protect-mcp 0.3.0 → 0.3.2

package/dist/index.js

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -36,6 +26,9 @@ __export(index_exports, {
   collectSignedReceipts: () => collectSignedReceipts,
   createAuditBundle: () => createAuditBundle,
   evaluateTier: () => evaluateTier,
+  formatReportMarkdown: () => formatReportMarkdown,
+  formatSimulation: () => formatSimulation,
+  generateReport: () => generateReport,
   getSignerInfo: () => getSignerInfo,
   getToolPolicy: () => getToolPolicy,
   initSigning: () => initSigning,
@@ -47,10 +40,12 @@ __export(index_exports, {
   listCredentialLabels: () => listCredentialLabels,
   loadPolicy: () => loadPolicy,
   meetsMinTier: () => meetsMinTier,
+  parseLogFile: () => parseLogFile,
   parseRateLimit: () => parseRateLimit,
   queryExternalPDP: () => queryExternalPDP,
   resolveCredential: () => resolveCredential,
   signDecision: () => signDecision,
+  simulate: () => simulate,
   validateCredentials: () => validateCredentials,
   validateEvidenceReceipt: () => validateEvidenceReceipt,
   validateManifest: () => validateManifest
@@ -383,7 +378,11 @@ async function initSigning(config) {
     return warnings;
   }
   try {
-    artifactsModule = await import("@veritasacta/artifacts");
+    const moduleName = "@veritasacta/artifacts";
+    artifactsModule = await import(
+      /* @vite-ignore */
+      moduleName
+    );
   } catch {
     warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
     return warnings;
@@ -402,8 +401,8 @@ async function initSigning(config) {
       signerState = {
         privateKey: keyData.privateKey,
         publicKey: keyData.publicKey,
-        kid: artifactsModule.computeKid(keyData.publicKey),
-        issuer: config.issuer || "protect-mcp"
+        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+        issuer: config.issuer || keyData.issuer || "protect-mcp"
       };
     } catch (err) {
       warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
@@ -615,13 +614,16 @@ var ReceiptBuffer = class {
   count() {
     return this.receipts.length;
   }
+  getLatest() {
+    return this.receipts.length > 0 ? this.receipts[this.receipts.length - 1] : void 0;
+  }
 };
-function startStatusServer(config, receiptBuffer) {
+function startStatusServer(config, receiptBuffer, approvalStore, approvalNonce) {
   const startTime = Date.now();
   const logDir = process.cwd();
   const server = (0, import_node_http.createServer)((req, res) => {
     res.setHeader("Access-Control-Allow-Origin", "*");
-    res.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type");
     res.setHeader("Content-Type", "application/json");
     if (req.method === "OPTIONS") {
@@ -638,18 +640,30 @@ function startStatusServer(config, receiptBuffer) {
         handleStatus(res, logDir);
       } else if (path === "/receipts") {
         handleReceipts(res, receiptBuffer, url);
+      } else if (path === "/receipts/latest") {
+        handleReceiptLatest(res, receiptBuffer);
       } else if (path.startsWith("/receipts/")) {
         const id = path.slice("/receipts/".length);
         handleReceiptById(res, receiptBuffer, id);
+      } else if (path === "/approve" && req.method === "POST") {
+        handleApprove(req, res, approvalStore, approvalNonce);
+      } else if (path === "/approvals" && req.method === "GET") {
+        handleListApprovals(res, approvalStore);
       } else {
         res.writeHead(404);
-        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/:id"] }));
+        res.end(JSON.stringify({ error: "not_found", endpoints: ["/health", "/status", "/receipts", "/receipts/latest", "/receipts/:id", "/approve", "/approvals"] }));
       }
     } catch (err) {
       res.writeHead(500);
       res.end(JSON.stringify({ error: "internal_error" }));
     }
   });
+  server.on("error", (err) => {
+    if (config.verbose) {
+      process.stderr.write(`[PROTECT_MCP] HTTP status server error: ${err.message}
+`);
+    }
+  });
   server.listen(config.port, "127.0.0.1", () => {
     if (config.verbose) {
       process.stderr.write(`[PROTECT_MCP] HTTP status server listening on http://127.0.0.1:${config.port}
@@ -665,7 +679,7 @@ function handleHealth(res, startTime, config) {
     status: "ok",
     uptime_ms: Date.now() - startTime,
     mode: config.mode,
-    version: "0.3.0"
+    version: "0.3.1"
   }));
 }
 function handleStatus(res, logDir) {
@@ -714,6 +728,16 @@ function handleReceipts(res, buffer, url) {
     receipts
   }));
 }
+function handleReceiptLatest(res, buffer) {
+  const latest = buffer.getLatest();
