protect-mcp 0.6.2 → 0.7.0

package/CHANGELOG.md

@@ -0,0 +1,47 @@
+# Changelog
+
+## 0.7.0 (security release): the gate now fails closed and actually evaluates
+
+This release fixes the way the Cedar policy gate behaves when anything goes
+wrong, and a separate defect that meant Cedar policies were not being evaluated
+at all against the pinned engine. If you rely on protect-mcp to enforce a Cedar
+policy, upgrade.
+
+### Security
+
+- **Fail closed, not open.** Before 0.7.0, if the Cedar engine was unavailable,
+  the result was malformed, evaluation threw, or a policy errored, the evaluator
+  returned ALLOW. A security gate must do the opposite. Every error and
+  uncertainty path now DENIES. The allow-on-error behavior is reachable only by
+  explicitly passing `{ failClosed: false }` (observe mode), and even then the
+  decision is flagged `would_deny: true` so a failure is never silent.
+- **An errored policy can no longer permit-all.** Cedar silently discards a
+  policy that errors at evaluation (for example the `context.<string> in [list]`
+  type error in the 0.5.x and 0.6.x advisory), which could leave a residual
+  permit standing. The evaluator now treats any per-policy error as an
+  evaluation error and denies under enforcement.
+- **Cedar policies are actually evaluated now.** The `isAuthorized` call passed
+  the policy text as a bare string, but `@cedar-policy/cedar-wasm@4.x` requires a
+  structured `PolicySet`. As a result every Cedar evaluation errored against the
+  pinned engine and (with the old fail-open default) allowed everything. The call
+  shape and the response parser are corrected, so a `forbid` rule actually denies
+  and a `permit` actually allows.
+
+### Added
+
+- **`protect-mcp evaluate`** and **`protect-mcp sign`**: one-shot per-call verbs
+  for PreToolUse and PostToolUse hooks. `evaluate` loads a Cedar policy, evaluates
+  one tool call fail-closed, and exits 2 on deny (so the tool is blocked) and 0 on
+  allow; a missing or unloadable policy denies unless `--fail-on-missing-policy
+  false` is set. This makes hook configs that invoke these verbs work as written.
+- **`runEvaluatorSelfTest()`** plus a startup gate: `serve --enforce` runs the
+  self-test before arming and refuses to start if the engine cannot prove it
+  denies a known-forbidden vector. `protect-mcp doctor` reports the same, so the
+  gate verifies its own restraint before it is trusted.
+- A CI tripwire test that fails the build if the discarded `in`-on-String pattern
+  is ever reintroduced into a shipped policy.
+
+### Affected versions
+
+The fail-open behavior and the unevaluated-Cedar defect are present in the
+0.5.x and 0.6.x lines. Upgrade to 0.7.0.

package/README.md

@@ -401,6 +401,17 @@ npx @veritasacta/verify receipt.json --key <public-key-hex>
 - **Patent Status**: 4 Australian provisional patents pending (2025-2026)
 - **Cedar WASM**: [PR #64](https://github.com/cedar-policy/cedar-for-agents/pull/64) merged + [PR #73](https://github.com/cedar-policy/cedar-for-agents/pull/73) (RequestGenerator, pending review)
 
+## What's New in v0.7.0 (security release)
+
+The gate now fails closed. On any policy-evaluation error, a missing engine, or a
+policy that errored, the decision is DENY, not allow. Cedar is also evaluated
+correctly against cedar-wasm 4.x (earlier versions passed the policy in a shape the
+engine rejected, so evaluation errored and the old fail-open default allowed
+everything). `serve --enforce` now runs a restraint self-test before arming and
+refuses to start if it cannot prove it denies a forbidden vector, `doctor` reports
+that self-test, and one-shot `evaluate` and `sign` verbs are available for hooks.
+Upgrade from any 0.5.x or 0.6.x. See CHANGELOG.md.
+
 ## What's New in v0.5.3
 
