protect-mcp 0.2.2 → 0.3.1

package/dist/index.js

@@ -61,6 +61,8 @@ module.exports = __toCommonJS(index_exports);
 var import_node_child_process = require("child_process");
 var import_node_crypto2 = require("crypto");
 var import_node_readline = require("readline");
+var import_node_fs5 = require("fs");
+var import_node_path3 = require("path");
 
 // src/policy.ts
 var import_node_crypto = require("crypto");
@@ -138,8 +140,126 @@ function checkRateLimit(key, limit, store) {
   return { allowed: true, remaining: limit.count - timestamps.length };
 }
 
+// src/evidence-store.ts
+var import_node_fs2 = require("fs");
+var import_node_path = require("path");
+var DEFAULT_THRESHOLDS = {
+  min_receipts: 10,
+  min_epoch_span: 3,
+  min_issuers: 2
+};
+var EvidenceStore = class {
+  agents = /* @__PURE__ */ new Map();
+  filePath;
+  dirty = false;
+  constructor(dir) {
+    this.filePath = (0, import_node_path.join)(dir || process.cwd(), ".protect-mcp-evidence.json");
+    this.load();
+  }
+  /**
+   * Record a receipt observation for an agent.
+   */
+  record(agentId, issuer, timestamp) {
+    const ts = timestamp || (/* @__PURE__ */ new Date()).toISOString();
+    const epochHour = Math.floor(new Date(ts).getTime() / (3600 * 1e3));
+    const existing = this.agents.get(agentId);
+    const observation = {
+      issuer,
+      timestamp: ts,
+      epoch_hour: epochHour
+    };
+    if (existing) {
+      existing.receipts.push(observation);
+      existing.last_seen = ts;
+      if (existing.receipts.length > 200) {
+        existing.receipts = existing.receipts.slice(-200);
+      }
+    } else {
+      this.agents.set(agentId, {
+        agent_id: agentId,
+        receipts: [observation],
+        first_seen: ts,
+        last_seen: ts
+      });
+    }
+    this.dirty = true;
+  }
+  /**
+   * Get the evidence summary for an agent.
+   */
+  getSummary(agentId) {
+    const record = this.agents.get(agentId);
+    if (!record || record.receipts.length === 0) {
+      return { receipt_count: 0, epoch_span: 0, issuer_count: 0 };
+    }
+    const uniqueIssuers = new Set(record.receipts.map((r) => r.issuer));
+    const uniqueEpochs = new Set(record.receipts.map((r) => r.epoch_hour));
+    return {
+      receipt_count: record.receipts.length,
+      epoch_span: uniqueEpochs.size,
+      issuer_count: uniqueIssuers.size
+    };
+  }
+  /**
+   * Check if an agent meets the evidenced tier thresholds.
+   */
+  meetsEvidencedThreshold(agentId, thresholds = DEFAULT_THRESHOLDS) {
+    const summary = this.getSummary(agentId);
+    return summary.receipt_count >= thresholds.min_receipts && summary.epoch_span >= thresholds.min_epoch_span && summary.issuer_count >= thresholds.min_issuers;
+  }
+  /**
+   * Persist to disk (call periodically or on shutdown).
+   */
+  save() {
+    if (!this.dirty) return;
+    const data = {};
+    for (const [id, record] of this.agents) {
+      data[id] = record;
+    }
+    try {
+      (0, import_node_fs2.writeFileSync)(this.filePath, JSON.stringify({ v: 1, agents: data }, null, 2) + "\n");
+      this.dirty = false;
+    } catch {
+    }
+  }
+  /**
+   * Load from disk.
+   */
+  load() {
+    if (!(0, import_node_fs2.existsSync)(this.filePath)) return;
+    try {
+      const raw = (0, import_node_fs2.readFileSync)(this.filePath, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (parsed.agents && typeof parsed.agents === "object") {
+        for (const [id, record] of Object.entries(parsed.agents)) {
+          this.agents.set(id, record);
+        }
+      }
+    } catch {
+    }
+  }
+  /**
+   * Get total agent count (for status display).
+   */
+  agentCount() {
+    return this.agents.size;
+  }
+  /**
+   * Get all agent summaries (for status display).
