protect-mcp 0.4.6 → 0.5.1

package/dist/chunk-IAJJA5IW.mjs

@@ -0,0 +1,827 @@
+import {
+  ReceiptBuffer,
+  checkRateLimit,
+  evaluateCedar,
+  getSignerInfo,
+  getToolPolicy,
+  initSigning,
+  isCedarAvailable,
+  isSigningEnabled,
+  loadCedarPolicies,
+  loadPolicy,
+  parseRateLimit,
+  signDecision
+} from "./chunk-V52W3XIN.mjs";
+
+// src/hook-server.ts
+import { createServer } from "http";
+import { createHash, randomUUID, randomBytes } from "crypto";
+import { appendFileSync, readFileSync, existsSync, readdirSync } from "fs";
+import { join } from "path";
+var DEFAULT_PORT = 9377;
+var LOG_FILE = ".protect-mcp-log.jsonl";
+var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
+var PAYLOAD_HASH_THRESHOLD = 1024;
+function detectSwarmContext() {
+  const teamName = process.env.CLAUDE_CODE_TEAM_NAME;
+  const agentId = process.env.CLAUDE_CODE_AGENT_ID;
+  const agentName = process.env.CLAUDE_CODE_AGENT_NAME;
+  if (!teamName && !agentId) {
+    return { agent_type: "standalone" };
+  }
+  const isLeader = !agentId || agentId === "team-lead";
+  return {
+    team_name: teamName,
+    agent_id: agentId,
+    agent_name: agentName,
+    is_leader: isLeader,
+    agent_type: isLeader ? "coordinator" : "worker"
+  };
+}
+function computePayloadDigest(input) {
+  const content = typeof input === "string" ? input : JSON.stringify(input || {});
+  const size = Buffer.byteLength(content, "utf-8");
+  if (size <= PAYLOAD_HASH_THRESHOLD) {
+    return void 0;
+  }
+  return {
+    input_hash: createHash("sha256").update(content).digest("hex"),
+    input_size: size,
+    truncated: true,
+    preview: content.slice(0, 256)
+  };
+}
+function computeOutputDigest(output) {
+  const content = typeof output === "string" ? output : JSON.stringify(output || {});
+  const size = Buffer.byteLength(content, "utf-8");
+  if (size <= PAYLOAD_HASH_THRESHOLD) {
+    return void 0;
+  }
+  return {
+    output_hash: createHash("sha256").update(content).digest("hex"),
+    output_size: size
+  };
+}
+function detectSandboxState() {
+  if (process.env.SANDBOX_ENABLED === "1" || process.env.CLAUDE_CODE_SANDBOX === "1") {
+    return "enabled";
+  }
+  if (process.platform === "darwin" && process.env.APP_SANDBOX_CONTAINER_ID) {
+    return "enabled";
+  }
+  if (process.platform === "linux") {
+    try {
+      const procStatus = readFileSync("/proc/self/status", "utf-8");
+      if (procStatus.includes("Seccomp:	2")) return "enabled";
+    } catch {
+    }
+  }
+  return "unavailable";
+}
+async function handlePreToolUse(input, state) {
+  const hookStart = Date.now();
+  const toolName = input.toolName || "unknown";
+  const requestId = input.toolUseId || randomUUID().slice(0, 12);
+  state.inflightTools.set(requestId, {
+    tool: toolName,
+    startedAt: hookStart,
+    requestId
+  });
+  const payloadDigest = computePayloadDigest(input.toolInput);
+  const swarm = {
+    ...state.swarmContext,
+    ...input.agentId && { agent_id: input.agentId },
+    ...input.agentName && { agent_name: input.agentName },
+    ...input.teamName && { team_name: input.teamName },
+    ...input.agentType && { agent_type: input.agentType }
+  };
+  if (state.cedarPolicies) {
+    try {
+      const cedarDecision = await evaluateCedar(state.cedarPolicies, {
+        tool: toolName,
+        tier: "unknown",
+        // Hook mode doesn't have admission tier yet
+        agentId: swarm.agent_id,
+        context: {
+          hook_event: "PreToolUse",
+          ...input.toolInput || {}
+        }
+      });
+      if (!cedarDecision.allowed) {
+        const reason = cedarDecision.reason || "cedar_deny";
+        const hookLatency2 = Date.now() - hookStart;
+        const denyKey2 = `${toolName}:${input.sessionId || "default"}`;
+        const denyCount = (state.denyCounter.get(denyKey2) || 0) + 1;
+        state.denyCounter.set(denyKey2, denyCount);
+        const suggestion = `permit(principal, action == Action::"MCP::Tool::call", resource == Tool::"${toolName}");`;
