protect-mcp 0.5.5 → 0.6.2

package/README.md

@@ -1,6 +1,78 @@
 # protect-mcp
 
-Enterprise security gateway for MCP servers and Claude Code hooks. Signed receipts, Cedar policies, and swarm-aware audit trails.
+[![npm version](https://img.shields.io/npm/v/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Downloads](https://img.shields.io/npm/dm/protect-mcp)](https://www.npmjs.com/package/protect-mcp)
+[![Claude Code Marketplace](https://img.shields.io/badge/Claude%20Code-marketplace-d97757?logo=anthropic&logoColor=white)](https://github.com/wshobson/agents/tree/main/plugins/protect-mcp)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+
+> A policy check that sits between your AI agent and the tools it calls.
+> Every tool call is evaluated against a rule you wrote. Every decision is signed.
+
+> **Receipt format:** `protect-mcp` emits Veritas Acta receipts. Legacy
+> ScopeBlind receipts remain verifiable, but Acta v0.1 is the canonical
+> format going forward. Spec: [`@veritasacta/protocol`](https://www.npmjs.com/package/@veritasacta/protocol)
+> · IETF: [draft-farley-acta-signed-receipts](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/).
+
+## What it does, in plain English
+
+When an AI agent (Claude Code, Cursor, a custom LangChain app, anything that
+uses the Model Context Protocol) wants to run a command, edit a file, or call
+an API, `protect-mcp` intercepts that request before it executes:
+
+1. **Checks a policy.** You write rules in [Cedar](https://www.cedarpolicy.com/)
+   — the same policy language AWS uses for IAM. Rules like *"never allow
+   `rm -rf /`"*, *"only allow `Bash` during working hours"*, or *"require
+   human approval for anything touching production."*
+2. **Returns a decision.** `allow`, `deny`, or `request_approval`. The agent
+   framework respects the decision — if it's `deny`, the tool call doesn't run.
+3. **Signs a receipt.** An Ed25519-signed, hash-chained record of the decision,
+   written to `.receipts/`. Verifiable offline by anyone with the public key.
+   When your auditor asks *"what did that agent do on 2026-03-14?"* you have
+   cryptographic proof — not a log file you might have tampered with.
+
+You install it once. Your agent keeps working the same way. The difference:
+every action it takes is now policy-checked and audit-evidenced.
+
+## Who this is for
+
+- **Developers using Claude Code / Cursor / Cline** who want *"don't let the
+  agent delete my repo"* enforced rather than hoped for.
+- **Security teams** shipping agents to engineering who need a portable
+  policy layer that travels across frameworks.
+- **Compliance teams** who need tamper-evident evidence of what agents did,
+  verifiable without trusting the vendor.
+
+## How it relates to `sb-runtime`
+
+`protect-mcp` is a **library** — it sits inside your agent framework and
+gates tool calls cooperatively. Right tool when you own the agent's code and
+trust its framework to honour decisions.
+
+[`sb-runtime`](https://github.com/ScopeBlind/sb-runtime) is the companion
+**binary** that wraps the whole agent *process* in an OS-level sandbox
+(Landlock + seccomp on Linux). It enforces decisions at the kernel layer —
+the agent can't ignore them even if it tried. Use `sb-runtime` when you're
+running an agent you didn't write, or when you want belt-and-braces defence
+in depth:
+
+```
+┌─────────────────────────────────────────────────┐
+│  sb-runtime   ← OS refuses forbidden syscalls   │
+│  ┌───────────────────────────────────────────┐  │
+│  │  agent process (Claude Code, Python, …)   │  │
+│  │  ┌─────────────────────────────────────┐  │  │
+│  │  │  protect-mcp                        │  │  │
+│  │  │    ← Cedar decides per tool call,   │  │  │
+│  │  │      receipts every decision        │  │  │
+│  │  └─────────────────────────────────────┘  │  │
+│  └───────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────┘
+```
+
+**One-liner:** `protect-mcp` is the policy hook inside your agent.
+`sb-runtime` is the OS sandbox around it. You want both.
+
+---
 
 ## Quick Start — Claude Code
 
@@ -268,6 +340,42 @@ Free tier: 20,000 receipts/month. No credit card required.
 