+   */
+  allSummaries() {
+    const result = [];
+    for (const [id] of this.agents) {
+      result.push({ agent_id: id, summary: this.getSummary(id) });
+    }
+    return result;
+  }
+};
+
 // src/admission.ts
-function evaluateTier(manifest, overrides) {
+function evaluateTier(manifest, opts) {
+  const options = opts && ("evidenceStore" in opts || "overrides" in opts || "thresholds" in opts) ? opts : { overrides: opts };
+  const { overrides, evidenceStore, thresholds } = options;
   if (!manifest) {
     return {
       tier: "unknown",
@@ -165,7 +285,8 @@ function evaluateTier(manifest, overrides) {
   if (manifest.signature_valid === true) {
     if (manifest.evidence_summary) {
       const es = manifest.evidence_summary;
-      if (es.receipt_count >= 10 && es.epoch_span >= 3 && es.issuer_count >= 2) {
+      const t = thresholds || DEFAULT_THRESHOLDS;
+      if (es.receipt_count >= t.min_receipts && es.epoch_span >= t.min_epoch_span && es.issuer_count >= t.min_issuers) {
         return {
           tier: "evidenced",
           agent_id: manifest.agent_id,
@@ -174,6 +295,16 @@ function evaluateTier(manifest, overrides) {
         };
       }
     }
+    if (evidenceStore && manifest.agent_id) {
+      if (evidenceStore.meetsEvidencedThreshold(manifest.agent_id, thresholds)) {
+        return {
+          tier: "evidenced",
+          agent_id: manifest.agent_id,
+          manifest_hash: manifest.manifest_hash,
+          reason: "evidence_store_threshold_met"
+        };
+      }
+    }
     return {
       tier: "signed-known",
       agent_id: manifest.agent_id,
@@ -243,7 +374,7 @@ function validateCredentials(credentials) {
 }
 
 // src/signing.ts
-var import_node_fs2 = require("fs");
+var import_node_fs3 = require("fs");
 var signerState = null;
 var artifactsModule = null;
 async function initSigning(config) {
@@ -258,12 +389,12 @@ async function initSigning(config) {
     return warnings;
   }
   if (config.key_path) {
-    if (!(0, import_node_fs2.existsSync)(config.key_path)) {
+    if (!(0, import_node_fs3.existsSync)(config.key_path)) {
       warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
       return warnings;
     }
     try {
-      const keyData = JSON.parse((0, import_node_fs2.readFileSync)(config.key_path, "utf-8"));
+      const keyData = JSON.parse((0, import_node_fs3.readFileSync)(config.key_path, "utf-8"));
       if (!keyData.privateKey || !keyData.publicKey) {
         warnings.push("signing: key file missing privateKey or publicKey fields");
         return warnings;
@@ -271,8 +402,8 @@ async function initSigning(config) {
       signerState = {
         privateKey: keyData.privateKey,
         publicKey: keyData.publicKey,
-        kid: artifactsModule.computeKid(keyData.publicKey),
-        issuer: config.issuer || "protect-mcp"
+        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || keyData.issuer || "protect-mcp"
       };
     } catch (err) {
       warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
@@ -335,21 +466,378 @@ function isSigningEnabled() {
   return signerState !== null && artifactsModule !== null;
 }
 
+// src/external-pdp.ts
+async function queryExternalPDP(context, config) {
+  const timeout = config.timeout_ms || 500;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeout);
+  try {
+    const body = formatRequest(context, config.format || "generic");
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!response.ok) {
+      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    return parseResponse(result, config.format || "generic");
+  } catch (err) {
+    clearTimeout(timer);
+    if (err instanceof Error && err.name === "AbortError") {
+      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
+    }
+    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
+  }
+}
+function formatRequest(context, format) {
+  switch (format) {
+    case "opa":
+      return {
+        input: {
+          actor: context.actor,
+          action: context.action,
+          target: context.target,
+          credential_ref: context.credential_ref,
+          mode: context.mode,
+          metadata: context.request_metadata
+        }
+      };
+    case "cerbos":
+      return {
+        principal: {
+          id: context.actor.id || "unknown",
+          roles: [context.actor.tier],
+          attr: {
+            manifest_hash: context.actor.manifest_hash
+          }
+        },
+        resource: {
+          kind: "tool",
+          id: context.action.tool,
+          attr: context.target
+        },
+        actions: [context.action.operation || "call"]
+      };
+    case "generic":
+    default:
+      return context;
+  }
+}
+function parseResponse(result, format) {
