protect-mcp 0.5.1 → 0.5.2

package/dist/{chunk-IUFFDQYZ.mjs → chunk-IWDR5WU3.mjs}

@@ -7,7 +7,7 @@ import {
   parseRateLimit,
   signDecision,
   startStatusServer
-} from "./chunk-V52W3XIN.mjs";
+} from "./chunk-N4F76LTC.mjs";
 
 // src/evidence-store.ts
 import { readFileSync, writeFileSync, existsSync } from "fs";

package/dist/{chunk-V52W3XIN.mjs → chunk-N4F76LTC.mjs}

@@ -232,7 +232,7 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req) {
+async function evaluateCedar(policySet, req, schema) {
   const available = await ensureCedarWasm();
   if (!available) {
     return {
@@ -243,16 +243,21 @@ async function evaluateCedar(policySet, req) {
   }
   try {
     const agentId = req.agentId || req.tier;
+    const context = {
+      tier: req.tier,
+      ...req.context || {}
+    };
+    if (req.toolInput && Object.keys(req.toolInput).length > 0) {
+      context.input = req.toolInput;
+    }
     const authRequest = {
       principal: { type: "Agent", id: agentId },
       action: { type: "Action", id: "MCP::Tool::call" },
       resource: { type: "Tool", id: req.tool },
-      context: {
-        tier: req.tier,
-        ...req.context || {}
-      }
+      context
     };
     const entities = buildEntities(req);
+    const cedarSchema = schema?.schemaJson ?? null;
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
@@ -262,8 +267,7 @@ async function evaluateCedar(policySet, req) {
         action: authRequest.action,
         resource: authRequest.resource,
         context: authRequest.context,
-        schema: null
-        // No schema enforcement — Cedar still evaluates correctly
+        schema: cedarSchema
       });
     } else if (typeof cedarWasm.checkAuthorization === "function") {
       result = cedarWasm.checkAuthorization(
@@ -281,7 +285,7 @@ async function evaluateCedar(policySet, req) {
           action: authRequest.action,
           resource: authRequest.resource,
           context: authRequest.context,
-          schema: null
+          schema: cedarSchema
         });
       } else {
         return {

package/dist/{chunk-IAJJA5IW.mjs → chunk-Q4KOQUKV.mjs}

@@ -11,7 +11,7 @@ import {
   loadPolicy,
   parseRateLimit,
   signDecision
-} from "./chunk-V52W3XIN.mjs";
+} from "./chunk-N4F76LTC.mjs";
 
 // src/hook-server.ts
 import { createServer } from "http";

package/dist/{chunk-YKM6W6T7.mjs → chunk-W4U5VNEC.mjs}

@@ -1,11 +1,11 @@
 import {
   meetsMinTier
-} from "./chunk-IUFFDQYZ.mjs";
+} from "./chunk-IWDR5WU3.mjs";
 import {
   checkRateLimit,
   getToolPolicy,
   parseRateLimit
-} from "./chunk-V52W3XIN.mjs";
+} from "./chunk-N4F76LTC.mjs";
 
 // src/simulate.ts
 import { readFileSync } from "fs";

package/dist/cli.js

@@ -682,7 +682,7 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req) {
+async function evaluateCedar(policySet, req, schema) {
   const available = await ensureCedarWasm();
   if (!available) {
     return {
@@ -693,16 +693,21 @@ async function evaluateCedar(policySet, req) {
   }
   try {
     const agentId = req.agentId || req.tier;
+    const context = {
+      tier: req.tier,
+      ...req.context || {}
+    };
+    if (req.toolInput && Object.keys(req.toolInput).length > 0) {
+      context.input = req.toolInput;
+    }
     const authRequest = {
       principal: { type: "Agent", id: agentId },
       action: { type: "Action", id: "MCP::Tool::call" },
       resource: { type: "Tool", id: req.tool },
-      context: {
-        tier: req.tier,
-        ...req.context || {}
-      }
+      context
     };
     const entities = buildEntities(req);
+    const cedarSchema = schema?.schemaJson ?? null;
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
@@ -712,8 +717,7 @@ async function evaluateCedar(policySet, req) {
         action: authRequest.action,
         resource: authRequest.resource,
         context: authRequest.context,
-        schema: null
-        // No schema enforcement — Cedar still evaluates correctly
+        schema: cedarSchema
       });
     } else if (typeof cedarWasm.checkAuthorization === "function") {
       result = cedarWasm.checkAuthorization(
@@ -731,7 +735,7 @@ async function evaluateCedar(policySet, req) {
           action: authRequest.action,
           resource: authRequest.resource,
           context: authRequest.context,
-          schema: null
+          schema: cedarSchema
         });
       } else {
         return {

package/dist/cli.mjs

@@ -3,17 +3,17 @@ import {
   formatSimulation,
   parseLogFile,
   simulate
-} from "./chunk-YKM6W6T7.mjs";
+} from "./chunk-W4U5VNEC.mjs";
 import {
   ProtectGateway,
   validateCredentials
-} from "./chunk-IUFFDQYZ.mjs";
+} from "./chunk-IWDR5WU3.mjs";
 import {
   initSigning,
   isCedarAvailable,
   loadCedarPolicies,
   loadPolicy
-} from "./chunk-V52W3XIN.mjs";
+} from "./chunk-N4F76LTC.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
 // src/cli.ts
@@ -1282,7 +1282,7 @@ async function main() {
   if (useHttp) {
     const portIdx = args.indexOf("--port");
     const httpPort = portIdx >= 0 && args[portIdx + 1] ? parseInt(args[portIdx + 1]) : 3e3;
-    const { startHttpTransport } = await import("./http-transport-GXIXLVJQ.mjs");
+    const { startHttpTransport } = await import("./http-transport-PWCK7JHZ.mjs");
     startHttpTransport({ port: httpPort, config, serverCommand: childCommand });
     return;
   }