+  if (!latest) {
+    res.writeHead(404);
+    res.end(JSON.stringify({ error: "no_receipts", message: "No receipts yet. Make a tool call through protect-mcp first." }));
+    return;
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify(latest));
+}
 function handleReceiptById(res, buffer, id) {
   const receipt = buffer.getById(id);
   if (!receipt) {
@@ -724,22 +748,92 @@ function handleReceiptById(res, buffer, id) {
   res.writeHead(200);
   res.end(JSON.stringify(receipt));
 }
+function handleApprove(req, res, approvalStore, expectedNonce) {
+  if (!approvalStore) {
+    res.writeHead(503);
+    res.end(JSON.stringify({ error: "approval_store_not_available" }));
+    return;
+  }
+  let body = "";
+  req.on("data", (chunk) => {
+    body += chunk.toString();
+  });
+  req.on("end", () => {
+    try {
+      const { request_id, tool, mode, nonce } = JSON.parse(body);
+      if (expectedNonce && nonce !== expectedNonce) {
+        res.writeHead(403);
+        res.end(JSON.stringify({ error: "invalid_nonce", message: "Approval nonce does not match. Check stderr output for the correct nonce." }));
+        return;
+      }
+      if (!tool || typeof tool !== "string") {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "missing_tool", usage: '{"request_id":"abc123","tool":"send_email","mode":"once|always","nonce":"..."}' }));
+        return;
+      }
+      const grantMode = mode === "always" ? "always" : "once";
+      const ttlMs = grantMode === "once" ? 5 * 60 * 1e3 : 24 * 60 * 60 * 1e3;
+      const grantEntry = { tool, mode: grantMode, expires_at: Date.now() + ttlMs };
+      if (grantMode === "always") {
+        approvalStore.set(`always:${tool}`, grantEntry);
+      } else if (request_id) {
+        approvalStore.set(request_id, grantEntry);
+      } else {
+        approvalStore.set(tool, grantEntry);
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        approved: true,
+        request_id: request_id || null,
+        tool,
+        mode: grantMode,
+        expires_in_seconds: ttlMs / 1e3
+      }));
+    } catch {
+      res.writeHead(400);
+      res.end(JSON.stringify({ error: "invalid_json", usage: '{"request_id":"abc123","tool":"send_email","mode":"once","nonce":"..."}' }));
+    }
+  });
+}
+function handleListApprovals(res, approvalStore) {
+  if (!approvalStore) {
+    res.writeHead(200);
+    res.end(JSON.stringify({ grants: [] }));
+    return;
+  }
+  const now = Date.now();
+  const grants = [];
+  for (const [key, grant] of approvalStore) {
+    if (now < grant.expires_at) {
+      grants.push({ key, tool: grant.tool, mode: grant.mode, expires_in_seconds: Math.round((grant.expires_at - now) / 1e3) });
+    }
+  }
+  res.writeHead(200);
+  res.end(JSON.stringify({ grants }));
+}
 
 // src/gateway.ts
 var LOG_FILE2 = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
 var ProtectGateway = class {
   child = null;
   config;
   rateLimitStore = /* @__PURE__ */ new Map();
   clientReader = null;
   logFilePath;
+  receiptFilePath;
   evidenceStore;
   receiptBuffer;
+  /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
+  approvalStore = /* @__PURE__ */ new Map();
+  /** Random nonce generated at startup — required for approval endpoint authentication */
+  approvalNonce = (0, import_node_crypto2.randomBytes)(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
   constructor(config) {
     this.config = config;
     this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = (0, import_node_path3.join)(process.cwd(), RECEIPTS_FILE);
     this.evidenceStore = new EvidenceStore();
     this.receiptBuffer = new ReceiptBuffer();
   }
@@ -763,12 +857,15 @@ var ProtectGateway = class {
         this.log(`External PDP: ${this.config.policy.external?.endpoint || "not configured"}`);
       }
     }
+    this.log(`Approval nonce: ${this.approvalNonce}`);
     const httpPort = parseInt(process.env.PROTECT_MCP_HTTP_PORT || "9876", 10);
     if (httpPort > 0) {
       try {
         startStatusServer(
           { port: httpPort, mode, verbose },
-          this.receiptBuffer
+          this.receiptBuffer,
+          this.approvalStore,
+          this.approvalNonce
         );
       } catch {
         if (verbose) this.log(`HTTP status server could not start on port ${httpPort}`);
@@ -870,8 +967,31 @@ var ProtectGateway = class {
   async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
-    const toolPolicy = getToolPolicy(toolName, this.config.policy);
     const mode = this.config.enforce ? "enforce" : "shadow";
+    let resolvedAgentKid = this.admissionResult?.agent_id;
