protect-mcp 0.6.2 → 0.7.0

package/dist/cli.mjs

@@ -3,20 +3,26 @@ import {
   formatSimulation,
   parseLogFile,
   simulate
-} from "./chunk-S4ICHNSP.mjs";
+} from "./chunk-ZBKJANP7.mjs";
 import {
   ProtectGateway,
   validateCredentials
-} from "./chunk-PLKRTBDR.mjs";
+} from "./chunk-OHUTUFTC.mjs";
 import {
+  evaluateCedar,
   initSigning,
   isCedarAvailable,
   loadCedarPolicies,
-  loadPolicy
-} from "./chunk-UV53U6D4.mjs";
+  loadPolicy,
+  policySetFromSource,
+  runEvaluatorSelfTest,
+  signDecision
+} from "./chunk-546U3A7R.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
 // src/cli.ts
+import { readFileSync as readFileSyncCli, existsSync as existsSyncCli, appendFileSync as appendFileSyncCli, mkdirSync as mkdirSyncCli } from "fs";
+import { basename as basenameCli, join as joinCli } from "path";
 function printHelp() {
   process.stderr.write(`
 protect-mcp \u2014 Enterprise security gateway for MCP servers & Claude Code hooks
@@ -49,6 +55,8 @@ Options:
 
 Commands:
   serve             Start HTTP hook server for Claude Code integration (port 9377)
+  evaluate          Evaluate one tool call against a Cedar policy (PreToolUse gate; exit 2 = deny, fail-closed)
+  sign              Sign one tool call into a receipt (PostToolUse)
   init-hooks        Generate Claude Code hook config + skill + sample Cedar policy
   quickstart        Zero-config onboarding: init + demo + show receipts in one command
   connect           Create a ScopeBlind sandbox dashboard and configure receipt upload
@@ -1273,6 +1281,88 @@ async function sendInstallTelemetry() {
   } catch {
   }
 }
+function flagValue(argv, name) {
+  const i = argv.indexOf(name);
+  return i >= 0 && argv[i + 1] ? argv[i + 1] : void 0;
+}
+function loadPolicyArg(argv) {
+  const cedarDir = flagValue(argv, "--cedar");
+  const policyFile = flagValue(argv, "--policy");
+  try {
+    if (cedarDir) return loadCedarPolicies(cedarDir);
+    if (policyFile && existsSyncCli(policyFile)) {
+      return policySetFromSource(readFileSyncCli(policyFile, "utf-8"), basenameCli(policyFile));
+    }
+  } catch {
+  }
+  return null;
+}
+async function handleEvaluate(argv) {
+  const tool = flagValue(argv, "--tool") || "";
+  const inputRaw = flagValue(argv, "--input") || "{}";
+  const contextRaw = flagValue(argv, "--context");
+  const failOnMissing = flagValue(argv, "--fail-on-missing-policy") !== "false";
+  const policySet = loadPolicyArg(argv);
+  if (!policySet) {
+    if (failOnMissing) {
+      process.stderr.write("protect-mcp evaluate: policy not found; denying (fail-closed). Pass --fail-on-missing-policy false to allow.\n");
+      process.exit(2);
+    }
+    process.stdout.write(JSON.stringify({ allowed: true, reason: "no_policy_configured" }) + "\n");
+    process.exit(0);
+  }
+  let input = {};
+  try {
+    input = JSON.parse(inputRaw);
+  } catch {
+  }
+  let extra = {};
+  if (contextRaw) {
+    try {
+      extra = JSON.parse(contextRaw);
+    } catch {
+    }
+  }
+  const context = { ...input, ...extra };
+  if (typeof input.command === "string" && context.command_pattern === void 0) {
+    context.command_pattern = input.command;
+  }
+  const decision = await evaluateCedar(policySet, { tool, tier: "unknown", context }, void 0, { failClosed: true });
+  process.stdout.write(JSON.stringify({ allowed: decision.allowed, reason: decision.reason, policy_digest: policySet.digest }) + "\n");
+  process.exit(decision.allowed ? 0 : 2);
+}
+async function handleSign(argv) {
+  const tool = flagValue(argv, "--tool") || "";
+  const receiptsDir = flagValue(argv, "--receipts") || "./receipts/";
+  const keyPath = flagValue(argv, "--key");
+  if (keyPath && existsSyncCli(keyPath)) {
+    try {
+      await initSigning({ enabled: true, key_path: keyPath });
+    } catch {
+    }
+  }
+  const requestId = `tu-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+  const signed = signDecision({
+    tool,
+    decision: "allow",
+    reason_code: "post_execution_receipt",