package/dist/hook-server.js

@@ -89,7 +89,7 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req) {
+async function evaluateCedar(policySet, req, schema) {
   const available = await ensureCedarWasm();
   if (!available) {
     return {
@@ -100,16 +100,21 @@ async function evaluateCedar(policySet, req) {
   }
   try {
     const agentId = req.agentId || req.tier;
+    const context = {
+      tier: req.tier,
+      ...req.context || {}
+    };
+    if (req.toolInput && Object.keys(req.toolInput).length > 0) {
+      context.input = req.toolInput;
+    }
     const authRequest = {
       principal: { type: "Agent", id: agentId },
       action: { type: "Action", id: "MCP::Tool::call" },
       resource: { type: "Tool", id: req.tool },
-      context: {
-        tier: req.tier,
-        ...req.context || {}
-      }
+      context
     };
     const entities = buildEntities(req);
+    const cedarSchema = schema?.schemaJson ?? null;
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
@@ -119,8 +124,7 @@ async function evaluateCedar(policySet, req) {
         action: authRequest.action,
         resource: authRequest.resource,
         context: authRequest.context,
-        schema: null
-        // No schema enforcement — Cedar still evaluates correctly
+        schema: cedarSchema
       });
     } else if (typeof cedarWasm.checkAuthorization === "function") {
       result = cedarWasm.checkAuthorization(
@@ -138,7 +142,7 @@ async function evaluateCedar(policySet, req) {
           action: authRequest.action,
           resource: authRequest.resource,
           context: authRequest.context,
-          schema: null
+          schema: cedarSchema
         });
       } else {
         return {

package/dist/hook-server.mjs

@@ -1,7 +1,7 @@
 import {
   startHookServer
-} from "./chunk-IAJJA5IW.mjs";
-import "./chunk-V52W3XIN.mjs";
+} from "./chunk-Q4KOQUKV.mjs";
+import "./chunk-N4F76LTC.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 export {
   startHookServer

package/dist/{http-transport-GXIXLVJQ.mjs → http-transport-PWCK7JHZ.mjs}

@@ -1,7 +1,7 @@
 import {
   ProtectGateway
-} from "./chunk-IUFFDQYZ.mjs";
-import "./chunk-V52W3XIN.mjs";
+} from "./chunk-IWDR5WU3.mjs";
+import "./chunk-N4F76LTC.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
 // src/http-transport.ts

package/dist/index.d.mts

@@ -539,6 +539,45 @@ interface CedarPolicySet {
     /** Filenames loaded */
     files: string[];
 }
+interface CedarEvalRequest {
+    /** Tool name being called */
+    tool: string;
+    /** Trust tier of the agent */
+    tier: TrustTier;
+    /** Agent ID (optional) */
+    agentId?: string;
+    /** Additional context fields */
+    context?: Record<string, unknown>;
+    /** Tool input (for schema-validated evaluation) */
+    toolInput?: Record<string, unknown>;
+}
+/** Cedar schema for typed policy evaluation (generated by cedar-schema.ts) */
+interface CedarSchema {
+    /** The schema as a JSON object for Cedar WASM */
+    schemaJson: Record<string, unknown> | null;
+    /** Namespace used in the schema */
+    namespace?: string;
+}
+/**
+ * Load all .cedar files from a directory and return a compiled policy set.
+ *
+ * Files are sorted alphabetically for deterministic digest computation.
+ * Throws if the directory doesn't exist or contains no .cedar files.
+ */
+declare function loadCedarPolicies(dirPath: string): CedarPolicySet;
+/**
+ * Evaluate a Cedar policy set against a tool call.
+ *
+ * Returns a standard ExternalDecision compatible with the gateway's
+ * decision pipeline. If Cedar WASM is not available, returns a
+ * fallback allow decision (fail-open, logged).
+ */
+declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema): Promise<ExternalDecision>;
+/**
+ * Validate that Cedar WASM is available.
+ * Useful for CLI startup diagnostics.
+ */
+declare function isCedarAvailable(): Promise<boolean>;
 
 /**
  * MCP tool-calling gateway that intercepts JSON-RPC requests,
@@ -1313,6 +1352,84 @@ declare function validateManifest(manifest: unknown): string[];
  */
 declare function validateEvidenceReceipt(receipt: unknown): string[];
 
