            Show tool call statistics from the local decision log
+  digest            Generate a human-readable summary of agent activity
+  receipts          Show recent persisted signed receipts
+  bundle            Export an offline-verifiable audit bundle
 Examples:
   protect-mcp -- node my-server.js
   protect-mcp --policy protect-mcp.json -- node my-server.js
   protect-mcp --policy protect-mcp.json --enforce -- node my-server.js
   protect-mcp init
+  protect-mcp demo
+  protect-mcp status
+  protect-mcp digest --today
+  protect-mcp receipts --last 10
+  protect-mcp bundle --output audit.json
 `);
 }
@@ -3292,17 +3854,17 @@ function parseArgs(argv) {
   return { policyPath, slug, enforce, verbose, childCommand };
 }
 async function handleInit(argv) {
-  const { writeFileSync, existsSync: existsSync2, mkdirSync } = await import("fs");
-  const { join } = await import("path");
+  const { writeFileSync: writeFileSync2, existsSync: existsSync4, mkdirSync } = await import("fs");
+  const { join: join4 } = await import("path");
   let dir = process.cwd();
   const dirIdx = argv.indexOf("--dir");
   if (dirIdx !== -1 && argv[dirIdx + 1]) {
     dir = argv[dirIdx + 1];
   }
-  const configPath = join(dir, "protect-mcp.json");
-  const keysDir = join(dir, "keys");
-  const keyPath = join(keysDir, "gateway.json");
-  if (existsSync2(configPath)) {
+  const configPath = join4(dir, "protect-mcp.json");
+  const keysDir = join4(dir, "keys");
+  const keyPath = join4(keysDir, "gateway.json");
+  if (existsSync4(configPath)) {
     process.stderr.write(`[PROTECT_MCP] Config already exists at ${configPath}
 `);
     process.stderr.write("[PROTECT_MCP] Delete it first if you want to regenerate.\n");
@@ -3313,10 +3875,10 @@ async function handleInit(argv) {
     const artifacts = await import("@veritasacta/artifacts");
     keypair = artifacts.generateKeypair();
   } catch {
-    const { randomBytes: randomBytes2 } = await import("crypto");
+    const { randomBytes: randomBytes3 } = await import("crypto");
     const { ed25519: ed255192 } = await Promise.resolve().then(() => (init_ed25519(), ed25519_exports));
     const { bytesToHex: bytesToHex2 } = await Promise.resolve().then(() => (init_utils(), utils_exports));
-    const privateKey = randomBytes2(32);
+    const privateKey = randomBytes3(32);
     const publicKey = ed255192.getPublicKey(privateKey);
     keypair = {
       privateKey: bytesToHex2(privateKey),
@@ -3324,19 +3886,19 @@ async function handleInit(argv) {
       kid: "generated"
     };
   }
-  if (!existsSync2(keysDir)) {
+  if (!existsSync4(keysDir)) {
     mkdirSync(keysDir, { recursive: true });
   }
-  writeFileSync(keyPath, JSON.stringify({
+  writeFileSync2(keyPath, JSON.stringify({
     privateKey: keypair.privateKey,
     publicKey: keypair.publicKey,
     kid: keypair.kid,
     generated_at: (/* @__PURE__ */ new Date()).toISOString(),
     warning: "KEEP THIS FILE SECRET. Never commit to version control."
   }, null, 2) + "\n");
-  const gitignorePath = join(keysDir, ".gitignore");
-  if (!existsSync2(gitignorePath)) {
-    writeFileSync(gitignorePath, "# Never commit signing keys\n*.json\n");
+  const gitignorePath = join4(keysDir, ".gitignore");
+  if (!existsSync4(gitignorePath)) {
+    writeFileSync2(gitignorePath, "# Never commit signing keys\n*.json\n");
   }
   const config = {
     tools: {
@@ -3363,19 +3925,27 @@ async function handleInit(argv) {
     },
     credentials: {
       _example_api: {
-        inject: "header",
-        name: "Authorization",
+        inject: "env",
+        name: "EXAMPLE_API_KEY",
         value_env: "EXAMPLE_API_KEY",
         _comment: "Remove the underscore prefix and set EXAMPLE_API_KEY in your environment"
       }
     }
   };
-  writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  writeFileSync2(configPath, JSON.stringify(config, null, 2) + "\n");
+  const claudeConfig = {
+    "mcpServers": {
+      "my-server": {
+        "command": "npx",
+        "args": ["protect-mcp", "--policy", configPath, "--", "node", "my-server.js"]
+      }
+    }
+  };
   process.stderr.write(`
 ${bold("protect-mcp initialized!")}
 Created:
-  ${configPath}     Config with shadow mode + optional local signing
+  ${configPath}     Config with shadow mode + local signing
   ${keyPath}       Ed25519 signing keypair
 ${bold("Next steps:")}
@@ -3389,13 +3959,427 @@ ${bold("Your gateway public key:")}
 ${bold("Key ID (kid):")}
   ${keypair.kid}
+${bold("Claude Desktop config snippet")} (add to claude_desktop_config.json):
+${dim(JSON.stringify(claudeConfig, null, 2))}
+${bold("Quick demo:")}
+  protect-mcp demo
 Shadow mode is the default \u2014 all tool calls are logged and nothing is blocked.
