protect-mcp 0.4.1 → 0.4.3

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,22 +17,54 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  ConfidentialGate: () => ConfidentialGate,
   ProtectGateway: () => ProtectGateway,
+  ReceiptPropagator: () => ReceiptPropagator,
+  anchorToRekor: () => anchorToRekor,
   buildDecisionContext: () => buildDecisionContext,
   checkRateLimit: () => checkRateLimit,
   collectSignedReceipts: () => collectSignedReceipts,
+  computeCalibration: () => computeCalibration,
+  confidentialInference: () => confidentialInference,
+  createApprovalChallenge: () => createApprovalChallenge,
+  createApprovalReceiptPayload: () => createApprovalReceiptPayload,
+  createAttestationField: () => createAttestationField,
   createAuditBundle: () => createAuditBundle,
+  createC2PAManifest: () => createC2PAManifest,
+  createDisclosurePackage: () => createDisclosurePackage,
+  createEvidenceAttestation: () => createEvidenceAttestation,
+  createLogAnchorField: () => createLogAnchorField,
+  createReceiptChannel: () => createReceiptChannel,
+  createSandbox: () => createSandbox,
+  destroySandbox: () => destroySandbox,
+  ed25519ToDIDKey: () => ed25519ToDIDKey,
   evaluateTier: () => evaluateTier,
+  exportC2PAManifestJSON: () => exportC2PAManifestJSON,
+  exportJSONL: () => exportJSONL,
   formatReportMarkdown: () => formatReportMarkdown,
   formatSimulation: () => formatSimulation,
+  generateC2PACommand: () => generateC2PACommand,
+  generateDatasetCard: () => generateDatasetCard,
+  generateHFMetadata: () => generateHFMetadata,
   generateReport: () => generateReport,
+  generateSafetyTranscript: () => generateSafetyTranscript,
   getSignerInfo: () => getSignerInfo,
   getToolPolicy: () => getToolPolicy,
+  hashReceipt: () => hashReceipt,
+  hashResponseBody: () => hashResponseBody,
   initSigning: () => initSigning,
   isAgentId: () => isAgentId,
   isDisclosureMode: () => isDisclosureMode,
@@ -39,25 +73,42 @@ __export(index_exports, {
   isSigningEnabled: () => isSigningEnabled,
   listCredentialLabels: () => listCredentialLabels,
   loadPolicy: () => loadPolicy,
+  manifestToVC: () => manifestToVC,
   meetsMinTier: () => meetsMinTier,
   parseLogFile: () => parseLogFile,
+  parseNotificationConfigFromEnv: () => parseNotificationConfigFromEnv,
   parseRateLimit: () => parseRateLimit,
   queryExternalPDP: () => queryExternalPDP,
+  receiptToVP: () => receiptToVP,
+  receiptsToHFRows: () => receiptsToHFRows,
+  redactFields: () => redactFields,
   resolveCredential: () => resolveCredential,
+  revealField: () => revealField,
+  runInSandbox: () => runInSandbox,
+  sendApprovalNotification: () => sendApprovalNotification,
   signDecision: () => signDecision,
   simulate: () => simulate,
+  toCredentialRequestOptions: () => toCredentialRequestOptions,
+  toManifoldFormat: () => toManifoldFormat,
+  toMetaculusFormat: () => toMetaculusFormat,
   validateCredentials: () => validateCredentials,
   validateEvidenceReceipt: () => validateEvidenceReceipt,
-  validateManifest: () => validateManifest
+  validateManifest: () => validateManifest,
+  verifyActaC2PAAssertions: () => verifyActaC2PAAssertions,
+  verifyAllCommitments: () => verifyAllCommitments,
+  verifyApprovalAssertion: () => verifyApprovalAssertion,
+  verifyCommitment: () => verifyCommitment,
+  verifyEvidenceAttestation: () => verifyEvidenceAttestation,
+  verifyRekorAnchor: () => verifyRekorAnchor
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/gateway.ts
 var import_node_child_process = require("child_process");
-var import_node_crypto2 = require("crypto");
+var import_node_crypto3 = require("crypto");
 var import_node_readline = require("readline");
-var import_node_fs5 = require("fs");
-var import_node_path3 = require("path");
+var import_node_fs6 = require("fs");
+var import_node_path4 = require("path");
 
 // src/policy.ts
 var import_node_crypto = require("crypto");
@@ -625,10 +676,334 @@ function buildDecisionContext(toolName, tier, opts) {
   };
 }
 
-// src/http-server.ts
-var import_node_http = require("http");
+// src/cedar-evaluator.ts
+var import_node_crypto2 = require("crypto");
 var import_node_fs4 = require("fs");
 var import_node_path2 = require("path");
+var cedarWasm = null;
+var loadAttempted = false;
+async function ensureCedarWasm() {
+  if (cedarWasm) return true;
+  if (loadAttempted) return false;
+  loadAttempted = true;
+  try {
+    const moduleName = "@cedar-policy/cedar-wasm";
+    cedarWasm = await import(
+      /* @vite-ignore */
+      moduleName
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+function buildEntities(req) {
+  const agentId = req.agentId || req.tier;
+  return [
+    {
+      uid: { type: "Agent", id: agentId },
+      attrs: {
+        tier: req.tier,
+        ...req.agentId ? { agent_id: req.agentId } : {}
+      },
+      parents: []
+    },
+    {
+      uid: { type: "Tool", id: req.tool },
+      attrs: {},
+      parents: []
+    }
+  ];
+}
+async function evaluateCedar(policySet, req) {
+  const available = await ensureCedarWasm();
+  if (!available) {
+    return {
+      allowed: true,
+      reason: "cedar_wasm_not_available",
+      metadata: { fallback: true }
+    };
+  }
+  try {
+    const agentId = req.agentId || req.tier;
+    const authRequest = {
+      principal: { type: "Agent", id: agentId },
+      action: { type: "Action", id: "MCP::Tool::call" },
+      resource: { type: "Tool", id: req.tool },
+      context: {
+        tier: req.tier,
+        ...req.context || {}
+      }
+    };
+    const entities = buildEntities(req);
+    let result;
+    if (typeof cedarWasm.isAuthorized === "function") {
+      result = cedarWasm.isAuthorized({
+        policies: policySet.source,
+        entities,
+        principal: authRequest.principal,
+        action: authRequest.action,
+        resource: authRequest.resource,
+        context: authRequest.context,
+        schema: null
+        // No schema enforcement — Cedar still evaluates correctly
+      });
+    } else if (typeof cedarWasm.checkAuthorization === "function") {
+      result = cedarWasm.checkAuthorization(
+        policySet.source,
+        JSON.stringify(entities),
+        JSON.stringify(authRequest)
+      );
+    } else {
+      const cedarEngine = cedarWasm.default || cedarWasm;
+      if (typeof cedarEngine.isAuthorized === "function") {
+        result = cedarEngine.isAuthorized({
+          policies: policySet.source,
+          entities,
+          principal: authRequest.principal,
+          action: authRequest.action,
+          resource: authRequest.resource,
+          context: authRequest.context,
+          schema: null
+        });
+      } else {
+        return {
+          allowed: true,
+          reason: "cedar_wasm_api_unsupported",
+          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
+        };
+      }
+    }
+    const decision = parseWasmResult(result);
+    return {
+      allowed: decision.allowed,
+      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      metadata: {
+        policy_digest: policySet.digest,
+        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+      }
+    };
+  } catch (err) {
+    return {
+      allowed: true,
+      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
+      metadata: { fallback: true, error: true }
+    };
+  }
+}
+function parseWasmResult(result) {
+  if (!result) {
+    return { allowed: true, diagnostics: "null result from Cedar WASM" };
+  }
+  if (result.type === "allow" || result.type === "Allow") {
+    return { allowed: true };
+  }
+  if (result.type === "deny" || result.type === "Deny") {
+    return {
+      allowed: false,
+      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
+      matchedPolicies: result.diagnostics?.reasons
+    };
+  }
+  if (result.decision === "Allow") {
+    return { allowed: true };
+  }
+  if (result.decision === "Deny") {
+    return {
+      allowed: false,
+      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
+    };
+  }
+  if (typeof result === "boolean") {
+    return { allowed: result };
+  }
+  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+
+// src/notifications.ts
+async function sendApprovalNotification(config, notification) {
+  const promises = [];
+  if (config.sms) {
+    promises.push(sendSms(config.sms, notification));
+  }
+  if (config.webhook) {
+    promises.push(sendWebhook(config.webhook, notification));
+  }
+  if (config.email) {
+    promises.push(sendEmail(config.email, notification));
+  }
+  const results = await Promise.allSettled(promises);