+    policy_digest: "none",
+    request_id: requestId,
+    mode: "enforce",
+    timestamp: Date.now()
+  });
+  try {
+    mkdirSyncCli(receiptsDir, { recursive: true });
+  } catch {
+  }
+  const line = signed.signed ?? JSON.stringify({ tool, request_id: requestId, signed: false, note: signed.warning || "no signer configured" });
+  try {
+    appendFileSyncCli(joinCli(receiptsDir, "receipts.jsonl"), line + "\n");
+  } catch {
+  }
+  process.stdout.write(JSON.stringify({ signed: Boolean(signed.signed), artifact_type: signed.artifact_type, request_id: requestId }) + "\n");
+  process.exit(0);
+}
 async function main() {
   sendInstallTelemetry().catch(() => {
   });
@@ -1281,6 +1371,14 @@ async function main() {
     printHelp();
     process.exit(0);
   }
+  if (args[0] === "evaluate") {
+    await handleEvaluate(args.slice(1));
+    return;
+  }
+  if (args[0] === "sign") {
+    await handleSign(args.slice(1));
+    return;
+  }
   if (args[0] === "serve") {
     const { startHookServer } = await import("./hook-server.mjs");
     const portIdx = args.indexOf("--port");
@@ -1289,13 +1387,22 @@ async function main() {
     const policyPath2 = policyIdx >= 0 && args[policyIdx + 1] ? args[policyIdx + 1] : void 0;
     const cedarIdx = args.indexOf("--cedar");
     const cedarDir2 = cedarIdx >= 0 && args[cedarIdx + 1] ? args[cedarIdx + 1] : void 0;
-    await startHookServer({
-      port,
-      policyPath: policyPath2,
-      cedarDir: cedarDir2,
-      enforce: args.includes("--enforce"),
-      verbose: args.includes("--verbose") || args.includes("-v")
-    });
+    const enforce2 = args.includes("--enforce");
+    const verbose2 = args.includes("--verbose") || args.includes("-v");
+    if (enforce2) {
+      const selfTest = await runEvaluatorSelfTest();
+      if (!selfTest.passed) {
+        process.stderr.write("protect-mcp serve --enforce: the policy-engine restraint self-test FAILED. Refusing to arm the gate.\n");
+        for (const c of selfTest.cases.filter((c2) => !c2.pass)) {
+          process.stderr.write(`  [FAIL] ${c.name}: expected ${c.expected}, got ${c.actual}
+`);
+        }
+        process.exit(1);
+      }
+      if (verbose2) process.stderr.write(`protect-mcp: restraint self-test passed (${selfTest.cases.length} vectors). Arming gate.
+`);
+    }
+    await startHookServer({ port, policyPath: policyPath2, cedarDir: cedarDir2, enforce: enforce2, verbose: verbose2 });
     return;
   }
   if (args[0] === "init-hooks") {
@@ -1442,7 +1549,7 @@ async function main() {
   if (useHttp) {
     const portIdx = args.indexOf("--port");
     const httpPort = portIdx >= 0 && args[portIdx + 1] ? parseInt(args[portIdx + 1]) : 3e3;
-    const { startHttpTransport } = await import("./http-transport-MO32ESHZ.mjs");
+    const { startHttpTransport } = await import("./http-transport-R5AO7X6D.mjs");
     startHttpTransport({ port: httpPort, config, serverCommand: childCommand });
     return;
   }
@@ -1605,6 +1712,24 @@ async function handleDoctor() {
   } catch {
     process.stdout.write(dim2("  ScopeBlind API not reachable \u2014 offline mode (receipts stored locally)\n"));
   }
+  process.stdout.write("\nRestraint self-test:\n");
+  try {
+    const st = await runEvaluatorSelfTest();
+    if (!st.wasmAvailable) {
+      process.stdout.write(dim2("  Cedar WASM not installed; the gate fails closed (denies) until it is.\n"));
+    }
+    for (const c of st.cases) {
+      process.stdout.write(c.pass ? green2(`  ${c.name}
+`) : `\x1B[31m  FAIL: ${c.name} (expected ${c.expected}, got ${c.actual})
+\x1B[0m`);
+    }
+    if (!st.passed) issues++;
+    else process.stdout.write(green2("  the gate denies what it should and allows what it should\n"));
+  } catch (err) {
+    process.stdout.write(yellow2(`  self-test could not run: ${err instanceof Error ? err.message : "unknown"}
+`));
+    issues++;
+  }
   process.stdout.write("\n");
   if (issues === 0) {
     process.stdout.write("\x1B[32m\x1B[1mAll checks passed.\x1B[0m Ready to wrap MCP servers.\n");

package/dist/hook-server.js

@@ -89,14 +89,18 @@ function buildEntities(req) {
     }
   ];
 }
-async function evaluateCedar(policySet, req, schema) {
+function onEvalError(reason, failClosed, extra) {
+  return {
+    allowed: !failClosed,
+    reason: failClosed ? reason : `${reason} (observe mode; would DENY under enforcement)`,
+    metadata: { error: true, fail_closed: failClosed, would_deny: true, ...extra || {} }
+  };
+}
+async function evaluateCedar(policySet, req, schema, options) {
+  const failClosed = options?.failClosed ?? true;
   const available = await ensureCedarWasm();
   if (!available) {
-    return {
-      allowed: true,
-      reason: "cedar_wasm_not_available",
-      metadata: { fallback: true }
-    };
+    return onEvalError("cedar_wasm_not_available", failClosed, { fallback: true });
   }
   try {
     const agentId = req.agentId || req.tier;
@@ -118,7 +122,7 @@ async function evaluateCedar(policySet, req, schema) {
     let result;
     if (typeof cedarWasm.isAuthorized === "function") {
       result = cedarWasm.isAuthorized({
-        policies: policySet.source,
+        policies: { staticPolicies: policySet.source },
         entities,
         principal: authRequest.principal,
         action: authRequest.action,
@@ -136,7 +140,7 @@ async function evaluateCedar(policySet, req, schema) {
       const cedarEngine = cedarWasm.default || cedarWasm;
       if (typeof cedarEngine.isAuthorized === "function") {
         result = cedarEngine.isAuthorized({
-          policies: policySet.source,
+          policies: { staticPolicies: policySet.source },
           entities,
           principal: authRequest.principal,
           action: authRequest.action,
@@ -145,57 +149,56 @@ async function evaluateCedar(policySet, req, schema) {
           schema: cedarSchema
         });
       } else {
-        return {
-          allowed: true,
-          reason: "cedar_wasm_api_unsupported",
-          metadata: { fallback: true, exports: Object.keys(cedarWasm) }
-        };
+        return onEvalError("cedar_wasm_api_unsupported", failClosed, { exports: Object.keys(cedarWasm) });
       }
     }
-    const decision = parseWasmResult(result);
+    const parsed = parseWasmResult(result);
+    const policyErrors = extractPolicyErrors(result);
+    if (parsed.kind === "error") {
+      return onEvalError(`cedar_unparseable_result: ${parsed.diagnostics}`, failClosed);
+    }
+    if (policyErrors.length > 0) {
+      return onEvalError(
+        `cedar_policy_errored: ${policyErrors.length} policy error(s); decision is unsound`,
+        failClosed,
+        { policy_errors: policyErrors.slice(0, 5), policy_digest: policySet.digest }
+      );
+    }
     return {
-      allowed: decision.allowed,
-      reason: decision.allowed ? void 0 : `cedar_deny${decision.diagnostics ? ": " + decision.diagnostics : ""}`,
+      allowed: parsed.kind === "allow",
+      reason: parsed.kind === "allow" ? void 0 : `cedar_deny${parsed.diagnostics ? ": " + parsed.diagnostics : ""}`,
       metadata: {
         policy_digest: policySet.digest,
-        ...decision.matchedPolicies ? { matched_policies: decision.matchedPolicies } : {}
+        ...parsed.matchedPolicies ? { matched_policies: parsed.matchedPolicies } : {}
       }
     };
   } catch (err) {
-    return {
-      allowed: true,
-      reason: `cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`,
-      metadata: { fallback: true, error: true }
-    };
+    return onEvalError(`cedar_eval_error: ${err instanceof Error ? err.message : "unknown"}`, failClosed);
   }
 }
 function parseWasmResult(result) {
-  if (!result) {
-    return { allowed: true, diagnostics: "null result from Cedar WASM" };
-  }
-  if (result.type === "allow" || result.type === "Allow") {
-    return { allowed: true };
-  }
-  if (result.type === "deny" || result.type === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0,
-      matchedPolicies: result.diagnostics?.reasons
-    };
-  }
-  if (result.decision === "Allow") {
-    return { allowed: true };
-  }
-  if (result.decision === "Deny") {
-    return {
-      allowed: false,
-      diagnostics: result.diagnostics ? JSON.stringify(result.diagnostics) : void 0
-    };
-  }
-  if (typeof result === "boolean") {
-    return { allowed: result };
+  if (!result) return { kind: "error", diagnostics: "null result from Cedar WASM" };
+  if (result.type === "failure") {
+    return { kind: "error", diagnostics: `cedar failure: ${JSON.stringify(result.errors ?? [])}` };
+  }
+  if (result.type === "success" && result.response) {
+    const dec = result.response.decision;
+    const reasons = result.response.diagnostics?.reason;
+    if (dec === "allow" || dec === "Allow") return { kind: "allow", matchedPolicies: reasons };
+    if (dec === "deny" || dec === "Deny") {
+      return { kind: "deny", diagnostics: result.response.diagnostics ? JSON.stringify(result.response.diagnostics) : void 0, matchedPolicies: reasons };
+    }
   }
-  return { allowed: true, diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+  if (result.type === "allow" || result.decision === "Allow") return { kind: "allow" };
+  if (result.type === "deny" || result.decision === "Deny") return { kind: "deny" };
+  if (typeof result === "boolean") return result ? { kind: "allow" } : { kind: "deny" };
+  return { kind: "error", diagnostics: `unknown result format: ${JSON.stringify(result)}` };
+}
+function extractPolicyErrors(result) {
+  if (!result || typeof result !== "object") return [];
+  const raw = result.errors ?? result.response?.diagnostics?.errors ?? result.diagnostics?.errors ?? [];
+  if (!Array.isArray(raw)) return [];
+  return raw.map((e) => typeof e === "string" ? e : e?.message ?? e?.error ?? JSON.stringify(e)).filter(Boolean);
 }
 async function isCedarAvailable() {
   return ensureCedarWasm();

