protect-mcp 0.3.0 → 0.3.1

package/dist/cli.mjs

@@ -4,7 +4,7 @@ import {
   initSigning,
   loadPolicy,
   validateCredentials
-} from "./chunk-3WCA7O4D.mjs";
+} from "./chunk-U7TMVD3E.mjs";
 
 // src/cli.ts
 function printHelp() {
@@ -16,6 +16,9 @@ Usage:
   protect-mcp init [--dir <path>]
   protect-mcp demo
   protect-mcp status [--dir <path>]
+  protect-mcp digest [--today] [--dir <path>]
+  protect-mcp receipts [--last <n>] [--dir <path>]
+  protect-mcp bundle [--output <path>] [--dir <path>]
 
 Options:
   --policy <path>   Policy/config JSON file (default: allow-all)
@@ -28,6 +31,9 @@ Commands:
   init              Generate config template, Ed25519 keypair, and sample policy
   demo              Start a demo server wrapped with protect-mcp (see receipts instantly)
   status            Show tool call statistics from the local decision log
+  digest            Generate a human-readable summary of agent activity
+  receipts          Show recent persisted signed receipts
+  bundle            Export an offline-verifiable audit bundle
 
 Examples:
   protect-mcp -- node my-server.js
@@ -36,6 +42,9 @@ Examples:
   protect-mcp init
   protect-mcp demo
   protect-mcp status
+  protect-mcp digest --today
+  protect-mcp receipts --last 10
+  protect-mcp bundle --output audit.json
 
 `);
 }
@@ -196,11 +205,10 @@ Add --enforce when ready to block policy violations.
 }
 async function handleDemo() {
   const { existsSync } = await import("fs");
-  const { join, dirname } = await import("path");
-  const { fileURLToPath } = await import("url");
-  const __filename = fileURLToPath(import.meta.url);
-  const __dirname = dirname(__filename);
-  const demoServerPath = join(__dirname, "demo-server.js");
+  const { join, dirname, resolve } = await import("path");
+  const cliPath = resolve(process.argv[1] || "dist/cli.js");
+  const cliDir = dirname(cliPath);
+  const demoServerPath = join(cliDir, "demo-server.js");
   const configPath = join(process.cwd(), "protect-mcp.json");
   const hasConfig = existsSync(configPath);
   if (!hasConfig) {
@@ -385,6 +393,27 @@ ${bold("protect-mcp status")}
     } catch {
     }
   }
+  const keyPath = join(dir, "keys", "gateway.json");
+  if (existsSync(keyPath)) {
+    try {
+      const keyData = JSON.parse(readFileSync(keyPath, "utf-8"));
+      if (keyData.publicKey) {
+        const fingerprint = keyData.publicKey.slice(0, 16) + "...";
+        process.stdout.write(`
+  ${bold("\u{1F6E1}\uFE0F Passport identity:")}
+`);
+        process.stdout.write(`    Public key:  ${fingerprint}
+`);
+        if (keyData.kid) process.stdout.write(`    Key ID:      ${keyData.kid}
+`);
+        process.stdout.write(`    Issuer:      ${keyData.issuer || "protect-mcp"}
+`);
+        process.stdout.write(`    Verify:      ${dim("npx @veritasacta/verify <receipt.json>")}
+`);
+      }
+    } catch {
+    }
+  }
   process.stdout.write(`
   Log file: ${dim(logPath)}
 