+/**
+ * @scopeblind/protect-mcp — Cedar Schema Generator for MCP Tools
+ *
+ * Auto-generates a Cedar authorization schema from MCP tool descriptions.
+ * This enables typed Cedar policies that reference tool input attributes:
+ *
+ *   permit(principal, action == Action::"read_file", resource)
+ *   when { context.input.path like "./workspace/*" };
+ *
+ * Compatible with cedar-policy/cedar-for-agents schema format.
+ * Designed to replace `schema: null` in Cedar WASM evaluations.
+ *
+ * @see https://github.com/cedar-policy/cedar-for-agents
+ * @standard RFC 8785 (JCS), Cedar Policy Language v4
+ */
+/** MCP tool description from tools/list response */
+interface McpToolDescription {
+    name: string;
+    description?: string;
+    inputSchema?: JsonSchema;
+}
+/** Subset of JSON Schema that MCP tools use */
+interface JsonSchema {
+    type?: string | string[];
+    properties?: Record<string, JsonSchema>;
+    required?: string[];
+    items?: JsonSchema;
+    enum?: (string | number | boolean)[];
+    format?: string;
+    description?: string;
+    additionalProperties?: boolean | JsonSchema;
+    anyOf?: JsonSchema[];
+    oneOf?: JsonSchema[];
+}
+/** Generated Cedar schema components */
+interface CedarSchemaResult {
+    /** The .cedarschema text (human-readable Cedar schema format) */
+    schemaText: string;
+    /** The schema as a JSON object (for passing to Cedar WASM) */
+    schemaJson: Record<string, unknown>;
+    /** Number of tools mapped */
+    toolCount: number;
+    /** Tool names included */
+    tools: string[];
+}
+interface SchemaGeneratorConfig {
+    /** Namespace for generated types (default: "ScopeBlind") */
+    namespace?: string;
+    /** Include agent tier as principal attribute (default: true) */
+    includeTier?: boolean;
+    /** Include timestamp context (default: true) */
+    includeTimestamp?: boolean;
+    /** Include agent_id as principal attribute (default: true) */
+    includeAgentId?: boolean;
+}
+/**
+ * Generate a Cedar schema from MCP tool descriptions.
+ *
+ * Produces both human-readable .cedarschema text and the JSON
+ * representation that Cedar WASM accepts.
+ *
+ * The generated schema defines:
+ * - Agent entity type (principal) with tier and agent_id attributes
+ * - Tool entity type (resource)
+ * - One action per MCP tool, with typed input context
+ * - A parent action "MCP::Tool::call" for blanket policies
+ *
+ * This enables policies like:
+ *   forbid(principal, action == Action::"execute_command", resource)
+ *   when { context.input has "command" && context.input.command like "rm *" };
+ */
+declare function generateCedarSchema(tools: McpToolDescription[], config?: SchemaGeneratorConfig): CedarSchemaResult;
+/**
+ * Generate a Cedar schema stub file for customization.
+ * This is the starting point for users who want to extend the auto-generated schema.
+ */
+declare function generateSchemaStub(namespace?: string): string;
+
 /**
  * Sigstore Rekor Transparency Log Anchoring
  *
@@ -2639,4 +2756,4 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };

package/dist/index.d.ts

@@ -539,6 +539,45 @@ interface CedarPolicySet {
     /** Filenames loaded */
     files: string[];
 }
+interface CedarEvalRequest {
+    /** Tool name being called */
+    tool: string;
+    /** Trust tier of the agent */
+    tier: TrustTier;
+    /** Agent ID (optional) */
+    agentId?: string;
+    /** Additional context fields */
+    context?: Record<string, unknown>;
+    /** Tool input (for schema-validated evaluation) */
+    toolInput?: Record<string, unknown>;
+}
+/** Cedar schema for typed policy evaluation (generated by cedar-schema.ts) */
+interface CedarSchema {
+    /** The schema as a JSON object for Cedar WASM */
+    schemaJson: Record<string, unknown> | null;
+    /** Namespace used in the schema */
+    namespace?: string;
+}
+/**
+ * Load all .cedar files from a directory and return a compiled policy set.
+ *
+ * Files are sorted alphabetically for deterministic digest computation.
+ * Throws if the directory doesn't exist or contains no .cedar files.
+ */
+declare function loadCedarPolicies(dirPath: string): CedarPolicySet;
+/**
+ * Evaluate a Cedar policy set against a tool call.
+ *
+ * Returns a standard ExternalDecision compatible with the gateway's
+ * decision pipeline. If Cedar WASM is not available, returns a
+ * fallback allow decision (fail-open, logged).
+ */
+declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema): Promise<ExternalDecision>;
+/**
+ * Validate that Cedar WASM is available.
+ * Useful for CLI startup diagnostics.
+ */
+declare function isCedarAvailable(): Promise<boolean>;
 
 /**
  * MCP tool-calling gateway that intercepts JSON-RPC requests,
@@ -1313,6 +1352,84 @@ declare function validateManifest(manifest: unknown): string[];
  */
 declare function validateEvidenceReceipt(receipt: unknown): string[];
 