 - `quickstart --connect`: Auto-create dashboard sandbox and configure receipt upload

package/dist/{chunk-UV53U6D4.mjs → chunk-546U3A7R.mjs}

@@ -289,14 +289,18 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req, schema) {
+function onEvalError(reason, failClosed, extra) {
+  return {
+    allowed: !failClosed,
+    reason: failClosed ? reason : `${reason} (observe mode; would DENY under enforcement)`,
+    metadata: { error: true, fail_closed: failClosed, would_deny: true, ...extra || {} }
+  };
+}
+async function evaluateCedar(policySet, req, schema, options) {
+  const failClosed = options?.failClosed ?? true;
   const available = await ensureCedarWasm();
   if (!available) {
-    return {
-      allowed: true,
-      reason: "cedar_wasm_not_available",
-      metadata: { fallback: true }
-    };
+    return onEvalError("cedar_wasm_not_available", failClosed, { fallback: true });
   }
   try {
     const agentId = req.agentId || req.tier;
@@ -318,7 +322,7 @@ async function evaluateCedar(policySet, req, schema) {
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
-        policies: policySet.source,
+        policies: { staticPolicies: policySet.source },
         entities,
         principal: authRequest.principal,
         action: authRequest.action,
@@ -336,7 +340,7 @@ async function evaluateCedar(policySet, req, schema) {
       const cedarEngine = cedarWasm.default || cedarWasm;
       if (typeof cedarEngine.isAuthorized === "function") {
         result = cedarEngine.isAuthorized({
-          policies: policySet.source,
+          policies: { staticPolicies: policySet.source },
           entities,
           principal: authRequest.principal,
           action: authRequest.action,
@@ -345,61 +349,87 @@ async function evaluateCedar(policySet, req, schema) {
           schema: cedarSchema
         });
       } else {
-        return {
-          allowed: true,
-          reason: "cedar_wasm_api_unsupported",
-          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
-        };
+        return onEvalError("cedar_wasm_api_unsupported", failClosed, { exports: Object.keys(cedarWasm) });
       }
     }
-    const decision = parseWasmResult(result);
+    const parsed = parseWasmResult(result);
+    const policyErrors = extractPolicyErrors(result);
+    if (parsed.kind === "error") {
+      return onEvalError(`cedar_unparseable_result: ${parsed.diagnostics}`, failClosed);
+    }
+    if (policyErrors.length > 0) {
+      return onEvalError(
+        `cedar_policy_errored: ${policyErrors.length} policy error(s); decision is unsound`,
+        failClosed,
+        { policy_errors: policyErrors.slice(0, 5), policy_digest: policySet.digest }
+      );
+    }
     return {
-      allowed: decision.allowed,
-      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      allowed: parsed.kind === "allow",
+      reason: parsed.kind === "allow" ? void 0 : `cedar_deny${parsed.diagnostics ? ": " + parsed.diagnostics : ""}`,
       metadata: {
         policy_digest: policySet.digest,
-        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+        ...parsed.matchedPolicies ? { matched_policies: parsed.matchedPolicies } : {}
       }
     };
   } catch (err) {
-    return {
-      allowed: true,
-      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
-      metadata: { fallback: true, error: true }
-    };
+    return onEvalError(`cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`, failClosed);
   }
 }
 function parseWasmResult(result) {
-  if (!result) {
-    return { allowed: true, diagnostics: "null result from Cedar WASM" };
-  }
-  if (result.type === "allow" || result.type === "Allow") {
-    return { allowed: true };
-  }
-  if (result.type === "deny" || result.type === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
-      matchedPolicies: result.diagnostics?.reasons
-    };
-  }
-  if (result.decision === "Allow") {
-    return { allowed: true };
-  }
-  if (result.decision === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
-    };
-  }
-  if (typeof result === "boolean") {
-    return { allowed: result };
+  if (!result) return { kind: "error", diagnostics: "null result from Cedar WASM" };
+  if (result.type === "failure") {
+    return { kind: "error", diagnostics: `cedar failure: ${JSON.stringify(result.errors ?? [])}` };
+  }
+  if (result.type === "success" && result.response) {
+    const dec = result.response.decision;
+    const reasons = result.response.diagnostics?.reason;
+    if (dec === "allow" || dec === "Allow") return { kind: "allow", matchedPolicies: reasons };
+    if (dec === "deny" || dec === "Deny") {
+      return { kind: "deny", diagnostics: result.response.diagnostics ? JSON.stringify(result.response.diagnostics) : void 0, matchedPolicies: reasons };
+    }
   }
-  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+  if (result.type === "allow" || result.decision === "Allow") return { kind: "allow" };
+  if (result.type === "deny" || result.decision === "Deny") return { kind: "deny" };
+  if (typeof result === "boolean") return result ? { kind: "allow" } : { kind: "deny" };
+  return { kind: "error", diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+function extractPolicyErrors(result) {
+  if (!result || typeof result !== "object") return [];
+  const raw = result.errors ?? result.response?.diagnostics?.errors ?? result.diagnostics?.errors ?? [];
+  if (!Array.isArray(raw)) return [];
+  return raw.map((e) => typeof e === "string" ? e : e?.message ?? e?.error ?? JSON.stringify(e)).filter(Boolean);
 }
 async function isCedarAvailable() {
   return ensureCedarWasm();
 }
+function policySetFromSource(source, name = "inline") {
+  const digest = createHash2("sha256").update(source).digest("hex").slice(0, 16);
+  return { source, digest, fileCount: 1, files: [name] };
+}
+async function runEvaluatorSelfTest() {
+  const wasmAvailable = await isCedarAvailable();
+  const cases = [];
+  const run = async (name, expected, policy, context) => {
+    const d = await evaluateCedar(policy, { tool: "Bash", tier: "unknown", context }, void 0, { failClosed: true });
+    const actual = d.allowed ? "ALLOW" : "DENY";
+    cases.push({ name, expected, actual, pass: actual === expected, reason: d.reason });
+  };
+  if (!wasmAvailable) {
+    await run("engine unavailable denies", "DENY", policySetFromSource("permit(principal, action, resource);"), {});
+    return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+  }
+  const correct = policySetFromSource(
+    'forbid(principal, action, resource) when { ["rm", "dd", "mkfs"].contains(context.command) };\npermit(principal, action, resource);'
+  );
+  await run("forbid denies rm", "DENY", correct, { command: "rm" });
+  await run("permit allows ls", "ALLOW", correct, { command: "ls" });
+  const broken = policySetFromSource(
+    'forbid(principal, action, resource) when { context.command in ["rm", "dd"] };\npermit(principal, action, resource);'
+  );
+  await run("in-on-String forbid does not permit-all", "DENY", broken, { command: "rm" });
+  return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+}
 