+  for (const result of results) {
+    if (result.status === "rejected") {
+      console.error(`[protect-mcp] Notification failed: ${result.reason}`);
+    }
+  }
+}
+async function sendSms(config, notification) {
+  const body = [
+    `\u{1F512} Approval Required`,
+    `Tool: ${notification.toolName}`,
+    notification.agentId ? `Agent: ${notification.agentId}` : null,
+    `Reason: ${notification.reason}`,
+    notification.approveUrl ? `Approve: ${notification.approveUrl}` : null,
+    notification.traceUrl ? `Trace: ${notification.traceUrl}` : null
+  ].filter(Boolean).join("\n");
+  const params = new URLSearchParams({
+    To: config.to,
+    From: config.from,
+    Body: body
+  });
+  const response = await fetch(
+    `https://api.twilio.com/2010-04-01/Accounts/${config.accountSid}/Messages.json`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Basic ${Buffer.from(`${config.accountSid}:${config.authToken}`).toString("base64")}`,
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: params.toString()
+    }
+  );
+  if (!response.ok) {
+    throw new Error(`Twilio SMS failed: ${response.status} ${await response.text()}`);
+  }
+}
+async function sendWebhook(config, notification) {
+  let payload;
+  if (config.template === "slack") {
+    payload = {
+      blocks: [
+        {
+          type: "header",
+          text: { type: "plain_text", text: "\u{1F512} Agent Approval Required" }
+        },
+        {
+          type: "section",
+          fields: [
+            { type: "mrkdwn", text: `*Tool:*
+\`${notification.toolName}\`` },
+            { type: "mrkdwn", text: `*Agent:*
+${notification.agentId || "unknown"}` },
+            { type: "mrkdwn", text: `*Policy:*
+${notification.policyName || "default"}` },
+            { type: "mrkdwn", text: `*Time:*
+${notification.timestamp}` }
+          ]
+        },
+        {
+          type: "section",
+          text: { type: "mrkdwn", text: `*Reason:* ${notification.reason}` }
+        },
+        ...notification.approveUrl || notification.traceUrl ? [
+          {
+            type: "actions",
+            elements: [
+              ...notification.approveUrl ? [{ type: "button", text: { type: "plain_text", text: "\u2705 Approve" }, url: notification.approveUrl, style: "primary" }] : [],
+              ...notification.traceUrl ? [{ type: "button", text: { type: "plain_text", text: "\u{1F50D} View Trace" }, url: notification.traceUrl }] : []
+            ]
+          }
+        ] : []
+      ]
+    };
+  } else if (config.template === "pagerduty") {
+    payload = {
+      routing_key: config.headers?.["X-Routing-Key"] || "",
+      event_action: "trigger",
+      payload: {
+        summary: `Agent approval required: ${notification.toolName}`,
+        source: "protect-mcp",
+        severity: "warning",
+        custom_details: {
+          tool: notification.toolName,
+          agent: notification.agentId,
+          policy: notification.policyName,
+          reason: notification.reason,
+          trace_url: notification.traceUrl,
+          approve_url: notification.approveUrl
+        }
+      }
+    };
+  } else {
+    payload = notification;
+  }
+  const response = await fetch(config.url, {
+    method: config.method || "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...config.headers
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    throw new Error(`Webhook failed: ${response.status}`);
+  }
+}
+async function sendEmail(config, notification) {
+  if (!config.resendApiKey) {
+    console.warn("[protect-mcp] Email notification skipped: no resendApiKey configured");
+    return;
+  }
+  const html = `
+    <div style="font-family: monospace; padding: 20px; background: #0d1117; color: #c9d1d9; border-radius: 8px;">
+      <h2 style="color: #10b981;">\u{1F512} Agent Approval Required</h2>
+      <table style="font-size: 14px; margin: 16px 0;">
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Tool:</td><td>${notification.toolName}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Agent:</td><td>${notification.agentId || "unknown"}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Reason:</td><td>${notification.reason}</td></tr>
+        <tr><td style="color: #8b949e; padding: 4px 16px 4px 0;">Time:</td><td>${notification.timestamp}</td></tr>
+      </table>
+      ${notification.approveUrl ? `<a href="${notification.approveUrl}" style="background: #10b981; color: white; padding: 8px 16px; border-radius: 6px; text-decoration: none; margin-right: 8px;">\u2705 Approve</a>` : ""}
+      ${notification.traceUrl ? `<a href="${notification.traceUrl}" style="background: #1f2937; color: #c9d1d9; padding: 8px 16px; border-radius: 6px; text-decoration: none; border: 1px solid #374151;">\u{1F50D} View Trace</a>` : ""}
+    </div>
+  `;
+  const response = await fetch("https://api.resend.com/emails", {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${config.resendApiKey}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      from: "ScopeBlind <noreply@scopeblind.com>",
+      to: config.to,
+      subject: `\u{1F512} Approval required: ${notification.toolName}`,
+      html
+    })
+  });
+  if (!response.ok) {
+    throw new Error(`Resend email failed: ${response.status}`);
+  }
+}
+function parseNotificationConfigFromEnv() {
+  const config = {};
+  let hasConfig = false;
+  const smsTo = process.env.SCOPEBLIND_SMS_TO;
+  const twilioSid = process.env.TWILIO_ACCOUNT_SID;
+  const twilioToken = process.env.TWILIO_AUTH_TOKEN;
+  const twilioFrom = process.env.TWILIO_FROM_NUMBER;
+  if (smsTo && twilioSid && twilioToken && twilioFrom) {
+    config.sms = { accountSid: twilioSid, authToken: twilioToken, from: twilioFrom, to: smsTo };
+    hasConfig = true;
+  }
+  const webhookUrl = process.env.SCOPEBLIND_WEBHOOK_URL;
+  if (webhookUrl) {
+    config.webhook = {
+      url: webhookUrl,
+      template: process.env.SCOPEBLIND_WEBHOOK_TEMPLATE || "custom"
+    };
+    hasConfig = true;
+  }
+  const emailTo = process.env.SCOPEBLIND_EMAIL_TO;
+  if (emailTo) {
+    config.email = { to: emailTo, resendApiKey: process.env.RESEND_API_KEY };
+    hasConfig = true;
+  }
+  return hasConfig ? config : null;
+}
+
+// src/http-server.ts
+var import_node_http = require("http");
+var import_node_fs5 = require("fs");
+var import_node_path3 = require("path");
 var LOG_FILE = ".protect-mcp-log.jsonl";
 var MAX_RECEIPTS = 100;
 var ReceiptBuffer = class {
@@ -721,13 +1096,13 @@ function handleHealth(res, startTime, config) {
   }));
 }
 function handleStatus(res, logDir) {
-  const logPath = (0, import_node_path2.join)(logDir, LOG_FILE);
-  if (!(0, import_node_fs4.existsSync)(logPath)) {
+  const logPath = (0, import_node_path3.join)(logDir, LOG_FILE);
+  if (!(0, import_node_fs5.existsSync)(logPath)) {
     res.writeHead(200);
     res.end(JSON.stringify({ entries: 0, message: "no log file yet" }));
     return;
   }
-  const raw = (0, import_node_fs4.readFileSync)(logPath, "utf-8");
+  const raw = (0, import_node_fs5.readFileSync)(logPath, "utf-8");
   const lines = raw.trim().split("\n").filter(Boolean);
   const entries = [];
   for (const line of lines) {
@@ -865,18 +1240,30 @@ var ProtectGateway = class {
   /** Approval grants keyed by request_id (scoped to the specific action that was requested) */
   approvalStore = /* @__PURE__ */ new Map();
   /** Random nonce generated at startup — required for approval endpoint authentication */
-  approvalNonce = (0, import_node_crypto2.randomBytes)(16).toString("hex");
+  approvalNonce = (0, import_node_crypto3.randomBytes)(16).toString("hex");
   currentTier = "unknown";
   admissionResult = null;
+  /** Notification config for approval gates (SMS, webhook, email) */
+  notificationConfig = null;
   /** HTTP transport mode: pending response resolvers keyed by JSON-RPC id */
   pendingResponses = /* @__PURE__ */ new Map();
   httpMode = false;
+  /** Loaded Cedar policy set (when policy_engine is "cedar") */
+  cedarPolicySet = null;
   constructor(config) {
     this.config = config;
-    this.logFilePath = (0, import_node_path3.join)(process.cwd(), LOG_FILE2);
-    this.receiptFilePath = (0, import_node_path3.join)(process.cwd(), RECEIPTS_FILE);
+    this.logFilePath = (0, import_node_path4.join)(process.cwd(), LOG_FILE2);
+    this.receiptFilePath = (0, import_node_path4.join)(process.cwd(), RECEIPTS_FILE);
     this.evidenceStore = new EvidenceStore();
     this.receiptBuffer = new ReceiptBuffer();
+    this.notificationConfig = parseNotificationConfigFromEnv();
+  }
+  /**
+   * Set the Cedar policy set for local evaluation.