-Run with the generated policy file if you also want local signed receipts. Add --enforce when ready.
+Add --enforce when ready to block policy violations.
+`);
+}
+async function handleDemo() {
+  const { existsSync: existsSync4 } = await import("fs");
+  const { join: join4, dirname, resolve } = await import("path");
+  const cliPath = resolve(process.argv[1] || "dist/cli.js");
+  const cliDir = dirname(cliPath);
+  const demoServerPath = join4(cliDir, "demo-server.js");
+  const configPath = join4(process.cwd(), "protect-mcp.json");
+  const hasConfig = existsSync4(configPath);
+  if (!hasConfig) {
+    process.stderr.write(`
+${bold("protect-mcp demo")}
+Starting demo with default shadow mode (no signing).
+For signed receipts, run ${dim("npx protect-mcp init")} first.
+`);
+  } else {
+    process.stderr.write(`
+${bold("protect-mcp demo")}
+Using config from ${configPath}
+Starting demo server with 5 tools...
+`);
+  }
+  let policy = null;
+  let policyDigest = "none";
+  let credentials;
+  let signing;
+  if (hasConfig) {
+    try {
+      const loaded = loadPolicy(configPath);
+      policy = loaded.policy;
+      policyDigest = loaded.digest;
+      credentials = loaded.credentials;
+      signing = loaded.signing;
+    } catch (err) {
+      process.stderr.write(`[PROTECT_MCP] Warning: Could not load config: ${err instanceof Error ? err.message : err}
+`);
+    }
+  }
+  if (signing) {
+    const warnings = await initSigning(signing);
+    for (const w of warnings) {
+      process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+    }
+  }
+  if (credentials) {
+    const warnings = validateCredentials(credentials);
+    for (const w of warnings) {
+      process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+    }
+  }
+  const config = {
+    command: process.execPath,
+    // node
+    args: [demoServerPath],
+    policy,
+    policyDigest,
+    enforce: false,
+    // Demo always runs in shadow mode
+    verbose: true,
+    signing,
+    credentials
+  };
+  const gateway = new ProtectGateway(config);
+  process.stderr.write(`${bold("Demo ready!")} The demo server is running.
+`);
+  process.stderr.write(`Send JSON-RPC tool calls on stdin, or use an MCP client.
+`);
+  process.stderr.write(`${dim("Example (paste into stdin):")}
+`);
+  process.stderr.write(`${dim('{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/etc/hosts"}}}')}
+`);
+  await gateway.start();
+}
+async function handleStatus2(argv) {
+  const { readFileSync: readFileSync5, existsSync: existsSync4 } = await import("fs");
+  const { join: join4 } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) {
+    dir = argv[dirIdx + 1];
+  }
+  const logPath = join4(dir, ".protect-mcp-log.jsonl");
+  if (!existsSync4(logPath)) {
+    process.stderr.write(`${bold("protect-mcp status")}
+`);
+    process.stderr.write(`No log file found at ${logPath}
+`);
+    process.stderr.write(`Run protect-mcp with a wrapped server first to generate logs.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync5(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  if (lines.length === 0) {
+    process.stderr.write(`${bold("protect-mcp status")}
+No entries in log file.
+`);
+    process.exit(0);
+  }
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  if (entries.length === 0) {
+    process.stderr.write(`${bold("protect-mcp status")}
+No valid entries in log file.
+`);
+    process.exit(0);
+  }
+  const toolCounts = /* @__PURE__ */ new Map();
+  let allowCount = 0;
+  let denyCount = 0;
+  let rateLimitCount = 0;
+  const tierCounts = /* @__PURE__ */ new Map();
+  const reasonCounts = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    toolCounts.set(entry.tool, (toolCounts.get(entry.tool) || 0) + 1);
+    if (entry.decision === "allow") allowCount++;
+    else if (entry.decision === "deny") denyCount++;
+    if (entry.reason_code === "rate_limit_exceeded") rateLimitCount++;
+    if (entry.tier) tierCounts.set(entry.tier, (tierCounts.get(entry.tier) || 0) + 1);
+    reasonCounts.set(entry.reason_code, (reasonCounts.get(entry.reason_code) || 0) + 1);
+  }
+  const firstTs = new Date(Math.min(...entries.map((e) => e.timestamp)));
+  const lastTs = new Date(Math.max(...entries.map((e) => e.timestamp)));
+  const sortedTools = [...toolCounts.entries()].sort((a, b) => b[1] - a[1]);
+  process.stdout.write(`
+${bold("protect-mcp status")}
+`);
+  process.stdout.write(`  Total decisions: ${bold(String(entries.length))}
+`);
+  process.stdout.write(`  ${green("\u2713 Allow")}: ${allowCount}    ${red("\u2717 Deny")}: ${denyCount}    ${yellow("\u2298 Rate-limited")}: ${rateLimitCount}
+`);
+  process.stdout.write(`  ${bold("Time range:")}
+`);
+  process.stdout.write(`    First: ${firstTs.toISOString()}
+`);
+  process.stdout.write(`    Last:  ${lastTs.toISOString()}
+`);
+  process.stdout.write(`  ${bold("Top tools:")}
+`);
+  for (const [tool, count] of sortedTools.slice(0, 10)) {
+    const bar = "\u2588".repeat(Math.min(Math.ceil(count / entries.length * 30), 30));
+    process.stdout.write(`    ${tool.padEnd(20)} ${String(count).padStart(4)}  ${dim(bar)}
+`);
+  }
+  if (tierCounts.size > 0) {
+    process.stdout.write(`
+  ${bold("Trust tiers seen:")}
+`);
+    for (const [tier, count] of tierCounts) {
+      process.stdout.write(`    ${tier.padEnd(15)} ${count}
+`);
+    }
+  }
+  process.stdout.write(`
+  ${bold("Decision reasons:")}
+`);
+  for (const [reason, count] of [...reasonCounts.entries()].sort((a, b) => b[1] - a[1])) {
+    process.stdout.write(`    ${reason.padEnd(25)} ${count}
+`);
+  }
+  const evidencePath = join4(dir, ".protect-mcp-evidence.json");
+  if (existsSync4(evidencePath)) {
+    try {
+      const evidenceRaw = readFileSync5(evidencePath, "utf-8");
+      const evidence = JSON.parse(evidenceRaw);
+      const agentCount = Object.keys(evidence.agents || {}).length;
+      process.stdout.write(`
+  ${bold("Evidence store:")} ${agentCount} agent(s) tracked
+`);
+    } catch {
+    }
+  }
+  const keyPath = join4(dir, "keys", "gateway.json");
+  if (existsSync4(keyPath)) {
+    try {
+      const keyData = JSON.parse(readFileSync5(keyPath, "utf-8"));
+      if (keyData.publicKey) {
+        const fingerprint = keyData.publicKey.slice(0, 16) + "...";
+        process.stdout.write(`
+  ${bold("\u{1F6E1}\uFE0F Passport identity:")}
+`);
+        process.stdout.write(`    Public key:  ${fingerprint}
+`);
+        if (keyData.kid) process.stdout.write(`    Key ID:      ${keyData.kid}
+`);
+        process.stdout.write(`    Issuer:      ${keyData.issuer || "protect-mcp"}
+`);
+        process.stdout.write(`    Verify:      ${dim("npx @veritasacta/verify <receipt.json>")}
+`);
+      }
+    } catch {
+    }
+  }
+  process.stdout.write(`
+  Log file: ${dim(logPath)}
 `);
 }
 function bold(s) {
   return process.env.NO_COLOR ? s : `\x1B[1m${s}\x1B[0m`;
 }
+function dim(s) {
+  return process.env.NO_COLOR ? s : `\x1B[2m${s}\x1B[0m`;
+}
+function green(s) {
+  return process.env.NO_COLOR ? s : `\x1B[32m${s}\x1B[0m`;
+}
+function red(s) {
+  return process.env.NO_COLOR ? s : `\x1B[31m${s}\x1B[0m`;
+}
+function yellow(s) {
+  return process.env.NO_COLOR ? s : `\x1B[33m${s}\x1B[0m`;
+}
+async function handleDigest(argv) {
+  const { readFileSync: readFileSync5, existsSync: existsSync4 } = await import("fs");
+  const { join: join4 } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const today = argv.includes("--today");
+  const logPath = join4(dir, ".protect-mcp-log.jsonl");
+  if (!existsSync4(logPath)) {
+    process.stderr.write(`${bold("protect-mcp digest")}
+No log file found. Run protect-mcp first.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync5(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  let entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  if (today) {
+    const todayStart = /* @__PURE__ */ new Date();
+    todayStart.setHours(0, 0, 0, 0);
+    entries = entries.filter((e) => e.timestamp >= todayStart.getTime());
+  }
+  if (entries.length === 0) {
+    process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Agent Digest")}
+  No activity${today ? " today" : ""}.