+        state.permissionSuggestions.set(toolName, suggestion);
+        emitDecisionLog(state, {
+          tool: toolName,
+          decision: "deny",
+          reason_code: reason,
+          request_id: requestId,
+          hook_event: "PreToolUse",
+          swarm: swarm.team_name ? swarm : void 0,
+          timing: { hook_latency_ms: hookLatency2, started_at: hookStart },
+          payload_digest: payloadDigest,
+          deny_iteration: denyCount,
+          sandbox_state: detectSandboxState(),
+          plan_receipt_id: state.activePlanReceiptId || void 0
+        });
+        if (denyCount === 1) {
+          process.stderr.write(
+            `[PROTECT_MCP] No Cedar permit for "${toolName}" \u2014 suggest:
+  ${suggestion}
+`
+          );
+        }
+        return {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            permissionDecision: "deny",
+            permissionDecisionReason: `[ScopeBlind] Denied by Cedar policy. ${reason}. Forbidden: "${toolName}" is not permitted. Try a read-only alternative.` + (denyCount > 1 ? ` (attempt ${denyCount})` : "")
+          }
+        };
+      }
+    } catch (err) {
+      if (state.verbose) {
+        process.stderr.write(`[PROTECT_MCP] Cedar eval error: ${err instanceof Error ? err.message : err}
+`);
+      }
+    }
+  }
+  if (state.jsonPolicy?.policy) {
+    const toolPolicy = getToolPolicy(toolName, state.jsonPolicy.policy);
+    if (toolPolicy.block) {
+      const hookLatency2 = Date.now() - hookStart;
+      emitDecisionLog(state, {
+        tool: toolName,
+        decision: "deny",
+        reason_code: "policy_block",
+        request_id: requestId,
+        hook_event: "PreToolUse",
+        swarm: swarm.team_name ? swarm : void 0,
+        timing: { hook_latency_ms: hookLatency2, started_at: hookStart },
+        payload_digest: payloadDigest,
+        sandbox_state: detectSandboxState()
+      });
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: `[ScopeBlind] "${toolName}" is blocked by policy.`
+        }
+      };
+    }
+    if (toolPolicy.require_approval) {
+      const hookLatency2 = Date.now() - hookStart;
+      emitDecisionLog(state, {
+        tool: toolName,
+        decision: "require_approval",
+        reason_code: "requires_human_approval",
+        request_id: requestId,
+        hook_event: "PreToolUse",
+        swarm: swarm.team_name ? swarm : void 0,
+        timing: { hook_latency_ms: hookLatency2, started_at: hookStart },
+        sandbox_state: detectSandboxState()
+      });
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "ask",
+          permissionDecisionReason: `[ScopeBlind] "${toolName}" requires human approval. Policy: ${state.policyDigest}`
+        }
+      };
+    }
+    if (toolPolicy.rate_limit) {
+      try {
+        const limit = parseRateLimit(toolPolicy.rate_limit);
+        const key = `tool:${toolName}:hook`;
+        const { allowed, remaining } = checkRateLimit(key, limit, state.rateLimitStore);
+        if (!allowed) {
+          const hookLatency2 = Date.now() - hookStart;
+          emitDecisionLog(state, {
+            tool: toolName,
+            decision: "deny",
+            reason_code: "rate_limit_exceeded",
+            request_id: requestId,
+            hook_event: "PreToolUse",
+            swarm: swarm.team_name ? swarm : void 0,
+            timing: { hook_latency_ms: hookLatency2, started_at: hookStart },
+            sandbox_state: detectSandboxState()
+          });
+          return {
+            hookSpecificOutput: {
+              hookEventName: "PreToolUse",
+              permissionDecision: "deny",
+              permissionDecisionReason: `[ScopeBlind] "${toolName}" rate limit exceeded (${toolPolicy.rate_limit}).`
+            }
+          };
+        }
+      } catch {
+      }
+    }
+  }
+  const hookLatency = Date.now() - hookStart;
+  const denyKey = `${toolName}:${input.sessionId || "default"}`;
+  state.denyCounter.delete(denyKey);
+  emitDecisionLog(state, {
+    tool: toolName,
+    decision: "allow",