 // src/http-server.ts
 import { createServer } from "http";
@@ -638,6 +668,8 @@ export {
   loadCedarPolicies,
   evaluateCedar,
   isCedarAvailable,
+  policySetFromSource,
+  runEvaluatorSelfTest,
   ReceiptBuffer,
   startStatusServer
 };

package/dist/{chunk-PLKRTBDR.mjs → chunk-OHUTUFTC.mjs}

@@ -7,7 +7,7 @@ import {
   parseRateLimit,
   signDecision,
   startStatusServer
-} from "./chunk-UV53U6D4.mjs";
+} from "./chunk-546U3A7R.mjs";
 
 // src/evidence-store.ts
 import { readFileSync, writeFileSync, existsSync } from "fs";

package/dist/{chunk-3YCKR72H.mjs → chunk-X63ELMU4.mjs}

@@ -11,7 +11,7 @@ import {
   loadPolicy,
   parseRateLimit,
   signDecision
-} from "./chunk-UV53U6D4.mjs";
+} from "./chunk-546U3A7R.mjs";
 
 // src/hook-server.ts
 import { createServer } from "http";

package/dist/{chunk-S4ICHNSP.mjs → chunk-ZBKJANP7.mjs}

@@ -1,11 +1,11 @@
 import {
   meetsMinTier
-} from "./chunk-PLKRTBDR.mjs";
+} from "./chunk-OHUTUFTC.mjs";
 import {
   checkRateLimit,
   getToolPolicy,
   parseRateLimit
-} from "./chunk-UV53U6D4.mjs";
+} from "./chunk-546U3A7R.mjs";
 
 // src/simulate.ts
 import { readFileSync } from "fs";

