protect-mcp 0.5.4 → 0.6.0

package/README.md

@@ -1,6 +1,73 @@
 # protect-mcp
 
-Enterprise security gateway for MCP servers and Claude Code hooks. Signed receipts, Cedar policies, and swarm-aware audit trails.
+[![npm version](https://img.shields.io/npm/v/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Downloads](https://img.shields.io/npm/dm/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Claude Code Marketplace](https://img.shields.io/badge/Claude%20Code-marketplace-d97757?logo=anthropic&logoColor=white)](https://github.com/wshobson/agents/tree/main/plugins/protect-mcp)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+
+> A policy check that sits between your AI agent and the tools it calls.
+> Every tool call is evaluated against a rule you wrote. Every decision is signed.
+
+## What it does, in plain English
+
+When an AI agent (Claude Code, Cursor, a custom LangChain app, anything that
+uses the Model Context Protocol) wants to run a command, edit a file, or call
+an API, `protect-mcp` intercepts that request before it executes:
+
+1. **Checks a policy.** You write rules in [Cedar](https://www.cedarpolicy.com/)
+   — the same policy language AWS uses for IAM. Rules like *"never allow
+   `rm -rf /`"*, *"only allow `Bash` during working hours"*, or *"require
+   human approval for anything touching production."*
+2. **Returns a decision.** `allow`, `deny`, or `request_approval`. The agent
+   framework respects the decision — if it's `deny`, the tool call doesn't run.
+3. **Signs a receipt.** An Ed25519-signed, hash-chained record of the decision,
+   written to `.receipts/`. Verifiable offline by anyone with the public key.
+   When your auditor asks *"what did that agent do on 2026-03-14?"* you have
+   cryptographic proof — not a log file you might have tampered with.
+
+You install it once. Your agent keeps working the same way. The difference:
+every action it takes is now policy-checked and audit-evidenced.
+
+## Who this is for
+
+- **Developers using Claude Code / Cursor / Cline** who want *"don't let the
+  agent delete my repo"* enforced rather than hoped for.
+- **Security teams** shipping agents to engineering who need a portable
+  policy layer that travels across frameworks.
+- **Compliance teams** who need tamper-evident evidence of what agents did,
+  verifiable without trusting the vendor.
+
+## How it relates to `sb-runtime`
+
+`protect-mcp` is a **library** — it sits inside your agent framework and
+gates tool calls cooperatively. Right tool when you own the agent's code and
+trust its framework to honour decisions.
+
+[`sb-runtime`](https://github.com/ScopeBlind/sb-runtime) is the companion
+**binary** that wraps the whole agent *process* in an OS-level sandbox
+(Landlock + seccomp on Linux). It enforces decisions at the kernel layer —
+the agent can't ignore them even if it tried. Use `sb-runtime` when you're
+running an agent you didn't write, or when you want belt-and-braces defence
+in depth:
+
+```
+┌─────────────────────────────────────────────────┐
+│  sb-runtime   ← OS refuses forbidden syscalls   │
+│  ┌───────────────────────────────────────────┐  │
+│  │  agent process (Claude Code, Python, …)   │  │
+│  │  ┌─────────────────────────────────────┐  │  │
+│  │  │  protect-mcp                        │  │  │
+│  │  │    ← Cedar decides per tool call,   │  │  │
+│  │  │      receipts every decision        │  │  │
+│  │  └─────────────────────────────────────┘  │  │
+│  └───────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────┘
+```
+
+**One-liner:** `protect-mcp` is the policy hook inside your agent.
+`sb-runtime` is the OS sandbox around it. You want both.
+
+---
 
 ## Quick Start — Claude Code
 
@@ -268,12 +335,30 @@ Free tier: 20,000 receipts/month. No credit card required.
 
