protect-mcp 0.6.0 → 0.6.2

package/dist/hook-server.js

@@ -205,11 +205,40 @@ async function isCedarAvailable() {
 var import_node_fs2 = require("fs");
 var signerState = null;
 var artifactsModule = null;
+var signingConfigured = false;
+var signingInitError = null;
 async function initSigning(config) {
   const warnings = [];
+  signerState = null;
+  artifactsModule = null;
+  signingConfigured = Boolean(config && config.enabled !== false);
+  signingInitError = null;
   if (!config || config.enabled === false) {
     return warnings;
   }
+  if (!config.key_path) {
+    signingInitError = "signing enabled but key_path is not configured";
+    warnings.push(`signing: ${signingInitError}`);
+    return warnings;
+  }
+  if (!(0, import_node_fs2.existsSync)(config.key_path)) {
+    signingInitError = `key file not found at ${config.key_path}`;
+    warnings.push(`signing: ${signingInitError} \u2014 run "protect-mcp init" to generate`);
+    return warnings;
+  }
+  let keyData;
+  try {
+    keyData = JSON.parse((0, import_node_fs2.readFileSync)(config.key_path, "utf-8"));
+    if (!keyData.privateKey || !keyData.publicKey) {
+      signingInitError = "key file missing privateKey or publicKey fields";
+      warnings.push(`signing: ${signingInitError}`);
+      return warnings;
+    }
+  } catch (err) {
+    signingInitError = `failed to load key file: ${err instanceof Error ? err.message : err}`;
+    warnings.push(`signing: ${signingInitError}`);
+    return warnings;
+  }
   try {
     const moduleName = "@veritasacta/artifacts";
     artifactsModule = await import(
@@ -217,37 +246,48 @@ async function initSigning(config) {
       moduleName
     );
   } catch {
-    warnings.push("signing: @veritasacta/artifacts not available \u2014 receipts will be unsigned");
+    signingInitError = "@veritasacta/artifacts not available";
+    warnings.push(`signing: ${signingInitError} \u2014 enforce mode will fail closed`);
     return warnings;
   }
-  if (config.key_path) {
-    if (!(0, import_node_fs2.existsSync)(config.key_path)) {
-      warnings.push(`signing: key file not found at ${config.key_path} \u2014 run "protect-mcp init" to generate`);
-      return warnings;
-    }
-    try {
-      const keyData = JSON.parse((0, import_node_fs2.readFileSync)(config.key_path, "utf-8"));
-      if (!keyData.privateKey || !keyData.publicKey) {
-        warnings.push("signing: key file missing privateKey or publicKey fields");
-        return warnings;
-      }
-      signerState = {
-        privateKey: keyData.privateKey,
-        publicKey: keyData.publicKey,
-        kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
-        issuer: config.issuer || keyData.issuer || "protect-mcp"
-      };
-    } catch (err) {
-      warnings.push(`signing: failed to load key file: ${err instanceof Error ? err.message : err}`);
-    }
+  try {
+    signerState = {
+      privateKey: keyData.privateKey,
+      publicKey: keyData.publicKey,
+      kid: keyData.kid || artifactsModule.computeKid(keyData.publicKey),
+      issuer: config.issuer || keyData.issuer || "protect-mcp"
+    };
+  } catch (err) {
+    signingInitError = `failed to initialize signer: ${err instanceof Error ? err.message : err}`;
+    artifactsModule = null;
+    warnings.push(`signing: ${signingInitError} \u2014 enforce mode will fail closed`);
   }
   return warnings;
 }
 function signDecision(entry) {
+  const artifactType = entry.decision === "deny" ? "gateway_restraint" : "decision_receipt";
+  if (signingConfigured && signingInitError) {
+    return {
+      ok: false,
+      signed: null,
+      artifact_type: artifactType,
+      warning: `signing initialization failed: ${signingInitError}`,
+      error: signingInitError
+    };
+  }
+  if (signingConfigured && (!signerState || !artifactsModule)) {
+    const error = "signing was configured but no signer is ready";
+    return {
+      ok: false,
+      signed: null,
+      artifact_type: artifactType,
+      warning: error,
+      error
+    };
+  }
   if (!signerState || !artifactsModule) {
-    return { signed: null, artifact_type: "none" };
+    return { ok: false, signed: null, artifact_type: "none" };
   }
-  const artifactType = entry.decision === "deny" ? "gateway_restraint" : "decision_receipt";
   try {
     const payload = {
       tool: entry.tool,
@@ -288,14 +328,18 @@ function signDecision(entry) {
       }
     );
     return {
+      ok: true,
       signed: JSON.stringify(result.artifact),
       artifact_type: artifactType
     };
   } catch (err) {
+    const message = err instanceof Error ? err.message : "unknown error";
     return {
+      ok: false,
       signed: null,
       artifact_type: artifactType,
-      warning: `signing failed: ${err instanceof Error ? err.message : "unknown error"}`
+      warning: `signing failed: ${message}`,
+      error: message
     };
   }
 }
@@ -308,7 +352,7 @@ function getSignerInfo() {
   };
 }
 function isSigningEnabled() {
-  return signerState !== null && artifactsModule !== null;
+  return signingConfigured && signingInitError === null && signerState !== null && artifactsModule !== null;
 }
 