+   * Called during CLI startup when --cedar flag is used.
+   */
+  setCedarPolicies(policySet) {
+    this.cedarPolicySet = policySet;
   }
   async start() {
     const { command, args, verbose } = this.config;
@@ -1007,7 +1394,7 @@ var ProtectGateway = class {
   }
   async interceptToolCall(request) {
     const toolName = request.params?.name || "unknown";
-    const requestId = (0, import_node_crypto2.randomUUID)().slice(0, 12);
+    const requestId = (0, import_node_crypto3.randomUUID)().slice(0, 12);
     const mode = this.config.enforce ? "enforce" : "shadow";
     let resolvedAgentKid = this.admissionResult?.agent_id;
     let effectiveToolPolicy;
@@ -1045,6 +1432,27 @@ var ProtectGateway = class {
         }
       }
     }
+    if (this.config.policy?.policy_engine === "cedar" && this.cedarPolicySet) {
+      try {
+        const cedarDecision = await evaluateCedar(this.cedarPolicySet, {
+          tool: toolName,
+          tier: this.currentTier,
+          agentId: this.admissionResult?.agent_id
+        });
+        if (!cedarDecision.allowed) {
+          const reason = cedarDecision.reason || "cedar_deny";
+          this.emitDecisionLog({ tool: toolName, decision: "deny", reason_code: reason, request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+          if (this.config.enforce) {
+            return this.makeErrorResponse(request.id, -32600, `Tool "${toolName}" denied by Cedar policy`);
+          }
+          return null;
+        }
+        this.emitDecisionLog({ tool: toolName, decision: "allow", reason_code: "cedar_allow", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+        return null;
+      } catch (err) {
+        if (this.config.verbose) this.log(`Cedar evaluation error: ${err instanceof Error ? err.message : err}`);
+      }
+    }
     if (this.config.policy?.external && (this.config.policy.policy_engine === "external" || this.config.policy.policy_engine === "hybrid")) {
       try {
         const ctx = buildDecisionContext(toolName, this.currentTier, {
@@ -1092,6 +1500,20 @@ var ProtectGateway = class {
         return null;
       }
       this.emitDecisionLog({ tool: toolName, decision: "require_approval", reason_code: "requires_human_approval", request_id: requestId, tier: this.currentTier, credential_ref: credentialRef });
+      if (this.notificationConfig) {
+        sendApprovalNotification(this.notificationConfig, {
+          requestId,
+          toolName,
+          agentId: this.admissionResult?.agent_id,
+          policyName: "default",
+          reason: `Policy requires human approval for "${toolName}"`,
+          traceUrl: `https://scopeblind.com/trace`,
+          approveUrl: void 0,
+          // Approve URL provided when HTTP transport is active
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }).catch(() => {
+        });
+      }
       if (this.config.enforce) {
         return {
           jsonrpc: "2.0",
@@ -1139,8 +1561,19 @@ var ProtectGateway = class {
     }
     return policy.rate_limit;
   }
+  /**
+   * Emit a decision log entry with OTel-compatible trace IDs and optional
+   * signed receipt generation.
+   *
+   * @patent Patent-protected construction — decision receipts with configurable
+   * disclosure and issuer-blind properties. Covered by Apache 2.0 patent grant
+   * for users of this code. Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
   emitDecisionLog(entry) {
     const mode = this.config.enforce ? "enforce" : "shadow";
+    const otelTraceId = entry.otel_trace_id || (0, import_node_crypto3.randomBytes)(16).toString("hex");
+    const otelSpanId = entry.otel_span_id || (0, import_node_crypto3.randomBytes)(8).toString("hex");
     const log = {
       v: 2,
       tool: entry.tool || "unknown",
@@ -1148,17 +1581,19 @@ var ProtectGateway = class {
       reason_code: entry.reason_code || "default_allow",
       policy_digest: this.config.policyDigest,
       policy_engine: this.config.policy?.policy_engine || "built-in",
-      request_id: entry.request_id || (0, import_node_crypto2.randomUUID)().slice(0, 12),
+      request_id: entry.request_id || (0, import_node_crypto3.randomUUID)().slice(0, 12),
       timestamp: Date.now(),
       mode,
       ...entry.rate_limit_remaining !== void 0 && { rate_limit_remaining: entry.rate_limit_remaining },
       ...entry.tier && { tier: entry.tier },
-      ...entry.credential_ref && { credential_ref: entry.credential_ref }
+      ...entry.credential_ref && { credential_ref: entry.credential_ref },
+      otel_trace_id: otelTraceId,
+      otel_span_id: otelSpanId
     };
     process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
 `);
     try {
-      (0, import_node_fs5.appendFileSync)(this.logFilePath, JSON.stringify(log) + "\n");
+      (0, import_node_fs6.appendFileSync)(this.logFilePath, JSON.stringify(log) + "\n");
     } catch {
     }
     if (isSigningEnabled()) {
@@ -1167,7 +1602,7 @@ var ProtectGateway = class {
         process.stderr.write(`[PROTECT_MCP_RECEIPT] ${signed.signed}
 `);
         try {
-          (0, import_node_fs5.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
+          (0, import_node_fs6.appendFileSync)(this.receiptFilePath, signed.signed + "\n");
         } catch {
         }
         this.receiptBuffer.add(log.request_id, signed.signed);
@@ -1357,9 +1792,9 @@ function collectSignedReceipts(logs) {
 }
 
 // src/simulate.ts
-var import_node_fs6 = require("fs");
+var import_node_fs7 = require("fs");
 function parseLogFile(path) {
-  const raw = (0, import_node_fs6.readFileSync)(path, "utf-8");
+  const raw = (0, import_node_fs7.readFileSync)(path, "utf-8");
   const entries = [];
   for (const line of raw.split("\n")) {
     const trimmed = line.trim();
@@ -1488,13 +1923,13 @@ function formatSimulation(summary) {
 }
 
 // src/report.ts
-var import_node_fs7 = require("fs");
+var import_node_fs8 = require("fs");
 function generateReport(logPath, receiptPath, periodDays) {
   const now = /* @__PURE__ */ new Date();
   const from = new Date(now.getTime() - periodDays * 864e5);
   const entries = [];
-  if ((0, import_node_fs7.existsSync)(logPath)) {
-    const raw = (0, import_node_fs7.readFileSync)(logPath, "utf-8");
+  if ((0, import_node_fs8.existsSync)(logPath)) {
+    const raw = (0, import_node_fs8.readFileSync)(logPath, "utf-8");
     for (const line of raw.split("\n")) {
       const trimmed = line.trim();
       if (!trimmed) continue;
@@ -1514,8 +1949,8 @@ function generateReport(logPath, receiptPath, periodDays) {
   let receiptsSigned = 0;
   let signerKid = "";
   let signerIssuer = "";
-  if ((0, import_node_fs7.existsSync)(receiptPath)) {
-    const raw = (0, import_node_fs7.readFileSync)(receiptPath, "utf-8");
+  if ((0, import_node_fs8.existsSync)(receiptPath)) {
+    const raw = (0, import_node_fs8.readFileSync)(receiptPath, "utf-8");
     for (const line of raw.split("\n")) {
       const trimmed = line.trim();
       if (!trimmed) continue;
@@ -1802,19 +2237,1270 @@ function validateEvidenceReceipt(receipt) {
   }
   return errors;
 }
+
+// src/rekor-anchor.ts
+var import_node_crypto4 = require("crypto");
+var REKOR_API = "https://rekor.sigstore.dev/api/v1";
+async function anchorToRekor(receiptHash, signature, publicKeyPem) {
+  const entry = {
+    apiVersion: "0.0.1",
+    kind: "hashedrekord",
+    spec: {
+      data: {
+        hash: {
+          algorithm: "sha256",
+          value: receiptHash
+        }
+      },
+      signature: {
+        content: signature,
+        publicKey: {
+          content: Buffer.from(publicKeyPem).toString("base64")
+        }
+      }
+    }
+  };
+  const response = await fetch(`${REKOR_API}/log/entries`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(entry)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Rekor anchoring failed: ${response.status} ${errorText}`);
+  }
+  const result = await response.json();
+  const [uuid, data] = Object.entries(result)[0];
+  return {
+    logIndex: data.logIndex,
+    uuid,
+    integratedTime: new Date(data.integratedTime * 1e3).toISOString(),
+    receiptHash,
+    logID: data.logID,
+    body: data.body
+  };
+}
+async function verifyRekorAnchor(logIndex, expectedHash) {
+  const response = await fetch(`${REKOR_API}/log/entries?logIndex=${logIndex}`);
+  if (!response.ok) {
+    return {
+      valid: false,
+      logIndex,
+      integratedTime: "",
+      receiptHashMatch: false
+    };
+  }
+  const result = await response.json();
+  const [, data] = Object.entries(result)[0];
+  let receiptHashMatch = false;
+  try {
+    const bodyJson = JSON.parse(Buffer.from(data.body, "base64").toString());
+    const hash = bodyJson?.spec?.data?.hash?.value;
+    receiptHashMatch = hash === expectedHash;
+  } catch {
+  }
+  return {
+    valid: receiptHashMatch,