@@ -405,6 +434,186 @@ function red(s) {
 function yellow(s) {
   return process.env.NO_COLOR ? s : `\x1B[33m${s}\x1B[0m`;
 }
+async function handleDigest(argv) {
+  const { readFileSync, existsSync } = await import("fs");
+  const { join } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const today = argv.includes("--today");
+  const logPath = join(dir, ".protect-mcp-log.jsonl");
+  if (!existsSync(logPath)) {
+    process.stderr.write(`${bold("protect-mcp digest")}
+
+No log file found. Run protect-mcp first.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync(logPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  let entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  if (today) {
+    const todayStart = /* @__PURE__ */ new Date();
+    todayStart.setHours(0, 0, 0, 0);
+    entries = entries.filter((e) => e.timestamp >= todayStart.getTime());
+  }
+  if (entries.length === 0) {
+    process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Agent Digest")}
+
+  No activity${today ? " today" : ""}.
+
+`);
+    process.exit(0);
+  }
+  const allowed = entries.filter((e) => e.decision === "allow").length;
+  const denied = entries.filter((e) => e.decision === "deny").length;
+  const approvalRequired = entries.filter((e) => e.decision === "require_approval").length;
+  const toolUsage = /* @__PURE__ */ new Map();
+  for (const e of entries) {
+    toolUsage.set(e.tool, (toolUsage.get(e.tool) || 0) + 1);
+  }
+  const sortedTools = [...toolUsage.entries()].sort((a, b) => b[1] - a[1]);
+  const currentTier = entries[entries.length - 1]?.tier || "unknown";
+  const firstTime = new Date(Math.min(...entries.map((e) => e.timestamp)));
+  const lastTime = new Date(Math.max(...entries.map((e) => e.timestamp)));
+  const durationMs = lastTime.getTime() - firstTime.getTime();
+  const durationStr = durationMs < 6e4 ? `${Math.round(durationMs / 1e3)}s` : durationMs < 36e5 ? `${Math.round(durationMs / 6e4)}m` : `${(durationMs / 36e5).toFixed(1)}h`;
+  process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Agent Daily Digest")}
+
+`);
+  process.stdout.write(`  \u{1F4CA} ${bold(String(entries.length))} actions | `);
+  process.stdout.write(`${green("\u2713 " + allowed)} allowed | `);
+  process.stdout.write(`${red("\u2717 " + denied)} blocked`);
+  if (approvalRequired > 0) process.stdout.write(` | ${yellow("\u23F3 " + approvalRequired)} awaiting approval`);
+  process.stdout.write(`
+`);
+  process.stdout.write(`  \u{1F3C5} Trust tier: ${bold(currentTier)} | \u23F1 Active: ${durationStr}
+
+`);
+  process.stdout.write(`  ${bold("Tools used:")}
+`);
+  for (const [tool, count] of sortedTools.slice(0, 8)) {
+    process.stdout.write(`    ${tool.padEnd(22)} ${count}x
+`);
+  }
+  if (denied > 0) {
+    const deniedTools = entries.filter((e) => e.decision === "deny");
+    const deniedToolNames = [...new Set(deniedTools.map((e) => e.tool))];
+    process.stdout.write(`
+  ${bold(red("Blocked tools:"))}
+`);
+    for (const tool of deniedToolNames) {
+      const reason = deniedTools.find((e) => e.tool === tool)?.reason_code || "policy";
+      process.stdout.write(`    ${red("\u2717")} ${tool} (${reason})
+`);
+    }
+  }
+  process.stdout.write(`
+  ${dim("Latest receipt: curl -s http://127.0.0.1:9876/receipts/latest | jq -r .receipt > receipt.json")}
+`);
+  process.stdout.write(`  ${dim("Verify: npx @veritasacta/verify receipt.json --key <public-key-hex>")}
+`);
+  process.stdout.write(`  ${dim("Export: npx protect-mcp bundle --output audit.json")}
+
+`);
+}
+async function handleReceipts(argv) {
+  const { readFileSync, existsSync } = await import("fs");
+  const { join } = await import("path");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const lastIdx = argv.indexOf("--last");