+    reason_code: state.cedarPolicies ? "cedar_allow" : state.jsonPolicy ? "policy_allow" : "observe_mode",
+    request_id: requestId,
+    hook_event: "PreToolUse",
+    swarm: swarm.team_name ? swarm : void 0,
+    timing: { hook_latency_ms: hookLatency, started_at: hookStart },
+    payload_digest: payloadDigest,
+    sandbox_state: detectSandboxState(),
+    plan_receipt_id: state.activePlanReceiptId || void 0
+  });
+  return {};
+}
+async function handlePostToolUse(input, state) {
+  const toolName = input.toolName || "unknown";
+  const requestId = input.toolUseId || randomUUID().slice(0, 12);
+  const now = Date.now();
+  const inflight = state.inflightTools.get(requestId);
+  const timing = {
+    completed_at: now
+  };
+  if (inflight) {
+    timing.tool_duration_ms = now - inflight.startedAt;
+    timing.started_at = inflight.startedAt;
+    state.inflightTools.delete(requestId);
+  }
+  const outputDigest = computeOutputDigest(input.toolResult);
+  const receiptId = randomUUID().slice(0, 8);
+  const policyName = state.cedarPolicies ? `cedar:${state.policyDigest}` : state.policyDigest;
+  const additionalContext = `[ScopeBlind] Tool call receipted. Policy: ${policyName}. Decision: allow. Receipt: #${receiptId}.` + (timing.tool_duration_ms !== void 0 ? ` Duration: ${timing.tool_duration_ms}ms.` : "") + (timing.hook_latency_ms !== void 0 ? ` Overhead: ${timing.hook_latency_ms}ms.` : "");
+  emitDecisionLog(state, {
+    tool: toolName,
+    decision: "allow",
+    reason_code: "post_execution_receipt",
+    request_id: requestId,
+    hook_event: "PostToolUse",
+    swarm: state.swarmContext.team_name ? state.swarmContext : void 0,
+    timing,
+    payload_digest: outputDigest ? {
+      truncated: true,
+      output_hash: outputDigest.output_hash,
+      output_size: outputDigest.output_size
+    } : void 0,
+    sandbox_state: detectSandboxState()
+  });
+  return {
+    hookSpecificOutput: {
+      hookEventName: "PostToolUse",
+      additionalContext
+    }
+  };
+}
+function handleSubagentStart(input, state) {
+  const agentId = input.agentId || "unknown";
+  const agentType = input.agentType || "worker";
+  emitDecisionLog(state, {
+    tool: `subagent:${agentId}`,
+    decision: "allow",
+    reason_code: "subagent_started",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "SubagentStart",
+    swarm: {
+      ...state.swarmContext,
+      agent_id: agentId,
+      agent_name: input.agentName,
+      agent_type: agentType
+    }
+  });
+  if (state.verbose) {
+    process.stderr.write(`[PROTECT_MCP] Subagent started: ${agentId} (${agentType})
+`);
+  }
+  return {};
+}
+function handleSubagentStop(input, state) {
+  const agentId = input.agentId || "unknown";
+  emitDecisionLog(state, {
+    tool: `subagent:${agentId}`,
+    decision: "allow",
+    reason_code: "subagent_stopped",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "SubagentStop",
+    swarm: {
+      ...state.swarmContext,
+      agent_id: agentId,
+      agent_name: input.agentName
+    }
+  });
+  return {};
+}
+function handleTaskCreated(input, state) {
+  emitDecisionLog(state, {
+    tool: `task:${input.taskId || "unknown"}`,
+    decision: "allow",
+    reason_code: "task_created",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "TaskCreated",
+    swarm: {
+      ...state.swarmContext,
+      agent_name: input.teammateName
+    }
+  });
+  return {};
+}
+function handleTaskCompleted(input, state) {
+  emitDecisionLog(state, {
+    tool: `task:${input.taskId || "unknown"}`,
+    decision: "allow",
+    reason_code: "task_completed",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "TaskCompleted",
+    swarm: state.swarmContext
+  });
+  return {};
+}
+function handleSessionStart(input, state) {
+  emitDecisionLog(state, {
+    tool: "session",
+    decision: "allow",
+    reason_code: "session_started",
+    request_id: input.sessionId || randomUUID().slice(0, 12),
+    hook_event: "SessionStart",
+    swarm: state.swarmContext,
+    sandbox_state: detectSandboxState()
+  });
