protect-mcp 0.3.1 → 0.3.3

package/dist/index.d.ts

@@ -36,8 +36,8 @@ type PolicyEngineMode = 'built-in' | 'external' | 'hybrid';
 interface ExternalPDPConfig {
     /** HTTP endpoint for the external policy decision point */
     endpoint: string;
-    /** Response format: 'opa' | 'cerbos' | 'generic' */
-    format?: 'opa' | 'cerbos' | 'generic';
+    /** Response format: 'opa' | 'cerbos' | 'cedar' | 'generic' */
+    format?: 'opa' | 'cerbos' | 'cedar' | 'generic';
     /** Timeout in milliseconds (default: 500) */
     timeout_ms?: number;
     /** Fallback decision when external PDP is unreachable */
@@ -154,6 +154,27 @@ interface ProtectConfig {
     signing?: SigningConfig;
     /** Credential vault: maps credential labels to injection config */
     credentials?: Record<string, CredentialConfig>;
+    /** Multi-agent mode: identify calling agents and apply per-agent policy */
+    multiAgent?: MultiAgentConfig;
+}
+/**
+ * Multi-agent mode configuration.
+ *
+ * When enabled, protect-mcp resolves the calling agent's passport kid
+ * from request metadata (x-passport-kid header or _passport_kid param)
+ * and applies agent-specific policy overrides.
+ */
+interface MultiAgentConfig {
+    /** Enable multi-agent mode */
+    enabled: boolean;
+    /** Registry endpoint for agent manifest lookup */
+    registryUrl?: string;
+    /** Per-agent policy overrides: maps kid → tool policy overrides */
+    agentPolicies?: Record<string, Record<string, ToolPolicy>>;
+    /** Default policy for unrecognized agents (default: use base policy) */
+    unknownAgentPolicy?: 'base' | 'deny' | 'shadow-only';
+    /** Cache TTL for agent manifests in ms (default: 300000 = 5 min) */
+    cacheTtlMs?: number;
 }
 
 /**
@@ -459,7 +480,7 @@ declare function isSigningEnabled(): boolean;
  * BYOPE (Bring Your Own Policy Engine) — sends decision context
  * to an external Policy Decision Point via HTTP webhook.
  *
- * Supports OPA, Cerbos, and generic JSON formats.
+ * Supports OPA, Cerbos, Cedar (AWS), and generic JSON formats.
  * ScopeBlind always signs the receipt regardless of who made the decision.
  *
  * Sprint 2: One HTTP webhook adapter. More adapters later.
@@ -570,6 +591,132 @@ declare function createAuditBundle(opts: AuditBundleOptions): AuditBundle;
  */
 declare function collectSignedReceipts(logs: DecisionLog[]): Record<string, unknown>[];
 
+/**
+ * protect-mcp simulate — dry-run policy evaluation
+ *
+ * Reads a recorded log file (.protect-mcp-log.jsonl) and evaluates
+ * each tool call against a policy file. Shows what would have been
+ * blocked, rate-limited, or approved — without wrapping a live server.
+ *
+ * Usage:
+ *   npx protect-mcp simulate --policy strict.json [--log .protect-mcp-log.jsonl] [--json]
+ */
+
+interface LogEntry {
+    v: number;
+    tool: string;
+    decision: string;
+    reason_code: string;
+    mode: string;
+    timestamp: number;
+    tier?: string;
+    rate_limit_remaining?: number;
+    [key: string]: unknown;
+}
+interface SimulationResult {
+    tool: string;
+    calls: number;
+    results: {
+        allow: number;
+        block: number;
+        rate_limited: number;
+        require_approval: number;
+        tier_insufficient: number;
+    };
+    original: {
+        allow: number;
+        deny: number;
+    };
+}
+interface SimulationSummary {
+    policy_file: string;
+    log_file: string;
+    total_calls: number;
+    results: {
+        allow: number;
+        block: number;
+        rate_limited: number;
+        require_approval: number;
+        tier_insufficient: number;
+    };
+    original: {
+        allow: number;
+        deny: number;
+    };
+    tool_breakdown: SimulationResult[];
+    changes: string[];
+}
+/**
+ * Parse a JSONL log file into log entries.
+ */
+declare function parseLogFile(path: string): LogEntry[];
+/**
+ * Simulate a policy against a set of log entries.