package/dist/hook-server.mjs

@@ -1,7 +1,7 @@
 import {
   startHookServer
-} from "./chunk-3YCKR72H.mjs";
-import "./chunk-UV53U6D4.mjs";
+} from "./chunk-X63ELMU4.mjs";
+import "./chunk-546U3A7R.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 export {
   startHookServer

package/dist/{http-transport-MO32ESHZ.mjs → http-transport-R5AO7X6D.mjs}

@@ -1,7 +1,7 @@
 import {
   ProtectGateway
-} from "./chunk-PLKRTBDR.mjs";
-import "./chunk-UV53U6D4.mjs";
+} from "./chunk-OHUTUFTC.mjs";
+import "./chunk-546U3A7R.mjs";
 import "./chunk-PQJP2ZCI.mjs";
 
 // src/http-transport.ts

package/dist/index.d.mts

@@ -595,19 +595,52 @@ interface CedarSchema {
  * Throws if the directory doesn't exist or contains no .cedar files.
  */
 declare function loadCedarPolicies(dirPath: string): CedarPolicySet;
+interface CedarEvalOptions {
+    /**
+     * Default true (0.7.0+). When true, ANY evaluation error, engine
+     * unavailability, malformed result, or per-policy error DENIES. When false
+     * (explicit observe/shadow use only), those paths ALLOW but are flagged
+     * would_deny:true in the decision metadata so the failure is never silent.
+     */
+    failClosed?: boolean;
+}
 /**
  * Evaluate a Cedar policy set against a tool call.
  *
- * Returns a standard ExternalDecision compatible with the gateway's
- * decision pipeline. If Cedar WASM is not available, returns a
- * fallback allow decision (fail-open, logged).
+ * FAIL-CLOSED by default (0.7.0+): if Cedar is unavailable, the engine API is
+ * unsupported, evaluation throws, the result is malformed, or ANY policy errored
+ * during evaluation (which Cedar otherwise silently discards, leaving a residual
+ * permit standing), this returns DENY. The allow-on-error behavior is reachable
+ * only by explicitly passing { failClosed: false }, and even then it is flagged.
  */
-declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema): Promise<ExternalDecision>;
+declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema, options?: CedarEvalOptions): Promise<ExternalDecision>;
 /**
  * Validate that Cedar WASM is available.
  * Useful for CLI startup diagnostics.
  */
 declare function isCedarAvailable(): Promise<boolean>;
+/** Build a CedarPolicySet from inline source (for the self-test). */
+declare function policySetFromSource(source: string, name?: string): CedarPolicySet;
+interface SelfTestCase {
+    name: string;
+    expected: 'ALLOW' | 'DENY';
+    actual: 'ALLOW' | 'DENY';
+    pass: boolean;
+    reason?: string;
+}
+interface SelfTestReport {
+    wasmAvailable: boolean;
+    passed: boolean;
+    cases: SelfTestCase[];
+}
+/**
+ * Run known deny/allow vectors through the LIVE evaluator before the gate is
+ * trusted. Always proves the fail-closed invariant (the engine being unable to
+ * decide must DENY). When Cedar WASM is present it also proves a real forbid
+ * denies, a permit allows, and a policy using the silently-discarded
+ * `in`-on-String pattern DENIES rather than permit-all (the 0.6.x regression).
+ */
+declare function runEvaluatorSelfTest(): Promise<SelfTestReport>;
 