+  return {};
+}
+function handleSessionEnd(input, state) {
+  const suggestions = [...state.permissionSuggestions.entries()];
+  if (suggestions.length > 0) {
+    process.stderr.write(`
+[PROTECT_MCP] Session summary \u2014 ${suggestions.length} policy suggestion(s):
+`);
+    for (const [tool, suggestion] of suggestions) {
+      process.stderr.write(`  ${tool}: ${suggestion}
+`);
+    }
+    process.stderr.write("\n");
+  }
+  emitDecisionLog(state, {
+    tool: "session",
+    decision: "allow",
+    reason_code: "session_ended",
+    request_id: input.sessionId || randomUUID().slice(0, 12),
+    hook_event: "SessionEnd",
+    swarm: state.swarmContext
+  });
+  return {};
+}
+function handleTeammateIdle(input, state) {
+  emitDecisionLog(state, {
+    tool: `teammate:${input.agentId || "unknown"}`,
+    decision: "allow",
+    reason_code: "teammate_idle",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "TeammateIdle",
+    swarm: {
+      ...state.swarmContext,
+      agent_id: input.agentId,
+      agent_name: input.agentName
+    }
+  });
+  return {};
+}
+function handleConfigChange(input, state) {
+  const configPath = input.filePath || input.configPath || "unknown";
+  const source = input.configSource || "unknown";
+  const isSelfModification = configPath.includes("settings.json") || configPath.includes(".claude/");
+  if (isSelfModification) {
+    state.configAlerts.push({
+      timestamp: Date.now(),
+      path: configPath,
+      source
+    });
+    process.stderr.write(
+      `[PROTECT_MCP] \u26A0\uFE0F  TAMPER ALERT: Config file modified: ${configPath} (source: ${source})
+`
+    );
+    emitDecisionLog(state, {
+      tool: "config",
+      decision: "deny",
+      reason_code: "config_tamper_detected",
+      request_id: randomUUID().slice(0, 12),
+      hook_event: "ConfigChange",
+      swarm: state.swarmContext
+    });
+  } else {
+    emitDecisionLog(state, {
+      tool: "config",
+      decision: "allow",
+      reason_code: "config_changed",
+      request_id: randomUUID().slice(0, 12),
+      hook_event: "ConfigChange"
+    });
+  }
+  return {};
+}
+function handleStop(input, state) {
+  const suggestions = [...state.permissionSuggestions.entries()];
+  if (suggestions.length > 0) {
+    process.stderr.write(`
+[PROTECT_MCP] Final policy suggestions:
+`);
+    for (const [tool, suggestion] of suggestions) {
+      process.stderr.write(`  ${suggestion}
+`);
+    }
+    process.stderr.write("\n");
+  }
+  emitDecisionLog(state, {
+    tool: "session",
+    decision: "allow",
+    reason_code: "agent_stopped",
+    request_id: randomUUID().slice(0, 12),
+    hook_event: "Stop",
+    swarm: state.swarmContext
+  });
+  return {};
+}
+function emitDecisionLog(state, entry) {
+  const mode = state.enforce ? "enforce" : "shadow";
+  const otelTraceId = randomBytes(16).toString("hex");
+  const otelSpanId = randomBytes(8).toString("hex");
+  const log = {
+    v: 2,
+    tool: entry.tool || "unknown",
+    decision: entry.decision || "allow",
+    reason_code: entry.reason_code || "default_allow",
+    policy_digest: state.policyDigest,
+    policy_engine: state.cedarPolicies ? "cedar" : "built-in",
+    request_id: entry.request_id || randomUUID().slice(0, 12),
+    timestamp: Date.now(),
+    mode,
+    otel_trace_id: otelTraceId,
+    otel_span_id: otelSpanId,
+    ...entry.tier && { tier: entry.tier },
+    ...entry.hook_event && { hook_event: entry.hook_event },
+    ...entry.swarm && { swarm: entry.swarm },
+    ...entry.timing && { timing: entry.timing },
+    ...entry.payload_digest && { payload_digest: entry.payload_digest },
+    ...entry.deny_iteration && { deny_iteration: entry.deny_iteration },
+    ...entry.sandbox_state && { sandbox_state: entry.sandbox_state },
+    ...entry.plan_receipt_id && { plan_receipt_id: entry.plan_receipt_id }
+  };
+  process.stderr.write(`[PROTECT_MCP] ${JSON.stringify(log)}
+`);
+  try {
+    appendFileSync(state.logFilePath, JSON.stringify(log) + "\n");
+  } catch {
+  }
+  if (isSigningEnabled()) {