+  switch (format) {
+    case "opa":
+      if (typeof result.result === "boolean") {
+        return { allowed: result.result };
+      }
+      if (result.result && typeof result.result === "object") {
+        const r = result.result;
+        return {
+          allowed: Boolean(r.allow),
+          reason: r.reason,
+          metadata: r
+        };
+      }
+      return { allowed: false, reason: "unrecognized OPA response" };
+    case "cerbos":
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const actions = result.results[0].actions;
+        if (actions) {
+          const effect = Object.values(actions)[0];
+          return { allowed: effect === "EFFECT_ALLOW" };
+        }
+      }
+      return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "generic":
+    default:
+      return {
+        allowed: Boolean(result.allowed),
+        reason: result.reason,
+        metadata: result.metadata
+      };
+  }
+}
+function fallbackDecision(config, reason) {
+  const fallback = config.fallback || "deny";
+  return {
+    allowed: fallback === "allow",
+    reason: `fallback_${fallback}: ${reason}`
+  };
+}
+function buildDecisionContext(toolName, tier, opts) {
+  return {
+    v: 1,
+    actor: {
+      id: opts.agentId,
+      tier,
+      manifest_hash: opts.manifestHash
+    },
+    action: {
+      tool: toolName,
+      operation: "call"
+    },
+    target: {
+      service: opts.slug || "default"
+    },
+    credential_ref: opts.credentialRef,
+    mode: opts.mode,
+    request_metadata: opts.requestMetadata || {}
+  };
+}
+
+// src/http-server.ts
+var import_node_http = require("http");
+var import_node_fs4 = require("fs");
+var import_node_path2 = require("path");
+var LOG_FILE = ".protect-mcp-log.jsonl";
+var MAX_RECEIPTS = 100;
+var ReceiptBuffer = class {
+  receipts = [];
+  add(requestId, receipt) {
+    this.receipts.push({
+      request_id: requestId,
+      receipt,
+      timestamp: Date.now()
+    });
+    if (this.receipts.length > MAX_RECEIPTS) {
+      this.receipts = this.receipts.slice(-MAX_RECEIPTS);
+    }
+  }
+  getAll() {
+    return [...this.receipts].reverse();
+  }
+  getById(requestId) {
+    return this.receipts.find((r) => r.request_id === requestId);
+  }
+  count() {
+    return this.receipts.length;
+  }
+  getLatest() {
+    return this.receipts.length > 0 ? this.receipts[this.receipts.length - 1] : void 0;
+  }
+};
+function startStatusServer(config, receiptBuffer, approvalStore, approvalNonce) {
+  const startTime = Date.now();
+  const logDir = process.cwd();
+  const server = (0, import_node_http.createServer)((req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    res.setHeader("Content-Type", "application/json");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${config.port}`);
+    const path = url.pathname;
+    try {
+      if (path === "/health") {
+        handleHealth(res, startTime, config);
+      } else if (path === "/status") {
+        handleStatus(res, logDir);
+      } else if (path === "/receipts") {
+        handleReceipts(res, receiptBuffer, url);
+      } else if (path === "/receipts/latest") {
+        handleReceiptLatest(res, receiptBuffer);
+      } else if (path.startsWith("/receipts/")) {
+        const id = path.slice("/receipts/".length);
+        handleReceiptById(res, receiptBuffer, id);
+      } else if (path === "/approve" && req.method === "POST") {
+        handleApprove(req, res, approvalStore, approvalNonce);
+      } else if (path === "/approvals" && req.method === "GET") {
+        handleListApprovals(res, approvalStore);
+      } else {
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/latest", "/receipts/:id", "/approve", "/approvals"] }));
+      }
+    } catch (err) {
+      res.writeHead(500);
+      res.end(JSON.stringify({ error: "internal_error" }));
+    }
+  });
+  server.on("error", (err) => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server error: ${err.message}
+`);
+    }
+  });
+  server.listen(config.port, "127.0.0.1", () => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
+`);
+    }
+  });
+  server.unref();
+  return server;
+}
+function handleHealth(res, startTime, config) {
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    status: "ok",
+    uptime_ms: Date.now() - startTime,
+    mode: config.mode,
+    version: "0.3.1"
+  }));
+}
+function handleStatus(res, logDir) {
+  const logPath = (0, import_node_path2.join)(logDir, LOG_FILE);
+  if (!(0, import_node_fs4.existsSync)(logPath)) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
+    return;
+  }
+  const raw = (0, import_node_fs4.readFileSync)(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  const toolCounts = {};
+  let allowCount = 0, denyCount = 0;