+    logIndex,
+    integratedTime: new Date(data.integratedTime * 1e3).toISOString(),
+    receiptHashMatch
+  };
+}
+function hashReceipt(receipt) {
+  const canonical = JSON.stringify(receipt, Object.keys(receipt).sort());
+  return (0, import_node_crypto4.createHash)("sha256").update(canonical).digest("hex");
+}
+function createLogAnchorField(anchor) {
+  return {
+    transparency_log: "rekor.sigstore.dev",
+    log_index: anchor.logIndex,
+    integrated_time: anchor.integratedTime,
+    receipt_hash: anchor.receiptHash,
+    verify_url: `https://search.sigstore.dev/?logIndex=${anchor.logIndex}`
+  };
+}
+
+// src/selective-disclosure.ts
+var import_node_crypto5 = require("crypto");
+function redactFields(receipt, fieldsToRedact) {
+  const redacted = JSON.parse(JSON.stringify(receipt));
+  const salts = [];
+  const redactedFields = [];
+  const originalHash = hashObject(receipt);
+  for (const fieldPath of fieldsToRedact) {
+    const parts = fieldPath.split(".");
+    let current = redacted;
+    let parent = null;
+    let lastKey = "";
+    for (let i = 0; i < parts.length; i++) {
+      const key = parts[i];
+      if (i === parts.length - 1) {
+        if (key in current) {
+          const originalValue = current[key];
+          const salt = (0, import_node_crypto5.randomBytes)(16).toString("hex");
+          const commitment = computeCommitment(salt, originalValue);
+          salts.push({ field: fieldPath, salt, originalValue });
+          current[key] = `sha256(salt + ${typeof originalValue === "string" ? "..." : JSON.stringify(originalValue).slice(0, 20) + "..."})`;
+          redactedFields.push(fieldPath);
+          if (!redacted._commitments) {
+            redacted._commitments = {};
+          }
+          redacted._commitments[fieldPath] = commitment;
+        }
+      } else {
+        if (typeof current[key] === "object" && current[key] !== null) {
+          parent = current;
+          lastKey = key;
+          current = current[key];
+        } else {
+          break;
+        }
+      }
+    }
+  }
+  return { redacted, salts, redactedFields, originalHash };
+}
+function revealField(redactedReceipt, salts, fieldPath) {
+  const salt = salts.find((s) => s.field === fieldPath);
+  if (!salt) {
+    throw new Error(`No salt found for field: ${fieldPath}`);
+  }
+  const revealed = JSON.parse(JSON.stringify(redactedReceipt));
+  const parts = fieldPath.split(".");
+  let current = revealed;
+  for (let i = 0; i < parts.length; i++) {
+    const key = parts[i];
+    if (i === parts.length - 1) {
+      current[key] = salt.originalValue;
+    } else {
+      current = current[key];
+    }
+  }
+  return revealed;
+}
+function verifyCommitment(commitment, salt, value) {
+  const expected = computeCommitment(salt, value);
+  return commitment === expected;
+}
+function verifyAllCommitments(redactedReceipt, salts) {
+  const commitments = redactedReceipt._commitments;
+  if (!commitments) {
+    return { valid: true, fields: {} };
+  }
+  const fields = {};
+  let allValid = true;
+  for (const salt of salts) {
+    const commitment = commitments[salt.field];
+    if (commitment) {
+      const valid = verifyCommitment(commitment, salt.salt, salt.originalValue);
+      fields[salt.field] = valid;
+      if (!valid) allValid = false;
+    }
+  }
+  return { valid: allValid, fields };
+}
+function createDisclosurePackage(allSalts, fieldsToDisclose) {
+  const disclosed = allSalts.filter((s) => fieldsToDisclose.includes(s.field)).map((s) => ({ field: s.field, salt: s.salt, value: s.originalValue }));
+  return {
+    version: "0.1",
+    disclosed_fields: fieldsToDisclose,
+    salts: disclosed
+  };
+}
+function computeCommitment(salt, value) {
+  const serialized = typeof value === "string" ? value : JSON.stringify(value);
+  return (0, import_node_crypto5.createHash)("sha256").update(salt + serialized).digest("hex");
+}
+function hashObject(obj) {
+  const canonical = JSON.stringify(obj, Object.keys(obj).sort());
+  return (0, import_node_crypto5.createHash)("sha256").update(canonical).digest("hex");
+}
+
+// src/huggingface-export.ts
+function receiptsToHFRows(receipts) {
+  return receipts.map((r) => {
+    const raw = r;
+    const payload = raw.payload || {};
+    const edges = Array.isArray(raw.parent_receipts) ? raw.parent_receipts : [];
+    return {
+      receipt_id: String(raw.receipt_id || raw.id || ""),
+      receipt_type: String(raw.receipt_type || raw.type || "unknown"),
+      tool_name: payload.tool_name ? String(payload.tool_name) : null,
+      decision: payload.decision ? String(payload.decision) : null,
+      agent_id: payload.agent_id ? String(payload.agent_id) : raw.subject_id ? String(raw.subject_id) : null,
+      issuer_id: String(raw.issuer_id || "unknown"),
+      timestamp: String(raw.timestamp || raw.event_time || (/* @__PURE__ */ new Date()).toISOString()),
+      policy_hash: payload.active_policy_hash ? String(payload.active_policy_hash) : null,
+      edges,
+      edge_count: edges.length,
+      signature: raw.signature ? String(raw.signature) : null,
+      signed: Boolean(raw.signature),
+      context_hash: raw.context_hash ? String(raw.context_hash) : null,
+      chain_id: raw.chain_id ? String(raw.chain_id) : null
+    };
+  });
+}
+function generateHFMetadata(rows, name) {
+  const types = {};
+  const decisions = {};
+  const agents = /* @__PURE__ */ new Set();
+  const tools = /* @__PURE__ */ new Set();
+  let minTime = Infinity;
+  let maxTime = -Infinity;
+  for (const row of rows) {
+    types[row.receipt_type] = (types[row.receipt_type] || 0) + 1;
+    if (row.decision) decisions[row.decision] = (decisions[row.decision] || 0) + 1;
+    if (row.agent_id) agents.add(row.agent_id);
+    if (row.tool_name) tools.add(row.tool_name);
+    const t = new Date(row.timestamp).getTime();
+    if (t < minTime) minTime = t;
+    if (t > maxTime) maxTime = t;
+  }
+  return {
+    name: name || "scopeblind-acta-receipts",
+    description: "Cryptographically signed decision receipts from AI agent tool calls. Each row is an Ed25519-signed receipt capturing a machine decision, its causal context, and policy evaluation result. Produced by protect-mcp and verified with @veritasacta/verify.",
+    num_rows: rows.length,
+    type_distribution: types,
+    decision_distribution: decisions,
+    time_range: {
+      from: isFinite(minTime) ? new Date(minTime).toISOString() : "",
+      to: isFinite(maxTime) ? new Date(maxTime).toISOString() : ""
+    },
+    unique_agents: agents.size,
+    unique_tools: tools.size,
+    exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    license: "MIT",
+    tags: [
+      "ai-safety",
+      "agent-governance",
+      "cryptographic-receipts",
+      "veritas-acta",
+      "scopeblind",
+      "mcp",
+      "ed25519",
+      "causal-dag",
+      "decision-evidence"
+    ]
+  };
+}
+function exportJSONL(rows) {
+  return rows.map((row) => JSON.stringify(row)).join("\n") + "\n";
+}
+function generateDatasetCard(metadata) {
+  return `---
+license: mit
+task_categories:
+  - text-classification
+tags:
+${metadata.tags.map((t) => `  - ${t}`).join("\n")}
+size_categories:
+  - ${metadata.num_rows < 1e3 ? "n<1K" : metadata.num_rows < 1e4 ? "1K<n<10K" : "10K<n<100K"}
+---
+
+# ${metadata.name}
+
+${metadata.description}
+
+## Dataset Structure
+
+Each row is a cryptographically signed receipt representing a single machine decision.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| receipt_id | string | Unique receipt identifier (content-addressed hash) |
+| receipt_type | string | decision, execution, outcome, policy_load, observation, approval |
+| tool_name | string | MCP tool that was called |
+| decision | string | allow, deny, or null |
+| agent_id | string | Pseudonymous agent identifier |
+| timestamp | string | ISO 8601 timestamp |
+| policy_hash | string | SHA-256 hash of the active policy |
+| edges | array | Typed causal edges to parent receipts |
+| signature | string | Ed25519 signature (hex) |
+| signed | boolean | Whether the receipt has a valid signature |
+
+## Statistics
+
+- **Total receipts:** ${metadata.num_rows.toLocaleString()}
+- **Unique agents:** ${metadata.unique_agents}
+- **Unique tools:** ${metadata.unique_tools}
+- **Time range:** ${metadata.time_range.from} \u2192 ${metadata.time_range.to}
+
+### Type distribution
+${Object.entries(metadata.type_distribution).map(([k, v]) => `- ${k}: ${v}`).join("\n")}
+
+### Decision distribution
+${Object.entries(metadata.decision_distribution).map(([k, v]) => `- ${k}: ${v}`).join("\n")}
+
+## Verification
+
+Every receipt in this dataset can be independently verified:
+
+\`\`\`bash
+npx @veritasacta/verify receipt.json
+\`\`\`
+
+The verification is offline, MIT-licensed, and does not contact any server.