+    const signed = signDecision(log);
+    if (signed.signed) {
+      try {
+        appendFileSync(state.receiptFilePath, signed.signed + "\n");
+      } catch {
+      }
+      state.receiptBuffer.add(log.request_id, signed.signed);
+    } else if (signed.warning) {
+      process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+`);
+    }
+  }
+}
+async function routeHookEvent(input, state) {
+  switch (input.hookEventName) {
+    case "PreToolUse":
+      return handlePreToolUse(input, state);
+    case "PostToolUse":
+      return handlePostToolUse(input, state);
+    case "SubagentStart":
+      return handleSubagentStart(input, state);
+    case "SubagentStop":
+      return handleSubagentStop(input, state);
+    case "TaskCreated":
+      return handleTaskCreated(input, state);
+    case "TaskCompleted":
+      return handleTaskCompleted(input, state);
+    case "SessionStart":
+      return handleSessionStart(input, state);
+    case "SessionEnd":
+      return handleSessionEnd(input, state);
+    case "TeammateIdle":
+      return handleTeammateIdle(input, state);
+    case "ConfigChange":
+      return handleConfigChange(input, state);
+    case "Stop":
+      return handleStop(input, state);
+    default:
+      if (state.verbose) {
+        process.stderr.write(`[PROTECT_MCP] Unknown hook event: ${input.hookEventName}
+`);
+      }
+      return {};
+  }
+}
+async function startHookServer(options = {}) {
+  const port = options.port || DEFAULT_PORT;
+  const verbose = options.verbose || false;
+  const enforce = options.enforce || false;
+  let cedarPolicies = null;
+  let jsonPolicy = null;
+  let policyDigest = "none";
+  const cedarDir = options.cedarDir || findCedarDir();
+  if (cedarDir) {
+    try {
+      cedarPolicies = loadCedarPolicies(cedarDir);
+      policyDigest = cedarPolicies.digest;
+      process.stderr.write(
+        `[PROTECT_MCP] Cedar policies loaded: ${cedarPolicies.fileCount} files from ${cedarDir} (digest: ${policyDigest})
+`
+      );
+      const cedarAvailable = await isCedarAvailable();
+      if (!cedarAvailable) {
+        process.stderr.write(
+          "[PROTECT_MCP] Warning: @cedar-policy/cedar-wasm not installed. Cedar policies loaded but evaluation fallback is allow-all.\n"
+        );
+      }
+    } catch (err) {
+      process.stderr.write(`[PROTECT_MCP] Cedar load error: ${err instanceof Error ? err.message : err}
+`);
+    }
+  }
+  if (options.policyPath) {
+    try {
+      jsonPolicy = loadPolicy(options.policyPath);
+      if (!cedarPolicies) policyDigest = jsonPolicy.digest;
+      process.stderr.write(`[PROTECT_MCP] JSON policy loaded from ${options.policyPath}
+`);
+      if (jsonPolicy.signing) {
+        const warnings = await initSigning(jsonPolicy.signing);
+        for (const w of warnings) {
+          process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+        }
+      }
+    } catch (err) {
+      process.stderr.write(`[PROTECT_MCP] Policy load error: ${err instanceof Error ? err.message : err}
+`);
+    }
+  }
+  if (!jsonPolicy?.signing) {
+    const keyPath = join(process.cwd(), "keys", "gateway.json");
+    if (existsSync(keyPath)) {
+      const warnings = await initSigning({ key_path: keyPath, issuer: "protect-mcp", enabled: true });
+      for (const w of warnings) {
+        process.stderr.write(`[PROTECT_MCP] Warning: ${w}
+`);
+      }
+    }
+  }
+  const state = {
+    cedarPolicies,
+    jsonPolicy,
+    rateLimitStore: /* @__PURE__ */ new Map(),
+    receiptBuffer: new ReceiptBuffer(),
+    inflightTools: /* @__PURE__ */ new Map(),
+    denyCounter: /* @__PURE__ */ new Map(),
+    swarmContext: detectSwarmContext(),
+    activePlanReceiptId: null,
+    startTime: Date.now(),
+    port,
+    verbose,
+    enforce,
+    policyDigest,
+    logFilePath: join(process.cwd(), LOG_FILE),
+    receiptFilePath: join(process.cwd(), RECEIPTS_FILE),
+    permissionSuggestions: /* @__PURE__ */ new Map(),
+    configAlerts: []
+  };