 [scopeblind.com/pricing](https://scopeblind.com/pricing)
 
+## Interoperability
+
+The receipt format is independently implemented and verified across multiple systems:
+
+| Evidence | Detail |
+|----------|--------|
+| **4 independent implementations** | TypeScript (protect-mcp), Python (protect-mcp-adk), Rust (Cedar WASM), APS ProxyGateway |
+| **2 IETF Internet-Drafts** | [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/), [draft-pidlisnyi-aps-00](https://datatracker.ietf.org/doc/draft-pidlisnyi-aps/) |
+| **8 cross-engine receipts** | [Composition test](https://github.com/ScopeBlind/examples/tree/main/interop/composition-test): 2 engines, 1 verifier, all VALID |
+| **3 enterprise integrations** | Microsoft AGT [#667](https://github.com/microsoft/agent-governance-toolkit/pull/667), [#1159](https://github.com/microsoft/agent-governance-toolkit/pull/1159), [#1168](https://github.com/microsoft/agent-governance-toolkit/pull/1168) |
+| **1 verifier, zero dependencies** | `npx @veritasacta/verify receipt.json --key <hex>` (Apache-2.0, offline) |
+
+Verify any receipt from any implementation:
+
+```bash
+npx @veritasacta/verify receipt.json --key <public-key-hex>
+# Exit 0 = valid, 1 = tampered, 2 = malformed
+```
+
 ## Standards & IP
 
-- **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) — Signed Decision Receipts for Machine-to-Machine Access Control
-- **Patent Status**: 4 Australian provisional patents pending (2025-2026) covering decision receipts with configurable disclosure, tool-calling gateway, agent manifests, and portable identity
-- **Verification**: Apache-2.0 — `npx @veritasacta/verify --self-test`
-- **Microsoft AGT Integration**: [PR #667](https://github.com/microsoft/agent-governance-toolkit/pull/667) — Cedar policy bridge for Agent Governance Toolkit
+- **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
+- **Patent Status**: 4 Australian provisional patents pending (2025-2026)
+- **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) merged + [PR #73](https://github.com/cedar-policy/cedar-for-agents/pull/73) (RequestGenerator, pending review)
 
 ## What's New in v0.5.3
 
@@ -282,12 +367,62 @@ Free tier: 20,000 receipts/month. No credit card required.
 - Anonymous install telemetry (opt-out: `PROTECT_MCP_TELEMETRY=off`)
 - Improved Cedar WASM detection
 
+## Cybersecurity: Vulnerability Disclosure Receipts
+
+protect-mcp provides the infrastructure for receipt-signed vulnerability disclosure workflows. When AI security agents (Claude Code Security, Mythos, or similar) discover vulnerabilities, every step of the disclosure lifecycle can produce a signed, chain-linked receipt:
+
+```
+DISCOVER → DISCLOSE → PATCH → DEPLOY
+(Each step: Ed25519-signed, chain-linked, Cedar policy-bound)
+```
+
+Cedar policies govern what the scanning agent is allowed to do:
+- **CAN**: scan code, report findings internally
+- **CANNOT**: disclose externally or deploy patches without human approval
+- **MUST**: escalate critical findings to humans
+
+See the [security vulnerability disclosure example](https://github.com/ScopeBlind/examples/tree/main/security-vulnerability-disclosure) for a complete working implementation with Cedar policies and example receipt chains.
+
+Related: [Vulnerability Disclosure Receipt Design](https://github.com/scopeblind/scopeblind-gateway/issues/2)
+
 ## Examples
 
-See complete working examples at [github.com/ScopeBlind/examples](https://github.com/ScopeBlind/examples).
+See complete working examples at [github.com/ScopeBlind/examples](https://github.com/ScopeBlind/examples):
+- [Claude Code hooks](https://github.com/ScopeBlind/examples/tree/main/claude-code-hooks) — receipt signing for every tool call
+- [Security vulnerability disclosure](https://github.com/ScopeBlind/examples/tree/main/security-vulnerability-disclosure) — receipt-signed disclosure lifecycle with Cedar governance
+- [MCP server signing](https://github.com/ScopeBlind/examples/tree/main/mcp-server-signing) — Cedar WASM policy engine with audit bundles
+
+## ScopeBlind Dashboard
+
+protect-mcp works fully offline, forever, for free. For teams that want visibility across agents, ScopeBlind offers a hosted dashboard:
+
+```bash
+npx protect-mcp connect
+```
+
+| | Free | Pro | Enterprise |
+|---|---|---|---|
+| Receipts/month | 20,000 | Pay-as-you-go | Annual commit |
+| Price | $0 | $0.50 / 1K | $0.40 / 1K |
+| Receipt explorer | Yes | Yes | Yes |
+| Compliance reports | Yes | Yes | Yes |
+| SSO / SAML | - | - | Yes |
+| SLA | - | - | 99.9% |
+
+No signup required for free tier. No card upfront.
+
+[Dashboard](https://scopeblind.com) | [Docs](https://scopeblind.com/docs/protect-mcp) | [Pricing](https://scopeblind.com/pricing)
+
+## Telemetry
+
+protect-mcp sends a single anonymous install beacon on first run (package name, version, OS, Node version). No PII. Disable with:
+
+```bash
+PROTECT_MCP_TELEMETRY=off
+```
 