+
+## Source
+
+- Protocol: [Veritas Acta](https://veritasacta.com)
+- Gateway: [protect-mcp](https://npmjs.com/package/protect-mcp)
+- IETF Draft: [draft-farley-acta-signed-receipts](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
+
+## License
+
+MIT
+`;
+}
+
+// src/webauthn-approval.ts
+var import_node_crypto6 = require("crypto");
+function createApprovalChallenge(requestId, toolName, agentId, rpId = "scopeblind.com", timeoutSeconds = 300) {
+  const challengeBytes = (0, import_node_crypto6.randomBytes)(32);
+  const contextHash = (0, import_node_crypto6.createHash)("sha256").update(JSON.stringify({ requestId, toolName, agentId, timestamp: Date.now() })).digest("hex");
+  return {
+    challenge: base64urlEncode(challengeBytes),
+    requestId,
+    toolName,
+    agentId,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    timeoutSeconds,
+    rpId,
+    contextHash
+  };
+}
+function toCredentialRequestOptions(challenge, allowCredentials) {
+  return {
+    publicKey: {
+      challenge: base64urlDecode(challenge.challenge).buffer,
+      rpId: challenge.rpId,
+      timeout: challenge.timeoutSeconds * 1e3,
+      userVerification: "required",
+      // Always require biometric
+      ...allowCredentials ? {
+        allowCredentials: allowCredentials.map((c) => ({
+          id: base64urlDecode(c.id).buffer,
+          type: "public-key"
+        }))
+      } : {}
+    }
+  };
+}
+function verifyApprovalAssertion(challenge, assertion) {
+  const createdAt = new Date(challenge.createdAt).getTime();
+  const now = Date.now();
+  if (now - createdAt > challenge.timeoutSeconds * 1e3) {
+    return {
+      valid: false,
+      credentialId: assertion.credentialId,
+      authenticatorType: "unknown",
+      userVerified: false,
+      signCount: 0,
+      contextHash: challenge.contextHash,
+      approvedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  const authData = base64urlDecode(assertion.authenticatorData);
+  const flags = authData[32];
+  const userPresent = !!(flags & 1);
+  const userVerified = !!(flags & 4);
+  const attestedCredData = !!(flags & 64);
+  const signCount = authData.length >= 37 ? authData[33] << 24 | authData[34] << 16 | authData[35] << 8 | authData[36] : 0;
+  let authenticatorType = "unknown";
+  try {
+    const clientData = JSON.parse(Buffer.from(base64urlDecode(assertion.clientDataJSON)).toString());
+    if (clientData.type === "webauthn.get") {
+      authenticatorType = "platform";
+    }
+  } catch {
+  }
+  return {
+    valid: userPresent,
+    // At minimum, user must be present
+    credentialId: assertion.credentialId,
+    authenticatorType,
+    userVerified,
+    signCount,
+    contextHash: challenge.contextHash,
+    approvedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createApprovalReceiptPayload(challenge, result) {
+  return {
+    type: "acta:approval",
+    approval_method: "webauthn",
+    tool_name: challenge.toolName,
+    request_id: challenge.requestId,
+    agent_id: challenge.agentId,
+    authenticator_type: result.authenticatorType,
+    user_verified: result.userVerified,
+    context_hash: result.contextHash,
+    approved_at: result.approvedAt,
+    // Hash the credential ID for privacy — don't store the raw ID
+    credential_id_hash: (0, import_node_crypto6.createHash)("sha256").update(result.credentialId).digest("hex").slice(0, 16)
+  };
+}
+function base64urlEncode(buffer) {
+  return Buffer.from(buffer).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  return new Uint8Array(Buffer.from(padded, "base64"));
+}
+
+// src/did-vc.ts
+function ed25519ToDIDKey(publicKeyHex) {
+  const multicodecPrefix = Buffer.from([237, 1]);
+  const publicKeyBytes = Buffer.from(publicKeyHex, "hex");
+  const multicodecKey = Buffer.concat([multicodecPrefix, publicKeyBytes]);
+  const base58 = base58btcEncode(multicodecKey);
+  return `did:key:z${base58}`;
+}
+function manifestToVC(manifest) {
+  const did = ed25519ToDIDKey(manifest.public_key);
+  return {
+    "@context": [
+      "https://www.w3.org/2018/credentials/v1",
+      "https://veritasacta.com/contexts/agent-manifest/v1"
+    ],
+    type: ["VerifiableCredential", "AgentManifestCredential"],
+    issuer: did,
+    issuanceDate: manifest.created_at || (/* @__PURE__ */ new Date()).toISOString(),
+    credentialSubject: {
+      id: did,
+      agentId: manifest.agent_id,
+      displayName: manifest.display_name,
+      capabilities: manifest.capabilities || [],
+      policyDigest: manifest.policy_digest,
+      publicKey: manifest.public_key
+    },
+    ...manifest.signature ? {
+      proof: {
+        type: "Ed25519Signature2020",
+        created: manifest.created_at || (/* @__PURE__ */ new Date()).toISOString(),
+        verificationMethod: `${did}#key-1`,
+        proofPurpose: "assertionMethod",
+        proofValue: manifest.signature
+      }
+    } : {}
+  };
+}
+function receiptToVP(receipt, issuerPublicKey) {
+  const did = ed25519ToDIDKey(issuerPublicKey);
+  return {
+    "@context": ["https://www.w3.org/2018/credentials/v1"],
+    type: ["VerifiablePresentation"],
+    holder: did,
+    verifiableCredential: [{
+      "@context": [
+        "https://www.w3.org/2018/credentials/v1",
+        "https://veritasacta.com/contexts/decision-receipt/v1"
+      ],
+      type: ["VerifiableCredential", "DecisionReceiptCredential"],
+      issuer: did,
+      issuanceDate: receipt.event_time || (/* @__PURE__ */ new Date()).toISOString(),
+      credentialSubject: {
+        receiptId: receipt.receipt_id,
+        receiptType: receipt.receipt_type,
+        toolName: receipt.payload?.tool_name,
+        decision: receipt.payload?.decision
+      }
+    }]
+  };
+}
+function base58btcEncode(buffer) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  let num = BigInt("0x" + buffer.toString("hex"));
+  let result = "";
+  while (num > 0n) {
+    result = ALPHABET[Number(num % 58n)] + result;
+    num = num / 58n;
+  }
+  for (const byte of buffer) {
+    if (byte === 0) result = "1" + result;
+    else break;
+  }
+  return result;
+}
+
+// src/sandbox.ts
+async function createSandbox(config) {
+  const runtime = config.runtime || (config.apiKey || process.env.E2B_API_KEY ? "e2b" : "docker");
+  if (runtime === "e2b") {
+    return createE2BSandbox(config);
+  }
+  return createDockerSandbox(config);
+}
+async function runInSandbox(sandbox, toolCall, policy) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const decision = evaluatePolicy(toolCall.tool, policy);
+  const receipt = {
+    tool: toolCall.tool,
+    decision,
+    executed: decision === "allow",
+    timestamp
+  };
+  if (decision === "allow") {
+    try {
+      const result = await executeInSandbox(sandbox, toolCall);
+      receipt.result = result;
+      receipt.executed = true;
+    } catch (err) {
+      receipt.result = {
+        success: false,
+        output: "",
+        error: err instanceof Error ? err.message : String(err),
+        durationMs: 0
+      };
+    }
+  }
+  sandbox.receipts.push(receipt);
+  return receipt;
+}
+function generateSafetyTranscript(sandbox, template) {
+  const receipts = sandbox.receipts;
+  const allowed = receipts.filter((r) => r.decision === "allow").length;
+  const denied = receipts.filter((r) => r.decision === "deny").length;
+  const requireApproval = receipts.filter((r) => r.decision === "require_approval").length;
+  const executed = receipts.filter((r) => r.executed && r.result);