+  const server = createServer(async (req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    res.setHeader("Content-Type", "application/json");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    if (url.pathname === "/health" && req.method === "GET") {
+      const signerInfo = getSignerInfo();
+      res.writeHead(200);
+      res.end(JSON.stringify({
+        status: "ok",
+        server: "protect-mcp-hooks",
+        version: "0.5.0",
+        uptime_ms: Date.now() - state.startTime,
+        mode: enforce ? "enforce" : "shadow",
+        policy_digest: policyDigest,
+        policy_engine: cedarPolicies ? "cedar" : jsonPolicy ? "built-in" : "none",
+        signing: isSigningEnabled(),
+        swarm: state.swarmContext,
+        signer: signerInfo ? { kid: signerInfo.kid, issuer: signerInfo.issuer } : null,
+        cedar_files: cedarPolicies?.fileCount || 0
+      }));
+      return;
+    }
+    if (url.pathname === "/receipts" && req.method === "GET") {
+      const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+      const receipts = state.receiptBuffer.getAll().slice(0, Math.min(limit, 100));
+      res.writeHead(200);
+      res.end(JSON.stringify({ count: receipts.length, total: state.receiptBuffer.count(), receipts }));
+      return;
+    }
+    if (url.pathname === "/receipts/latest" && req.method === "GET") {
+      const latest = state.receiptBuffer.getLatest();
+      if (!latest) {
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: "no_receipts" }));
+        return;
+      }
+      res.writeHead(200);
+      res.end(JSON.stringify(latest));
+      return;
+    }
+    if (url.pathname === "/suggestions" && req.method === "GET") {
+      const suggestions = [...state.permissionSuggestions.entries()].map(([tool, rule]) => ({ tool, cedar_rule: rule }));
+      res.writeHead(200);
+      res.end(JSON.stringify({ count: suggestions.length, suggestions }));
+      return;
+    }
+    if (url.pathname === "/alerts" && req.method === "GET") {
+      res.writeHead(200);
+      res.end(JSON.stringify({ count: state.configAlerts.length, alerts: state.configAlerts }));
+      return;
+    }
+    if (url.pathname === "/hook" && req.method === "POST") {
+      let body = "";
+      req.on("data", (chunk) => {
+        body += chunk;
+      });
+      req.on("end", async () => {
+        try {
+          const raw = JSON.parse(body);
+          const input = normalizeHookInput(raw);
+          if (!input.hookEventName) {
+            res.writeHead(400);
+            res.end(JSON.stringify({ error: "missing_hook_event_name", hint: "Expected hook_event_name or hookEventName in POST body" }));
+            return;
+          }
+          const response = await routeHookEvent(input, state);
+          res.writeHead(200);
+          res.end(JSON.stringify(response));
+        } catch (err) {
+          if (verbose) {
+            process.stderr.write(`[PROTECT_MCP] Hook error: ${err instanceof Error ? err.message : err}
+`);
+          }
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: "invalid_request" }));
+        }
+      });
+      return;
+    }
+    res.writeHead(404);
+    res.end(JSON.stringify({
+      error: "not_found",
+      endpoints: [
+        "POST /hook           \u2014 Claude Code hook endpoint",
+        "GET  /health         \u2014 Health check",
+        "GET  /receipts       \u2014 Recent receipts",
+        "GET  /receipts/latest \u2014 Most recent receipt",
+        "GET  /suggestions    \u2014 Policy suggestions",
+        "GET  /alerts         \u2014 Config tamper alerts"
+      ]
+    }));
+  });
+  server.listen(port, "127.0.0.1", () => {
+    process.stderr.write(`
+`);
+    process.stderr.write(`[PROTECT_MCP] \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  protect-mcp Hook Server v0.5.0                \u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Listening:  http://127.0.0.1:${String(port).padEnd(5)}             \u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Mode:       ${(enforce ? "enforce" : "shadow").padEnd(36)}\u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Policy:     ${(cedarPolicies ? `Cedar (${cedarPolicies.fileCount} files)` : jsonPolicy ? "JSON" : "none").padEnd(36)}\u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Signing:    ${(isSigningEnabled() ? "Ed25519 \u2713" : "disabled").padEnd(36)}\u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Swarm:      ${(state.swarmContext.team_name ? `${state.swarmContext.team_name} (${state.swarmContext.agent_type})` : "standalone").padEnd(36)}\u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2502  Sandbox:    ${detectSandboxState().padEnd(36)}\u2502
+`);
+    process.stderr.write(`[PROTECT_MCP] \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+`);
+    process.stderr.write(`
+`);
+    process.stderr.write(`[PROTECT_MCP] Endpoints:
+`);
+    process.stderr.write(`  POST /hook           \u2014 Claude Code hook receiver
+`);
+    process.stderr.write(`  GET  /health         \u2014 Health check + signer info
+`);
+    process.stderr.write(`  GET  /receipts       \u2014 Recent signed receipts
+`);
+    process.stderr.write(`  GET  /suggestions    \u2014 Auto-generated Cedar policy suggestions
+`);
+    process.stderr.write(`  GET  /alerts         \u2014 Config tamper alerts
+`);
+    process.stderr.write(`
+`);
+    process.stderr.write(`[PROTECT_MCP] deny decisions are AUTHORITATIVE \u2014 they cannot be overridden.
+`);
+    process.stderr.write(`
+`);
+  });
+  const shutdown = () => {
+    process.stderr.write("\n[PROTECT_MCP] Shutting down hook server...\n");
+    const suggestions = [...state.permissionSuggestions.entries()];
+    if (suggestions.length > 0) {
+      process.stderr.write(`[PROTECT_MCP] ${suggestions.length} policy suggestion(s) accumulated:
+`);
+      for (const [tool, suggestion] of suggestions) {
+        process.stderr.write(`  ${suggestion}
+`);
+      }
+    }
+    server.close();
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+  return server;
+}
+function findCedarDir() {
+  for (const candidate of ["cedar", "policies", "."]) {
+    try {
+      if (existsSync(candidate)) {
+        const files = readdirSync(candidate, { encoding: "utf-8" });
+        if (files.some((f) => f.endsWith(".cedar"))) {
+          return candidate;
+        }
+      }
+    } catch {
+    }
+  }
+  return void 0;
+}
+var SNAKE_TO_CAMEL_MAP = {
+  hook_event_name: "hookEventName",
+  session_id: "sessionId",
+  transcript_path: "transcriptPath",
+  permission_mode: "permissionMode",
+  agent_id: "agentId",
+  agent_type: "agentType",
+  tool_name: "toolName",
+  tool_input: "toolInput",
+  tool_use_id: "toolUseId",
+  tool_response: "toolResult",
+  // Claude Code sends tool_response, we read toolResult
+  stop_hook_active: "stopHookActive",
+  agent_transcript_path: "agentTranscriptPath",
+  last_assistant_message: "lastAssistantMessage",
+  teammate_name: "teammateName",
+  team_name: "teamName",
+  task_id: "taskId",
+  task_subject: "taskSubject",
+  task_description: "taskDescription",
+  file_path: "filePath",
+  config_path: "configPath",
+  old_cwd: "oldCwd",
+  new_cwd: "newCwd",
+  notification_type: "notificationType",
+  is_interrupt: "isInterrupt",
+  error_details: "errorDetails",
+  compact_summary: "compactSummary",
+  custom_instructions: "customInstructions",
+  worktree_path: "worktreePath",
+  trigger_file_path: "triggerFilePath",
+  parent_file_path: "parentFilePath",
+  memory_type: "memoryType",
+  load_reason: "loadReason",
+  mcp_server_name: "mcpServerName",
+  elicitation_id: "elicitationId",
+  requested_schema: "requestedSchema",
+  permission_suggestions: "permissionSuggestions"
+};
+function normalizeHookInput(raw) {
+  const result = {};
+  for (const [key, value] of Object.entries(raw)) {
+    const camelKey = SNAKE_TO_CAMEL_MAP[key] || key;
+    result[camelKey] = value;
+  }
+  if (raw.source !== void 0 && raw.hook_event_name === "ConfigChange" && !raw.config_source) {
+    result["configSource"] = raw.source;
+  }
+  return result;
+}
+
+export {
+  startHookServer
+};