+  const count = lastIdx !== -1 && argv[lastIdx + 1] ? parseInt(argv[lastIdx + 1], 10) : 20;
+  const receiptsPath = join(dir, ".protect-mcp-receipts.jsonl");
+  if (!existsSync(receiptsPath)) {
+    process.stderr.write(`${bold("protect-mcp receipts")}
+
+No signed receipt file found. Run protect-mcp with signing enabled first.
+`);
+    process.exit(0);
+  }
+  const raw = readFileSync(receiptsPath, "utf-8");
+  const lines = raw.trim().split("\n").filter(Boolean);
+  const recent = lines.slice(-count);
+  process.stdout.write(`
+${bold("\u{1F6E1}\uFE0F Recent Receipts")} (last ${recent.length})
+
+`);
+  for (const line of recent) {
+    try {
+      const entry = JSON.parse(line);
+      const payload = entry.payload || {};
+      const time = typeof entry.issued_at === "string" ? new Date(entry.issued_at).toLocaleTimeString() : "unknown";
+      const decision = payload.decision || "unknown";
+      const icon = decision === "allow" ? green("\u2713") : decision === "require_approval" ? yellow("\u23F3") : red("\u2717");
+      process.stdout.write(`  ${dim(time)} ${icon} ${String(payload.tool || "unknown").padEnd(22)} ${String(entry.type || "receipt").padEnd(18)} ${dim(String(payload.reason_code || "signed"))}
+`);
+    } catch {
+    }
+  }
+  process.stdout.write(`
+`);
+}
+async function handleBundle(argv) {
+  const { readFileSync, writeFileSync, existsSync } = await import("fs");
+  const { join } = await import("path");
+  const { createAuditBundle } = await import("./bundle-TXOTFJIJ.mjs");
+  let dir = process.cwd();
+  const dirIdx = argv.indexOf("--dir");
+  if (dirIdx !== -1 && argv[dirIdx + 1]) dir = argv[dirIdx + 1];
+  const outputIdx = argv.indexOf("--output");
+  const outputPath = outputIdx !== -1 && argv[outputIdx + 1] ? argv[outputIdx + 1] : join(dir, "audit-bundle.json");
+  const receiptsPath = join(dir, ".protect-mcp-receipts.jsonl");
+  const keyPath = join(dir, "keys", "gateway.json");
+  if (!existsSync(receiptsPath)) {
+    process.stderr.write(`${bold("protect-mcp bundle")}
+
+No signed receipt file found. Run protect-mcp with signing enabled first.
+`);
+    process.exit(0);
+  }
+  if (!existsSync(keyPath)) {
+    process.stderr.write(`${bold("protect-mcp bundle")}
+
+No key file found at ${keyPath}
+`);
+    process.exit(1);
+  }
+  const receipts = readFileSync(receiptsPath, "utf-8").trim().split("\n").filter(Boolean).map((line) => JSON.parse(line));
+  const keyData = JSON.parse(readFileSync(keyPath, "utf-8"));
+  const bundle = createAuditBundle({
+    tenant: keyData.issuer || "protect-mcp",
+    receipts,
+    signingKeys: [{
+      kty: "OKP",
+      crv: "Ed25519",
+      kid: keyData.kid || "unknown",
+      x: Buffer.from(keyData.publicKey, "hex").toString("base64url"),
+      use: "sig"
+    }]
+  });
+  writeFileSync(outputPath, JSON.stringify(bundle, null, 2) + "\n");
+  process.stdout.write(`
+${bold("protect-mcp bundle")}
+
+`);
+  process.stdout.write(`  Receipts: ${receipts.length}
+`);
+  process.stdout.write(`  Output:   ${outputPath}
+`);
+  process.stdout.write(`  Verify:   npx @veritasacta/verify ${outputPath} --bundle
+
+`);
+}
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
@@ -423,6 +632,18 @@ async function main() {
     await handleStatus(args.slice(1));
     process.exit(0);
   }
+  if (args[0] === "digest") {
+    await handleDigest(args.slice(1));
+    process.exit(0);
+  }
+  if (args[0] === "receipts") {
+    await handleReceipts(args.slice(1));
+    process.exit(0);
+  }
+  if (args[0] === "bundle") {
+    await handleBundle(args.slice(1));
+    process.exit(0);
+  }
   const { policyPath, slug, enforce, verbose, childCommand } = parseArgs(args);
   let policy = null;
   let policyDigest = "none";

package/dist/index.d.mts

@@ -21,6 +21,8 @@ interface ToolPolicy {
     rate_limit?: string;
     /** Explicitly block this tool */
     block?: boolean;
+    /** Require human approval before executing (non-blocking: returns MCP error for LLM to suspend) */
+    require_approval?: boolean;
     /** Minimum trust tier required for this tool (v2) */
     min_tier?: TrustTier;
     /** Tier-specific rate limits (v2) */
@@ -113,7 +115,7 @@ interface DecisionLog {
     /** Tool name that was called */
     tool: string;
     /** Decision: allow or deny */
-    decision: 'allow' | 'deny';
+    decision: 'allow' | 'deny' | 'require_approval';
     /** Why this decision was made */
     reason_code: string;
     /** SHA-256 digest of the canonicalized policy file */
@@ -284,8 +286,13 @@ declare class ProtectGateway {
     private rateLimitStore;
     private clientReader;
     private logFilePath;
+    private receiptFilePath;
     private evidenceStore;
     private receiptBuffer;
+    /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+    private approvalStore;
+    /** Random nonce generated at startup — required for approval endpoint authentication */
+    private readonly approvalNonce;
     private currentTier;
     private admissionResult;
     constructor(config: ProtectConfig);

package/dist/index.d.ts

@@ -21,6 +21,8 @@ interface ToolPolicy {
     rate_limit?: string;
     /** Explicitly block this tool */
     block?: boolean;
+    /** Require human approval before executing (non-blocking: returns MCP error for LLM to suspend) */
+    require_approval?: boolean;
     /** Minimum trust tier required for this tool (v2) */
     min_tier?: TrustTier;
     /** Tier-specific rate limits (v2) */
@@ -113,7 +115,7 @@ interface DecisionLog {
     /** Tool name that was called */
     tool: string;
     /** Decision: allow or deny */
-    decision: 'allow' | 'deny';
+    decision: 'allow' | 'deny' | 'require_approval';
     /** Why this decision was made */
     reason_code: string;
     /** SHA-256 digest of the canonicalized policy file */
@@ -284,8 +286,13 @@ declare class ProtectGateway {
     private rateLimitStore;
     private clientReader;
     private logFilePath;
+    private receiptFilePath;
     private evidenceStore;
     private receiptBuffer;
+    /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+    private approvalStore;
+    /** Random nonce generated at startup — required for approval endpoint authentication */
+    private readonly approvalNonce;
     private currentTier;
     private admissionResult;
     constructor(config: ProtectConfig);

package/dist/index.js

@@ -402,8 +402,8 @@ async function initSigning(config) {
       signerState = {
         privateKey: keyData.privateKey,
         publicKey: keyData.publicKey,
-        kid: artifactsModule.computeKid(keyData.publicKey),
-        issuer: config.issuer || "protect-mcp"
+        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || keyData.issuer || "protect-mcp"
       };
     } catch (err) {
       warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
@@ -615,13 +615,16 @@ var ReceiptBuffer = class {
   count() {
     return this.receipts.length;
   }
+  getLatest() {
+    return this.receipts.length > 0 ? this.receipts[this.receipts.length - 1] : void 0;
+  }
 };
-function startStatusServer(config, receiptBuffer) {
+function startStatusServer(config, receiptBuffer, approvalStore, approvalNonce) {
   const startTime = Date.now();
   const logDir = process.cwd();
   const server = (0, import_node_http.createServer)((req, res) => {
     res.setHeader("Access-Control-Allow-Origin", "*");
-    res.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type");
     res.setHeader("Content-Type", "application/json");
     if (req.method === "OPTIONS") {
@@ -638,18 +641,30 @@ function startStatusServer(config, receiptBuffer) {
         handleStatus(res, logDir);
       } else if (path === "/receipts") {
         handleReceipts(res, receiptBuffer, url);
+      } else if (path === "/receipts/latest") {
+        handleReceiptLatest(res, receiptBuffer);
       } else if (path.startsWith("/receipts/")) {
         const id = path.slice("/receipts/".length);
         handleReceiptById(res, receiptBuffer, id);
+      } else if (path === "/approve" && req.method === "POST") {
+        handleApprove(req, res, approvalStore, approvalNonce);
+      } else if (path === "/approvals" && req.method === "GET") {
+        handleListApprovals(res, approvalStore);
       } else {
         res.writeHead(404);
-        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/:id"] }));
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/latest", "/receipts/:id", "/approve", "/approvals"] }));
       }
     } catch (err) {
       res.writeHead(500);
       res.end(JSON.stringify({ error: "internal_error" }));
     }
   });
+  server.on("error", (err) => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server error: ${err.message}
+`);
+    }
+  });
   server.listen(config.port, "127.0.0.1", () => {
     if (config.verbose) {
       process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
@@ -665,7 +680,7 @@ function handleHealth(res, startTime, config) {
     status: "ok",
     uptime_ms: Date.now() - startTime,
     mode: config.mode,
-    version: "0.3.0"
+    version: "0.3.1"
   }));
 }
 function handleStatus(res, logDir) {
@@ -714,6 +729,16 @@ function handleReceipts(res, buffer, url) {
     receipts
   }));
 }
+function handleReceiptLatest(res, buffer) {
+  const latest = buffer.getLatest();
+  if (!latest) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "no_receipts", message: "No receipts yet. Make a tool call through protect-mcp first." }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(latest));
+}
 function handleReceiptById(res, buffer, id) {
   const receipt = buffer.getById(id);
   if (!receipt) {
@@ -724,22 +749,92 @@ function handleReceiptById(res, buffer, id) {
   res.writeHead(200);
   res.end(JSON.stringify(receipt));
 }
+function handleApprove(req, res, approvalStore, expectedNonce) {
+  if (!approvalStore) {
+    res.writeHead(503);
+    res.end(JSON.stringify({ error: "approval_store_not_available" }));
+    return;
+  }
+  let body = "";
+  req.on("data", (chunk) => {
+    body += chunk.toString();
+  });
+  req.on("end", () => {
+    try {
+      const { request_id, tool, mode, nonce } = JSON.parse(body);
+      if (expectedNonce && nonce !== expectedNonce) {
+        res.writeHead(403);
+        res.end(JSON.stringify({ error: "invalid_nonce", message: "Approval nonce does not match. Check stderr output for the correct nonce." }));
+        return;
+      }
+      if (!tool || typeof tool !== "string") {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "missing_tool", usage: '{"request_id":"abc123","tool":"send_email","mode":"once|always","nonce":"..."}' }));
+        return;
+      }
+      const grantMode = mode === "always" ? "always" : "once";
+      const ttlMs = grantMode === "once" ? 5 * 60 * 1e3 : 24 * 60 * 60 * 1e3;
+      const grantEntry = { tool, mode: grantMode, expires_at: Date.now() + ttlMs };
+      if (grantMode === "always") {
+        approvalStore.set(`always:${tool}`, grantEntry);
+      } else if (request_id) {
+        approvalStore.set(request_id, grantEntry);
+      } else {
+        approvalStore.set(tool, grantEntry);
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        approved: true,
+        request_id: request_id || null,
+        tool,
+        mode: grantMode,
+        expires_in_seconds: ttlMs / 1e3
+      }));
+    } catch {
+      res.writeHead(400);
+      res.end(JSON.stringify({ error: "invalid_json", usage: '{"request_id":"abc123","tool":"send_email","mode":"once","nonce":"..."}' }));
+    }
+  });
+}
+function handleListApprovals(res, approvalStore) {
+  if (!approvalStore) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ grants: [] }));
+    return;
+  }
+  const now = Date.now();
+  const grants = [];
+  for (const [key, grant] of approvalStore) {
+    if (now < grant.expires_at) {
+      grants.push({ key, tool: grant.tool, mode: grant.mode, expires_in_seconds: Math.round((grant.expires_at - now) / 1e3) });
+    }
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({ grants }));
+}
 
 // src/gateway.ts
 var LOG_FILE2 = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
 var ProtectGateway = class {
   child = null;
   config;
   rateLimitStore = /* @__PURE__ */ new Map();
   clientReader = null;
   logFilePath;
+  receiptFilePath;
   evidenceStore;
   receiptBuffer;
+  /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+  approvalStore = /* @__PURE__ */ new Map();
+  /** Random nonce generated at startup — required for approval endpoint authentication */
+  approvalNonce = (0, import_node_crypto2.randomBytes)(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
   constructor(config) {
     this.config = config;
     this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = (0, import_node_path3.join)(process.cwd(), RECEIPTS_FILE);
     this.evidenceStore = new EvidenceStore();
     this.receiptBuffer = new ReceiptBuffer();
   }
@@ -763,12 +858,15 @@ var ProtectGateway = class {
         this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
       }
     }
+    this.log(`Approval nonce: ${this.approvalNonce}`);
     const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
     if (httpPort > 0) {
       try {
         startStatusServer(
           { port: httpPort, mode, verbose },
-          this.receiptBuffer
+          this.receiptBuffer,
+          this.approvalStore,
+          this.approvalNonce
         );
       } catch {
         if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
@@ -922,6 +1020,32 @@ var ProtectGateway = class {
       }
       return null;
     }
+    if (toolPolicy.require_approval) {
+      const grant = this.approvalStore.get(requestId);
+      const alwaysGrant = this.approvalStore.get(`always:${toolName}`);
+      if (grant && Date.now() < grant.expires_at || alwaysGrant && Date.now() < alwaysGrant.expires_at) {
+        if (grant && grant.mode === "once") this.approvalStore.delete(requestId);
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "approval_granted", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      }
+      this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: {
+            content: [
+              {
+                type: "text",
+                text: `REQUIRES_APPROVAL: The tool "${toolName}" requires human approval before execution. Request ID: ${requestId}. Approval nonce: ${this.approvalNonce}. Tell the user you need their approval to use "${toolName}" and will retry when granted. Do NOT retry this tool call until the user explicitly approves it.`
+              }
+            ],
+            isError: true
+          }
+        };
+      }
+      return null;
+    }
     const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
     if (rateSpec) {
       try {
@@ -979,6 +1103,10 @@ var ProtectGateway = class {
       if (signed.signed) {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
+        try {
+          (0, import_node_fs5.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
+        } catch {
+        }
         this.receiptBuffer.add(log.request_id, signed.signed);
         if (this.admissionResult?.agent_id) {
           this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");

package/dist/index.mjs

@@ -15,56 +15,11 @@ import {
   resolveCredential,
   signDecision,
   validateCredentials
-} from "./chunk-3WCA7O4D.mjs";
-
-// src/bundle.ts
-function createAuditBundle(opts) {
-  const receipts = opts.receipts.filter(
-    (r) => r && typeof r === "object" && typeof r.signature === "string"
-  );
-  if (receipts.length === 0) {
-    throw new Error("Audit bundle requires at least one signed receipt");
-  }
-  const keyMap = /* @__PURE__ */ new Map();
-  for (const key of opts.signingKeys) {
-    if (!keyMap.has(key.kid)) {
-      keyMap.set(key.kid, key);
-    }
-  }
-  let timeRange = opts.timeRange || null;
-  if (!timeRange) {
-    const timestamps = receipts.map((r) => r.issued_at || r.timestamp).filter(Boolean).sort();
-    if (timestamps.length > 0) {
-      timeRange = {
-        from: timestamps[0],
-        to: timestamps[timestamps.length - 1]
-      };
-    }
-  }
-  return {
-    format: "scopeblind:audit-bundle",
-    version: 1,
-    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
-    tenant: opts.tenant,
-    time_range: timeRange,
-    receipts,
-    anchors: opts.anchors || [],
-    verification: {
-      algorithm: "ed25519",
-      signing_keys: Array.from(keyMap.values()),
-      instructions: `Verify each receipt by: (1) remove the "signature" field, (2) canonicalize the remaining object with JCS (sorted keys at every level), (3) encode as UTF-8 bytes, (4) verify the Ed25519 signature using the signing key matching the receipt's "kid" field. CLI: npx @veritasacta/verify bundle.json --bundle`
-    }
-  };
-}
-function collectSignedReceipts(logs) {
-  return logs.filter((log) => log.v === 2).map((log) => {
-    const logRecord = log;
-    if (logRecord.receipt) {
-      return logRecord.receipt;
-    }
-    return logRecord;
-  }).filter((r) => typeof r.signature === "string");
-}
+} from "./chunk-U7TMVD3E.mjs";
+import {
+  collectSignedReceipts,
+  createAuditBundle
+} from "./chunk-5JXFV37Y.mjs";
 
 // src/manifest.ts
 function isAgentId(s) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "protect-mcp",
-  "version": "0.3.0",
-  "description": "Security gateway for MCP servers. Shadow-mode logs by default, per-tool policies, trust-tier gating, credential isolation, BYOPE (OPA/Cerbos), signed receipts, offline verification.",
+  "version": "0.3.1",
+  "description": "Security gateway for MCP servers. Shadow-mode logs, per-tool policies, optional local Ed25519-signed receipts. Programmatic hooks for trust tiers, credential config, and external policy engines.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "module": "dist/index.mjs",