package/dist/cli.js

@@ -739,14 +739,18 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req, schema) {
+function onEvalError(reason, failClosed, extra) {
+  return {
+    allowed: !failClosed,
+    reason: failClosed ? reason : `${reason} (observe mode; would DENY under enforcement)`,
+    metadata: { error: true, fail_closed: failClosed, would_deny: true, ...extra || {} }
+  };
+}
+async function evaluateCedar(policySet, req, schema, options) {
+  const failClosed = options?.failClosed ?? true;
   const available = await ensureCedarWasm();
   if (!available) {
-    return {
-      allowed: true,
-      reason: "cedar_wasm_not_available",
-      metadata: { fallback: true }
-    };
+    return onEvalError("cedar_wasm_not_available", failClosed, { fallback: true });
   }
   try {
     const agentId = req.agentId || req.tier;
@@ -768,7 +772,7 @@ async function evaluateCedar(policySet, req, schema) {
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
-        policies: policySet.source,
+        policies: { staticPolicies: policySet.source },
         entities,
         principal: authRequest.principal,
         action: authRequest.action,
@@ -786,7 +790,7 @@ async function evaluateCedar(policySet, req, schema) {
       const cedarEngine = cedarWasm.default || cedarWasm;
       if (typeof cedarEngine.isAuthorized === "function") {
         result = cedarEngine.isAuthorized({
-          policies: policySet.source,
+          policies: { staticPolicies: policySet.source },
           entities,
           principal: authRequest.principal,
           action: authRequest.action,
@@ -795,61 +799,87 @@ async function evaluateCedar(policySet, req, schema) {
           schema: cedarSchema
         });
       } else {
-        return {
-          allowed: true,
-          reason: "cedar_wasm_api_unsupported",
-          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
-        };
+        return onEvalError("cedar_wasm_api_unsupported", failClosed, { exports: Object.keys(cedarWasm) });
       }
     }
-    const decision = parseWasmResult(result);
+    const parsed = parseWasmResult(result);
+    const policyErrors = extractPolicyErrors(result);
+    if (parsed.kind === "error") {
+      return onEvalError(`cedar_unparseable_result: ${parsed.diagnostics}`, failClosed);
+    }
+    if (policyErrors.length > 0) {
+      return onEvalError(
+        `cedar_policy_errored: ${policyErrors.length} policy error(s); decision is unsound`,
+        failClosed,
+        { policy_errors: policyErrors.slice(0, 5), policy_digest: policySet.digest }
+      );
+    }
     return {
-      allowed: decision.allowed,
-      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      allowed: parsed.kind === "allow",
+      reason: parsed.kind === "allow" ? void 0 : `cedar_deny${parsed.diagnostics ? ": " + parsed.diagnostics : ""}`,
       metadata: {
         policy_digest: policySet.digest,
-        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+        ...parsed.matchedPolicies ? { matched_policies: parsed.matchedPolicies } : {}
       }
     };
   } catch (err) {
-    return {
-      allowed: true,
-      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
-      metadata: { fallback: true, error: true }
-    };
+    return onEvalError(`cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`, failClosed);
   }
 }
 function parseWasmResult(result) {
-  if (!result) {
-    return { allowed: true, diagnostics: "null result from Cedar WASM" };
-  }
-  if (result.type === "allow" || result.type === "Allow") {
-    return { allowed: true };
-  }