+ * Evaluates each entry against the policy's per-tool rules,
+ * including block, rate_limit, min_tier, and require_approval.
+ */
+declare function simulate(entries: LogEntry[], policy: ProtectPolicy, tier?: TrustTier): SimulationSummary;
+/**
+ * Format simulation results for terminal output.
+ */
+declare function formatSimulation(summary: SimulationSummary): string;
+
+/**
+ * protect-mcp report — compliance report generation
+ *
+ * Generates structured compliance reports from local log and receipt files.
+ * Output as JSON (machine-readable) or Markdown (human-readable, PDF-convertible).
+ *
+ * Usage:
+ *   npx protect-mcp report --period 30d --output report.json
+ *   npx protect-mcp report --period 30d --format md --output report.md
+ */
+interface ComplianceReport {
+    generated_at: string;
+    period: {
+        from: string;
+        to: string;
+    };
+    signing_identity: {
+        kid: string;
+        issuer: string;
+    } | null;
+    summary: {
+        total_decisions: number;
+        allowed: number;
+        blocked: number;
+        rate_limited: number;
+        approval_required: number;
+        unique_tools: number;
+        unique_tiers: number;
+    };
+    tool_breakdown: Array<{
+        tool: string;
+        total: number;
+        allowed: number;
+        blocked: number;
+        rate_limited: number;
+        approval_required: number;
+    }>;
+    policy_changes: Array<{
+        at: string;
+        policy_digest: string;
+    }>;
+    verification: {
+        receipts_signed: number;
+        receipts_unsigned: number;
+        verify_command: string;
+    };
+}
+/**
+ * Generate a compliance report from local log and receipt files.
+ */
+declare function generateReport(logPath: string, receiptPath: string, periodDays: number): ComplianceReport;
+/**
+ * Format a compliance report as Markdown.
+ */
+declare function formatReportMarkdown(report: ComplianceReport): string;
+
 /**
  * Agent identity format: sb:agent:{first 32 hex chars of SHA-256(public key bytes)}
  * Example: "sb:agent:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
@@ -851,4 +998,4 @@ declare function validateManifest(manifest: unknown): string[];
  */
 declare function validateEvidenceReceipt(receipt: unknown): string[];
 
-export { type AdmissionResult, type AgentId, type AgentManifest, type ArenaPayload, type ArenaReceipt, type AttestationPayload, type AttestationReceipt, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type CredentialConfig, type DecisionContext, type DecisionLog, type DisclosureMode, type Ed25519PublicKey, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type PolicyEngineMode, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SigningConfig, type TierOverrides, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, buildDecisionContext, checkRateLimit, collectSignedReceipts, createAuditBundle, evaluateTier, getSignerInfo, getToolPolicy, initSigning, isAgentId, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadPolicy, meetsMinTier, parseRateLimit, queryExternalPDP, resolveCredential, signDecision, validateCredentials, validateEvidenceReceipt, validateManifest };
+export { type AdmissionResult, type AgentId, type AgentManifest, type ArenaPayload, type ArenaReceipt, type AttestationPayload, type AttestationReceipt, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type ComplianceReport, type CredentialConfig, type DecisionContext, type DecisionLog, type DisclosureMode, type Ed25519PublicKey, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type PolicyEngineMode, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SigningConfig, type SimulationResult, type SimulationSummary, type TierOverrides, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, buildDecisionContext, checkRateLimit, collectSignedReceipts, createAuditBundle, evaluateTier, formatReportMarkdown, formatSimulation, generateReport, getSignerInfo, getToolPolicy, initSigning, isAgentId, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadPolicy, meetsMinTier, parseLogFile, parseRateLimit, queryExternalPDP, resolveCredential, signDecision, simulate, validateCredentials, validateEvidenceReceipt, validateManifest };

package/dist/index.js

