protect-mcp

Enterprise security gateway for MCP servers and Claude Code hooks. Signed receipts, Cedar policies, and swarm-aware audit trails.

Integrated into Microsoft Agent Governance Toolkit | IETF Internet-Draft | Live demo: acta.today/wiki

Quick Start — Claude Code

Two commands. Every tool call is receipted.

# 1. Generate hooks, keys, Cedar policy, and /verify-receipt skill
npx protect-mcp init-hooks

# 2. Start the hook server
npx protect-mcp serve

Open Claude Code in the same project. Every tool call is now intercepted, evaluated, and signed.

What init-hooks creates

| File | Purpose | |------|---------| | .claude/settings.json | Hook config (PreToolUse, PostToolUse, + 9 lifecycle events) | | keys/gateway.json | Ed25519 signing keypair (auto-gitignored) | | policies/agent.cedar | Starter Cedar policy — customize to your needs | | protect-mcp.json | JSON policy with signing + rate limits | | .claude/skills/verify-receipt/SKILL.md | /verify-receipt skill for Claude Code |

Architecture

Claude Code  →  POST /hook  →  protect-mcp (Cedar + sign)  →  response
                                    ↓
                            .protect-mcp-log.jsonl
                            .protect-mcp-receipts.jsonl

• PreToolUse: synchronous Cedar policy check → deny blocks the tool
• PostToolUse: async receipt signing → zero latency impact
• deny is architecturally final — it cannot be overridden by the model or other hooks

Endpoints

| Method | Path | Description | |--------|------|-------------| | POST | /hook | Claude Code hook endpoint | | GET | /health | Server status, policy info, signer info | | GET | /receipts | Recent signed receipts | | GET | /receipts/latest | Most recent receipt | | GET | /suggestions | Auto-generated Cedar policy fix suggestions | | GET | /alerts | Config tamper detection alerts |

Verify receipts

# Inside Claude Code:
/verify-receipt

# From terminal:
curl http://127.0.0.1:9377/receipts/latest | jq .
npx protect-mcp receipts

# Check policy suggestions:
curl http://127.0.0.1:9377/suggestions | jq .

Quick Start — MCP Server Wrapper

Wrap any stdio MCP server as a transparent proxy:

# Shadow mode — log every tool call, enforce nothing
npx protect-mcp -- node my-server.js

# Enforce mode with policy
npx protect-mcp --policy protect-mcp.json --enforce -- node my-server.js

# Generate keys + config template
npx protect-mcp init

How It Works

protect-mcp evaluates every tool call against a policy (JSON, Cedar, or external PDP), signs the decision as an Ed25519 receipt, and logs the result.

Two integration modes:

| Mode | Transport | Use Case | |------|-----------|----------| | Hook Server | HTTP (npx protect-mcp serve) | Claude Code, agent swarms | | Stdio Proxy | stdin/stdout (npx protect-mcp -- ...) | Claude Desktop, Cursor, any MCP client |

Three policy engines:

| Engine | Config | Notes | |--------|--------|-------| | JSON | `--policy

... View full README on GitHub