+  const tierCounts = {};
+  for (const e of entries) {
+    toolCounts[e.tool] = (toolCounts[e.tool] || 0) + 1;
+    if (e.decision === "allow") allowCount++;
+    else denyCount++;
+    if (e.tier) tierCounts[e.tier] = (tierCounts[e.tier] || 0) + 1;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    entries: entries.length,
+    allow: allowCount,
+    deny: denyCount,
+    tools: toolCounts,
+    tiers: tierCounts,
+    first_timestamp: entries.length > 0 ? entries[0].timestamp : null,
+    last_timestamp: entries.length > 0 ? entries[entries.length - 1].timestamp : null
+  }));
+}
+function handleReceipts(res, buffer, url) {
+  const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+  const receipts = buffer.getAll().slice(0, Math.min(limit, MAX_RECEIPTS));
+  res.writeHead(200);
+  res.end(JSON.stringify({
+    count: receipts.length,
+    total: buffer.count(),
+    receipts
+  }));
+}
+function handleReceiptLatest(res, buffer) {
+  const latest = buffer.getLatest();
+  if (!latest) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "no_receipts", message: "No receipts yet. Make a tool call through protect-mcp first." }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(latest));
+}
+function handleReceiptById(res, buffer, id) {
+  const receipt = buffer.getById(id);
+  if (!receipt) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "receipt_not_found", request_id: id }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(receipt));
+}
+function handleApprove(req, res, approvalStore, expectedNonce) {
+  if (!approvalStore) {
+    res.writeHead(503);
+    res.end(JSON.stringify({ error: "approval_store_not_available" }));
+    return;
+  }
+  let body = "";
+  req.on("data", (chunk) => {
+    body += chunk.toString();
+  });
+  req.on("end", () => {
+    try {
+      const { request_id, tool, mode, nonce } = JSON.parse(body);
+      if (expectedNonce && nonce !== expectedNonce) {
+        res.writeHead(403);
+        res.end(JSON.stringify({ error: "invalid_nonce", message: "Approval nonce does not match. Check stderr output for the correct nonce." }));
+        return;
+      }
+      if (!tool || typeof tool !== "string") {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "missing_tool", usage: '{"request_id":"abc123","tool":"send_email","mode":"once|always","nonce":"..."}' }));
+        return;
+      }
+      const grantMode = mode === "always" ? "always" : "once";
+      const ttlMs = grantMode === "once" ? 5 * 60 * 1e3 : 24 * 60 * 60 * 1e3;
+      const grantEntry = { tool, mode: grantMode, expires_at: Date.now() + ttlMs };
+      if (grantMode === "always") {
+        approvalStore.set(`always:${tool}`, grantEntry);
+      } else if (request_id) {
+        approvalStore.set(request_id, grantEntry);
+      } else {
+        approvalStore.set(tool, grantEntry);
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        approved: true,
+        request_id: request_id || null,
+        tool,
+        mode: grantMode,
+        expires_in_seconds: ttlMs / 1e3
+      }));
+    } catch {
+      res.writeHead(400);
+      res.end(JSON.stringify({ error: "invalid_json", usage: '{"request_id":"abc123","tool":"send_email","mode":"once","nonce":"..."}' }));
+    }
+  });
+}
+function handleListApprovals(res, approvalStore) {
+  if (!approvalStore) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ grants: [] }));
+    return;
+  }
+  const now = Date.now();
+  const grants = [];
+  for (const [key, grant] of approvalStore) {
+    if (now < grant.expires_at) {
+      grants.push({ key, tool: grant.tool, mode: grant.mode, expires_in_seconds: Math.round((grant.expires_at - now) / 1e3) });
+    }
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({ grants }));
+}
+
 // src/gateway.ts
+var LOG_FILE2 = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
 var ProtectGateway = class {
   child = null;
   config;
   rateLimitStore = /* @__PURE__ */ new Map();
   clientReader = null;
-  // Trust-tier state for the current session
+  logFilePath;
+  receiptFilePath;
+  evidenceStore;
+  receiptBuffer;
+  /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+  approvalStore = /* @__PURE__ */ new Map();
+  /** Random nonce generated at startup — required for approval endpoint authentication */
+  approvalNonce = (0, import_node_crypto2.randomBytes)(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
   constructor(config) {
     this.config = config;
+    this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = (0, import_node_path3.join)(process.cwd(), RECEIPTS_FILE);
+    this.evidenceStore = new EvidenceStore();
+    this.receiptBuffer = new ReceiptBuffer();
   }
-  /**
-   * Start the gateway: spawn child process and wire up message relay.