 [scopeblind.com/pricing](https://scopeblind.com/pricing)
 
+### ScopeBlind tenant integration (Founding Plan)
+
+If you have a ScopeBlind Founding Plan tenant, set your `SCOPEBLIND_TOKEN`
+(from the welcome email) in the environment and protect-mcp forwards every
+signed receipt to your dashboard at `https://scopeblind.com/console/<your-slug>`.
+
+```bash
+# Your protect-mcp install with cloud-synced receipts
+SCOPEBLIND_TOKEN=scp_... \
+  npx protect-mcp init-hooks
+```
+
+How it works:
+
+1. On first receipt, the bridge exchanges your token for a short-lived BRASS-v2
+   auth proof at `/fn/brass/issue` (ECDSA P-256 signed, hourly expiry).
+2. Receipts are batched and POSTed to `/fn/console/<slug>/receipts` every 5
+   seconds (up to 128 per batch).
+3. The local `.receipts/` chain remains authoritative regardless of forward
+   status. Network failures are retried; quota exhaustion is reported. No
+   crash, no blocking.
+
+Quota: founding tier 10,000 receipts/day, enterprise 100,000/day. Anything
+above quota is rejected with a structured response; receipts stay safe in
+`.receipts/` until you upgrade or until tomorrow.
+
+Receipt verification by third parties:
+
+```bash
+# Anyone can verify your receipts offline using the public JWKS
+curl https://scopeblind.com/.well-known/jwks.json
+npx @veritasacta/verify .receipts/0001.json
+```
+
+Verification is independent of ScopeBlind — the math doesn't care who runs it.
+
 ## Interoperability
 
 The receipt format is independently implemented and verified across multiple systems:
@@ -277,7 +385,7 @@ The receipt format is independently implemented and verified across multiple sys
 | **4 independent implementations** | TypeScript (protect-mcp), Python (protect-mcp-adk), Rust (Cedar WASM), APS ProxyGateway |
 | **2 IETF Internet-Drafts** | [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/), [draft-pidlisnyi-aps-00](https://datatracker.ietf.org/doc/draft-pidlisnyi-aps/) |
 | **8 cross-engine receipts** | [Composition test](https://github.com/ScopeBlind/examples/tree/main/interop/composition-test): 2 engines, 1 verifier, all VALID |
-| **1 enterprise integration** | [Microsoft AGT PR #667](https://github.com/microsoft/agent-governance-toolkit/pull/667) merged |
+| **PRs merged into microsoft/agent-governance-toolkit** | [#667](https://github.com/microsoft/agent-governance-toolkit/pull/667), [#1159](https://github.com/microsoft/agent-governance-toolkit/pull/1159), [#1168](https://github.com/microsoft/agent-governance-toolkit/pull/1168), [#1186](https://github.com/microsoft/agent-governance-toolkit/pull/1186), [#1197](https://github.com/microsoft/agent-governance-toolkit/pull/1197), [#1202](https://github.com/microsoft/agent-governance-toolkit/pull/1202), [#1203](https://github.com/microsoft/agent-governance-toolkit/pull/1203), [#1205](https://github.com/microsoft/agent-governance-toolkit/pull/1205) |
 | **1 verifier, zero dependencies** | `npx @veritasacta/verify receipt.json --key <hex>` (Apache-2.0, offline) |
 
 Verify any receipt from any implementation:
@@ -291,7 +399,7 @@ npx @veritasacta/verify receipt.json --key <public-key-hex>
 