-  if (result.type === "deny" || result.type === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
-      matchedPolicies: result.diagnostics?.reasons
-    };
-  }
-  if (result.decision === "Allow") {
-    return { allowed: true };
-  }
-  if (result.decision === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
-    };
+  if (!result) return { kind: "error", diagnostics: "null result from Cedar WASM" };
+  if (result.type === "failure") {
+    return { kind: "error", diagnostics: `cedar failure: ${JSON.stringify(result.errors ?? [])}` };
   }
-  if (typeof result === "boolean") {
-    return { allowed: result };
+  if (result.type === "success" && result.response) {
+    const dec = result.response.decision;
+    const reasons = result.response.diagnostics?.reason;
+    if (dec === "allow" || dec === "Allow") return { kind: "allow", matchedPolicies: reasons };
+    if (dec === "deny" || dec === "Deny") {
+      return { kind: "deny", diagnostics: result.response.diagnostics ? JSON.stringify(result.response.diagnostics) : void 0, matchedPolicies: reasons };
+    }
   }
-  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+  if (result.type === "allow" || result.decision === "Allow") return { kind: "allow" };
+  if (result.type === "deny" || result.decision === "Deny") return { kind: "deny" };
+  if (typeof result === "boolean") return result ? { kind: "allow" } : { kind: "deny" };
+  return { kind: "error", diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+function extractPolicyErrors(result) {
+  if (!result || typeof result !== "object") return [];
+  const raw = result.errors ?? result.response?.diagnostics?.errors ?? result.diagnostics?.errors ?? [];
+  if (!Array.isArray(raw)) return [];
+  return raw.map((e) => typeof e === "string" ? e : e?.message ?? e?.error ?? JSON.stringify(e)).filter(Boolean);
 }
 async function isCedarAvailable() {
   return ensureCedarWasm();
 }
+function policySetFromSource(source, name = "inline") {
+  const digest = (0, import_node_crypto2.createHash)("sha256").update(source).digest("hex").slice(0, 16);
+  return { source, digest, fileCount: 1, files: [name] };
+}
+async function runEvaluatorSelfTest() {
+  const wasmAvailable = await isCedarAvailable();
+  const cases = [];
+  const run = async (name, expected, policy, context) => {
+    const d = await evaluateCedar(policy, { tool: "Bash", tier: "unknown", context }, void 0, { failClosed: true });
+    const actual = d.allowed ? "ALLOW" : "DENY";
+    cases.push({ name, expected, actual, pass: actual === expected, reason: d.reason });
+  };
+  if (!wasmAvailable) {
+    await run("engine unavailable denies", "DENY", policySetFromSource("permit(principal, action, resource);"), {});
+    return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+  }
+  const correct = policySetFromSource(
+    'forbid(principal, action, resource) when { ["rm", "dd", "mkfs"].contains(context.command) };\npermit(principal, action, resource);'
+  );
+  await run("forbid denies rm", "DENY", correct, { command: "rm" });
+  await run("permit allows ls", "ALLOW", correct, { command: "ls" });
+  const broken = policySetFromSource(
+    'forbid(principal, action, resource) when { context.command in ["rm", "dd"] };\npermit(principal, action, resource);'
+  );
+  await run("in-on-String forbid does not permit-all", "DENY", broken, { command: "rm" });
+  return { wasmAvailable, passed: cases.every((c) => c.pass), cases };
+}
 var import_node_crypto2, import_node_fs4, import_node_path2, cedarWasm, loadAttempted;
 var init_cedar_evaluator = __esm({
   "src/cedar-evaluator.ts"() {
@@ -6315,6 +6345,8 @@ function formatSimulation(summary) {
 