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -36,6 +26,9 @@ __export(index_exports, {
   collectSignedReceipts: () => collectSignedReceipts,
   createAuditBundle: () => createAuditBundle,
   evaluateTier: () => evaluateTier,
+  formatReportMarkdown: () => formatReportMarkdown,
+  formatSimulation: () => formatSimulation,
+  generateReport: () => generateReport,
   getSignerInfo: () => getSignerInfo,
   getToolPolicy: () => getToolPolicy,
   initSigning: () => initSigning,
@@ -47,10 +40,12 @@ __export(index_exports, {
   listCredentialLabels: () => listCredentialLabels,
   loadPolicy: () => loadPolicy,
   meetsMinTier: () => meetsMinTier,
+  parseLogFile: () => parseLogFile,
   parseRateLimit: () => parseRateLimit,
   queryExternalPDP: () => queryExternalPDP,
   resolveCredential: () => resolveCredential,
   signDecision: () => signDecision,
+  simulate: () => simulate,
   validateCredentials: () => validateCredentials,
   validateEvidenceReceipt: () => validateEvidenceReceipt,
   validateManifest: () => validateManifest
@@ -383,7 +378,11 @@ async function initSigning(config) {
     return warnings;
   }
   try {
-    artifactsModule = await import("@veritasacta/artifacts");
+    const moduleName = "@veritasacta/artifacts";
+    artifactsModule = await import(
+      /* @vite-ignore */
+      moduleName
+    );
   } catch {
     warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
     return warnings;
@@ -522,6 +521,28 @@ function formatRequest(context, format) {
         },
         actions: [context.action.operation || "call"]
       };
+    case "cedar":
+      return {
+        principal: {
+          type: "Agent",
+          id: context.actor.id || "unknown"
+        },
+        action: {
+          type: "Action",
+          id: `MCP::Tool::${context.action.operation || "call"}`
+        },
+        resource: {
+          type: "Tool",
+          id: context.action.tool
+        },
+        context: {
+          tier: context.actor.tier,
+          manifest_hash: context.actor.manifest_hash || null,
+          service: context.target.service || "default",
+          mode: context.mode,
+          credential_ref: context.credential_ref || null
+        }
+      };
     case "generic":
     default:
       return context;
@@ -551,6 +572,22 @@ function parseResponse(result, format) {
         }
       }
       return { allowed: false, reason: "unrecognized Cerbos response" };
+    case "cedar":
+      if (typeof result.decision === "string") {
+        return {
+          allowed: result.decision === "Allow",
+          reason: result.decision === "Deny" ? `cedar_deny${result.diagnostics ? ": " + JSON.stringify(result.diagnostics) : ""}` : void 0,
+          metadata: result.diagnostics
+        };
+      }
+      if (Array.isArray(result.results) && result.results.length > 0) {
+        const first = result.results[0];
+        return {
+          allowed: first.decision === "Allow",
+          reason: first.decision === "Deny" ? "cedar_deny" : void 0
+        };
+      }
+      return { allowed: false, reason: "unrecognized Cedar response" };
     case "generic":
     default:
       return {
@@ -968,8 +1005,31 @@ var ProtectGateway = class {
   async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
     const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
-    const toolPolicy = getToolPolicy(toolName, this.config.policy);
     const mode = this.config.enforce ? "enforce" : "shadow";
+    let resolvedAgentKid = this.admissionResult?.agent_id;
+    let effectiveToolPolicy;
+    if (this.config.multiAgent?.enabled) {
+      const paramKid = request.params?._passport_kid;
+      if (paramKid) resolvedAgentKid = paramKid;
+      const agentOverrides = resolvedAgentKid ? this.config.multiAgent.agentPolicies?.[resolvedAgentKid] : void 0;
+      if (agentOverrides && agentOverrides[toolName]) {
+        effectiveToolPolicy = { ...getToolPolicy(toolName, this.config.policy), ...agentOverrides[toolName] };
+      } else if (!resolvedAgentKid && this.config.multiAgent.unknownAgentPolicy === "deny") {
+        this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: "unknown_agent_denied", request_id: requestId, tier: this.currentTier });