+  const successful = executed.filter((r) => r.result?.success);
+  const denyScore = denied > 0 ? 40 : allowed > 0 ? 20 : 40;
+  const successRate = executed.length > 0 ? successful.length / executed.length : 1;
+  const successScore = 30 * successRate;
+  const approvalScore = requireApproval === 0 ? 30 : 15;
+  const safetyScore = Math.round(denyScore + successScore + approvalScore);
+  return {
+    sandboxId: sandbox.id,
+    template,
+    totalCalls: receipts.length,
+    allowed,
+    denied,
+    requireApproval,
+    successRate,
+    receipts,
+    durationMs: 0,
+    // Would be calculated from first/last receipt timestamps
+    evaluatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    safetyScore: Math.min(100, Math.max(0, safetyScore))
+  };
+}
+async function destroySandbox(sandbox) {
+  sandbox.status = "destroyed";
+  if (sandbox.runtime === "docker") {
+    try {
+      const { execSync } = await import("child_process");
+      execSync(`docker rm -f ${sandbox.id} 2>/dev/null`, { stdio: "pipe" });
+    } catch {
+    }
+  }
+}
+async function createE2BSandbox(config) {
+  const apiKey = config.apiKey || process.env.E2B_API_KEY;
+  if (!apiKey) {
+    throw new Error("E2B_API_KEY not set. Get one at https://e2b.dev");
+  }
+  const response = await fetch("https://api.e2b.dev/sandboxes", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-API-Key": apiKey
+    },
+    body: JSON.stringify({
+      templateID: config.template,
+      timeout: config.timeoutSeconds || 300
+    })
+  });
+  if (!response.ok) {
+    throw new Error(`E2B sandbox creation failed: ${response.status}`);
+  }
+  const data = await response.json();
+  return {
+    id: data.sandboxID,
+    runtime: "e2b",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    status: "running",
+    receipts: []
+  };
+}
+async function createDockerSandbox(config) {
+  const { execSync } = await import("child_process");
+  const { randomUUID: randomUUID3 } = await import("crypto");
+  const id = `scopeblind-sandbox-${randomUUID3().slice(0, 8)}`;
+  const image = config.template.includes(":") ? config.template : `node:${config.template.replace("node-", "")}`;
+  const memoryFlag = config.memoryMB ? `--memory=${config.memoryMB}m` : "";
+  const timeout = config.timeoutSeconds || 300;
+  try {
+    execSync(
+      `docker run -d --name ${id} ${memoryFlag} --network=none --stop-timeout=${timeout} ${image} sleep ${timeout}`,
+      { stdio: "pipe" }
+    );
+  } catch (err) {
+    throw new Error(`Docker sandbox creation failed: ${err instanceof Error ? err.message : err}`);
+  }
+  return {
+    id,
+    runtime: "docker",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    status: "running",
+    receipts: []
+  };
+}
+async function executeInSandbox(sandbox, toolCall) {
+  const start = Date.now();
+  if (sandbox.runtime === "docker") {
+    const { execSync } = await import("child_process");
+    try {
+      const command = toolCall.args.command || `echo "Tool: ${toolCall.tool}"`;
+      const output = execSync(
+        `docker exec ${sandbox.id} sh -c '${command.replace(/'/g, "'\\''")}'`,
+        { stdio: "pipe", timeout: 3e4 }
+      ).toString();
+      return {
+        success: true,
+        output: output.trim(),
+        durationMs: Date.now() - start,
+        exitCode: 0
+      };
+    } catch (err) {
+      const execErr = err;
+      return {
+        success: false,
+        output: "",
+        error: execErr.stderr?.toString() || String(err),
+        durationMs: Date.now() - start,
+        exitCode: execErr.status || 1
+      };
+    }
+  }
+  return {
+    success: true,
+    output: `[E2B] Executed ${toolCall.tool} in sandbox ${sandbox.id}`,
+    durationMs: Date.now() - start
+  };
+}
+function evaluatePolicy(tool, policy) {
+  if (!policy) return "allow";
+  const tools = policy.tools;
+  if (!tools) return "allow";
+  const toolPolicy = tools[tool] || tools["*"];
+  if (!toolPolicy) return "allow";
+  if (toolPolicy.block) return "deny";
+  if (toolPolicy.require_approval) return "require_approval";
+  return "allow";
+}
+
+// src/evidence-authenticity.ts
+var import_node_crypto7 = require("crypto");
+async function createEvidenceAttestation(input) {
+  const tlsNotaryAvailable = await isTLSNotaryAvailable();
+  if (tlsNotaryAvailable) {
+    return createTLSNotaryAttestation(input);
+  }
+  return {
+    version: "0.1-beta",
+    method: "self-reported",
+    url: input.url,
+    httpMethod: input.httpMethod || "GET",
+    responseHash: input.responseHash,
+    statusCode: input.statusCode || 200,
+    fetchedAt: input.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
+    verified: false,
+    verificationNote: "Self-reported attestation. No third-party verification. TLSNotary integration planned for Q3 2026."
+  };
+}
+async function verifyEvidenceAttestation(attestation) {
+  switch (attestation.method) {
+    case "self-reported":
+      return {
+        valid: false,
+        method: "self-reported",
+        note: "Self-reported attestation cannot be independently verified. The response hash is included for integrity checking if the original data is available."
+      };
+    case "tlsnotary":
+      if (!attestation.notaryPublicKey || !attestation.notarySignature) {
+        return {
+          valid: false,
+          method: "tlsnotary",
+          note: "TLSNotary attestation is missing notary public key or signature."
+        };
+      }
+      return {
+        valid: false,
+        method: "tlsnotary",
+        note: "TLSNotary verification not yet implemented. Attestation format is correct but signature cannot be checked."
+      };
+    case "oracle":
+      return {
+        valid: attestation.verified,
+        method: "oracle",
+        note: attestation.verified ? "Attestation verified by oracle service." : "Oracle verification pending or failed."
+      };
+    case "witness":
+      return {
+        valid: attestation.verified,
+        method: "witness",
+        note: attestation.verified ? "Attestation witnessed by independent third party." : "Witness verification pending."
+      };
+    default:
+      return {
+        valid: false,
+        method: "unknown",
+        note: "Unknown attestation method."
+      };
+  }
+}
+function hashResponseBody(body) {
+  return (0, import_node_crypto7.createHash)("sha256").update(typeof body === "string" ? body : body).digest("hex");
+}
+function createAttestationField(attestation) {
+  return {
+    evidence_authenticity: {
+      version: attestation.version,
+      method: attestation.method,
+      url_hash: (0, import_node_crypto7.createHash)("sha256").update(attestation.url).digest("hex").slice(0, 16),
+      response_hash: attestation.responseHash,
+      fetched_at: attestation.fetchedAt,
+      verified: attestation.verified,
+      note: attestation.verificationNote
+    }
+  };
+}
+async function isTLSNotaryAvailable() {
+  try {
+    await import("tlsn-js");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function createTLSNotaryAttestation(input) {
+  return {
+    version: "0.1-beta",
+    method: "tlsnotary",
+    url: input.url,
+    httpMethod: input.httpMethod || "GET",
+    responseHash: input.responseHash,
+    statusCode: input.statusCode || 200,
+    fetchedAt: input.timestamp || (/* @__PURE__ */ new Date()).toISOString(),
+    verified: false,
+    verificationNote: "TLSNotary SDK integration in progress. Attestation format is stable; verification will be enabled in a future release."