+`);
+    process.exit(0);
+  }
+  const allowed = entries.filter((e) => e.decision === "allow").length;
+  const denied = entries.filter((e) => e.decision === "deny").length;
+  const approvalRequired = entries.filter((e) => e.decision === "require_approval").length;
+  const toolUsage = /* @__PURE__ */ new Map();
+  for (const e of entries) {
+    toolUsage.set(e.tool, (toolUsage.get(e.tool) || 0) + 1);
+  }
+  const sortedTools = [...toolUsage.entries()].sort((a, b) => b[1] - a[1]);
+  const currentTier = entries[entries.length - 1]?.tier || "unknown";
+  const firstTime = new Date(Math.min(...entries.map((e) => e.timestamp)));
+  const lastTime = new Date(Math.max(...entries.map((e) => e.timestamp)));
+  const durationMs = lastTime.getTime() - firstTime.getTime();
+  const durationStr = durationMs < 6e4 ? `${Math.round(durationMs / 1e3)}s` : durationMs < 36e5 ? `${Math.round(durationMs / 6e4)}m` : `${(durationMs / 36e5).toFixed(1)}h`;
+  process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Agent Daily Digest")}
+`);
+  process.stdout.write(`  \u{1F4CA} ${bold(String(entries.length))} actions | `);
+  process.stdout.write(`${green("\u2713 " + allowed)} allowed | `);
+  process.stdout.write(`${red("\u2717 " + denied)} blocked`);
+  if (approvalRequired > 0) process.stdout.write(` | ${yellow("\u23F3 " + approvalRequired)} awaiting approval`);
+  process.stdout.write(`
+`);
+  process.stdout.write(`  \u{1F3C5} Trust tier: ${bold(currentTier)} | \u23F1 Active: ${durationStr}
+`);
+  process.stdout.write(`  ${bold("Tools used:")}
+`);
+  for (const [tool, count] of sortedTools.slice(0, 8)) {
+    process.stdout.write(`    ${tool.padEnd(22)} ${count}x
+`);
+  }
+  if (denied > 0) {
+    const deniedTools = entries.filter((e) => e.decision === "deny");
+    const deniedToolNames = [...new Set(deniedTools.map((e) => e.tool))];
+    process.stdout.write(`
+  ${bold(red("Blocked tools:"))}
+`);
+    for (const tool of deniedToolNames) {
+      const reason = deniedTools.find((e) => e.tool === tool)?.reason_code || "policy";
+      process.stdout.write(`    ${red("\u2717")} ${tool} (${reason})
+`);
+    }
+  }
+  process.stdout.write(`
+  ${dim("Latest receipt: curl -s http://127.0.0.1:9876/receipts/latest | jq -r .receipt > receipt.json")}
+`);
+  process.stdout.write(`  ${dim("Verify: npx @veritasacta/verify receipt.json --key <public-key-hex>")}
+`);
+  process.stdout.write(`  ${dim("Export: npx protect-mcp bundle --output audit.json")}
+`);
+}
+async function handleReceipts2(argv) {
+  const { readFileSync: readFileSync5, existsSync: existsSync4 } = await import("fs");
+  const { join: join4 } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const lastIdx = argv.indexOf("--last");
+  const count = lastIdx !== -1 && argv[lastIdx + 1] ? parseInt(argv[lastIdx + 1], 10) : 20;
+  const receiptsPath = join4(dir, ".protect-mcp-receipts.jsonl");
+  if (!existsSync4(receiptsPath)) {
+    process.stderr.write(`${bold("protect-mcp receipts")}
+No signed receipt file found. Run protect-mcp with signing enabled first.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync5(receiptsPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const recent = lines.slice(-count);
+  process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Recent Receipts")} (last ${recent.length})