+/**
+ * @scopeblind/protect-mcp — Cedar Schema Generator for MCP Tools
+ *
+ * Auto-generates a Cedar authorization schema from MCP tool descriptions.
+ * This enables typed Cedar policies that reference tool input attributes:
+ *
+ *   permit(principal, action == Action::"read_file", resource)
+ *   when { context.input.path like "./workspace/*" };
+ *
+ * Compatible with cedar-policy/cedar-for-agents schema format.
+ * Designed to replace `schema: null` in Cedar WASM evaluations.
+ *
+ * @see https://github.com/cedar-policy/cedar-for-agents
+ * @standard RFC 8785 (JCS), Cedar Policy Language v4
+ */
+/** MCP tool description from tools/list response */
+interface McpToolDescription {
+    name: string;
+    description?: string;
+    inputSchema?: JsonSchema;
+}
+/** Subset of JSON Schema that MCP tools use */
+interface JsonSchema {
+    type?: string | string[];
+    properties?: Record<string, JsonSchema>;
+    required?: string[];
+    items?: JsonSchema;
+    enum?: (string | number | boolean)[];
+    format?: string;
+    description?: string;
+    additionalProperties?: boolean | JsonSchema;
+    anyOf?: JsonSchema[];
+    oneOf?: JsonSchema[];
+}
+/** Generated Cedar schema components */
+interface CedarSchemaResult {
+    /** The .cedarschema text (human-readable Cedar schema format) */
+    schemaText: string;
+    /** The schema as a JSON object (for passing to Cedar WASM) */
+    schemaJson: Record<string, unknown>;
+    /** Number of tools mapped */
+    toolCount: number;
+    /** Tool names included */
+    tools: string[];
+}
+interface SchemaGeneratorConfig {
+    /** Namespace for generated types (default: "ScopeBlind") */
+    namespace?: string;
+    /** Include agent tier as principal attribute (default: true) */
+    includeTier?: boolean;
+    /** Include timestamp context (default: true) */
+    includeTimestamp?: boolean;
+    /** Include agent_id as principal attribute (default: true) */
+    includeAgentId?: boolean;
+}
+/**
+ * Generate a Cedar schema from MCP tool descriptions.
+ *
+ * Produces both human-readable .cedarschema text and the JSON
+ * representation that Cedar WASM accepts.
+ *
+ * The generated schema defines:
+ * - Agent entity type (principal) with tier and agent_id attributes
+ * - Tool entity type (resource)
+ * - One action per MCP tool, with typed input context
+ * - A parent action "MCP::Tool::call" for blanket policies
+ *
+ * This enables policies like:
+ *   forbid(principal, action == Action::"execute_command", resource)
+ *   when { context.input has "command" && context.input.command like "rm *" };
+ */
+declare function generateCedarSchema(tools: McpToolDescription[], config?: SchemaGeneratorConfig): CedarSchemaResult;
+/**
+ * Generate a Cedar schema stub file for customization.
+ * This is the starting point for users who want to extend the auto-generated schema.
+ */
+declare function generateSchemaStub(namespace?: string): string;
+
 /**
  * Sigstore Rekor Transparency Log Anchoring
  *
@@ -2639,4 +2756,4 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };

package/dist/index.js

@@ -35041,18 +35041,21 @@ __export(index_exports, {
   createSandboxServer: () => createSandboxServer,
   destroySandbox: () => destroySandbox,
   ed25519ToDIDKey: () => ed25519ToDIDKey,
+  evaluateCedar: () => evaluateCedar,
   evaluateTier: () => evaluateTier,
   exportC2PAManifestJSON: () => exportC2PAManifestJSON,
   exportJSONL: () => exportJSONL,
   formatReportMarkdown: () => formatReportMarkdown,
   formatSimulation: () => formatSimulation,
   generateC2PACommand: () => generateC2PACommand,
+  generateCedarSchema: () => generateCedarSchema,
   generateDatasetCard: () => generateDatasetCard,
   generateHFMetadata: () => generateHFMetadata,
   generateHookSettings: () => generateHookSettings,
   generateReport: () => generateReport,
   generateSafetyTranscript: () => generateSafetyTranscript,
   generateSampleCedarPolicy: () => generateSampleCedarPolicy,
+  generateSchemaStub: () => generateSchemaStub,
   generateVerifyReceiptSkill: () => generateVerifyReceiptSkill,
   getSignerInfo: () => getSignerInfo,
   getToolPolicy: () => getToolPolicy,
@@ -35060,11 +35063,13 @@ __export(index_exports, {
   hashResponseBody: () => hashResponseBody,
   initSigning: () => initSigning,
   isAgentId: () => isAgentId,
+  isCedarAvailable: () => isCedarAvailable,
   isDisclosureMode: () => isDisclosureMode,
   isEvidenceType: () => isEvidenceType,
   isManifestStatus: () => isManifestStatus,
   isSigningEnabled: () => isSigningEnabled,
   listCredentialLabels: () => listCredentialLabels,
+  loadCedarPolicies: () => loadCedarPolicies,
   loadPolicy: () => loadPolicy,
   manifestToVC: () => manifestToVC,
   meetsMinTier: () => meetsMinTier,
@@ -35731,7 +35736,7 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req) {
+async function evaluateCedar(policySet, req, schema) {
   const available = await ensureCedarWasm();
   if (!available) {
     return {
@@ -35742,16 +35747,21 @@ async function evaluateCedar(policySet, req) {
   }
   try {
     const agentId = req.agentId || req.tier;
+    const context = {
+      tier: req.tier,
+      ...req.context || {}
+    };
+    if (req.toolInput && Object.keys(req.toolInput).length > 0) {
+      context.input = req.toolInput;
+    }
     const authRequest = {
       principal: { type: "Agent", id: agentId },
       action: { type: "Action", id: "MCP::Tool::call" },
       resource: { type: "Tool", id: req.tool },
-      context: {
-        tier: req.tier,
-        ...req.context || {}
-      }
+      context
     };
     const entities = buildEntities(req);
+    const cedarSchema = schema?.schemaJson ?? null;
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
@@ -35761,8 +35771,7 @@ async function evaluateCedar(policySet, req) {
         action: authRequest.action,
         resource: authRequest.resource,
         context: authRequest.context,
-        schema: null
-        // No schema enforcement — Cedar still evaluates correctly
+        schema: cedarSchema
       });
     } else if (typeof cedarWasm.checkAuthorization === "function") {
       result = cedarWasm.checkAuthorization(
@@ -35780,7 +35789,7 @@ async function evaluateCedar(policySet, req) {
           action: authRequest.action,
           resource: authRequest.resource,
           context: authRequest.context,
-          schema: null
+          schema: cedarSchema
         });
       } else {
         return {
@@ -38381,6 +38390,273 @@ If swarm data exists, show the agent topology (coordinator \u2192 workers).
 `;
 }
 