 // src/policy.ts
@@ -418,6 +462,154 @@ var ReceiptBuffer = class {
   }
 };
 
+// src/scopeblind-bridge.ts
+var DEFAULT_BASE = "https://scopeblind.com";
+var FLUSH_INTERVAL_MS = 5e3;
+var BATCH_MAX = 128;
+var BRASS_REFRESH_MARGIN_MS = 5 * 60 * 1e3;
+var ScopeBlindBridge = class {
+  token;
+  base;
+  tenantOverride;
+  cachedProof = null;
+  queue = [];
+  flushTimer = null;
+  stats;
+  shuttingDown = false;
+  constructor(env = process.env) {
+    this.token = env.SCOPEBLIND_TOKEN || null;
+    this.base = (env.SCOPEBLIND_BASE || DEFAULT_BASE).replace(/\/$/, "");
+    this.tenantOverride = env.SCOPEBLIND_TENANT || null;
+    this.stats = {
+      enabled: Boolean(this.token),
+      tenant_slug: this.tenantOverride,
+      forwarded_total: 0,
+      rejected_total: 0,
+      last_flush_at: null,
+      last_error: null
+    };
+    if (this.enabled()) {
+      this.flushTimer = setInterval(() => {
+        void this.flush();
+      }, FLUSH_INTERVAL_MS);
+      if (typeof this.flushTimer === "object" && this.flushTimer && "unref" in this.flushTimer) {
+        this.flushTimer.unref?.();
+      }
+      process.on("beforeExit", () => {
+        void this.shutdown();
+      });
+    }
+  }
+  enabled() {
+    return Boolean(this.token);
+  }
+  /** Push a signed receipt into the queue. Non-blocking. */
+  forward(signedReceipt) {
+    if (!this.enabled() || this.shuttingDown) return;
+    this.queue.push(signedReceipt);
+    if (this.queue.length >= BATCH_MAX) void this.flush();
+  }
+  /** Flush the queue. Safe to call concurrently. */
+  async flush() {
+    if (!this.enabled() || this.queue.length === 0) return;
+    const batch = this.queue.splice(0, BATCH_MAX);
+    try {
+      const proof = await this.ensureBrassProof();
+      const slug = this.tenantOverride || proof?.tenant_id;
+      if (!slug) {
+        this.queue.unshift(...batch);
+        return;
+      }
+      this.stats.tenant_slug = slug;
+      const res = await fetch(`${this.base}/fn/console/${slug}/receipts`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${this.token}`,
+          "user-agent": "protect-mcp/scopeblind-bridge"
+        },
+        body: JSON.stringify({ receipts: batch })
+      });
+      if (!res.ok) {
+        const errBody = await res.text().catch(() => "");
+        this.stats.last_error = `HTTP ${res.status} ${errBody.slice(0, 160)}`;
+        this.stats.rejected_total += batch.length;
+        if (res.status >= 500 && res.status !== 503) {
+          this.queue.unshift(...batch);
+        }
+        return;
+      }
+      const body = await res.json().catch(() => ({}));
+      this.stats.forwarded_total += body?.accepted ?? batch.length;
+      this.stats.rejected_total += body?.rejected ?? 0;
+      this.stats.last_flush_at = (/* @__PURE__ */ new Date()).toISOString();
+      this.stats.last_error = null;
+    } catch (err) {
+      this.stats.last_error = String(err?.message || err);
+      this.queue.unshift(...batch);
+    }
+  }
+  /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+  async ensureBrassProof() {
+    if (!this.token) return null;
+    const now = Date.now();
+    if (this.cachedProof && Date.parse(this.cachedProof.expires_at) - now > BRASS_REFRESH_MARGIN_MS) {
+      return this.cachedProof;
+    }
+    try {
+      const res = await fetch(`${this.base}/fn/brass/issue`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          "user-agent": "protect-mcp/scopeblind-bridge"
+        },
+        body: JSON.stringify({
+          token: this.token,
+          scope: "protect-mcp-receipt-emit",
+          ttl_seconds: 3600
+        })
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        this.stats.last_error = `brass-issue: HTTP ${res.status} ${text.slice(0, 160)}`;
+        return null;
+      }
+      const body = await res.json();
+      if (!body?.auth_proof) {
+        this.stats.last_error = "brass-issue: missing auth_proof in response";
+        return null;
+      }
+      this.cachedProof = body.auth_proof;
+      return this.cachedProof;
+    } catch (err) {
+      this.stats.last_error = `brass-issue: ${err?.message || err}`;
+      return null;
+    }
+  }
+  /**
+   * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+   */