+        if (this.config.enforce) {
+          return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied: unidentified agent`);
+        }
+        return null;
+      } else {
+        effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+      }
+      if (this.config.verbose && resolvedAgentKid) {
+        this.log(`Multi-agent: resolved kid=${resolvedAgentKid} for tool=${toolName}`);
+      }
+    } else {
+      effectiveToolPolicy = getToolPolicy(toolName, this.config.policy);
+    }
+    const toolPolicy = effectiveToolPolicy;
     let credentialRef;
     if (this.config.credentials) {
       const cred = resolveCredential(toolName, this.config.credentials);
@@ -1193,6 +1253,298 @@ function collectSignedReceipts(logs) {
   }).filter((r) => typeof r.signature === "string");
 }
 
+// src/simulate.ts
+var import_node_fs6 = require("fs");
+function parseLogFile(path) {
+  const raw = (0, import_node_fs6.readFileSync)(path, "utf-8");
+  const entries = [];
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+    try {
+      const parsed = JSON.parse(jsonStr);
+      if (parsed.tool && parsed.decision) {
+        entries.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function simulate(entries, policy, tier = "unknown") {
+  const rateLimitStore = /* @__PURE__ */ new Map();
+  const toolResults = /* @__PURE__ */ new Map();
+  const totals = {
+    allow: 0,
+    block: 0,
+    rate_limited: 0,
+    require_approval: 0,
+    tier_insufficient: 0
+  };
+  const originalTotals = { allow: 0, deny: 0 };
+  const changes = [];
+  for (const entry of entries) {
+    const toolName = entry.tool;
+    const toolPolicy = getToolPolicy(toolName, policy);
+    if (entry.decision === "allow") {
+      originalTotals.allow++;
+    } else {
+      originalTotals.deny++;
+    }
+    let newDecision;
+    if (toolPolicy.block) {
+      newDecision = "block";
+    } else if (toolPolicy.min_tier && !meetsMinTier(tier, toolPolicy.min_tier)) {
+      newDecision = "tier_insufficient";
+    } else if (toolPolicy.require_approval) {
+      newDecision = "require_approval";
+    } else if (toolPolicy.rate_limit) {
+      const limit = parseRateLimit(toolPolicy.rate_limit);
+      const result = checkRateLimit(toolName, limit, rateLimitStore);
+      newDecision = result.allowed ? "allow" : "rate_limited";
+    } else {
+      newDecision = "allow";
+    }
+    totals[newDecision]++;
+    if (!toolResults.has(toolName)) {
+      toolResults.set(toolName, {
+        tool: toolName,
+        calls: 0,
+        results: { allow: 0, block: 0, rate_limited: 0, require_approval: 0, tier_insufficient: 0 },
+        original: { allow: 0, deny: 0 }
+      });
+    }
+    const tr = toolResults.get(toolName);
+    tr.calls++;
+    tr.results[newDecision]++;
+    if (entry.decision === "allow") {
+      tr.original.allow++;
+    } else {
+      tr.original.deny++;
+    }
+  }
+  for (const [tool, result] of toolResults) {
+    const wasAllBlocked = result.original.allow === 0;
+    const nowAllBlocked = result.results.allow === 0;
+    const wasAllAllowed = result.original.deny === 0;
+    if (wasAllAllowed && result.results.block > 0) {
+      changes.push(`${tool}: ${result.results.block} calls would be blocked (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.rate_limited > 0) {
+      changes.push(`${tool}: ${result.results.rate_limited} calls would be rate-limited (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.require_approval > 0) {
+      changes.push(`${tool}: ${result.results.require_approval} calls would require approval (was: all allowed)`);
+    }
+    if (wasAllAllowed && result.results.tier_insufficient > 0) {
+      changes.push(`${tool}: ${result.results.tier_insufficient} calls would fail tier check (was: all allowed)`);
+    }
+    if (wasAllBlocked && result.results.allow > 0 && !nowAllBlocked) {
+      changes.push(`${tool}: ${result.results.allow} calls would now be allowed (was: all blocked)`);
+    }
+  }
+  return {
+    policy_file: "",
+    log_file: "",
+    total_calls: entries.length,
+    results: totals,
+    original: originalTotals,
+    tool_breakdown: Array.from(toolResults.values()).sort((a, b) => b.calls - a.calls),