 ## License
 
 MIT — free to use, modify, distribute, and build upon without restriction.
 
-[scopeblind.com](https://scopeblind.com) · [npm](https://www.npmjs.com/package/protect-mcp) · [GitHub](https://github.com/scopeblind/scopeblind-gateway) · [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
+Built by [ScopeBlind](https://scopeblind.com) | [npm](https://www.npmjs.com/package/protect-mcp) | [GitHub](https://github.com/scopeblind/scopeblind-gateway) | [IETF Draft](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)

package/dist/{ed25519-V7HDL2WC.mjs → chunk-LYKNULYU.mjs}

@@ -12,10 +12,10 @@ import {
   hexToBytes,
   isBytes,
   randomBytes,
+  rotr,
   toBytes,
   utf8ToBytes
 } from "./chunk-D733KAPG.mjs";
-import "./chunk-PQJP2ZCI.mjs";
 
 // node_modules/@noble/hashes/esm/_md.js
 function setBigUint64(view, byteOffset, value, isLE) {
@@ -30,6 +30,12 @@ function setBigUint64(view, byteOffset, value, isLE) {
   view.setUint32(byteOffset + h, wh, isLE);
   view.setUint32(byteOffset + l, wl, isLE);
 }
+function Chi(a, b, c) {
+  return a & b ^ ~a & c;
+}
+function Maj(a, b, c) {
+  return a & b ^ a & c ^ b & c;
+}
 var HashMD = class extends Hash {
   constructor(blockLen, outputLen, padOffset, isLE) {
     super();
@@ -120,6 +126,16 @@ var HashMD = class extends Hash {
     return this._cloneInto();
   }
 };
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
 var SHA512_IV = /* @__PURE__ */ Uint32Array.from([
   1779033703,
   4089235720,
@@ -175,6 +191,143 @@ var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >
 var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
 
 // node_modules/@noble/hashes/esm/sha2.js
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA256 = class extends HashMD {
+  constructor(outputLen = 32) {
+    super(64, outputLen, 8, false);
+    this.A = SHA256_IV[0] | 0;
+    this.B = SHA256_IV[1] | 0;
+    this.C = SHA256_IV[2] | 0;
+    this.D = SHA256_IV[3] | 0;
+    this.E = SHA256_IV[4] | 0;
+    this.F = SHA256_IV[5] | 0;
+    this.G = SHA256_IV[6] | 0;
+    this.H = SHA256_IV[7] | 0;
+  }
+  get() {
+    const { A, B, C, D, E, F, G, H } = this;
+    return [A, B, C, D, E, F, G, H];
+  }
+  // prettier-ignore
+  set(A, B, C, D, E, F, G, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W[i - 15];
+      const W2 = SHA256_W[i - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+    }
+    let { A, B, C, D, E, F, G, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
+      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+      const T2 = sigma0 + Maj(A, B, C) | 0;
+      H = G;
+      G = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C;
+      C = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C = C + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G = G + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C, D, E, F, G, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
 var K512 = /* @__PURE__ */ (() => split([
   "0x428a2f98d728ae22",
   "0x7137449123ef65cd",
@@ -372,6 +525,7 @@ var SHA512 = class extends HashMD {
     this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
   }
 };
+var sha256 = /* @__PURE__ */ createHasher(() => new SHA256());
 var sha512 = /* @__PURE__ */ createHasher(() => new SHA512());
 