 /**
  * MCP tool-calling gateway that intercepts JSON-RPC requests,
@@ -2982,4 +3015,4 @@ declare function getScopeBlindBridge(): ScopeBlindBridge;
 /** Convenience: forward a signed receipt without instantiating yourself. */
 declare function forwardReceipt(signedReceipt: any): void;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalOptions, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SelfTestCase, type SelfTestReport, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, policySetFromSource, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runEvaluatorSelfTest, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };

package/dist/index.d.ts

@@ -595,19 +595,52 @@ interface CedarSchema {
  * Throws if the directory doesn't exist or contains no .cedar files.
  */
 declare function loadCedarPolicies(dirPath: string): CedarPolicySet;
+interface CedarEvalOptions {
+    /**
+     * Default true (0.7.0+). When true, ANY evaluation error, engine
+     * unavailability, malformed result, or per-policy error DENIES. When false
+     * (explicit observe/shadow use only), those paths ALLOW but are flagged
+     * would_deny:true in the decision metadata so the failure is never silent.
+     */
+    failClosed?: boolean;
+}
 /**
  * Evaluate a Cedar policy set against a tool call.
  *
- * Returns a standard ExternalDecision compatible with the gateway's
- * decision pipeline. If Cedar WASM is not available, returns a
- * fallback allow decision (fail-open, logged).
+ * FAIL-CLOSED by default (0.7.0+): if Cedar is unavailable, the engine API is
+ * unsupported, evaluation throws, the result is malformed, or ANY policy errored
+ * during evaluation (which Cedar otherwise silently discards, leaving a residual
+ * permit standing), this returns DENY. The allow-on-error behavior is reachable
+ * only by explicitly passing { failClosed: false }, and even then it is flagged.
  */
-declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema): Promise<ExternalDecision>;
+declare function evaluateCedar(policySet: CedarPolicySet, req: CedarEvalRequest, schema?: CedarSchema, options?: CedarEvalOptions): Promise<ExternalDecision>;
 /**
  * Validate that Cedar WASM is available.
  * Useful for CLI startup diagnostics.
  */
 declare function isCedarAvailable(): Promise<boolean>;
+/** Build a CedarPolicySet from inline source (for the self-test). */
+declare function policySetFromSource(source: string, name?: string): CedarPolicySet;
+interface SelfTestCase {
+    name: string;
+    expected: 'ALLOW' | 'DENY';
+    actual: 'ALLOW' | 'DENY';
+    pass: boolean;
+    reason?: string;
+}
+interface SelfTestReport {
+    wasmAvailable: boolean;
+    passed: boolean;
+    cases: SelfTestCase[];
+}
+/**
+ * Run known deny/allow vectors through the LIVE evaluator before the gate is
+ * trusted. Always proves the fail-closed invariant (the engine being unable to
+ * decide must DENY). When Cedar WASM is present it also proves a real forbid
+ * denies, a permit allows, and a policy using the silently-discarded
+ * `in`-on-String pattern DENIES rather than permit-all (the 0.6.x regression).
+ */
+declare function runEvaluatorSelfTest(): Promise<SelfTestReport>;
 
 /**
  * MCP tool-calling gateway that intercepts JSON-RPC requests,
@@ -2982,4 +3015,4 @@ declare function getScopeBlindBridge(): ScopeBlindBridge;
 /** Convenience: forward a signed receipt without instantiating yourself. */
 declare function forwardReceipt(signedReceipt: any): void;
 