+  getStats() {
+    return {
+      ...this.stats,
+      queued: this.queue.length,
+      brass_proof_expires_at: this.cachedProof?.expires_at || null
+    };
+  }
+  /** Flush remaining receipts and stop the interval. Called on process exit. */
+  async shutdown() {
+    if (this.shuttingDown) return;
+    this.shuttingDown = true;
+    if (this.flushTimer) clearInterval(this.flushTimer);
+    if (this.queue.length > 0) await this.flush();
+  }
+};
+var singleton = null;
+function getScopeBlindBridge() {
+  if (!singleton) singleton = new ScopeBlindBridge();
+  return singleton;
+}
+
 // src/hook-server.ts
 var DEFAULT_PORT = 9377;
 var LOG_FILE = ".protect-mcp-log.jsonl";
@@ -626,7 +818,7 @@ async function handlePreToolUse(input, state) {
   const hookLatency = Date.now() - hookStart;
   const denyKey = `${toolName}:${input.sessionId || "default"}`;
   state.denyCounter.delete(denyKey);
-  emitDecisionLog(state, {
+  const emit = emitDecisionLog(state, {
     tool: toolName,
     decision: "allow",
     reason_code: state.cedarPolicies ? "cedar_allow" : state.jsonPolicy ? "policy_allow" : "observe_mode",
@@ -638,6 +830,15 @@ async function handlePreToolUse(input, state) {
     sandbox_state: detectSandboxState(),
     plan_receipt_id: state.activePlanReceiptId || void 0
   });
+  if (state.enforce && emit.signingFailed) {
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "deny",
+        permissionDecisionReason: `[ScopeBlind] "${toolName}" was blocked because its receipt could not be signed. Failing closed: a governed action that cannot be proven is not allowed.`
+      }
+    };
+  }
   return {};
 }
 async function handlePostToolUse(input, state) {
@@ -885,11 +1086,35 @@ function emitDecisionLog(state, entry) {
       } catch {
       }
       state.receiptBuffer.add(log.request_id, signed.signed);
-    } else if (signed.warning) {
-      process.stderr.write(`[PROTECT_MCP] Warning: ${signed.warning}
+      try {
+        const bridge = getScopeBlindBridge();
+        if (bridge.enabled()) {
+          const parsed = typeof signed.signed === "string" ? JSON.parse(signed.signed) : signed.signed;
+          bridge.forward(parsed);
+        }
+      } catch (err) {
+        process.stderr.write(`[PROTECT_MCP] ScopeBlind forward error: ${err instanceof Error ? err.message : err}
+`);
+      }
+    } else if (signed.error) {
+      const tombstone = JSON.stringify({
+        type: "scopeblind.signing_failure.v1",
+        request_id: log.request_id,
+        tool: log.tool,
+        decision: log.decision,
+        error: signed.error,
+        at: new Date(log.timestamp).toISOString()
+      });
+      try {
+        (0, import_node_fs5.appendFileSync)(state.receiptFilePath, tombstone + "\n");
+      } catch {
+      }
+      process.stderr.write(`[PROTECT_MCP_SIGNING_FAILURE] ${tombstone}
 `);
+      return { signingFailed: true };
     }
   }
+  return { signingFailed: false };
 }
 async function routeHookEvent(input, state) {
   switch (input.hookEventName) {
@@ -1231,3 +1456,33 @@ function normalizeHookInput(raw) {
 0 && (module.exports = {
   startHookServer
 });
+/**
+ * scopeblind-bridge.ts
+ *
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
+ * dashboard at https://scopeblind.com/console/<slug>.
+ *
+ * Lifecycle:
+ *   1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+ *      auth proof from /fn/brass/issue. Cache the proof in memory until
+ *      ~5 minutes before expiry, then refresh.
+ *   2. As receipts are emitted by hook-server.ts, push them into an
+ *      in-memory batch queue.
+ *   3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+ *      to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+ *
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+ * to mint and persist receipts locally regardless of dashboard availability.
+ * The bridge logs failures to stderr (best-effort) and retries on the next
+ * flush.
+ *
+ * Configuration:
+ *   SCOPEBLIND_TOKEN        Tenant bearer token (from welcome email).
+ *   SCOPEBLIND_TENANT       Optional slug override. By default we discover
+ *                           the slug from the BRASS proof's tenant_id.
+ *   SCOPEBLIND_BASE         Defaults to https://scopeblind.com.
+ *
+ * @license MIT
+ */