 - **IETF Internet-Draft**: [draft-farley-acta-signed-receipts-01](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/)
 - **Patent Status**: 4 Australian provisional patents pending (2025-2026)
-- **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) on cedar-for-agents (under review)
+- **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) merged + [PR #73](https://github.com/cedar-policy/cedar-for-agents/pull/73) (RequestGenerator, pending review)
 
 ## What's New in v0.5.3
 

package/dist/{chunk-SPHLVRJ2.mjs → chunk-3YCKR72H.mjs}

@@ -11,13 +11,166 @@ import {
   loadPolicy,
   parseRateLimit,
   signDecision
-} from "./chunk-YTBC72JJ.mjs";
+} from "./chunk-UV53U6D4.mjs";
 
 // src/hook-server.ts
 import { createServer } from "http";
 import { createHash, randomUUID, randomBytes } from "crypto";
 import { appendFileSync, readFileSync, existsSync, readdirSync } from "fs";
 import { join } from "path";
+
+// src/scopeblind-bridge.ts
+var DEFAULT_BASE = "https://scopeblind.com";
+var FLUSH_INTERVAL_MS = 5e3;
+var BATCH_MAX = 128;
+var BRASS_REFRESH_MARGIN_MS = 5 * 60 * 1e3;
+var ScopeBlindBridge = class {
+  token;
+  base;
+  tenantOverride;
+  cachedProof = null;
+  queue = [];
+  flushTimer = null;
+  stats;
+  shuttingDown = false;
+  constructor(env = process.env) {
+    this.token = env.SCOPEBLIND_TOKEN || null;
+    this.base = (env.SCOPEBLIND_BASE || DEFAULT_BASE).replace(/\/$/, "");
+    this.tenantOverride = env.SCOPEBLIND_TENANT || null;
+    this.stats = {
+      enabled: Boolean(this.token),
+      tenant_slug: this.tenantOverride,
+      forwarded_total: 0,
+      rejected_total: 0,
+      last_flush_at: null,
+      last_error: null
+    };
+    if (this.enabled()) {
+      this.flushTimer = setInterval(() => {
+        void this.flush();
+      }, FLUSH_INTERVAL_MS);
+      if (typeof this.flushTimer === "object" && this.flushTimer && "unref" in this.flushTimer) {
+        this.flushTimer.unref?.();
+      }
+      process.on("beforeExit", () => {
+        void this.shutdown();
+      });
+    }
+  }
+  enabled() {
+    return Boolean(this.token);
+  }
+  /** Push a signed receipt into the queue. Non-blocking. */
+  forward(signedReceipt) {
+    if (!this.enabled() || this.shuttingDown) return;
+    this.queue.push(signedReceipt);
+    if (this.queue.length >= BATCH_MAX) void this.flush();
+  }
+  /** Flush the queue. Safe to call concurrently. */
+  async flush() {
+    if (!this.enabled() || this.queue.length === 0) return;
+    const batch = this.queue.splice(0, BATCH_MAX);
+    try {
+      const proof = await this.ensureBrassProof();
+      const slug = this.tenantOverride || proof?.tenant_id;
+      if (!slug) {
+        this.queue.unshift(...batch);
+        return;
+      }
+      this.stats.tenant_slug = slug;
+      const res = await fetch(`${this.base}/fn/console/${slug}/receipts`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${this.token}`,
+          "user-agent": "protect-mcp/scopeblind-bridge"
+        },
+        body: JSON.stringify({ receipts: batch })
+      });
+      if (!res.ok) {
+        const errBody = await res.text().catch(() => "");
+        this.stats.last_error = `HTTP ${res.status} ${errBody.slice(0, 160)}`;
+        this.stats.rejected_total += batch.length;
+        if (res.status >= 500 && res.status !== 503) {
+          this.queue.unshift(...batch);
+        }
+        return;
+      }
+      const body = await res.json().catch(() => ({}));
+      this.stats.forwarded_total += body?.accepted ?? batch.length;
+      this.stats.rejected_total += body?.rejected ?? 0;
+      this.stats.last_flush_at = (/* @__PURE__ */ new Date()).toISOString();
+      this.stats.last_error = null;
+    } catch (err) {
+      this.stats.last_error = String(err?.message || err);
+      this.queue.unshift(...batch);
+    }
+  }
+  /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+  async ensureBrassProof() {
+    if (!this.token) return null;
+    const now = Date.now();
+    if (this.cachedProof && Date.parse(this.cachedProof.expires_at) - now > BRASS_REFRESH_MARGIN_MS) {
+      return this.cachedProof;
+    }
+    try {