+    let effectiveToolPolicy;
+    if (this.config.multiAgent?.enabled) {
+      const paramKid = request.params?._passport_kid;
+      if (paramKid) resolvedAgentKid = paramKid;
+      const agentOverrides = resolvedAgentKid ? this.config.multiAgent.agentPolicies?.[resolvedAgentKid] : void 0;
+      if (agentOverrides && agentOverrides[toolName]) {
+        effectiveToolPolicy = { ...getToolPolicy(toolName, this.config.policy), ...agentOverrides[toolName] };
+      } else if (!resolvedAgentKid && this.config.multiAgent.unknownAgentPolicy === "deny") {
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "unknown_agent_denied", request_id: requestId, tier: this.currentTier });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied: unidentified agent`);
+        }
+        return null;
+      } else {
+        effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+      }
+      if (this.config.verbose && resolvedAgentKid) {
+        this.log(`Multi-agent: resolved kid=${resolvedAgentKid} for tool=${toolName}`);
+      }
+    } else {
+      effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+    }
+    const toolPolicy = effectiveToolPolicy;
     let credentialRef;
     if (this.config.credentials) {
       const cred = resolveCredential(toolName, this.config.credentials);
@@ -922,6 +1042,32 @@ var ProtectGateway = class {
       }
       return null;
     }
+    if (toolPolicy.require_approval) {
+      const grant = this.approvalStore.get(requestId);
+      const alwaysGrant = this.approvalStore.get(`always:${toolName}`);
+      if (grant && Date.now() < grant.expires_at || alwaysGrant && Date.now() < alwaysGrant.expires_at) {
+        if (grant && grant.mode === "once") this.approvalStore.delete(requestId);
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "approval_granted", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      }
+      this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.config.enforce) {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          result: {
+            content: [
+              {
+                type: "text",
+                text: `REQUIRES_APPROVAL: The tool "${toolName}" requires human approval before execution. Request ID: ${requestId}. Approval nonce: ${this.approvalNonce}. Tell the user you need their approval to use "${toolName}" and will retry when granted. Do NOT retry this tool call until the user explicitly approves it.`
+              }
+            ],
+            isError: true
+          }
+        };
+      }
+      return null;
+    }
     const rateSpec = this.getTierRateLimit(toolPolicy, this.currentTier);
     if (rateSpec) {
       try {
@@ -979,6 +1125,10 @@ var ProtectGateway = class {
       if (signed.signed) {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
+        try {
+          (0, import_node_fs5.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
+        } catch {
+        }
         this.receiptBuffer.add(log.request_id, signed.signed);
         if (this.admissionResult?.agent_id) {
           this.evidenceStore.record(this.admissionResult.agent_id, this.config.signing?.issuer || "protect-mcp");
@@ -1065,6 +1215,298 @@ function collectSignedReceipts(logs) {
   }).filter((r) => typeof r.signature === "string");
 }
 
+// src/simulate.ts
+var import_node_fs6 = require("fs");
+function parseLogFile(path) {
+  const raw = (0, import_node_fs6.readFileSync)(path, "utf-8");
+  const entries = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+    try {
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.tool && parsed.decision) {
+        entries.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function simulate(entries, policy, tier = "unknown") {
+  const rateLimitStore = /* @__PURE__ */ new Map();
+  const toolResults = /* @__PURE__ */ new Map();
+  const totals = {
+    allow: 0,
+    block: 0,
+    rate_limited: 0,
+    require_approval: 0,
+    tier_insufficient: 0
+  };
+  const originalTotals = { allow: 0, deny: 0 };
+  const changes = [];
+  for (const entry of entries) {
+    const toolName = entry.tool;
+    const toolPolicy = getToolPolicy(toolName, policy);
+    if (entry.decision === "allow") {
+      originalTotals.allow++;
+    } else {
+      originalTotals.deny++;
+    }
+    let newDecision;
+    if (toolPolicy.block) {
+      newDecision = "block";
+    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
+      newDecision = "tier_insufficient";
+    } else if (toolPolicy.require_approval) {
+      newDecision = "require_approval";