+    changes
+  };
+}
+function formatSimulation(summary) {
+  const lines = [];
+  lines.push(`Simulating ${summary.policy_file} against ${summary.total_calls} recorded tool calls:
+`);
+  const maxToolLen = Math.max(...summary.tool_breakdown.map((t) => t.tool.length), 4);
+  for (const tr of summary.tool_breakdown) {
+    const parts = [];
+    if (tr.results.allow > 0) parts.push(`${tr.results.allow} allow`);
+    if (tr.results.block > 0) parts.push(`\x1B[31m${tr.results.block} blocked\x1B[0m`);
+    if (tr.results.rate_limited > 0) parts.push(`\x1B[33m${tr.results.rate_limited} rate_limited\x1B[0m`);
+    if (tr.results.require_approval > 0) parts.push(`\x1B[36m${tr.results.require_approval} require_approval\x1B[0m`);
+    if (tr.results.tier_insufficient > 0) parts.push(`\x1B[35m${tr.results.tier_insufficient} tier_insufficient\x1B[0m`);
+    const originalParts = [];
+    if (tr.original.allow > 0) originalParts.push(`${tr.original.allow} allow`);
+    if (tr.original.deny > 0) originalParts.push(`${tr.original.deny} deny`);
+    lines.push(`  ${tr.tool.padEnd(maxToolLen)}  \xD7 ${String(tr.calls).padStart(3)} \u2192 ${parts.join(", ")}  (was: ${originalParts.join(", ")})`);
+  }
+  lines.push("");
+  lines.push(`Summary: ${summary.results.allow} allow, ${summary.results.block} blocked, ${summary.results.rate_limited} rate_limited, ${summary.results.require_approval} require_approval, ${summary.results.tier_insufficient} tier_insufficient`);
+  lines.push(`  vs original: ${summary.original.allow} allow, ${summary.original.deny} deny`);
+  if (summary.changes.length > 0) {
+    lines.push("");
+    lines.push("Changes:");
+    for (const change of summary.changes) {
+      lines.push(`  \u2022 ${change}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/report.ts
+var import_node_fs7 = require("fs");
+function generateReport(logPath, receiptPath, periodDays) {
+  const now = /* @__PURE__ */ new Date();
+  const from = new Date(now.getTime() - periodDays * 864e5);
+  const entries = [];
+  if ((0, import_node_fs7.existsSync)(logPath)) {
+    const raw = (0, import_node_fs7.readFileSync)(logPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const jsonStr = trimmed.replace(/^\[PROTECT_MCP\]\s*/, "");
+      try {
+        const parsed = JSON.parse(jsonStr);
+        if (parsed.tool && parsed.decision && parsed.timestamp) {
+          const entryTime = typeof parsed.timestamp === "number" && parsed.timestamp > 1e12 ? parsed.timestamp : parsed.timestamp * 1e3;
+          if (entryTime >= from.getTime()) {
+            entries.push(parsed);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  let receiptsSigned = 0;
+  let signerKid = "";
+  let signerIssuer = "";
+  if ((0, import_node_fs7.existsSync)(receiptPath)) {
+    const raw = (0, import_node_fs7.readFileSync)(receiptPath, "utf-8");
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed.signature) {
+          receiptsSigned++;
+          if (parsed.kid && !signerKid) signerKid = parsed.kid;
+          if (parsed.issuer && !signerIssuer) signerIssuer = parsed.issuer;
+        }
+      } catch {
+      }
+    }
+  }
+  const toolMap = /* @__PURE__ */ new Map();
+  const tiers = /* @__PURE__ */ new Set();
+  const policyDigests = /* @__PURE__ */ new Map();
+  let allowed = 0;
+  let blocked = 0;
+  let rateLimited = 0;
+  let approvalRequired = 0;
+  for (const entry of entries) {
+    const tool = entry.tool;
+    if (!toolMap.has(tool)) {
+      toolMap.set(tool, { total: 0, allowed: 0, blocked: 0, rate_limited: 0, approval_required: 0 });
+    }
+    const tm = toolMap.get(tool);
+    tm.total++;
+    if (entry.decision === "allow") {
+      allowed++;
+      tm.allowed++;
+    } else if (entry.decision === "deny" && entry.reason_code === "rate_limit_exceeded") {
+      rateLimited++;
+      tm.rate_limited++;
+    } else if (entry.decision === "deny" && entry.reason_code === "require_approval") {
+      approvalRequired++;
+      tm.approval_required++;
+    } else {
+      blocked++;
+      tm.blocked++;
+    }
+    if (entry.tier) tiers.add(entry.tier);
+    if (entry.policy_digest && !policyDigests.has(entry.policy_digest)) {