+// src/cedar-schema.ts
+function jsonSchemaToCedarType(schema, namespace, path) {
+  if (schema.enum) {
+    return "String";
+  }
+  const type = Array.isArray(schema.type) ? schema.type[0] : schema.type;
+  switch (type) {
+    case "string":
+      if (schema.format === "date-time") return "String";
+      if (schema.format === "uri") return "String";
+      return "String";
+    case "integer":
+    case "number":
+      return "Long";
+    case "boolean":
+      return "Bool";
+    case "array":
+      if (schema.items) {
+        const itemType = jsonSchemaToCedarType(schema.items, namespace, path + "_item");
+        return `Set<${itemType}>`;
+      }
+      return "Set<String>";
+    // Default to Set<String> for untyped arrays
+    case "object":
+      if (schema.properties && Object.keys(schema.properties).length > 0) {
+        const fields = Object.entries(schema.properties).map(([key, prop]) => {
+          const cedarType = jsonSchemaToCedarType(prop, namespace, path + "_" + sanitizeIdentifier(key));
+          const isRequired = schema.required?.includes(key) ?? false;
+          return `    "${sanitizeIdentifier(key)}": ${cedarType}${isRequired ? "" : "?"}`;
+        });
+        return `{
+${fields.join(",\n")}
+  }`;
+      }
+      return "Record";
+    // Empty objects
+    default:
+      return "String";
+  }
+}
+function sanitizeIdentifier(name) {
+  return name.replace(/[^a-zA-Z0-9_]/g, "_").replace(/^(\d)/, "_$1");
+}
+function cedarActionId(toolName) {
+  if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(toolName)) {
+    return toolName;
+  }
+  return toolName;
+}
+function generateCedarSchema(tools, config = {}) {
+  const ns = config.namespace || "ScopeBlind";
+  const includeTier = config.includeTier !== false;
+  const includeTimestamp = config.includeTimestamp !== false;
+  const includeAgentId = config.includeAgentId !== false;
+  const agentAttrs = [];
+  if (includeTier) agentAttrs.push('    "tier": String');
+  if (includeAgentId) agentAttrs.push('    "agent_id": String?');
+  const sessionFields = [];
+  if (includeTimestamp) sessionFields.push('    "timestamp": String?');
+  sessionFields.push('    "hook_event": String?');
+  const actionDeclarations = [];
+  const inputTypeDeclarations = [];
+  for (const tool of tools) {
+    const actionName = cedarActionId(tool.name);
+    const inputTypeName = `${sanitizeIdentifier(tool.name)}_Input`;
+    if (tool.inputSchema?.properties && Object.keys(tool.inputSchema.properties).length > 0) {
+      const fields = Object.entries(tool.inputSchema.properties).map(([key, prop]) => {
+        const cedarType = jsonSchemaToCedarType(prop, ns, sanitizeIdentifier(tool.name) + "_" + sanitizeIdentifier(key));
+        const isRequired = tool.inputSchema?.required?.includes(key) ?? false;
+        return `    "${sanitizeIdentifier(key)}": ${cedarType}${isRequired ? "" : "?"}`;
+      });
+      inputTypeDeclarations.push(
+        `  // Input type for tool: ${tool.name}` + (tool.description ? `
+  // ${tool.description}` : "") + `
+  type ${inputTypeName} = {
+${fields.join(",\n")}
+  };`
+      );
+      actionDeclarations.push(
+        `  action "${actionName}" in [Action::"MCP::Tool::call"] appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "input": ${inputTypeName},
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+      );
+    } else {
+      actionDeclarations.push(
+        `  action "${actionName}" in [Action::"MCP::Tool::call"] appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+      );
+    }
+  }
+  actionDeclarations.push(
+    `  // Blanket action for policies matching any tool call
+  action "MCP::Tool::call" appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+  );
+  const schemaText = [
+    `// Cedar schema for MCP tool governance`,
+    `// Generated by protect-mcp from ${tools.length} tool description(s)`,
+    `// Compatible with cedar-policy/cedar-for-agents`,
+    ``,
+    `namespace ${ns} {`,
+    ``,
+    `  // \u2500\u2500 Entity types \u2500\u2500`,
+    ``,
+    `  entity Agent${agentAttrs.length > 0 ? ` = {
+${agentAttrs.join(",\n")}
+  }` : ""};`,
+    ``,
+    `  entity Tool;`,
+    ``,
+    ...inputTypeDeclarations.length > 0 ? [`  // \u2500\u2500 Tool input types \u2500\u2500`, ``, ...inputTypeDeclarations, ``] : [],
+    `  // \u2500\u2500 Actions \u2500\u2500`,
+    ``,
+    ...actionDeclarations,
+    ``,
+    `}`,
+    ``
+  ].join("\n");
+  const schemaJson = buildSchemaJson(tools, ns, config);
+  return {
+    schemaText,
+    schemaJson,
+    toolCount: tools.length,
+    tools: tools.map((t) => t.name)
+  };
+}
+function buildSchemaJson(tools, namespace, config) {
+  const entityTypes = {
+    Agent: {
+      shape: {
+        type: "Record",
+        attributes: {
+          ...config.includeTier !== false ? { tier: { type: "String", required: false } } : {},
+          ...config.includeAgentId !== false ? { agent_id: { type: "String", required: false } } : {}
+        }
+      },
+      memberOfTypes: []
+    },
+    Tool: {
+      shape: { type: "Record", attributes: {} },
+      memberOfTypes: []
+    }
+  };
+  const actions = {};
+  for (const tool of tools) {
+    const contextAttrs = {
+      tier: { type: "String", required: false }
+    };
+    if (config.includeTimestamp !== false) {
+      contextAttrs["timestamp"] = { type: "String", required: false };
+    }
+    if (config.includeAgentId !== false) {
+      contextAttrs["agent_id"] = { type: "String", required: false };
+    }
+    if (tool.inputSchema?.properties) {
+      const inputAttrs = {};
+      for (const [key, prop] of Object.entries(tool.inputSchema.properties)) {
+        inputAttrs[sanitizeIdentifier(key)] = {
+          type: jsonSchemaToSchemaJsonType(prop),
+          required: tool.inputSchema.required?.includes(key) ?? false
+        };
+      }
+      contextAttrs["input"] = {
+        type: "Record",
+        attributes: inputAttrs,
+        required: false
+      };
+    }
+    actions[tool.name] = {
+      appliesTo: {
+        principalTypes: ["Agent"],
+        resourceTypes: ["Tool"],
+        context: { type: "Record", attributes: contextAttrs }
+      },
+      memberOf: [{ id: "MCP::Tool::call" }]
+    };
+  }
+  const blanketContext = {
+    tier: { type: "String", required: false }
+  };
+  if (config.includeTimestamp !== false) {
+    blanketContext["timestamp"] = { type: "String", required: false };
+  }
+  if (config.includeAgentId !== false) {
+    blanketContext["agent_id"] = { type: "String", required: false };
+  }
+  actions["MCP::Tool::call"] = {
+    appliesTo: {
+      principalTypes: ["Agent"],
+      resourceTypes: ["Tool"],
+      context: { type: "Record", attributes: blanketContext }
+    }
+  };
+  return {
+    [namespace]: {
+      entityTypes,
+      actions
+    }
+  };
+}
+function jsonSchemaToSchemaJsonType(schema) {
+  if (schema.enum) return "String";
+  const type = Array.isArray(schema.type) ? schema.type[0] : schema.type;
+  switch (type) {
+    case "string":
+      return "String";
+    case "integer":
+    case "number":
+      return "Long";
+    case "boolean":
+      return "EntityOrCommon";
+    // Cedar JSON schema uses this for Bool
+    case "array":
+      return "Set";
+    default:
+      return "String";
+  }
+}
+function generateSchemaStub(namespace = "ScopeBlind") {
+  return [
+    `// Cedar schema stub for protect-mcp`,
+    `// This defines the principal and resource entity types.`,
+    `// Tool-specific actions are auto-generated from MCP tools/list.`,
+    `//`,
+    `// Compatible with cedar-policy/cedar-for-agents @mcp_principal/@mcp_resource annotations.`,
+    `// See: https://github.com/cedar-policy/cedar-for-agents`,
+    ``,
+    `namespace ${namespace} {`,
+    ``,
+    `  // @mcp_principal`,
+    `  entity Agent = {`,
+    `    "tier": String,`,
+    `    "agent_id": String?`,
+    `  };`,
+    ``,
+    `  // @mcp_resource`,
+    `  entity Tool;`,
+    ``,
+    `  // @mcp_action`,
+    `  action "MCP::Tool::call" appliesTo {`,
+    `    principal: [Agent],`,
+    `    resource: [Tool],`,
+    `    context: {`,
+    `      "tier": String`,
+    `    }`,
+    `  };`,
+    ``,
+    `}`,
+    ``
+  ].join("\n");
+}
+
 // src/rekor-anchor.ts
 var import_node_crypto5 = require("crypto");
 var REKOR_API = "https://rekor.sigstore.dev/api/v1";
@@ -39807,18 +40083,21 @@ function createSandboxServer() {
   createSandboxServer,
   destroySandbox,
   ed25519ToDIDKey,
+  evaluateCedar,
   evaluateTier,
   exportC2PAManifestJSON,
   exportJSONL,
   formatReportMarkdown,
   formatSimulation,
   generateC2PACommand,
+  generateCedarSchema,
   generateDatasetCard,
   generateHFMetadata,
   generateHookSettings,
   generateReport,
   generateSafetyTranscript,
   generateSampleCedarPolicy,
+  generateSchemaStub,
   generateVerifyReceiptSkill,
   getSignerInfo,
   getToolPolicy,
@@ -39826,11 +40105,13 @@ function createSandboxServer() {
   hashResponseBody,
   initSigning,
   isAgentId,
+  isCedarAvailable,
   isDisclosureMode,
   isEvidenceType,
   isManifestStatus,
   isSigningEnabled,
   listCredentialLabels,
+  loadCedarPolicies,
   loadPolicy,
   manifestToVC,
   meetsMinTier,