+    } else if (toolPolicy.rate_limit) {
+      const limit = parseRateLimit(toolPolicy.rate_limit);
+      const result = checkRateLimit(toolName, limit, rateLimitStore);
+      newDecision = result.allowed ? "allow" : "rate_limited";
+    } else {
+      newDecision = "allow";
+    }
+    totals[newDecision]++;
+    if (!toolResults.has(toolName)) {
+      toolResults.set(toolName, {
+        tool: toolName,
+        calls: 0,
+        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
+        original: { allow: 0, deny: 0 }
+      });
+    }
+    const tr = toolResults.get(toolName);
+    tr.calls++;
+    tr.results[newDecision]++;
+    if (entry.decision === "allow") {
+      tr.original.allow++;
+    } else {
+      tr.original.deny++;
+    }
+  }
+  for (const [tool, result] of toolResults) {
+    const wasAllBlocked = result.original.allow === 0;
+    const nowAllBlocked = result.results.allow === 0;
+    const wasAllAllowed = result.original.deny === 0;
+    if (wasAllAllowed && result.results.block > 0) {
+      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.rate_limited > 0) {
+      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.require_approval > 0) {
+      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.tier_insufficient > 0) {
+      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
+    }
+    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
+      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
+    }
+  }
+  return {
+    policy_file: "",
+    log_file: "",
+    total_calls: entries.length,
+    results: totals,
+    original: originalTotals,
+    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
+    changes
+  };
+}
+function formatSimulation(summary) {
+  const lines = [];
+  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
+`);
+  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
+  for (const tr of summary.tool_breakdown) {
+    const parts = [];
+    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
+    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
+    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
+    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
+    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
+    const originalParts = [];
+    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
+    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
+    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
+  }
+  lines.push("");
+  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
+  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
+  if (summary.changes.length > 0) {
+    lines.push("");
+    lines.push("Changes:");
+    for (const change of summary.changes) {
+      lines.push(`  \u2022 ${change}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/report.ts
+var import_node_fs7 = require("fs");
+function generateReport(logPath, receiptPath, periodDays) {
+  const now = /* @__PURE__ */ new Date();
+  const from = new Date(now.getTime() - periodDays * 864e5);
+  const entries = [];
+  if ((0, import_node_fs7.existsSync)(logPath)) {
+    const raw = (0, import_node_fs7.readFileSync)(logPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.tool && parsed.decision && parsed.timestamp) {
+          const entryTime = typeof parsed.timestamp === "number" && parsed.timestamp > 1e12 ? parsed.timestamp : parsed.timestamp * 1e3;
+          if (entryTime >= from.getTime()) {
+            entries.push(parsed);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  let receiptsSigned = 0;
+  let signerKid = "";
+  let signerIssuer = "";
+  if ((0, import_node_fs7.existsSync)(receiptPath)) {
+    const raw = (0, import_node_fs7.readFileSync)(receiptPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed.signature) {
+          receiptsSigned++;
+          if (parsed.kid && !signerKid) signerKid = parsed.kid;
+          if (parsed.issuer && !signerIssuer) signerIssuer = parsed.issuer;
+        }
+      } catch {
+      }
+    }
+  }
+  const toolMap = /* @__PURE__ */ new Map();
+  const tiers = /* @__PURE__ */ new Set();
+  const policyDigests = /* @__PURE__ */ new Map();
+  let allowed = 0;
+  let blocked = 0;
+  let rateLimited = 0;
+  let approvalRequired = 0;
+  for (const entry of entries) {
+    const tool = entry.tool;
+    if (!toolMap.has(tool)) {
+      toolMap.set(tool, { total: 0, allowed: 0, blocked: 0, rate_limited: 0, approval_required: 0 });
+    }
+    const tm = toolMap.get(tool);
+    tm.total++;
+    if (entry.decision === "allow") {
+      allowed++;
+      tm.allowed++;