 // node_modules/@noble/curves/esm/utils.js
@@ -2260,23 +2414,25 @@ var hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
 var encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
 var hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
 var hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+
 export {
-  ED25519_TORSION_SUBGROUP,
-  RistrettoPoint,
+  sha256,
   ed25519,
-  ed25519_hasher,
   ed25519ctx,
   ed25519ph,
+  x25519,
+  ed25519_hasher,
+  ristretto255,
+  ristretto255_hasher,
+  ED25519_TORSION_SUBGROUP,
+  edwardsToMontgomeryPub,
   edwardsToMontgomery,
   edwardsToMontgomeryPriv,
-  edwardsToMontgomeryPub,
-  encodeToCurve,
+  RistrettoPoint,
   hashToCurve,
+  encodeToCurve,
   hashToRistretto255,
-  hash_to_ristretto255,
-  ristretto255,
-  ristretto255_hasher,
-  x25519
+  hash_to_ristretto255
 };
 /*! Bundled license information:
 

package/dist/{chunk-FAELTNS7.mjs → chunk-SPHLVRJ2.mjs}

@@ -696,48 +696,53 @@ async function startHookServer(options = {}) {
     }));
   });
   server.listen(port, "127.0.0.1", () => {
-    process.stderr.write(`
+    const w = (s) => process.stderr.write(s);
+    const pad = (s, n = 46) => s.padEnd(n);
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+    w(`  protect-mcp v0.5.4
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  protect-mcp Hook Server v0.5.3                \u2502
+    w(`  ScopeBlind \u2014 https://scopeblind.com
 `);
-    process.stderr.write(`[PROTECT_MCP] \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Listening:  http://127.0.0.1:${String(port).padEnd(5)}             \u2502
+    w(`  Listening     http://127.0.0.1:${port}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Mode:       ${(enforce ? "enforce" : "shadow").padEnd(36)}\u2502
+    w(`  Mode          ${enforce ? "enforce" : "shadow"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Policy:     ${(cedarPolicies ? `Cedar (${cedarPolicies.fileCount} files)` : jsonPolicy ? "JSON" : "none").padEnd(36)}\u2502
+    w(`  Policy        ${cedarPolicies ? `Cedar (${cedarPolicies.fileCount} files)` : jsonPolicy ? "JSON" : "none"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Signing:    ${(isSigningEnabled() ? "Ed25519 \u2713" : "disabled").padEnd(36)}\u2502
+    w(`  Signing       ${isSigningEnabled() ? "Ed25519" : "disabled"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Swarm:      ${(state.swarmContext.team_name ? `${state.swarmContext.team_name} (${state.swarmContext.agent_type})` : "standalone").padEnd(36)}\u2502
+    if (state.swarmContext.team_name) {
+      w(`  Swarm         ${state.swarmContext.team_name} (${state.swarmContext.agent_type})
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Sandbox:    ${detectSandboxState().padEnd(36)}\u2502
+    }
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+    w(`  POST /hook         Hook receiver
 `);
-    process.stderr.write(`
+    w(`  GET  /health       Health + signer info
 `);
-    process.stderr.write(`[PROTECT_MCP] Endpoints:
+    w(`  GET  /receipts     Signed receipts
 `);
-    process.stderr.write(`  POST /hook           \u2014 Claude Code hook receiver
+    w(`  GET  /suggestions  Cedar policy suggestions
 `);
-    process.stderr.write(`  GET  /health         \u2014 Health check + signer info
+    w(`
 `);
-    process.stderr.write(`  GET  /receipts       \u2014 Recent signed receipts
+    w(`  deny is authoritative \u2014 cannot be overridden.
 `);
-    process.stderr.write(`  GET  /suggestions    \u2014 Auto-generated Cedar policy suggestions
+    w(`
 `);
-    process.stderr.write(`  GET  /alerts         \u2014 Config tamper alerts
+    const hasSlug = process.env.SCOPEBLIND_SLUG || existsSync(join(process.cwd(), ".scopeblind"));
+    if (!hasSlug) {
+      w(`  Dashboard  npx protect-mcp connect
 `);
-    process.stderr.write(`
+      w(`             Free up to 20,000 receipts/month
 `);
-    process.stderr.write(`[PROTECT_MCP] deny decisions are AUTHORITATIVE \u2014 they cannot be overridden.
-`);
-    process.stderr.write(`
+      w(`
 `);
+    }
   });
   const shutdown = () => {
     process.stderr.write("\n[PROTECT_MCP] Shutting down hook server...\n");