package/dist/index.mjs

@@ -6,7 +6,7 @@ import {
   formatSimulation,
   parseLogFile,
   simulate
-} from "./chunk-YKM6W6T7.mjs";
+} from "./chunk-W4U5VNEC.mjs";
 import {
   ProtectGateway,
   buildDecisionContext,
@@ -18,7 +18,7 @@ import {
   resolveCredential,
   sendApprovalNotification,
   validateCredentials
-} from "./chunk-IUFFDQYZ.mjs";
+} from "./chunk-IWDR5WU3.mjs";
 import {
   createSandboxServer
 } from "./chunk-SU2FZH7U.mjs";
@@ -30,17 +30,20 @@ import {
 } from "./chunk-UEHLYOJY.mjs";
 import {
   startHookServer
-} from "./chunk-IAJJA5IW.mjs";
+} from "./chunk-Q4KOQUKV.mjs";
 import {
   checkRateLimit,
+  evaluateCedar,
   getSignerInfo,
   getToolPolicy,
   initSigning,
+  isCedarAvailable,
   isSigningEnabled,
+  loadCedarPolicies,
   loadPolicy,
   parseRateLimit,
   signDecision
-} from "./chunk-V52W3XIN.mjs";
+} from "./chunk-N4F76LTC.mjs";
 import {
   collectSignedReceipts,
   createAuditBundle
@@ -202,6 +205,273 @@ function validateEvidenceReceipt(receipt) {
   return errors;
 }
 