+    } else if (entry.decision === "deny" && entry.reason_code === "rate_limit_exceeded") {
+      rateLimited++;
+      tm.rate_limited++;
+    } else if (entry.decision === "deny" && entry.reason_code === "require_approval") {
+      approvalRequired++;
+      tm.approval_required++;
+    } else {
+      blocked++;
+      tm.blocked++;
+    }
+    if (entry.tier) tiers.add(entry.tier);
+    if (entry.policy_digest && !policyDigests.has(entry.policy_digest)) {
+      policyDigests.set(entry.policy_digest, new Date(entry.timestamp).toISOString());
+    }
+  }
+  const policyChanges = Array.from(policyDigests.entries()).map(([digest, at]) => ({
+    at,
+    policy_digest: digest
+  })).sort((a, b) => a.at.localeCompare(b.at));
+  return {
+    generated_at: now.toISOString(),
+    period: { from: from.toISOString(), to: now.toISOString() },
+    signing_identity: signerKid ? { kid: signerKid, issuer: signerIssuer } : null,
+    summary: {
+      total_decisions: entries.length,
+      allowed,
+      blocked,
+      rate_limited: rateLimited,
+      approval_required: approvalRequired,
+      unique_tools: toolMap.size,
+      unique_tiers: tiers.size
+    },
+    tool_breakdown: Array.from(toolMap.entries()).map(([tool, stats]) => ({ tool, ...stats })).sort((a, b) => b.total - a.total),
+    policy_changes: policyChanges,
+    verification: {
+      receipts_signed: receiptsSigned,
+      receipts_unsigned: entries.length - receiptsSigned,
+      verify_command: "npx @veritasacta/verify audit-bundle.json --bundle"
+    }
+  };
+}
+function formatReportMarkdown(report) {
+  const lines = [];
+  lines.push("# ScopeBlind Compliance Report");
+  lines.push("");
+  lines.push(`**Generated:** ${report.generated_at}`);
+  lines.push(`**Period:** ${report.period.from.split("T")[0]} to ${report.period.to.split("T")[0]}`);
+  if (report.signing_identity) {
+    lines.push(`**Signing identity:** kid \`${report.signing_identity.kid}\`, issuer \`${report.signing_identity.issuer}\``);
+  }
+  lines.push("");
+  lines.push("## Summary");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Total decisions | ${report.summary.total_decisions} |`);
+  lines.push(`| Allowed | ${report.summary.allowed} |`);
+  lines.push(`| Blocked | ${report.summary.blocked} |`);
+  lines.push(`| Rate-limited | ${report.summary.rate_limited} |`);
+  lines.push(`| Approval required | ${report.summary.approval_required} |`);
+  lines.push(`| Unique tools | ${report.summary.unique_tools} |`);
+  lines.push(`| Unique tiers | ${report.summary.unique_tiers} |`);
+  lines.push("");
+  if (report.tool_breakdown.length > 0) {
+    lines.push("## Tool Breakdown");
+    lines.push("");
+    lines.push("| Tool | Total | Allowed | Blocked | Rate-limited | Approval |");
+    lines.push("|------|-------|---------|---------|--------------|----------|");
+    for (const t of report.tool_breakdown) {
+      lines.push(`| \`${t.tool}\` | ${t.total} | ${t.allowed} | ${t.blocked} | ${t.rate_limited} | ${t.approval_required} |`);
+    }
+    lines.push("");
+  }
+  if (report.policy_changes.length > 0) {
+    lines.push("## Policy History");
+    lines.push("");
+    lines.push("| Timestamp | Policy Digest |");
+    lines.push("|-----------|--------------|");
+    for (const pc of report.policy_changes) {
+      lines.push(`| ${pc.at} | \`${pc.policy_digest}\` |`);
+    }
+    lines.push("");
+  }
+  lines.push("## Verification");
+  lines.push("");
+  lines.push(`- Receipts signed: **${report.verification.receipts_signed}**`);
+  lines.push(`- Receipts unsigned: **${report.verification.receipts_unsigned}**`);
+  lines.push("");
+  lines.push("Verify the audit bundle:");
+  lines.push("");
+  lines.push("```bash");
+  lines.push(report.verification.verify_command);
+  lines.push("```");
+  lines.push("");
+  lines.push("The verifier is MIT-licensed and works offline. No ScopeBlind account required.");
+  lines.push("");
+  lines.push("---");
+  lines.push("*Generated by protect-mcp \xB7 scopeblind.com*");
+  return lines.join("\n");
+}
+
 // src/manifest.ts
 function isAgentId(s) {
   return /^sb:agent:[a-f0-9]{32}$/.test(s);
@@ -1227,6 +1669,9 @@ function validateEvidenceReceipt(receipt) {
   collectSignedReceipts,
   createAuditBundle,
   evaluateTier,
+  formatReportMarkdown,
+  formatSimulation,
+  generateReport,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -1238,10 +1683,12 @@ function validateEvidenceReceipt(receipt) {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials,
   validateEvidenceReceipt,
   validateManifest