+      policyDigests.set(entry.policy_digest, new Date(entry.timestamp).toISOString());
+    }
+  }
+  const policyChanges = Array.from(policyDigests.entries()).map(([digest, at]) => ({
+    at,
+    policy_digest: digest
+  })).sort((a, b) => a.at.localeCompare(b.at));
+  return {
+    generated_at: now.toISOString(),
+    period: { from: from.toISOString(), to: now.toISOString() },
+    signing_identity: signerKid ? { kid: signerKid, issuer: signerIssuer } : null,
+    summary: {
+      total_decisions: entries.length,
+      allowed,
+      blocked,
+      rate_limited: rateLimited,
+      approval_required: approvalRequired,
+      unique_tools: toolMap.size,
+      unique_tiers: tiers.size
+    },
+    tool_breakdown: Array.from(toolMap.entries()).map(([tool, stats]) => ({ tool, ...stats })).sort((a, b) => b.total - a.total),
+    policy_changes: policyChanges,
+    verification: {
+      receipts_signed: receiptsSigned,
+      receipts_unsigned: entries.length - receiptsSigned,
+      verify_command: "npx @veritasacta/verify audit-bundle.json --bundle"
+    }
+  };
+}
+function formatReportMarkdown(report) {
+  const lines = [];
+  lines.push("# ScopeBlind Compliance Report");
+  lines.push("");
+  lines.push(`**Generated:** ${report.generated_at}`);
+  lines.push(`**Period:** ${report.period.from.split("T")[0]} to ${report.period.to.split("T")[0]}`);
+  if (report.signing_identity) {
+    lines.push(`**Signing identity:** kid \`${report.signing_identity.kid}\`, issuer \`${report.signing_identity.issuer}\``);
+  }
+  lines.push("");
+  lines.push("## Summary");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Total decisions | ${report.summary.total_decisions} |`);
+  lines.push(`| Allowed | ${report.summary.allowed} |`);
+  lines.push(`| Blocked | ${report.summary.blocked} |`);
+  lines.push(`| Rate-limited | ${report.summary.rate_limited} |`);
+  lines.push(`| Approval required | ${report.summary.approval_required} |`);
+  lines.push(`| Unique tools | ${report.summary.unique_tools} |`);
+  lines.push(`| Unique tiers | ${report.summary.unique_tiers} |`);
+  lines.push("");
+  if (report.tool_breakdown.length > 0) {
+    lines.push("## Tool Breakdown");
+    lines.push("");
+    lines.push("| Tool | Total | Allowed | Blocked | Rate-limited | Approval |");
+    lines.push("|------|-------|---------|---------|--------------|----------|");
+    for (const t of report.tool_breakdown) {
+      lines.push(`| \`${t.tool}\` | ${t.total} | ${t.allowed} | ${t.blocked} | ${t.rate_limited} | ${t.approval_required} |`);
+    }
+    lines.push("");
+  }
+  if (report.policy_changes.length > 0) {
+    lines.push("## Policy History");
+    lines.push("");
+    lines.push("| Timestamp | Policy Digest |");
+    lines.push("|-----------|--------------|");
+    for (const pc of report.policy_changes) {
+      lines.push(`| ${pc.at} | \`${pc.policy_digest}\` |`);
+    }
+    lines.push("");
+  }
+  lines.push("## Verification");
+  lines.push("");
+  lines.push(`- Receipts signed: **${report.verification.receipts_signed}**`);
+  lines.push(`- Receipts unsigned: **${report.verification.receipts_unsigned}**`);
+  lines.push("");
+  lines.push("Verify the audit bundle:");
+  lines.push("");
+  lines.push("```bash");
+  lines.push(report.verification.verify_command);
+  lines.push("```");
+  lines.push("");
+  lines.push("The verifier is MIT-licensed and works offline. No ScopeBlind account required.");
+  lines.push("");
+  lines.push("---");
+  lines.push("*Generated by protect-mcp \xB7 scopeblind.com*");
+  return lines.join("\n");
+}
+
 // src/manifest.ts
 function isAgentId(s) {
   return /^sb:agent:[a-f0-9]{32}$/.test(s);
@@ -1355,6 +1707,9 @@ function validateEvidenceReceipt(receipt) {
   collectSignedReceipts,
   createAuditBundle,
   evaluateTier,
+  formatReportMarkdown,
+  formatSimulation,
+  generateReport,
   getSignerInfo,
   getToolPolicy,
   initSigning,
@@ -1366,10 +1721,12 @@ function validateEvidenceReceipt(receipt) {
   listCredentialLabels,
   loadPolicy,
   meetsMinTier,
+  parseLogFile,
   parseRateLimit,
   queryExternalPDP,
   resolveCredential,
   signDecision,
+  simulate,
   validateCredentials,
   validateEvidenceReceipt,
   validateManifest