-   */
   async start() {
     const { command, args, verbose } = this.config;
     const mode = this.config.enforce ? "enforce" : "shadow";
@@ -366,11 +854,37 @@ var ProtectGateway = class {
         const labels = Object.keys(this.config.credentials);
         this.log(`Credential vault: ${labels.length} credential(s) configured [${labels.join(", ")}]`);
       }
+      if (this.config.policy?.policy_engine === "external" || this.config.policy?.policy_engine === "hybrid") {
+        this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
+      }
     }
-    this.child = (0, import_node_child_process.spawn)(command, args, {
-      stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env }
-    });
+    this.log(`Approval nonce: ${this.approvalNonce}`);
+    const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
+    if (httpPort > 0) {
+      try {
+        startStatusServer(
+          { port: httpPort, mode, verbose },
+          this.receiptBuffer,
+          this.approvalStore,
+          this.approvalNonce
+        );
+      } catch {
+        if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
+      }
+    }
+    const childEnv = { ...process.env };
+    if (this.config.credentials) {
+      for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+        if (credConfig.inject === "env" && credConfig.name && credConfig.value_env) {
+          const envValue = process.env[credConfig.value_env];
+          if (envValue) {
+            childEnv[credConfig.name] = envValue;
+            if (verbose) this.log(`Credential "${label}": injected as env var "${credConfig.name}"`);
+          }
+        }
+      }
+    }
+    this.child = (0, import_node_child_process.spawn)(command, args, { stdio: ["pipe", "pipe", "pipe"], env: childEnv });
     if (!this.child.stdin || !this.child.stdout || !this.child.stderr) {
       throw new Error("Failed to create pipes to child process");
     }
@@ -386,9 +900,8 @@ var ProtectGateway = class {
       this.handleClientMessage(line);
     });
     this.child.on("exit", (code, signal) => {
-      if (this.config.verbose) {
-        this.log(`Child process exited (code=${code}, signal=${signal})`);
-      }
+      if (verbose) this.log(`Child process exited (code=${code}, signal=${signal})`);
+      this.evidenceStore.save();
       process.exit(code ?? 1);
     });
     this.child.on("error", (err) => {
@@ -398,30 +911,18 @@ var ProtectGateway = class {
     process.on("SIGINT", () => this.stop());
     process.on("SIGTERM", () => this.stop());
     process.stdin.on("end", () => {
-      if (this.config.verbose) {
-        this.log("Client stdin closed, closing child stdin");
-      }
-      if (this.child?.stdin?.writable) {
-        this.child.stdin.end();
-      }
+      if (verbose) this.log("Client stdin closed, closing child stdin");
+      if (this.child?.stdin?.writable) this.child.stdin.end();
     });
   }
-  /**
-   * Set the trust tier for this session.
-   * Called at admission (first interaction) or by explicit manifest presentation.
-   */
   setManifest(manifest) {
-    this.admissionResult = evaluateTier(manifest);
+    this.admissionResult = evaluateTier(manifest, { evidenceStore: this.evidenceStore });
     this.currentTier = this.admissionResult.tier;
     if (this.config.verbose) {
-      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"} reason=${this.admissionResult.reason}`);
+      this.log(`Admission: tier=${this.currentTier} agent=${this.admissionResult.agent_id || "none"}`);
     }
     return this.admissionResult;
   }
-  /**
-   * Handle a message from the MCP client (stdin).
-   * Intercept tools/call requests; pass through everything else.