package/dist/cli.js

@@ -5447,48 +5447,53 @@ async function startHookServer(options = {}) {
     }));
   });
   server.listen(port, "127.0.0.1", () => {
-    process.stderr.write(`
+    const w = (s) => process.stderr.write(s);
+    const pad = (s, n = 46) => s.padEnd(n);
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+    w(`  protect-mcp v0.5.4
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  protect-mcp Hook Server v0.5.3                \u2502
+    w(`  ScopeBlind \u2014 https://scopeblind.com
 `);
-    process.stderr.write(`[PROTECT_MCP] \u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Listening:  http://127.0.0.1:${String(port).padEnd(5)}             \u2502
+    w(`  Listening     http://127.0.0.1:${port}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Mode:       ${(enforce ? "enforce" : "shadow").padEnd(36)}\u2502
+    w(`  Mode          ${enforce ? "enforce" : "shadow"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Policy:     ${(cedarPolicies ? `Cedar (${cedarPolicies.fileCount} files)` : jsonPolicy ? "JSON" : "none").padEnd(36)}\u2502
+    w(`  Policy        ${cedarPolicies ? `Cedar (${cedarPolicies.fileCount} files)` : jsonPolicy ? "JSON" : "none"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Signing:    ${(isSigningEnabled() ? "Ed25519 \u2713" : "disabled").padEnd(36)}\u2502
+    w(`  Signing       ${isSigningEnabled() ? "Ed25519" : "disabled"}
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Swarm:      ${(state.swarmContext.team_name ? `${state.swarmContext.team_name} (${state.swarmContext.agent_type})` : "standalone").padEnd(36)}\u2502
+    if (state.swarmContext.team_name) {
+      w(`  Swarm         ${state.swarmContext.team_name} (${state.swarmContext.agent_type})
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2502  Sandbox:    ${detectSandboxState().padEnd(36)}\u2502
+    }
+    w(`
 `);
-    process.stderr.write(`[PROTECT_MCP] \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+    w(`  POST /hook         Hook receiver
 `);
-    process.stderr.write(`
+    w(`  GET  /health       Health + signer info
 `);
-    process.stderr.write(`[PROTECT_MCP] Endpoints:
+    w(`  GET  /receipts     Signed receipts
 `);
-    process.stderr.write(`  POST /hook           \u2014 Claude Code hook receiver
+    w(`  GET  /suggestions  Cedar policy suggestions
 `);
-    process.stderr.write(`  GET  /health         \u2014 Health check + signer info
+    w(`
 `);
-    process.stderr.write(`  GET  /receipts       \u2014 Recent signed receipts
+    w(`  deny is authoritative \u2014 cannot be overridden.
 `);
-    process.stderr.write(`  GET  /suggestions    \u2014 Auto-generated Cedar policy suggestions
+    w(`
 `);
-    process.stderr.write(`  GET  /alerts         \u2014 Config tamper alerts
+    const hasSlug = process.env.SCOPEBLIND_SLUG || (0, import_node_fs8.existsSync)((0, import_node_path5.join)(process.cwd(), ".scopeblind"));
+    if (!hasSlug) {
+      w(`  Dashboard  npx protect-mcp connect
 `);
-    process.stderr.write(`
+      w(`             Free up to 20,000 receipts/month
 `);
-    process.stderr.write(`[PROTECT_MCP] deny decisions are AUTHORITATIVE \u2014 they cannot be overridden.
-`);
-    process.stderr.write(`
+      w(`
 `);
+    }
   });
   const shutdown = () => {
     process.stderr.write("\n[PROTECT_MCP] Shutting down hook server...\n");
@@ -6125,6 +6130,12 @@ Examples:
   protect-mcp status
   protect-mcp bundle --output audit.json
 