+      const res = await fetch(`${this.base}/fn/brass/issue`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          "user-agent": "protect-mcp/scopeblind-bridge"
+        },
+        body: JSON.stringify({
+          token: this.token,
+          scope: "protect-mcp-receipt-emit",
+          ttl_seconds: 3600
+        })
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        this.stats.last_error = `brass-issue: HTTP ${res.status} ${text.slice(0, 160)}`;
+        return null;
+      }
+      const body = await res.json();
+      if (!body?.auth_proof) {
+        this.stats.last_error = "brass-issue: missing auth_proof in response";
+        return null;
+      }
+      this.cachedProof = body.auth_proof;
+      return this.cachedProof;
+    } catch (err) {
+      this.stats.last_error = `brass-issue: ${err?.message || err}`;
+      return null;
+    }
+  }
+  /**
+   * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+   */
+  getStats() {
+    return {
+      ...this.stats,
+      queued: this.queue.length,
+      brass_proof_expires_at: this.cachedProof?.expires_at || null
+    };
+  }
+  /** Flush remaining receipts and stop the interval. Called on process exit. */
+  async shutdown() {
+    if (this.shuttingDown) return;
+    this.shuttingDown = true;
+    if (this.flushTimer) clearInterval(this.flushTimer);
+    if (this.queue.length > 0) await this.flush();
+  }
+};
+var singleton = null;
+function getScopeBlindBridge() {
+  if (!singleton) singleton = new ScopeBlindBridge();
+  return singleton;
+}
+function forwardReceipt(signedReceipt) {
+  getScopeBlindBridge().forward(signedReceipt);
+}
+
+// src/hook-server.ts
 var DEFAULT_PORT = 9377;
 var LOG_FILE = ".protect-mcp-log.jsonl";
 var RECEIPTS_FILE = ".protect-mcp-receipts.jsonl";
@@ -225,7 +378,7 @@ async function handlePreToolUse(input, state) {
   const hookLatency = Date.now() - hookStart;
   const denyKey = `${toolName}:${input.sessionId || "default"}`;
   state.denyCounter.delete(denyKey);
-  emitDecisionLog(state, {
+  const emit = emitDecisionLog(state, {
     tool: toolName,
     decision: "allow",
     reason_code: state.cedarPolicies ? "cedar_allow" : state.jsonPolicy ? "policy_allow" : "observe_mode",
@@ -237,6 +390,15 @@ async function handlePreToolUse(input, state) {
     sandbox_state: detectSandboxState(),
     plan_receipt_id: state.activePlanReceiptId || void 0
   });
+  if (state.enforce && emit.signingFailed) {
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "deny",
+        permissionDecisionReason: `[ScopeBlind] "${toolName}" was blocked because its receipt could not be signed. Failing closed: a governed action that cannot be proven is not allowed.`
+      }
+    };
+  }
   return {};
 }
 async function handlePostToolUse(input, state) {
@@ -484,11 +646,35 @@ function emitDecisionLog(state, entry) {
       } catch {
       }
       state.receiptBuffer.add(log.request_id, signed.signed);
-    } else if (signed.warning) {
-      process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+      try {
+        const bridge = getScopeBlindBridge();
+        if (bridge.enabled()) {
+          const parsed = typeof signed.signed === "string" ? JSON.parse(signed.signed) : signed.signed;
+          bridge.forward(parsed);
+        }
+      } catch (err) {
+        process.stderr.write(`[PROTECT_MCP] ScopeBlind forward error: ${err instanceof Error ? err.message : err}
+`);
+      }
+    } else if (signed.error) {
+      const tombstone = JSON.stringify({
+        type: "scopeblind.signing_failure.v1",
+        request_id: log.request_id,
+        tool: log.tool,
+        decision: log.decision,
+        error: signed.error,
+        at: new Date(log.timestamp).toISOString()
+      });
+      try {
+        appendFileSync(state.receiptFilePath, tombstone + "\n");
+      } catch {
+      }
+      process.stderr.write(`[PROTECT_MCP_SIGNING_FAILURE] ${tombstone}
 `);
+      return { signingFailed: true };
     }
   }
+  return { signingFailed: false };
 }
 async function routeHookEvent(input, state) {
   switch (input.hookEventName) {
@@ -828,5 +1014,38 @@ function normalizeHookInput(raw) {
 }
 