+// src/cedar-schema.ts
+function jsonSchemaToCedarType(schema, namespace, path) {
+  if (schema.enum) {
+    return "String";
+  }
+  const type = Array.isArray(schema.type) ? schema.type[0] : schema.type;
+  switch (type) {
+    case "string":
+      if (schema.format === "date-time") return "String";
+      if (schema.format === "uri") return "String";
+      return "String";
+    case "integer":
+    case "number":
+      return "Long";
+    case "boolean":
+      return "Bool";
+    case "array":
+      if (schema.items) {
+        const itemType = jsonSchemaToCedarType(schema.items, namespace, path + "_item");
+        return `Set<${itemType}>`;
+      }
+      return "Set<String>";
+    // Default to Set<String> for untyped arrays
+    case "object":
+      if (schema.properties && Object.keys(schema.properties).length > 0) {
+        const fields = Object.entries(schema.properties).map(([key, prop]) => {
+          const cedarType = jsonSchemaToCedarType(prop, namespace, path + "_" + sanitizeIdentifier(key));
+          const isRequired = schema.required?.includes(key) ?? false;
+          return `    "${sanitizeIdentifier(key)}": ${cedarType}${isRequired ? "" : "?"}`;
+        });
+        return `{
+${fields.join(",\n")}
+  }`;
+      }
+      return "Record";
+    // Empty objects
+    default:
+      return "String";
+  }
+}
+function sanitizeIdentifier(name) {
+  return name.replace(/[^a-zA-Z0-9_]/g, "_").replace(/^(\d)/, "_$1");
+}
+function cedarActionId(toolName) {
+  if (/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(toolName)) {
+    return toolName;
+  }
+  return toolName;
+}
+function generateCedarSchema(tools, config = {}) {
+  const ns = config.namespace || "ScopeBlind";
+  const includeTier = config.includeTier !== false;
+  const includeTimestamp = config.includeTimestamp !== false;
+  const includeAgentId = config.includeAgentId !== false;
+  const agentAttrs = [];
+  if (includeTier) agentAttrs.push('    "tier": String');
+  if (includeAgentId) agentAttrs.push('    "agent_id": String?');
+  const sessionFields = [];
+  if (includeTimestamp) sessionFields.push('    "timestamp": String?');
+  sessionFields.push('    "hook_event": String?');
+  const actionDeclarations = [];
+  const inputTypeDeclarations = [];
+  for (const tool of tools) {
+    const actionName = cedarActionId(tool.name);
+    const inputTypeName = `${sanitizeIdentifier(tool.name)}_Input`;
+    if (tool.inputSchema?.properties && Object.keys(tool.inputSchema.properties).length > 0) {
+      const fields = Object.entries(tool.inputSchema.properties).map(([key, prop]) => {
+        const cedarType = jsonSchemaToCedarType(prop, ns, sanitizeIdentifier(tool.name) + "_" + sanitizeIdentifier(key));
+        const isRequired = tool.inputSchema?.required?.includes(key) ?? false;
+        return `    "${sanitizeIdentifier(key)}": ${cedarType}${isRequired ? "" : "?"}`;
+      });
+      inputTypeDeclarations.push(
+        `  // Input type for tool: ${tool.name}` + (tool.description ? `
+  // ${tool.description}` : "") + `
+  type ${inputTypeName} = {
+${fields.join(",\n")}
+  };`
+      );
+      actionDeclarations.push(
+        `  action "${actionName}" in [Action::"MCP::Tool::call"] appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "input": ${inputTypeName},
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+      );
+    } else {
+      actionDeclarations.push(
+        `  action "${actionName}" in [Action::"MCP::Tool::call"] appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+      );
+    }
+  }
+  actionDeclarations.push(
+    `  // Blanket action for policies matching any tool call
+  action "MCP::Tool::call" appliesTo {
+    principal: [Agent],
+    resource: [Tool],
+    context: {
+      "tier": String${includeTimestamp ? ',\n      "timestamp": String?' : ""}${includeAgentId ? ',\n      "agent_id": String?' : ""}
+    }
+  };`
+  );
+  const schemaText = [
+    `// Cedar schema for MCP tool governance`,
+    `// Generated by protect-mcp from ${tools.length} tool description(s)`,
+    `// Compatible with cedar-policy/cedar-for-agents`,
+    ``,
+    `namespace ${ns} {`,
+    ``,
+    `  // \u2500\u2500 Entity types \u2500\u2500`,
+    ``,
+    `  entity Agent${agentAttrs.length > 0 ? ` = {
+${agentAttrs.join(",\n")}
+  }` : ""};`,
+    ``,
+    `  entity Tool;`,
+    ``,
+    ...inputTypeDeclarations.length > 0 ? [`  // \u2500\u2500 Tool input types \u2500\u2500`, ``, ...inputTypeDeclarations, ``] : [],
+    `  // \u2500\u2500 Actions \u2500\u2500`,
+    ``,
+    ...actionDeclarations,
+    ``,
+    `}`,
+    ``
+  ].join("\n");
+  const schemaJson = buildSchemaJson(tools, ns, config);
+  return {
+    schemaText,
+    schemaJson,
+    toolCount: tools.length,
+    tools: tools.map((t) => t.name)
+  };
+}
+function buildSchemaJson(tools, namespace, config) {