-export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };
+export { type ActionReceipt, type AdmissionResult, type AgentId, type AgentManifest, type ApprovalAssertion, type ApprovalChallenge, type ApprovalNotification, type ApprovalResult, type ArenaPayload, type ArenaReceipt, type AttestationDocument, type AttestationPayload, type AttestationProvider, type AttestationReceipt, type AttestationResult, type AuditBundle, type AuditBundleOptions, type BenchmarkPayload, type BenchmarkReceipt, type BuilderId, type C2PAAssertion, type C2PAIngredient, type C2PAManifest, type C2PAOptions, type CCRConnectorConfig, type CCRSessionContext, type CalibrationScore, type CedarEvalOptions, type CedarEvalRequest, type CedarPolicySet, type CedarSchema, type CedarSchemaResult, type CommittedFieldOpening, type CommittedSignResult, type ComplianceReport, ConfidentialGate, type ConfidentialGateConfig, type ConfidentialInferenceConfig, type CredentialConfig, type DecisionContext, type DecisionLog, type DelegationReceipt, type DisclosureMode, type Ed25519PublicKey, type EvidenceAttestation, type EvidenceAttestationInput, type EvidenceIssuer, type EvidenceReceipt, type EvidenceReceiptBase, type EvidenceSummary, type EvidenceSummaryEntry, type EvidenceType, type ExternalDecision, type ExternalPDPConfig, type HFDatasetMetadata, type HFReceiptRow, type HookEventName, type HookInput, type HookResponse, type IssuerType, type JsonRpcRequest, type JsonRpcResponse, type LeaseCompatibility, type ManifestBuilder, type ManifestCapabilities, type ManifestConfig, type ManifestIdentity, type ManifestPresentation, type ManifestSignature, type ManifestStatus, type McpToolDescription, type MinimalDisclosure, type NotificationConfig, type PassportTokenClaims, type PayloadDigest, type PlanReceipt, type PolicyEngineMode, type PredictionReceipt, type PredictionResolution, type PropagatorConfig, type ProtectConfig, ProtectGateway, type ProtectPolicy, type RateLimit, ReceiptPropagator, type RedactedResult, type RedactionSalt, type RekorAnchor, type RekorVerification, type RestraintPayload, type RestraintReceipt, type SHA256Hash, type SafetyTranscript, type Sandbox, type SandboxConfig, type SandboxReceipt, type SandboxResult, type SandboxToolCall, type SchemaGeneratorConfig, ScopeBlindBridge, type SelfTestCase, type SelfTestReport, type SigningConfig, type SimulationResult, type SimulationSummary, type SwarmContext, type TierOverrides, type TimingMetrics, type ToolPolicy, type TrustTier, type WorkPayload, type WorkReceipt, anchorToRekor, buildDecisionContext, checkRateLimit, collectSignedReceipts, computeCalibration, confidentialInference, createApprovalChallenge, createApprovalReceiptPayload, createAttestationField, createAuditBundle, createC2PAManifest, createDisclosurePackage, createEvidenceAttestation, createLogAnchorField, createReceiptChannel, createSandbox, destroySandbox, discloseField, ed25519ToDIDKey, evaluateCedar, evaluateTier, exportC2PAManifestJSON, exportJSONL, formatReportMarkdown, formatSimulation, forwardReceipt, generateC2PACommand, generateCedarSchema, generateDatasetCard, generateHFMetadata, generateReport, generateSafetyTranscript, generateSchemaStub, getScopeBlindBridge, getSignerInfo, getToolPolicy, hashReceipt, hashResponseBody, initSigning, isAgentId, isCedarAvailable, isDisclosureMode, isEvidenceType, isManifestStatus, isSigningEnabled, listCredentialLabels, loadCedarPolicies, loadPolicy, manifestToVC, meetsMinTier, parseLogFile, parseNotificationConfigFromEnv, parseRateLimit, policySetFromSource, queryExternalPDP, receiptToVP, receiptsToHFRows, redactFields, resolveCredential, revealField, runEvaluatorSelfTest, runInSandbox, sendApprovalNotification, signCommittedDecision, signDecision, simulate, toCredentialRequestOptions, toManifoldFormat, toMetaculusFormat, validateCredentials, validateEvidenceReceipt, validateManifest, verifyActaC2PAAssertions, verifyAllCommitments, verifyApprovalAssertion, verifyCommitment, verifyEvidenceAttestation, verifyRekorAnchor };