 export {
+  ScopeBlindBridge,
+  getScopeBlindBridge,
+  forwardReceipt,
   startHookServer
 };
+/**
+ * scopeblind-bridge.ts
+ *
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
+ * dashboard at https://scopeblind.com/console/<slug>.
+ *
+ * Lifecycle:
+ *   1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+ *      auth proof from /fn/brass/issue. Cache the proof in memory until
+ *      ~5 minutes before expiry, then refresh.
+ *   2. As receipts are emitted by hook-server.ts, push them into an
+ *      in-memory batch queue.
+ *   3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+ *      to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+ *
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+ * to mint and persist receipts locally regardless of dashboard availability.
+ * The bridge logs failures to stderr (best-effort) and retries on the next
+ * flush.
+ *
+ * Configuration:
+ *   SCOPEBLIND_TOKEN        Tenant bearer token (from welcome email).
+ *   SCOPEBLIND_TENANT       Optional slug override. By default we discover
+ *                           the slug from the BRASS proof's tenant_id.
+ *   SCOPEBLIND_BASE         Defaults to https://scopeblind.com.
+ *
+ * @license MIT
+ */

package/dist/{ed25519-V7HDL2WC.mjs → chunk-LYKNULYU.mjs}

@@ -12,10 +12,10 @@ import {
   hexToBytes,
   isBytes,
   randomBytes,
+  rotr,
   toBytes,
   utf8ToBytes
 } from "./chunk-D733KAPG.mjs";
-import "./chunk-PQJP2ZCI.mjs";
 
 // node_modules/@noble/hashes/esm/_md.js
 function setBigUint64(view, byteOffset, value, isLE) {
@@ -30,6 +30,12 @@ function setBigUint64(view, byteOffset, value, isLE) {
   view.setUint32(byteOffset + h, wh, isLE);
   view.setUint32(byteOffset + l, wl, isLE);
 }
+function Chi(a, b, c) {
+  return a & b ^ ~a & c;
+}
+function Maj(a, b, c) {
+  return a & b ^ a & c ^ b & c;
+}
 var HashMD = class extends Hash {
   constructor(blockLen, outputLen, padOffset, isLE) {
     super();
@@ -120,6 +126,16 @@ var HashMD = class extends Hash {
     return this._cloneInto();
   }
 };
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
 var SHA512_IV = /* @__PURE__ */ Uint32Array.from([
   1779033703,
   4089235720,
@@ -175,6 +191,143 @@ var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >
 var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
 