-   */
   handleClientMessage(raw) {
     const trimmed = raw.trim();
     if (!trimmed) return;
@@ -433,25 +934,38 @@ var ProtectGateway = class {
       return;
     }
     if (message.method === "tools/call" && message.id !== void 0) {
-      const result = this.interceptToolCall(message);
-      if (result) {
-        this.sendToClient(JSON.stringify(result));
-        return;
-      }
+      this.interceptToolCallAsync(message, trimmed);
+      return;
     }
     this.sendToChild(trimmed);
   }
-  /**
-   * Handle a message from the wrapped MCP server (child stdout).
-   * Forward to client (stdout) transparently.
-   */
+  async interceptToolCallAsync(request, raw) {
+    const result = await this.interceptToolCall(request);
+    if (result) {
+      this.sendToClient(JSON.stringify(result));
+    } else {
+      const modified = this.injectParamsCredentials(request);
+      this.sendToChild(JSON.stringify(modified));
+    }
+  }
   handleServerMessage(raw) {
     this.sendToClient(raw);
   }
-  /**
-   * Intercept a tools/call request. Returns a JSON-RPC error response if denied, null if allowed.
-   */
-  interceptToolCall(request) {
+  injectParamsCredentials(request) {
+    if (!this.config.credentials) return request;
+    const injections = {};
+    for (const [label, credConfig] of Object.entries(this.config.credentials)) {
+      if (credConfig.inject === "header" || credConfig.inject === "query") {
+        const cred = resolveCredential(label, this.config.credentials);
+        if (cred.resolved && cred.value && cred.name) {
+          injections[cred.name] = cred.value;
+        }
+      }
+    }
+    if (Object.keys(injections).length === 0) return request;
+    return { ...request, params: { ...request.params, _credentials: injections } };
+  }
+  async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
     const toolPolicy = getToolPolicy(toolName, this.config.policy);
@@ -462,54 +976,76 @@ var ProtectGateway = class {
       if (cred.resolved) {
         credentialRef = cred.label;
       } else if (cred.error && !cred.error.includes("not configured")) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "policy_block",
-          request_id: requestId,
-          credential_ref: toolName,
-          tier: this.currentTier
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "credential_error", request_id: requestId, tier: this.currentTier, credential_ref: toolName });
         if (this.config.enforce) {
-          this.log(`Credential error for "${toolName}": ${cred.error}`);
           return this.makeErrorResponse(request.id, -32600, `Credential error for tool "${toolName}"`);
         }
       }
     }
+    if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
+      try {
+        const ctx = buildDecisionContext(toolName, this.currentTier, {
+          agentId: this.admissionResult?.agent_id,
+          manifestHash: this.admissionResult?.manifest_hash,
+          credentialRef,
+          mode,
+          slug: this.config.slug
+        });
+        const externalDecision = await queryExternalPDP(ctx, this.config.policy.external);
+        if (!externalDecision.allowed) {
+          const reason = `external_pdp_deny${externalDecision.reason ? ": " + externalDecision.reason : ""}`;
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by external policy engine`);
+          }
+          if (this.config.policy.policy_engine === "external") return null;
+        }
+      } catch (err) {
+        if (this.config.verbose) this.log(`External PDP error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
     if (toolPolicy.min_tier) {
       if (!meetsMinTier(this.currentTier, toolPolicy.min_tier)) {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "deny",
-          reason_code: "tier_insufficient",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "tier_insufficient", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
         if (this.config.enforce) {
-          return this.makeErrorResponse(
-            request.id,
-            -32600,
-            `Tool "${toolName}" requires tier "${toolPolicy.min_tier}", agent has "${this.currentTier}"`
-          );
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" requires tier "${toolPolicy.min_tier}"`);
         }
         return null;
       }
     }
     if (toolPolicy.block) {
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "deny",
-        reason_code: "policy_block",
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "policy_block", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       if (this.config.enforce) {
         return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" is blocked by policy`);
       }
       return null;
     }
+    if (toolPolicy.require_approval) {
+      const grant = this.approvalStore.get(requestId);
+      const alwaysGrant = this.approvalStore.get(`always:${toolName}`);
+      if (grant && Date.now() < grant.expires_at || alwaysGrant && Date.now() < alwaysGrant.expires_at) {
+        if (grant && grant.mode === "once") this.approvalStore.delete(requestId);