+Dashboard:
+  npx protect-mcp connect        Create a free ScopeBlind dashboard
+                                  Free up to 20,000 receipts/month
+
+  https://scopeblind.com          Docs, pricing, enterprise
+
 `);
 }
 function parseArgs(argv) {
@@ -7312,7 +7323,7 @@ async function sendInstallTelemetry() {
     }
     writeFileSync2(markerFile, String(Date.now()), "utf-8");
     process.stderr.write(
-      "[protect-mcp] Anonymous install telemetry sent (disable: PROTECT_MCP_TELEMETRY=off)\n"
+      "[protect-mcp] Thanks for installing! Anonymous telemetry sent (disable: PROTECT_MCP_TELEMETRY=off)\n[protect-mcp] Free dashboard: npx protect-mcp connect | https://scopeblind.com\n"
     );
   } catch {
   }

package/dist/cli.mjs

@@ -75,6 +75,12 @@ Examples:
   protect-mcp status
   protect-mcp bundle --output audit.json
 
+Dashboard:
+  npx protect-mcp connect        Create a free ScopeBlind dashboard
+                                  Free up to 20,000 receipts/month
+
+  https://scopeblind.com          Docs, pricing, enterprise
+
 `);
 }
 function parseArgs(argv) {
@@ -139,7 +145,7 @@ async function handleInit(argv) {
   let keypair;
   {
     const { randomBytes } = await import("crypto");
-    const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
     const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
@@ -759,7 +765,7 @@ ${bold("protect-mcp quickstart")}
   const { randomBytes } = await import("crypto");
   let keypair;
   try {
-    const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
     const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
@@ -1105,7 +1111,7 @@ ${bold("protect-mcp init-hooks")}
     if (!existsSync(keysDir)) mkdirSync(keysDir, { recursive: true });
     const { randomBytes: rb } = await import("crypto");
     try {
-      const { ed25519 } = await import("./ed25519-V7HDL2WC.mjs");
+      const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
       const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
       const privateKey = rb(32);
       const publicKey = ed25519.getPublicKey(privateKey);
@@ -1262,7 +1268,7 @@ async function sendInstallTelemetry() {
     }
     writeFileSync(markerFile, String(Date.now()), "utf-8");
     process.stderr.write(
-      "[protect-mcp] Anonymous install telemetry sent (disable: PROTECT_MCP_TELEMETRY=off)\n"
+      "[protect-mcp] Thanks for installing! Anonymous telemetry sent (disable: PROTECT_MCP_TELEMETRY=off)\n[protect-mcp] Free dashboard: npx protect-mcp connect | https://scopeblind.com\n"
     );
   } catch {
   }

package/dist/ed25519-DZMMNNVE.mjs

@@ -0,0 +1,38 @@
+import {
+  ED25519_TORSION_SUBGROUP,
+  RistrettoPoint,
+  ed25519,
+  ed25519_hasher,
+  ed25519ctx,
+  ed25519ph,
+  edwardsToMontgomery,
+  edwardsToMontgomeryPriv,
+  edwardsToMontgomeryPub,
+  encodeToCurve,
+  hashToCurve,
+  hashToRistretto255,
+  hash_to_ristretto255,
+  ristretto255,
+  ristretto255_hasher,
+  x25519
+} from "./chunk-LYKNULYU.mjs";
+import "./chunk-D733KAPG.mjs";
+import "./chunk-PQJP2ZCI.mjs";
+export {
+  ED25519_TORSION_SUBGROUP,
+  RistrettoPoint,
+  ed25519,
+  ed25519_hasher,
+  ed25519ctx,
+  ed25519ph,
+  edwardsToMontgomery,
+  edwardsToMontgomeryPriv,
+  edwardsToMontgomeryPub,
+  encodeToCurve,
+  hashToCurve,
+  hashToRistretto255,
+  hash_to_ristretto255,
+  ristretto255,
+  ristretto255_hasher,
+  x25519
+};