 // node_modules/@noble/hashes/esm/sha2.js
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA256 = class extends HashMD {
+  constructor(outputLen = 32) {
+    super(64, outputLen, 8, false);
+    this.A = SHA256_IV[0] | 0;
+    this.B = SHA256_IV[1] | 0;
+    this.C = SHA256_IV[2] | 0;
+    this.D = SHA256_IV[3] | 0;
+    this.E = SHA256_IV[4] | 0;
+    this.F = SHA256_IV[5] | 0;
+    this.G = SHA256_IV[6] | 0;
+    this.H = SHA256_IV[7] | 0;
+  }
+  get() {
+    const { A, B, C, D, E, F, G, H } = this;
+    return [A, B, C, D, E, F, G, H];
+  }
+  // prettier-ignore
+  set(A, B, C, D, E, F, G, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W[i - 15];
+      const W2 = SHA256_W[i - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+    }
+    let { A, B, C, D, E, F, G, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
+      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+      const T2 = sigma0 + Maj(A, B, C) | 0;
+      H = G;
+      G = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C;
+      C = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C = C + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G = G + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C, D, E, F, G, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
 var K512 = /* @__PURE__ */ (() => split([
   "0x428a2f98d728ae22",
   "0x7137449123ef65cd",
@@ -372,6 +525,7 @@ var SHA512 = class extends HashMD {
     this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
   }
 };
+var sha256 = /* @__PURE__ */ createHasher(() => new SHA256());
 var sha512 = /* @__PURE__ */ createHasher(() => new SHA512());
 
 // node_modules/@noble/curves/esm/utils.js
@@ -2260,23 +2414,25 @@ var hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
 var encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
 var hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
 var hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+
 export {
-  ED25519_TORSION_SUBGROUP,
-  RistrettoPoint,
+  sha256,
   ed25519,
-  ed25519_hasher,
   ed25519ctx,
   ed25519ph,
+  x25519,
+  ed25519_hasher,
+  ristretto255,
+  ristretto255_hasher,
+  ED25519_TORSION_SUBGROUP,
+  edwardsToMontgomeryPub,
   edwardsToMontgomery,
   edwardsToMontgomeryPriv,
-  edwardsToMontgomeryPub,
-  encodeToCurve,
+  RistrettoPoint,
   hashToCurve,
+  encodeToCurve,
   hashToRistretto255,
-  hash_to_ristretto255,
-  ristretto255,
-  ristretto255_hasher,
-  x25519
+  hash_to_ristretto255
 };
 /*! Bundled license information:
 

package/dist/{chunk-BYYWYSHM.mjs → chunk-PLKRTBDR.mjs}

@@ -7,7 +7,7 @@ import {
   parseRateLimit,
   signDecision,
   startStatusServer
-} from "./chunk-YTBC72JJ.mjs";
+} from "./chunk-UV53U6D4.mjs";
 
 // src/evidence-store.ts
 import { readFileSync, writeFileSync, existsSync } from "fs";
@@ -974,8 +974,20 @@ var ProtectGateway = class {
             this.evidenceStore.save();
           }
         }
-      } else if (signed.warning) {
-        process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+      } else if (signed.error) {
+        const tombstone = JSON.stringify({
+          type: "scopeblind.signing_failure.v1",
+          request_id: log.request_id,
+          tool: log.tool,
+          decision: log.decision,
+          error: signed.error,
+          at: new Date(log.timestamp).toISOString()
+        });
+        try {
+          appendFileSync(this.receiptFilePath, tombstone + "\n");
+        } catch {
+        }
+        process.stderr.write(`[PROTECT_MCP_SIGNING_FAILURE] ${tombstone}
 `);
       }
     }

package/dist/{chunk-GQWJCHQV.mjs → chunk-S4ICHNSP.mjs}

@@ -1,11 +1,11 @@
 import {
   meetsMinTier
-} from "./chunk-BYYWYSHM.mjs";
+} from "./chunk-PLKRTBDR.mjs";
 import {
   checkRateLimit,
   getToolPolicy,
   parseRateLimit
-} from "./chunk-YTBC72JJ.mjs";
+} from "./chunk-UV53U6D4.mjs";
 
 // src/simulate.ts
 import { readFileSync } from "fs";