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "approval_granted", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      }
+      this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: {
+            content: [
+              {
+                type: "text",
+                text: `REQUIRES_APPROVAL: The tool "${toolName}" requires human approval before execution. Request ID: ${requestId}. Approval nonce: ${this.approvalNonce}. Tell the user you need their approval to use "${toolName}" and will retry when granted. Do NOT retry this tool call until the user explicitly approves it.`
+              }
+            ],
+            isError: true
+          }
+        };
+      }
+      return null;
+    }
     const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
     if (rateSpec) {
       try {
@@ -517,59 +1053,22 @@ var ProtectGateway = class {
         const key = `tool:${toolName}:${this.currentTier}`;
         const { allowed, remaining } = checkRateLimit(key, limit, this.rateLimitStore);
         if (!allowed) {
-          this.emitDecisionLog({
-            tool: toolName,
-            decision: "deny",
-            reason_code: "rate_limit_exceeded",
-            request_id: requestId,
-            rate_limit_remaining: 0,
-            tier: this.currentTier,
-            credential_ref: credentialRef
-          });
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "rate_limit_exceeded", request_id: requestId, rate_limit_remaining: 0, tier: this.currentTier, credential_ref: credentialRef });
           if (this.config.enforce) {
-            return this.makeErrorResponse(
-              request.id,
-              -32600,
-              `Tool "${toolName}" rate limit exceeded (${rateSpec})`
-            );
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" rate limit exceeded (${rateSpec})`);
           }
           return null;
         }
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "policy_allow",
-          request_id: requestId,
-          rate_limit_remaining: remaining,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "policy_allow", request_id: requestId, rate_limit_remaining: remaining, tier: this.currentTier, credential_ref: credentialRef });
       } catch {
-        this.emitDecisionLog({
-          tool: toolName,
-          decision: "allow",
-          reason_code: "default_allow",
-          request_id: requestId,
-          tier: this.currentTier,
-          credential_ref: credentialRef
-        });
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "default_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
       }
     } else {
       const reasonCode = this.config.enforce ? "policy_allow" : "observe_mode";
-      this.emitDecisionLog({
-        tool: toolName,
-        decision: "allow",
-        reason_code: reasonCode,
-        request_id: requestId,
-        tier: this.currentTier,
-        credential_ref: credentialRef
-      });
+      this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: reasonCode, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
     }
     return null;
   }
-  /**
-   * Get the applicable rate limit spec based on the agent's tier.
-   */
   getTierRateLimit(policy, tier) {
     if (policy.rate_limits && policy.rate_limits[tier]) {
       const tierLimit = policy.rate_limits[tier];
@@ -577,10 +1076,6 @@ var ProtectGateway = class {
     }
     return policy.rate_limit;
   }
-  /**
-   * Emit a structured decision log to stderr.
-   * If signing is enabled, also emits a signed artifact.
-   */
   emitDecisionLog(entry) {
     const mode = this.config.enforce ? "enforce" : "shadow";
     const log = {
@@ -599,55 +1094,48 @@ var ProtectGateway = class {
     };
     process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
 `);
+    try {
+      (0, import_node_fs5.appendFileSync)(this.logFilePath, JSON.stringify(log) + "\n");
+    } catch {
+    }
     if (isSigningEnabled()) {
       const signed = signDecision(log);
       if (signed.signed) {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
+        try {
+          (0, import_node_fs5.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
+        } catch {
+        }
+        this.receiptBuffer.add(log.request_id, signed.signed);
+        if (this.admissionResult?.agent_id) {
+          this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");
+          if (this.evidenceStore.getSummary(this.admissionResult.agent_id).receipt_count % 10 === 0) {
+            this.evidenceStore.save();
+          }
+        }
       } else if (signed.warning) {
         process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
 `);
       }
     }
   }
-  /**
-   * Create a JSON-RPC error response.
-   */
   makeErrorResponse(id, code, message) {
-    return {
-      jsonrpc: "2.0",
-      id,
-      error: { code, message }
-    };
+    return { jsonrpc: "2.0", id, error: { code, message } };
   }
-  /**
-   * Send a message to the child process (wrapped MCP server).