+  };
+}
+
+// src/c2pa-credentials.ts
+var import_node_crypto8 = require("crypto");
+function createC2PAManifest(receipts, options) {
+  const generator = options.generator || "protect-mcp";
+  const version = options.version || "0.3.3";
+  const decisions = receipts.filter(
+    (r) => r.receipt_type?.includes("decision") || r.type?.includes("decision")
+  );
+  const allows = decisions.filter(
+    (r) => r.payload?.decision === "allow"
+  );
+  const denies = decisions.filter(
+    (r) => r.payload?.decision === "deny"
+  );
+  const receiptHashes = receipts.map(
+    (r) => (0, import_node_crypto8.createHash)("sha256").update(JSON.stringify(r)).digest("hex")
+  );
+  const merkleRoot = computeMerkleRoot(receiptHashes);
+  const assertions = [
+    // Acta decision provenance — the core assertion
+    {
+      label: "acta.decision-provenance",
+      data: {
+        protocol: "veritas-acta",
+        protocol_version: "0.1",
+        ietf_draft: "draft-farley-acta-signed-receipts-00",
+        receipt_count: receipts.length,
+        decision_count: decisions.length,
+        allows: allows.length,
+        denies: denies.length,
+        merkle_root: merkleRoot,
+        signing_algorithm: "Ed25519",
+        canonicalization: "JCS (RFC 8785)",
+        verifier: "npx @veritasacta/verify",
+        verify_url: "https://scopeblind.com/verify",
+        trace_url: "https://scopeblind.com/trace"
+      }
+    },
+    // Policy compliance assertion
+    {
+      label: "acta.policy-compliance",
+      data: {
+        policy_violations: denies.length,
+        total_decisions: decisions.length,
+        compliance_rate: decisions.length > 0 ? (allows.length / decisions.length * 100).toFixed(1) + "%" : "N/A",
+        policy_engine: "Cedar + JSON",
+        human_approvals: receipts.filter(
+          (r) => r.receipt_type?.includes("approval") || r.type?.includes("approval")
+        ).length
+      }
+    },
+    // Standard C2PA actions
+    {
+      label: "c2pa.actions",
+      data: {
+        actions: [
+          {
+            action: "c2pa.created",
+            when: (/* @__PURE__ */ new Date()).toISOString(),
+            softwareAgent: `${generator}/${version}`,
+            parameters: {
+              description: "Content generated by AI agent with ScopeBlind governance"
+            }
+          }
+        ]
+      }
+    }
+  ];
+  if (options.includeFullReceipts) {
+    assertions.push({
+      label: "acta.receipt-chain",
+      data: {
+        receipts: receipts.map((r) => ({
+          id: r.receipt_id || r.id,
+          type: r.receipt_type || r.type,
+          tool: r.payload?.tool_name,
+          decision: r.payload?.decision,
+          timestamp: r.timestamp || r.event_time
+        }))
+      }
+    });
+  } else {
+    assertions.push({
+      label: "acta.receipt-chain",
+      data: {
+        receipt_hashes: receiptHashes,
+        merkle_root: merkleRoot,
+        note: "Full receipts available via verify URL. Hashes provided for integrity verification."
+      },
+      is_hash: true
+    });
+  }
+  if (options.additionalAssertions) {
+    assertions.push(...options.additionalAssertions);
+  }
+  return {
+    claim_generator: `${generator}/${version}`,
+    claim_generator_info: [
+      {
+        name: generator,
+        version
+      }
+    ],
+    title: options.title,
+    assertions
+  };
+}
+function exportC2PAManifestJSON(manifest) {
+  return JSON.stringify(manifest, null, 2);
+}
+function generateC2PACommand(manifestPath, inputPath, outputPath) {
+  return `c2patool ${inputPath} -m ${manifestPath} -o ${outputPath}`;
+}
+function verifyActaC2PAAssertions(c2paManifestJson) {
+  try {
+    const manifest = JSON.parse(c2paManifestJson);
+    const assertions = manifest.assertions || [];
+    const provenanceAssertion = assertions.find(
+      (a) => a.label === "acta.decision-provenance"
+    );
+    const complianceAssertion = assertions.find(
+      (a) => a.label === "acta.policy-compliance"
+    );
+    if (!provenanceAssertion) {
+      return {
+        hasActaProvenance: false,
+        receiptCount: 0,
+        merkleRoot: null,
+        complianceRate: null,
+        verifyUrl: null
+      };
+    }
+    return {
+      hasActaProvenance: true,
+      receiptCount: provenanceAssertion.data.receipt_count || 0,
+      merkleRoot: provenanceAssertion.data.merkle_root || null,
+      complianceRate: complianceAssertion ? complianceAssertion.data.compliance_rate : null,
+      verifyUrl: provenanceAssertion.data.verify_url || null
+    };
+  } catch {
+    return {
+      hasActaProvenance: false,
+      receiptCount: 0,
+      merkleRoot: null,
+      complianceRate: null,
+      verifyUrl: null
+    };
+  }
+}
+function computeMerkleRoot(hashes) {
+  if (hashes.length === 0) return "";
+  if (hashes.length === 1) return hashes[0];
+  const nextLevel = [];
+  for (let i = 0; i < hashes.length; i += 2) {
+    const left = hashes[i];
+    const right = i + 1 < hashes.length ? hashes[i + 1] : left;
+    nextLevel.push(
+      (0, import_node_crypto8.createHash)("sha256").update(left + right).digest("hex")
+    );
+  }
+  return computeMerkleRoot(nextLevel);
+}
+
+// src/prediction-bridge.ts
+function computeCalibration(predictions, resolutions) {
+  let totalSquaredError = 0;
+  let resolved = 0;
+  const buckets = /* @__PURE__ */ new Map();
+  for (const pred of predictions) {
+    const resolution = resolutions.get(pred.receipt_id);
+    if (!resolution || resolution.payload.resolution_value === "ambiguous") continue;
+    resolved++;
+    const actual = resolution.payload.resolution_value === "true" ? 1 : 0;
+    const error = (pred.payload.probability - actual) ** 2;
+    totalSquaredError += error;
+    const bucketKey = `${Math.floor(pred.payload.probability * 10) / 10}-${Math.ceil(pred.payload.probability * 10) / 10}`;
+    const bucket = buckets.get(bucketKey) || { sum: 0, actual: 0, count: 0 };
+    bucket.sum += pred.payload.probability;
+    bucket.actual += actual;
+    bucket.count++;
+    buckets.set(bucketKey, bucket);
+  }
+  return {
+    total_predictions: predictions.length,
+    resolved,
+    brier_score: resolved > 0 ? totalSquaredError / resolved : 0,
+    calibration_buckets: Array.from(buckets.entries()).map(([bucket, data]) => ({
+      bucket,
+      predicted_probability: data.sum / data.count,
+      actual_frequency: data.actual / data.count,
+      count: data.count
+    }))
+  };
+}
+function toMetaculusFormat(prediction) {
+  return {
+    prediction_value: prediction.payload.probability,
+    acta_receipt_id: prediction.receipt_id,
+    acta_signature: prediction.signature
+  };
+}
+function toManifoldFormat(prediction) {
+  return {
+    probability: prediction.payload.probability,
+    acta_receipt_id: prediction.receipt_id,
+    acta_signature: prediction.signature
+  };
+}
+
+// src/agent-exchange.ts
+var import_node_crypto9 = require("crypto");
+var ReceiptPropagator = class {
+  issuer;
+  signer;
+  receipts = /* @__PURE__ */ new Map();
+  delegationCallCounts = /* @__PURE__ */ new Map();
+  constructor(config) {
+    this.issuer = config.issuer;
+    this.signer = config.signer;
+  }
+  /**
+   * Create a delegation receipt authorizing another agent to use specific tools.
+   *
+   * @patent Patent-protected construction — delegated signing with receipt chain
+   * propagation. Covered by Apache 2.0 patent grant for users of this code.
+   * Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
+  delegate(delegateId, options) {
+    const now = /* @__PURE__ */ new Date();
+    const receipt = {
+      receipt_id: `del_${(0, import_node_crypto9.randomUUID)().slice(0, 12)}`,
+      receipt_type: "delegation",
+      issuer_id: this.issuer,
+      event_time: now.toISOString(),
+      payload: {
+        delegate_id: delegateId,
+        authorized_tools: options.tools,
+        scope: options.scope,
+        ttl: options.ttl,
+        expires_at: new Date(now.getTime() + options.ttl * 1e3).toISOString(),
+        max_calls: options.maxCalls,
+        allow_subdelegation: options.allowSubdelegation ?? false
+      },
+      parent_receipts: options.parentReceipts || []
+    };
+    if (this.signer) {
+      const signed = this.signer(receipt);
+      Object.assign(receipt, signed);
+    }
+    this.receipts.set(receipt.receipt_id, receipt);
+    this.delegationCallCounts.set(receipt.receipt_id, 0);
+    return receipt;
+  }
+  /**
+   * Wrap a tool call with a receipt that references the delegation.
+   * Validates the delegation is still valid (not expired, within call limit,
+   * tool is authorized).
+   *
+   * @patent Patent-protected construction — delegated signing with receipt chain
+   * propagation. Covered by Apache 2.0 patent grant for users of this code.