 // src/cli.ts
 init_cedar_evaluator();
+var import_node_fs10 = require("fs");
+var import_node_path6 = require("path");
 var import_meta = {};
 function printHelp() {
   process.stderr.write(`
@@ -6348,6 +6380,8 @@ Options:
 
 Commands:
   serve             Start HTTP hook server for Claude Code integration (port 9377)
+  evaluate          Evaluate one tool call against a Cedar policy (PreToolUse gate; exit 2 = deny, fail-closed)
+  sign              Sign one tool call into a receipt (PostToolUse)
   init-hooks        Generate Claude Code hook config + skill + sample Cedar policy
   quickstart        Zero-config onboarding: init + demo + show receipts in one command
   connect           Create a ScopeBlind sandbox dashboard and configure receipt upload
@@ -7572,6 +7606,88 @@ async function sendInstallTelemetry() {
   } catch {
   }
 }
+function flagValue(argv, name) {
+  const i = argv.indexOf(name);
+  return i >= 0 && argv[i + 1] ? argv[i + 1] : void 0;
+}
+function loadPolicyArg(argv) {
+  const cedarDir = flagValue(argv, "--cedar");
+  const policyFile = flagValue(argv, "--policy");
+  try {
+    if (cedarDir) return loadCedarPolicies(cedarDir);
+    if (policyFile && (0, import_node_fs10.existsSync)(policyFile)) {
+      return policySetFromSource((0, import_node_fs10.readFileSync)(policyFile, "utf-8"), (0, import_node_path6.basename)(policyFile));
+    }
+  } catch {
+  }
+  return null;
+}
+async function handleEvaluate(argv) {
+  const tool = flagValue(argv, "--tool") || "";
+  const inputRaw = flagValue(argv, "--input") || "{}";
+  const contextRaw = flagValue(argv, "--context");
+  const failOnMissing = flagValue(argv, "--fail-on-missing-policy") !== "false";
+  const policySet = loadPolicyArg(argv);
+  if (!policySet) {
+    if (failOnMissing) {
+      process.stderr.write("protect-mcp evaluate: policy not found; denying (fail-closed). Pass --fail-on-missing-policy false to allow.\n");
+      process.exit(2);
+    }
+    process.stdout.write(JSON.stringify({ allowed: true, reason: "no_policy_configured" }) + "\n");
+    process.exit(0);
+  }
+  let input = {};
+  try {
+    input = JSON.parse(inputRaw);
+  } catch {
+  }
+  let extra = {};
+  if (contextRaw) {
+    try {
+      extra = JSON.parse(contextRaw);
+    } catch {
+    }
+  }
+  const context = { ...input, ...extra };
+  if (typeof input.command === "string" && context.command_pattern === void 0) {
+    context.command_pattern = input.command;
+  }
+  const decision = await evaluateCedar(policySet, { tool, tier: "unknown", context }, void 0, { failClosed: true });
+  process.stdout.write(JSON.stringify({ allowed: decision.allowed, reason: decision.reason, policy_digest: policySet.digest }) + "\n");
+  process.exit(decision.allowed ? 0 : 2);
+}
+async function handleSign(argv) {
+  const tool = flagValue(argv, "--tool") || "";
+  const receiptsDir = flagValue(argv, "--receipts") || "./receipts/";
+  const keyPath = flagValue(argv, "--key");
+  if (keyPath && (0, import_node_fs10.existsSync)(keyPath)) {
+    try {
+      await initSigning({ enabled: true, key_path: keyPath });
+    } catch {
+    }
+  }
+  const requestId = `tu-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+  const signed = signDecision({
+    tool,
+    decision: "allow",
+    reason_code: "post_execution_receipt",
+    policy_digest: "none",
+    request_id: requestId,
+    mode: "enforce",
+    timestamp: Date.now()
+  });
+  try {
+    (0, import_node_fs10.mkdirSync)(receiptsDir, { recursive: true });