-   */
   sendToChild(message) {
-    if (this.child?.stdin?.writable) {
-      this.child.stdin.write(message + "\n");
-    }
+    if (this.child?.stdin?.writable) this.child.stdin.write(message + "\n");
   }
-  /**
-   * Send a message to the MCP client (stdout).
-   */
   sendToClient(message) {
     process.stdout.write(message + "\n");
   }
-  /**
-   * Log a message to stderr (debug output).
-   */
   log(message) {
     process.stderr.write(`[PROTECT_MCP] ${message}
 `);
   }
-  /**
-   * Stop the gateway: kill child process and exit.
-   */
   stop() {
-    if (this.clientReader) {
-      this.clientReader.close();
-    }
+    this.evidenceStore.save();
+    if (this.clientReader) this.clientReader.close();
     if (this.child) {
       this.child.kill("SIGTERM");
       this.child = null;
@@ -656,128 +1144,6 @@ var ProtectGateway = class {
   }
 };
 
-// src/external-pdp.ts
-async function queryExternalPDP(context, config) {
-  const timeout = config.timeout_ms || 500;
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeout);
-  try {
-    const body = formatRequest(context, config.format || "generic");
-    const response = await fetch(config.endpoint, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    clearTimeout(timer);
-    if (!response.ok) {
-      return fallbackDecision(config, `PDP returned HTTP ${response.status}`);
-    }
-    const result = await response.json();
-    return parseResponse(result, config.format || "generic");
-  } catch (err) {
-    clearTimeout(timer);
-    if (err instanceof Error && err.name === "AbortError") {
-      return fallbackDecision(config, `PDP timeout after ${timeout}ms`);
-    }
-    return fallbackDecision(config, `PDP error: ${err instanceof Error ? err.message : "unknown"}`);
-  }
-}
-function formatRequest(context, format) {
-  switch (format) {
-    case "opa":
-      return {
-        input: {
-          actor: context.actor,
-          action: context.action,
-          target: context.target,
-          credential_ref: context.credential_ref,
-          mode: context.mode,
-          metadata: context.request_metadata
-        }
-      };
-    case "cerbos":
-      return {
-        principal: {
-          id: context.actor.id || "unknown",
-          roles: [context.actor.tier],
-          attr: {
-            manifest_hash: context.actor.manifest_hash
-          }
-        },
-        resource: {
-          kind: "tool",
-          id: context.action.tool,
-          attr: context.target
-        },
-        actions: [context.action.operation || "call"]
-      };
-    case "generic":
-    default:
-      return context;
-  }
-}
-function parseResponse(result, format) {
-  switch (format) {
-    case "opa":
-      if (typeof result.result === "boolean") {
-        return { allowed: result.result };
-      }
-      if (result.result && typeof result.result === "object") {
-        const r = result.result;
-        return {
-          allowed: Boolean(r.allow),
-          reason: r.reason,
-          metadata: r
-        };
-      }
-      return { allowed: false, reason: "unrecognized OPA response" };
-    case "cerbos":
-      if (Array.isArray(result.results) && result.results.length > 0) {
-        const actions = result.results[0].actions;
-        if (actions) {
-          const effect = Object.values(actions)[0];
-          return { allowed: effect === "EFFECT_ALLOW" };
-        }
-      }
-      return { allowed: false, reason: "unrecognized Cerbos response" };
-    case "generic":
-    default:
-      return {
-        allowed: Boolean(result.allowed),
-        reason: result.reason,
-        metadata: result.metadata
-      };
-  }
-}
-function fallbackDecision(config, reason) {
-  const fallback = config.fallback || "deny";
-  return {
-    allowed: fallback === "allow",
-    reason: `fallback_${fallback}: ${reason}`
-  };
-}
-function buildDecisionContext(toolName, tier, opts) {
-  return {
-    v: 1,
-    actor: {
-      id: opts.agentId,
-      tier,
-      manifest_hash: opts.manifestHash
-    },
-    action: {
-      tool: toolName,
-      operation: "call"
-    },
-    target: {
-      service: opts.slug || "default"
-    },
-    credential_ref: opts.credentialRef,
-    mode: opts.mode,
-    request_metadata: opts.requestMetadata || {}
-  };
-}
-
 // src/bundle.ts
 function createAuditBundle(opts) {
   const receipts = opts.receipts.filter(