+  const entityTypes = {
+    Agent: {
+      shape: {
+        type: "Record",
+        attributes: {
+          ...config.includeTier !== false ? { tier: { type: "String", required: false } } : {},
+          ...config.includeAgentId !== false ? { agent_id: { type: "String", required: false } } : {}
+        }
+      },
+      memberOfTypes: []
+    },
+    Tool: {
+      shape: { type: "Record", attributes: {} },
+      memberOfTypes: []
+    }
+  };
+  const actions = {};
+  for (const tool of tools) {
+    const contextAttrs = {
+      tier: { type: "String", required: false }
+    };
+    if (config.includeTimestamp !== false) {
+      contextAttrs["timestamp"] = { type: "String", required: false };
+    }
+    if (config.includeAgentId !== false) {
+      contextAttrs["agent_id"] = { type: "String", required: false };
+    }
+    if (tool.inputSchema?.properties) {
+      const inputAttrs = {};
+      for (const [key, prop] of Object.entries(tool.inputSchema.properties)) {
+        inputAttrs[sanitizeIdentifier(key)] = {
+          type: jsonSchemaToSchemaJsonType(prop),
+          required: tool.inputSchema.required?.includes(key) ?? false
+        };
+      }
+      contextAttrs["input"] = {
+        type: "Record",
+        attributes: inputAttrs,
+        required: false
+      };
+    }
+    actions[tool.name] = {
+      appliesTo: {
+        principalTypes: ["Agent"],
+        resourceTypes: ["Tool"],
+        context: { type: "Record", attributes: contextAttrs }
+      },
+      memberOf: [{ id: "MCP::Tool::call" }]
+    };
+  }
+  const blanketContext = {
+    tier: { type: "String", required: false }
+  };
+  if (config.includeTimestamp !== false) {
+    blanketContext["timestamp"] = { type: "String", required: false };
+  }
+  if (config.includeAgentId !== false) {
+    blanketContext["agent_id"] = { type: "String", required: false };
+  }
+  actions["MCP::Tool::call"] = {
+    appliesTo: {
+      principalTypes: ["Agent"],
+      resourceTypes: ["Tool"],
+      context: { type: "Record", attributes: blanketContext }
+    }
+  };
+  return {
+    [namespace]: {
+      entityTypes,
+      actions
+    }
+  };
+}
+function jsonSchemaToSchemaJsonType(schema) {
+  if (schema.enum) return "String";
+  const type = Array.isArray(schema.type) ? schema.type[0] : schema.type;
+  switch (type) {
+    case "string":
+      return "String";
+    case "integer":
+    case "number":
+      return "Long";
+    case "boolean":
+      return "EntityOrCommon";
+    // Cedar JSON schema uses this for Bool
+    case "array":
+      return "Set";
+    default:
+      return "String";
+  }
+}
+function generateSchemaStub(namespace = "ScopeBlind") {
+  return [
+    `// Cedar schema stub for protect-mcp`,
+    `// This defines the principal and resource entity types.`,
+    `// Tool-specific actions are auto-generated from MCP tools/list.`,
+    `//`,
+    `// Compatible with cedar-policy/cedar-for-agents @mcp_principal/@mcp_resource annotations.`,
+    `// See: https://github.com/cedar-policy/cedar-for-agents`,
+    ``,
+    `namespace ${namespace} {`,
+    ``,
+    `  // @mcp_principal`,
+    `  entity Agent = {`,
+    `    "tier": String,`,
+    `    "agent_id": String?`,
+    `  };`,
+    ``,
+    `  // @mcp_resource`,
+    `  entity Tool;`,
+    ``,
+    `  // @mcp_action`,
+    `  action "MCP::Tool::call" appliesTo {`,
+    `    principal: [Agent],`,
+    `    resource: [Tool],`,
+    `    context: {`,
+    `      "tier": String`,
+    `    }`,
+    `  };`,
+    ``,
+    `}`,
+    ``
+  ].join("\n");
+}
+
 // src/rekor-anchor.ts
 import { createHash } from "crypto";
 var REKOR_API = "https://rekor.sigstore.dev/api/v1";
@@ -1452,18 +1722,21 @@ export {
   createSandboxServer,
   destroySandbox,
   ed25519ToDIDKey,
+  evaluateCedar,
   evaluateTier,
   exportC2PAManifestJSON,
   exportJSONL,
   formatReportMarkdown,
   formatSimulation,
   generateC2PACommand,
+  generateCedarSchema,
   generateDatasetCard,
   generateHFMetadata,
   generateHookSettings,
   generateReport,
   generateSafetyTranscript,
   generateSampleCedarPolicy,
+  generateSchemaStub,
   generateVerifyReceiptSkill,
   getSignerInfo,
   getToolPolicy,
@@ -1471,11 +1744,13 @@ export {
   hashResponseBody,
   initSigning,
   isAgentId,
+  isCedarAvailable,
   isDisclosureMode,
   isEvidenceType,
   isManifestStatus,
   isSigningEnabled,
   listCredentialLabels,
+  loadCedarPolicies,
   loadPolicy,
   manifestToVC,
   meetsMinTier,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "protect-mcp",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "mcpName": "io.github.tomjwxf/protect-mcp",
   "description": "Enterprise security gateway for MCP servers and Claude Code hooks. Cedar policies, Ed25519-signed receipts, swarm tracking, and tamper detection. Shadow or enforce mode.",
   "main": "dist/index.js",