+  } catch {
+  }
+  const line = signed.signed ?? JSON.stringify({ tool, request_id: requestId, signed: false, note: signed.warning || "no signer configured" });
+  try {
+    (0, import_node_fs10.appendFileSync)((0, import_node_path6.join)(receiptsDir, "receipts.jsonl"), line + "\n");
+  } catch {
+  }
+  process.stdout.write(JSON.stringify({ signed: Boolean(signed.signed), artifact_type: signed.artifact_type, request_id: requestId }) + "\n");
+  process.exit(0);
+}
 async function main() {
   sendInstallTelemetry().catch(() => {
   });
@@ -7580,6 +7696,14 @@ async function main() {
     printHelp();
     process.exit(0);
   }
+  if (args[0] === "evaluate") {
+    await handleEvaluate(args.slice(1));
+    return;
+  }
+  if (args[0] === "sign") {
+    await handleSign(args.slice(1));
+    return;
+  }
   if (args[0] === "serve") {
     const { startHookServer: startHookServer2 } = await Promise.resolve().then(() => (init_hook_server(), hook_server_exports));
     const portIdx = args.indexOf("--port");
@@ -7588,13 +7712,22 @@ async function main() {
     const policyPath2 = policyIdx >= 0 && args[policyIdx + 1] ? args[policyIdx + 1] : void 0;
     const cedarIdx = args.indexOf("--cedar");
     const cedarDir2 = cedarIdx >= 0 && args[cedarIdx + 1] ? args[cedarIdx + 1] : void 0;
-    await startHookServer2({
-      port,
-      policyPath: policyPath2,
-      cedarDir: cedarDir2,
-      enforce: args.includes("--enforce"),
-      verbose: args.includes("--verbose") || args.includes("-v")
-    });
+    const enforce2 = args.includes("--enforce");
+    const verbose2 = args.includes("--verbose") || args.includes("-v");
+    if (enforce2) {
+      const selfTest = await runEvaluatorSelfTest();
+      if (!selfTest.passed) {
+        process.stderr.write("protect-mcp serve --enforce: the policy-engine restraint self-test FAILED. Refusing to arm the gate.\n");
+        for (const c of selfTest.cases.filter((c2) => !c2.pass)) {
+          process.stderr.write(`  [FAIL] ${c.name}: expected ${c.expected}, got ${c.actual}
+`);
+        }
+        process.exit(1);
+      }
+      if (verbose2) process.stderr.write(`protect-mcp: restraint self-test passed (${selfTest.cases.length} vectors). Arming gate.
+`);
+    }
+    await startHookServer2({ port, policyPath: policyPath2, cedarDir: cedarDir2, enforce: enforce2, verbose: verbose2 });
     return;
   }
   if (args[0] === "init-hooks") {
@@ -7904,6 +8037,24 @@ async function handleDoctor() {
   } catch {
     process.stdout.write(dim2("  ScopeBlind API not reachable \u2014 offline mode (receipts stored locally)\n"));
   }
+  process.stdout.write("\nRestraint self-test:\n");
+  try {
+    const st = await runEvaluatorSelfTest();
+    if (!st.wasmAvailable) {
+      process.stdout.write(dim2("  Cedar WASM not installed; the gate fails closed (denies) until it is.\n"));
+    }
+    for (const c of st.cases) {
+      process.stdout.write(c.pass ? green2(`  ${c.name}
+`) : `\x1B[31m  FAIL: ${c.name} (expected ${c.expected}, got ${c.actual})
+\x1B[0m`);
+    }
+    if (!st.passed) issues++;
+    else process.stdout.write(green2("  the gate denies what it should and allows what it should\n"));
+  } catch (err) {
+    process.stdout.write(yellow2(`  self-test could not run: ${err instanceof Error ? err.message : "unknown"}
+`));
+    issues++;
+  }
   process.stdout.write("\n");
   if (issues === 0) {
     process.stdout.write("\x1B[32m\x1B[1mAll checks passed.\x1B[0m Ready to wrap MCP servers.\n");