package/dist/hook-server.mjs

@@ -1,7 +1,7 @@
 import {
   startHookServer
-} from "./chunk-SPHLVRJ2.mjs";
-import "./chunk-YTBC72JJ.mjs";
+} from "./chunk-3YCKR72H.mjs";
+import "./chunk-UV53U6D4.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 export {
   startHookServer

package/dist/{http-transport-LNBENGXD.mjs → http-transport-MO32ESHZ.mjs}

@@ -1,7 +1,7 @@
 import {
   ProtectGateway
-} from "./chunk-BYYWYSHM.mjs";
-import "./chunk-YTBC72JJ.mjs";
+} from "./chunk-PLKRTBDR.mjs";
+import "./chunk-UV53U6D4.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
 // src/http-transport.ts

package/dist/index.d.mts

@@ -803,9 +803,9 @@ declare function validateCredentials(credentials: Record<string, CredentialConfi
  * Produces signed v2 artifact receipts for tool call decisions.
  * Uses @veritasacta/artifacts as a required dependency (Sprint 2+).
  *
- * If signing is configured, every decision produces a signed artifact.
- * If signing fails, the receipt is emitted unsigned with signature: null
- * and a warning — never crashes, never silently drops.
+ * If signing is configured, every decision must produce a signed artifact.
+ * Initialization and signing failures are returned as explicit errors so the
+ * enforce path can deny rather than silently proceeding without evidence.
  */
 
 /**
@@ -827,9 +827,11 @@ declare function initSigning(config: SigningConfig | undefined): Promise<string[
  * @standard RFC 8032 (Ed25519), RFC 8785 (JCS)
  */
 declare function signDecision(entry: DecisionLog): {
+    ok: boolean;
     signed: string | null;
     artifact_type: string;
     warning?: string;
+    error?: string;
 };
 /**
  * Get the signer's public key info for discovery/verification.
@@ -2911,4 +2913,73 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+/**
+ * scopeblind-bridge.ts
+ *
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
+ * dashboard at https://scopeblind.com/console/<slug>.
+ *
+ * Lifecycle:
+ *   1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+ *      auth proof from /fn/brass/issue. Cache the proof in memory until
+ *      ~5 minutes before expiry, then refresh.
+ *   2. As receipts are emitted by hook-server.ts, push them into an
+ *      in-memory batch queue.
+ *   3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+ *      to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+ *
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+ * to mint and persist receipts locally regardless of dashboard availability.
+ * The bridge logs failures to stderr (best-effort) and retries on the next
+ * flush.
+ *
+ * Configuration:
+ *   SCOPEBLIND_TOKEN        Tenant bearer token (from welcome email).
+ *   SCOPEBLIND_TENANT       Optional slug override. By default we discover
+ *                           the slug from the BRASS proof's tenant_id.
+ *   SCOPEBLIND_BASE         Defaults to https://scopeblind.com.
+ *
+ * @license MIT
+ */
+interface BridgeStats {
+    enabled: boolean;
+    tenant_slug: string | null;
+    forwarded_total: number;
+    rejected_total: number;
+    last_flush_at: string | null;
+    last_error: string | null;
+}
+declare class ScopeBlindBridge {
+    private readonly token;
+    private readonly base;
+    private readonly tenantOverride;
+    private cachedProof;
+    private queue;
+    private flushTimer;
+    private stats;
+    private shuttingDown;
+    constructor(env?: Record<string, string | undefined>);
+    enabled(): boolean;
+    /** Push a signed receipt into the queue. Non-blocking. */
+    forward(signedReceipt: any): void;
+    /** Flush the queue. Safe to call concurrently. */
+    flush(): Promise<void>;
+    /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+    private ensureBrassProof;
+    /**
+     * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+     */
+    getStats(): BridgeStats & {
+        queued: number;
+        brass_proof_expires_at: string | null;
+    };
+    /** Flush remaining receipts and stop the interval. Called on process exit. */
+    shutdown(): Promise<void>;
+}
+declare function getScopeBlindBridge(): ScopeBlindBridge;
+/** Convenience: forward a signed receipt without instantiating yourself. */
+declare function forwardReceipt(signedReceipt: any): void;
+
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };

package/dist/index.d.ts

@@ -803,9 +803,9 @@ declare function validateCredentials(credentials: Record<string, CredentialConfi
  * Produces signed v2 artifact receipts for tool call decisions.
  * Uses @veritasacta/artifacts as a required dependency (Sprint 2+).
  *
- * If signing is configured, every decision produces a signed artifact.
- * If signing fails, the receipt is emitted unsigned with signature: null
- * and a warning — never crashes, never silently drops.
+ * If signing is configured, every decision must produce a signed artifact.
+ * Initialization and signing failures are returned as explicit errors so the
+ * enforce path can deny rather than silently proceeding without evidence.
  */
 
 /**
@@ -827,9 +827,11 @@ declare function initSigning(config: SigningConfig | undefined): Promise<string[
  * @standard RFC 8032 (Ed25519), RFC 8785 (JCS)
  */
 declare function signDecision(entry: DecisionLog): {
+    ok: boolean;
     signed: string | null;
     artifact_type: string;
     warning?: string;
+    error?: string;
 };
 /**
  * Get the signer's public key info for discovery/verification.
@@ -2911,4 +2913,73 @@ declare function confidentialInference(_prompt: string, _config: ConfidentialInf
     receipt: Record<string, unknown>;
 }>;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+/**
+ * scopeblind-bridge.ts
+ *
+ * Optional bridge between protect-mcp (local, MIT) and a paid ScopeBlind
+ * tenant. When SCOPEBLIND_TOKEN is set in the environment, every signed
+ * receipt that protect-mcp emits also gets forwarded to the tenant's
+ * dashboard at https://scopeblind.com/console/<slug>.
+ *
+ * Lifecycle:
+ *   1. On first use, exchange SCOPEBLIND_TOKEN for a short-lived BRASS-v2
+ *      auth proof from /fn/brass/issue. Cache the proof in memory until
+ *      ~5 minutes before expiry, then refresh.
+ *   2. As receipts are emitted by hook-server.ts, push them into an
+ *      in-memory batch queue.
+ *   3. Flush the queue every 5s (or when it reaches 128 receipts) by POSTing
+ *      to /fn/console/<slug>/receipts with Bearer SCOPEBLIND_TOKEN.
+ *
+ * Failure mode: forward errors NEVER throw upstream. protect-mcp continues
+ * to mint and persist receipts locally regardless of dashboard availability.
+ * The bridge logs failures to stderr (best-effort) and retries on the next
+ * flush.
+ *
+ * Configuration:
+ *   SCOPEBLIND_TOKEN        Tenant bearer token (from welcome email).
+ *   SCOPEBLIND_TENANT       Optional slug override. By default we discover
+ *                           the slug from the BRASS proof's tenant_id.
+ *   SCOPEBLIND_BASE         Defaults to https://scopeblind.com.
+ *
+ * @license MIT
+ */
+interface BridgeStats {
+    enabled: boolean;
+    tenant_slug: string | null;
+    forwarded_total: number;
+    rejected_total: number;
+    last_flush_at: string | null;
+    last_error: string | null;
+}
+declare class ScopeBlindBridge {
+    private readonly token;
+    private readonly base;
+    private readonly tenantOverride;
+    private cachedProof;
+    private queue;
+    private flushTimer;
+    private stats;
+    private shuttingDown;
+    constructor(env?: Record<string, string | undefined>);
+    enabled(): boolean;
+    /** Push a signed receipt into the queue. Non-blocking. */
+    forward(signedReceipt: any): void;
+    /** Flush the queue. Safe to call concurrently. */
+    flush(): Promise<void>;
+    /** Exchange SCOPEBLIND_TOKEN for a BRASS-v2 proof; refresh near expiry. */
+    private ensureBrassProof;
+    /**
+     * Return a snapshot of bridge stats. Useful for `protect-mcp scopeblind status`.
+     */
+    getStats(): BridgeStats & {
+        queued: number;
+        brass_proof_expires_at: string | null;
+    };
+    /** Flush remaining receipts and stop the interval. Called on process exit. */
+    shutdown(): Promise<void>;
+}
+declare function getScopeBlindBridge(): ScopeBlindBridge;
+/** Convenience: forward a signed receipt without instantiating yourself. */
+declare function forwardReceipt(signedReceipt: any): void;
+
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };