protect-mcp
Provides security policy packs to protect GitHub integrations from prompt injection attacks and unauthorized tool use via crafted issues.
Offers specialized safety policies designed to prevent autonomous agents from accidentally performing destructive operations on production infrastructure.
protect-mcp
Enterprise security gateway for MCP servers and Claude Code hooks. Signed receipts, Cedar policies, and swarm-aware audit trails.
Integrated into Microsoft Agent Governance Toolkit | IETF Internet-Draft | Live demo: acta.today/wiki
Quick Start — Claude Code
Two commands. Every tool call is receipted.
# 1. Generate hooks, keys, Cedar policy, and /verify-receipt skill
npx protect-mcp init-hooks
# 2. Start the hook server
npx protect-mcp serveOpen Claude Code in the same project. Every tool call is now intercepted, evaluated, and signed.
What init-hooks creates
File | Purpose |
| Hook config (PreToolUse, PostToolUse, + 9 lifecycle events) |
| Ed25519 signing keypair (auto-gitignored) |
| Starter Cedar policy — customize to your needs |
| JSON policy with signing + rate limits |
|
|
Architecture
Claude Code → POST /hook → protect-mcp (Cedar + sign) → response
↓
.protect-mcp-log.jsonl
.protect-mcp-receipts.jsonlPreToolUse: synchronous Cedar policy check → deny blocks the tool
PostToolUse: async receipt signing → zero latency impact
deny is architecturally final — it cannot be overridden by the model or other hooks
Endpoints
Method | Path | Description |
POST |
| Claude Code hook endpoint |
GET |
| Server status, policy info, signer info |
GET |
| Recent signed receipts |
GET |
| Most recent receipt |
GET |
| Auto-generated Cedar policy fix suggestions |
GET |
| Config tamper detection alerts |
Verify receipts
# Inside Claude Code:
/verify-receipt
# From terminal:
curl http://127.0.0.1:9377/receipts/latest | jq .
npx protect-mcp receipts
# Check policy suggestions:
curl http://127.0.0.1:9377/suggestions | jq .Related MCP server: verify-mcp
Quick Start — MCP Server Wrapper
Wrap any stdio MCP server as a transparent proxy:
# Shadow mode — log every tool call, enforce nothing
npx protect-mcp -- node my-server.js
# Enforce mode with policy
npx protect-mcp --policy protect-mcp.json --enforce -- node my-server.js
# Generate keys + config template
npx protect-mcp initHow It Works
protect-mcp evaluates every tool call against a policy (JSON, Cedar, or external PDP), signs the decision as an Ed25519 receipt, and logs the result.
Two integration modes:
Mode | Transport | Use Case |
Hook Server | HTTP ( | Claude Code, agent swarms |
Stdio Proxy | stdin/stdout ( | Claude Desktop, Cursor, any MCP client |
Three policy engines:
Engine | Config | Notes |
JSON |
| Simple per-tool rules |
Cedar |
| Local WASM evaluation via |
External PDP |
| OPA, Cerbos, or any HTTP PDP |
Swarm Tracking
In multi-agent sessions, protect-mcp automatically tracks the swarm topology.
11 hook events handled:
Event | Type | Description |
| Sync | Cedar/policy evaluation before tool execution |
| Async | Receipt signing after tool execution |
| Lifecycle | Worker agent spawn/completion |
| Lifecycle | Coordinator task assignment |
| Lifecycle | Session lifecycle with sandbox detection |
| Lifecycle | Agent utilization monitoring |
| Security | Tamper detection for |
| Lifecycle | Finalization + policy suggestion summary |
Each receipt includes:
swarm.agent_id,swarm.agent_type,swarm.team_nametiming.tool_duration_ms,timing.hook_latency_mspayload_digest(SHA-256 hash for payloads >1KB)deny_iteration(retry count after denial)sandbox_state(enabled/disabled/unavailable)OpenTelemetry
otel_trace_idandotel_span_id
Policy File
{
"default_tier": "unknown",
"tools": {
"dangerous_tool": { "block": true },
"admin_tool": { "min_tier": "signed-known", "rate_limit": "5/hour" },
"read_tool": { "require": "any", "rate_limit": "100/hour" },
"*": { "rate_limit": "500/hour" }
},
"signing": {
"key_path": "./keys/gateway.json",
"issuer": "protect-mcp",
"enabled": true
}
}Cedar Policies
Cedar deny decisions are authoritative — they cannot be overridden.
// Allow read-only tools
permit(
principal,
action == Action::"MCP::Tool::call",
resource == Tool::"Read"
);
// Block destructive tools
forbid(
principal,
action == Action::"MCP::Tool::call",
resource == Tool::"delete_file"
);When a tool is denied, protect-mcp auto-suggests the minimal Cedar permit() rule via GET /suggestions.
CVE-Anchored Policy Packs
Each prevents a real attack:
Policy | Incident | OWASP |
| CVE-2025-6514: MCP OAuth proxy hijack (437K environments) | A01, A03 |
| Autonomous Terraform agent destroys production | A05, A06 |
| Prompt injection via crafted GitHub issue | A01, A02, A03 |
| Agent data theft via outbound tool abuse | A02, A04 |
| Unauthorized financial transaction | A05, A06 |
Cedar equivalents available in policies/cedar/.
MCP Client Configuration
Claude Desktop
{
"mcpServers": {
"my-protected-server": {
"command": "npx",
"args": [
"-y", "protect-mcp",
"--policy", "/path/to/protect-mcp.json",
"--enforce",
"--", "node", "my-server.js"
]
}
}
}Cursor / VS Code
Same pattern — replace the server command with protect-mcp wrapping it.
CLI Commands
Commands:
serve Start HTTP hook server for Claude Code (port 9377)
init-hooks Generate Claude Code hook config + skill + sample Cedar policy
quickstart Zero-config onboarding: init + demo + show receipts
init Generate Ed25519 keypair + config template
demo Start a demo server wrapped with protect-mcp
doctor Check your setup: keys, policies, verifier, connectivity
trace <id> Visualize the receipt DAG from a given receipt_id
status Show tool call statistics from the decision log
digest Generate a human-readable summary of agent activity
receipts Show recent persisted signed receipts
bundle Export an offline-verifiable audit bundle
simulate Dry-run a policy against recorded tool calls
report Generate a compliance report from an audit bundle
Options:
--policy <path> Policy/config JSON file
--cedar <dir> Cedar policy directory
--enforce Enable enforcement mode (default: shadow)
--port <port> HTTP server port (default: 9377 for serve)
--verbose Enable debug loggingDecision Logs
Every tool call emits structured JSON to stderr:
[PROTECT_MCP] {"v":2,"tool":"read_file","decision":"allow","reason_code":"cedar_allow","policy_digest":"a1b2c3...","mode":"enforce","hook_event":"PreToolUse","timing":{"hook_latency_ms":1},"otel_trace_id":"..."}When signing is configured, a signed receipt is persisted to .protect-mcp-receipts.jsonl.
Audit Bundles
npx protect-mcp bundle --output audit.jsonSelf-contained offline-verifiable bundle with receipts + signing keys. Verify with npx @veritasacta/verify.
Verified Knowledge Base (acta.today/wiki)
protect-mcp's receipt signing powers the world's first verified multi-model knowledge base at acta.today/wiki.
Every Knowledge Unit is produced by 4 frontier models deliberating in 3 adversarial rounds, with Ed25519 receipts on every model response. The current roster:
Model | Provider | Origin |
Claude Opus 4.6 | Anthropic | US |
GPT-5.4 | OpenAI | US |
Grok 4.20 | xAI | US |
Gemini 3.1 Pro | US | |
DeepSeek V3.2 | DeepSeek | CN |
MiniMax M2.7 | MiniMax | CN |
Kimi K2.5 | Moonshot | CN |
Qwen 2.5 72B | Alibaba | CN |
Every KU is independently verifiable: npx @veritasacta/verify receipt.json
Ecosystem Integrations
Project | Stars | Integration | Status |
600+ | Cedar policy bridge + receipt signing | Merged (PR #667) | |
3,700+ | Ed25519 receipt signing for MCP audit pipeline | PR #556 submitted | |
— | Signed receipts as evidence source | Active discussion (#1029) | |
24,500+ | Cryptographic audit trail for skill execution | Issue #5041 | |
57,600+ | Cryptographic integrity for persistence layer | Discussion #1855 | |
1,500+ | MCP config recommendation | PR #41 | |
1,400+ | Cryptographic receipts for validator verdicts | Issue #464 |
Standards & IP
IETF Internet-Drafts:
draft-farley-acta-signed-receipts-01 — Signed Decision Receipts for Machine-to-Machine Access Control
draft-farley-acta-knowledge-units-00 — Knowledge Units for Multi-Model Deliberation
Source: VeritasActa/drafts
Patent Status: 4 Australian provisional patents pending (2025-2026) covering decision receipts with configurable disclosure, tool-calling gateway, agent manifests, and portable identity
Verification: Apache-2.0 —
npx @veritasacta/verify --self-testMicrosoft AGT Integration: PR #667 — Cedar policy bridge for Agent Governance Toolkit
Related Repositories
Repository | Description |
Open protocol for contestable public records (Apache-2.0) | |
IETF Internet-Draft source files | |
Integration examples: Claude Code hooks, Express API, MCP server signing | |
Offline receipt verifier (Apache-2.0) | |
Agent identity SDK (Apache-2.0) | |
Google ADK receipt signing plugin (MIT, Python) |
Contributing
Issues and pull requests are welcome. Please open an issue first for significant changes.
Bug reports: Include the protect-mcp version, Node.js version, and steps to reproduce
Cedar policies: Share reusable policies via PR to the
policies/cedar/directoryIntegration examples: Add to ScopeBlind/examples
License
MIT — free to use, modify, distribute, and build upon without restriction.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ScopeBlind/scopeblind-gateway'
If you have feedback or need assistance with the MCP directory API, please join our Discord server