+   * Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
+  wrapAction(toolName, options) {
+    const delegation = this.receipts.get(options.delegation_receipt);
+    let decision = "allow";
+    if (!delegation) {
+      decision = "deny";
+    } else if (delegation.receipt_type !== "delegation") {
+      decision = "deny";
+    } else {
+      if (new Date(delegation.payload.expires_at) < /* @__PURE__ */ new Date()) {
+        decision = "deny";
+      }
+      if (!delegation.payload.authorized_tools.includes(toolName) && !delegation.payload.authorized_tools.includes("*")) {
+        decision = "deny";
+      }
+      if (delegation.payload.max_calls !== void 0) {
+        const count = this.delegationCallCounts.get(options.delegation_receipt) || 0;
+        if (count >= delegation.payload.max_calls) {
+          decision = "deny";
+        }
+      }
+    }
+    const currentCount = this.delegationCallCounts.get(options.delegation_receipt) || 0;
+    this.delegationCallCounts.set(options.delegation_receipt, currentCount + 1);
+    const receipt = {
+      receipt_id: `act_${(0, import_node_crypto9.randomUUID)().slice(0, 12)}`,
+      receipt_type: "execution",
+      issuer_id: this.issuer,
+      event_time: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: {
+        tool_name: toolName,
+        decision,
+        delegation_receipt: options.delegation_receipt,
+        scope: delegation?.payload.scope || "unknown",
+        call_index: currentCount + 1
+      },
+      parent_receipts: [options.delegation_receipt]
+    };
+    if (this.signer) {
+      const signed = this.signer(receipt);
+      Object.assign(receipt, signed);
+    }
+    this.receipts.set(receipt.receipt_id, receipt);
+    return receipt;
+  }
+  /**
+   * Trace the full receipt chain from a given receipt back to the root delegation.
+   *
+   * @patent Patent-protected construction — delegated signing with receipt chain
+   * propagation. Covered by Apache 2.0 patent grant for users of this code.
+   * Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
+  traceChain(receiptId) {
+    const chain = [];
+    const visited = /* @__PURE__ */ new Set();
+    const walk = (id) => {
+      if (visited.has(id)) return;
+      visited.add(id);
+      const receipt = this.receipts.get(id);
+      if (!receipt) return;
+      for (const parentId of receipt.parent_receipts) {
+        walk(parentId);
+      }
+      chain.push(receipt);
+    };
+    walk(receiptId);
+    return chain;
+  }
+  /**
+   * Export all receipts as a JSON array (for verification, archival, or Trace visualization).
+   */
+  exportAll() {
+    return Array.from(this.receipts.values());
+  }
+  /**
+   * Validate that a delegation chain is intact and all signatures verify.
+   *
+   * @patent Patent-protected construction — delegated signing with receipt chain
+   * propagation. Covered by Apache 2.0 patent grant for users of this code.
+   * Clean-room reimplementation requires a patent license.
+   * @see {@link https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/}
+   */
+  validateChain(receiptId) {
+    const chain = this.traceChain(receiptId);
+    const issues = [];
+    if (chain.length === 0) {
+      return { valid: false, chain_length: 0, issues: ["Receipt not found"] };
+    }
+    let sawAction = false;
+    for (const receipt of chain) {
+      if (receipt.receipt_type === "delegation" && sawAction) {
+        issues.push(`Delegation ${receipt.receipt_id} appears after action in chain`);
+      }
+      if (receipt.receipt_type === "execution") sawAction = true;
+    }
+    for (const receipt of chain) {
+      for (const parentId of receipt.parent_receipts) {
+        if (!this.receipts.has(parentId)) {
+          issues.push(`Missing parent receipt: ${parentId}`);
+        }
+      }
+    }
+    return {
+      valid: issues.length === 0,
+      chain_length: chain.length,
+      issues
+    };
+  }
+};
+function createReceiptChannel(orchestratorId) {
+  const propagator = new ReceiptPropagator({ issuer: orchestratorId });
+  return {
+    propagator,
+    async withDelegation(delegateId, tools, fn, options) {
+      const delegation = propagator.delegate(delegateId, {
+        tools,
+        scope: options?.scope || `task-${(0, import_node_crypto9.randomUUID)().slice(0, 8)}`,
+        ttl: options?.ttl || 3600,
+        maxCalls: options?.maxCalls
+      });
+      const result = await fn({ delegation, propagator });
+      return {
+        result,
+        delegation,
+        chain: propagator.exportAll()
+      };
+    }
+  };
+}
+
+// src/confidential.ts
+var ConfidentialGate = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Evaluate an attestation document and determine the resulting trust tier.
+   */
+  evaluateAttestation(doc) {
+    if (!this.config.accepted_providers.includes(doc.provider)) {
+      return {
+        accepted: false,
+        tier: "unknown",
+        provider: doc.provider,
+        reason: `Provider ${doc.provider} not in accepted list: ${this.config.accepted_providers.join(", ")}`
+      };
+    }
+    if (this.config.max_attestation_age) {
+      const age = (Date.now() - new Date(doc.timestamp).getTime()) / 1e3;
+      if (age > this.config.max_attestation_age) {
+        return {
+          accepted: false,
+          tier: "unknown",
+          provider: doc.provider,
+          reason: `Attestation expired: age ${Math.floor(age)}s exceeds max ${this.config.max_attestation_age}s`
+        };
+      }
+    }
+    if (this.config.expected_measurements) {
+      for (const [key, expected] of Object.entries(this.config.expected_measurements)) {
+        const actual = doc.measurements[key];
+        if (actual !== expected) {
+          return {
+            accepted: false,
+            tier: "signed",
+            provider: doc.provider,
+            reason: `Measurement mismatch: ${key} expected ${expected}, got ${actual || "missing"}`
+          };
+        }
+      }
+    }
+    return {
+      accepted: true,
+      tier: "privileged",
+      provider: doc.provider,
+      reason: `Attestation verified: ${doc.provider} enclave with valid measurements`
+    };
+  }
+  /**
+   * Check if an agent's current tier requires attestation.
+   */
+  requiresAttestation(currentTier) {
+    if (!this.config.require_attestation) return false;
+    const tierOrder = ["unknown", "signed", "evidenced", "privileged"];
+    const requiredIdx = tierOrder.indexOf(this.config.min_trust_tier);
+    const currentIdx = tierOrder.indexOf(currentTier);
+    return currentIdx >= requiredIdx;
+  }
+  /**
+   * Generate an attestation receipt documenting the evaluation.
+   */
+  toReceipt(result, agentId) {
+    return {
+      receipt_type: "attestation",
+      issuer_id: "confidential-gate",
+      event_time: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: {
+        agent_id: agentId,
+        provider: result.provider,
+        accepted: result.accepted,
+        resulting_tier: result.tier,
+        reason: result.reason
+      }
+    };
+  }
+};
+async function confidentialInference(_prompt, _config) {
+  throw new Error(
+    "Confidential inference requires a TEE/HE provider SDK. See docs at scopeblind.com/docs/confidential for setup instructions. Supported providers: Gramine (local_tee), Zama Concrete ML (homomorphic), NVIDIA Confidential Computing (secure_enclave)."
+  );
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ConfidentialGate,
   ProtectGateway,
+  ReceiptPropagator,
+  anchorToRekor,
   buildDecisionContext,
   checkRateLimit,
   collectSignedReceipts,
+  computeCalibration,
+  confidentialInference,
+  createApprovalChallenge,
+  createApprovalReceiptPayload,
+  createAttestationField,
   createAuditBundle,
+  createC2PAManifest,
+  createDisclosurePackage,
+  createEvidenceAttestation,
+  createLogAnchorField,
+  createReceiptChannel,
+  createSandbox,
+  destroySandbox,
+  ed25519ToDIDKey,
   evaluateTier,
+  exportC2PAManifestJSON,
+  exportJSONL,
   formatReportMarkdown,
   formatSimulation,
+  generateC2PACommand,
+  generateDatasetCard,
+  generateHFMetadata,
   generateReport,
+  generateSafetyTranscript,
   getSignerInfo,
   getToolPolicy,
+  hashReceipt,
+  hashResponseBody,
   initSigning,
   isAgentId,
   isDisclosureMode,
@@ -1823,14 +3509,31 @@ function validateEvidenceReceipt(receipt) {
   isSigningEnabled,
   listCredentialLabels,
   loadPolicy,
+  manifestToVC,
   meetsMinTier,
   parseLogFile,
+  parseNotificationConfigFromEnv,
   parseRateLimit,
   queryExternalPDP,
+  receiptToVP,
+  receiptsToHFRows,
+  redactFields,
   resolveCredential,
+  revealField,
+  runInSandbox,
+  sendApprovalNotification,
   signDecision,
   simulate,
+  toCredentialRequestOptions,
+  toManifoldFormat,
+  toMetaculusFormat,
   validateCredentials,
   validateEvidenceReceipt,
-  validateManifest
+  validateManifest,
+  verifyActaC2PAAssertions,
+  verifyAllCommitments,
+  verifyApprovalAssertion,
+  verifyCommitment,
+  verifyEvidenceAttestation,
+  verifyRekorAnchor
 });