+`);
+  for (const line of recent) {
+    try {
+      const entry = JSON.parse(line);
+      const payload = entry.payload || {};
+      const time = typeof entry.issued_at === "string" ? new Date(entry.issued_at).toLocaleTimeString() : "unknown";
+      const decision = payload.decision || "unknown";
+      const icon = decision === "allow" ? green("\u2713") : decision === "require_approval" ? yellow("\u23F3") : red("\u2717");
+      process.stdout.write(`  ${dim(time)} ${icon} ${String(payload.tool || "unknown").padEnd(22)} ${String(entry.type || "receipt").padEnd(18)} ${dim(String(payload.reason_code || "signed"))}
+`);
+    } catch {
+    }
+  }
+  process.stdout.write(`
+`);
+}
+async function handleBundle(argv) {
+  const { readFileSync: readFileSync5, writeFileSync: writeFileSync2, existsSync: existsSync4 } = await import("fs");
+  const { join: join4 } = await import("path");
+  const { createAuditBundle: createAuditBundle2 } = await Promise.resolve().then(() => (init_bundle(), bundle_exports));
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const outputIdx = argv.indexOf("--output");
+  const outputPath = outputIdx !== -1 && argv[outputIdx + 1] ? argv[outputIdx + 1] : join4(dir, "audit-bundle.json");
+  const receiptsPath = join4(dir, ".protect-mcp-receipts.jsonl");
+  const keyPath = join4(dir, "keys", "gateway.json");
+  if (!existsSync4(receiptsPath)) {
+    process.stderr.write(`${bold("protect-mcp bundle")}
+No signed receipt file found. Run protect-mcp with signing enabled first.
+`);
+    process.exit(0);
+  }
+  if (!existsSync4(keyPath)) {
+    process.stderr.write(`${bold("protect-mcp bundle")}
+No key file found at ${keyPath}
+`);
+    process.exit(1);
+  }
+  const receipts = readFileSync5(receiptsPath, "utf-8").trim().split("\n").filter(Boolean).map((line) => JSON.parse(line));
+  const keyData = JSON.parse(readFileSync5(keyPath, "utf-8"));
+  const bundle = createAuditBundle2({
+    tenant: keyData.issuer || "protect-mcp",
+    receipts,
+    signingKeys: [{
+      kty: "OKP",
+      crv: "Ed25519",
+      kid: keyData.kid || "unknown",
+      x: Buffer.from(keyData.publicKey, "hex").toString("base64url"),
+      use: "sig"
+    }]
+  });
+  writeFileSync2(outputPath, JSON.stringify(bundle, null, 2) + "\n");
+  process.stdout.write(`
+${bold("protect-mcp bundle")}
+`);
+  process.stdout.write(`  Receipts: ${receipts.length}
+`);
+  process.stdout.write(`  Output:   ${outputPath}
+`);
+  process.stdout.write(`  Verify:   npx @veritasacta/verify ${outputPath} --bundle
+`);
+}
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
@@ -3406,6 +4390,26 @@ async function main() {
     await handleInit(args.slice(1));
     process.exit(0);
   }
+  if (args[0] === "demo") {
+    await handleDemo();
+    return;
+  }
+  if (args[0] === "status") {
+    await handleStatus2(args.slice(1));
+    process.exit(0);
+  }
+  if (args[0] === "digest") {
+    await handleDigest(args.slice(1));
+    process.exit(0);
+  }
+  if (args[0] === "receipts") {
+    await handleReceipts2(args.slice(1));
+    process.exit(0);
+  }
+  if (args[0] === "bundle") {
+    await handleBundle(args.slice(1));
+    process.exit(0);
+  }
   const { policyPath, slug, enforce, verbose, childCommand } = parseArgs(args);
   let policy = null;
   let policyDigest = "none";