protect-mcp-setup

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

protect-mcp — Policy Enforcement + Signed Receipts

protect-mcp — 策略强制执行 + 签名收据

Cryptographic governance for every Claude Code tool call. Each invocation is evaluated against a Cedar policy and produces an Ed25519-signed receipt that anyone can verify offline.

为每一次Claude Code工具调用提供加密管控。每次调用都会根据Cedar策略进行评估，并生成可离线验证的Ed25519签名收据。

Overview

概述

Claude Code runs powerful tools:

Bash

Edit

Write

WebFetch

. By default there is no audit trail, no policy enforcement, and no way to prove what was decided after the fact.

protect-mcp

closes all three gaps:

Cedar policies (AWS's open authorization engine) evaluate every tool call before execution. Cedar deny is authoritative.
Ed25519 receipts record each decision with its inputs, the policy that governed it, and the outcome. Receipts are hash-chained.
Offline verification via
```
npx @veritasacta/verify
```
. No server, no account, no trust in the operator.

Claude Code可运行强大的工具：

Bash

、

Edit

、

Write

、

WebFetch

。默认情况下，没有审计跟踪、策略强制执行机制，也无法事后证明做出了哪些决策。

protect-mcp

填补了这三项空白：

Cedar策略（AWS的开源授权引擎）会在执行前评估每一次工具调用。Cedar的拒绝决定具有权威性。
Ed25519收据记录每一项决策的输入、管控策略及结果。收据采用哈希链式结构。
离线验证通过
```
npx @veritasacta/verify
```
实现。无需服务器、账户，也无需信任操作员。

Problem

问题背景

AI agents make decisions that affect money, safety, and rights. The Claude Code session log records what happened, but the log is:

Mutable — anyone with access can edit it
Unsigned — there is no way to prove integrity
Operator-bound — verification requires trusting whoever holds the log

For compliance contexts (finance, healthcare, regulated research), this is not sufficient. You need tamper-evident evidence that can be verified by third parties without trusting you.

AI Agent做出的决策会影响资金、安全和权益。Claude Code会话日志会记录发生的操作，但该日志存在以下问题：

可篡改——任何有权限的人都能编辑它
未签名——无法证明其完整性
依赖操作员——验证需要信任持有日志的人

对于合规场景（金融、医疗、受监管的研究），这并不足够。你需要防篡改的证据，且第三方无需信任你即可验证。

Solution

解决方案

Add

protect-mcp

to your Claude Code project:

bash

undefined

将

protect-mcp

添加到你的Claude Code项目中：

bash

undefined

1. Install the plugin (adds hooks + skill to your project)

1. 安装插件（为项目添加钩子和skill）

claude plugin install wshobson/agents/protect-mcp

2. Configure hooks in .claude/settings.json (see below)

2. 在.claude/settings.json中配置钩子（见下文）

3. Start the receipt-signing server (runs locally, no external calls)

3. 启动收据签名服务器（本地运行，无外部调用）

npx protect-mcp@latest serve --enforce

4. Use Claude Code normally. Every tool call is now policy-evaluated

4. 正常使用Claude Code。现在每一次工具调用都会经过策略评估

and produces a signed receipt in ./receipts/

并在./receipts/目录下生成签名收据

undefined

undefined

Hook Configuration

钩子配置

Add the following to your project's

.claude/settings.json

json

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": ".*",
        "hook": {
          "type": "command",
          "command": "npx protect-mcp@latest evaluate --policy ./protect.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" || exit 2"
        }
      }
    ],
    "PostToolUse": [
      {
        "matcher": ".*",
        "hook": {
          "type": "command",
          "command": "npx protect-mcp@latest sign --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --output \"$TOOL_OUTPUT\" --receipts ./receipts/"
        }
      }
    ]
  }
}

将以下内容添加到项目的

.claude/settings.json

中：

json

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": ".*",
        "hook": {
          "type": "command",
          "command": "npx protect-mcp@latest evaluate --policy ./protect.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" || exit 2"
        }
      }
    ],
    "PostToolUse": [
      {
        "matcher": ".*",
        "hook": {
          "type": "command",
          "command": "npx protect-mcp@latest sign --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --output \"$TOOL_OUTPUT\" --receipts ./receipts/"
        }
      }
    ]
  }
}

What each hook does

各钩子的作用

PreToolUse — Runs BEFORE the tool executes. Evaluates the tool call against your Cedar policy file. If Cedar returns

deny

, the hook exits with code 2 and Claude Code blocks the tool call entirely.

PostToolUse — Runs AFTER the tool completes. Signs a receipt containing the tool name, input hash, output hash, decision, policy digest, and timestamp. Writes the receipt to

./receipts/<timestamp>.json

PreToolUse — 在工具执行前运行。根据你的Cedar策略文件评估工具调用。如果Cedar返回

deny

，钩子会以代码2退出，Claude Code会完全阻止该工具调用。

PostToolUse — 在工具执行完成后运行。对包含工具名称、输入哈希、输出哈希、决策结果、策略摘要和时间戳的收据进行签名。将收据写入

./receipts/<timestamp>.json

。

Cedar Policy File

Cedar策略文件

Create

./protect.cedar

at the project root:

cedar

// Allow read-only tools by default
permit (
    principal,
    action in [Action::"Read", Action::"Glob", Action::"Grep", Action::"WebFetch"],
    resource
);

// Require explicit allow for destructive tools
permit (
    principal,
    action == Action::"Bash",
    resource
) when {
    // Allow safe commands only
    context.command_pattern in ["git", "npm", "ls", "cat", "echo", "pwd", "test"]
};

// Never allow recursive deletion
forbid (
    principal,
    action == Action::"Bash",
    resource
) when {
    context.command_pattern == "rm -rf"
};

// Require confirmation for writes outside the project
forbid (
    principal,
    action in [Action::"Edit", Action::"Write"],
    resource
) when {
    context.path_starts_with != "."
};

在项目根目录创建

./protect.cedar

文件：

cedar

// 默认允许只读工具
permit (
    principal,
    action in [Action::"Read", Action::"Glob", Action::"Grep", Action::"WebFetch"],
    resource
);

// 破坏性工具需要明确允许
permit (
    principal,
    action == Action::"Bash",
    resource
) when {
    // 仅允许安全命令
    context.command_pattern in ["git", "npm", "ls", "cat", "echo", "pwd", "test"]
};

// 绝不允许递归删除
forbid (
    principal,
    action == Action::"Bash",
    resource
) when {
    context.command_pattern == "rm -rf"
};

// 对项目外部的写入操作需要确认
forbid (
    principal,
    action in [Action::"Edit", Action::"Write"],
    resource
) when {
    context.path_starts_with != "."
};

Verification

验证

Verify a single receipt:

bash

npx @veritasacta/verify receipts/2026-04-15T10-30-00Z.json

验证单个收据：

bash

npx @veritasacta/verify receipts/2026-04-15T10-30-00Z.json

Exit 0 = valid

退出码0 = 有效

Exit 1 = tampered

退出码1 = 已篡改

Exit 2 = malformed

退出码2 = 格式错误


Verify the entire chain:

```bash
npx @veritasacta/verify receipts/*.json

Use the plugin's slash commands from within Claude Code:

/verify-receipt receipts/latest.json
/audit-chain ./receipts/ --last 20


验证整个收据链：

```bash
npx @veritasacta/verify receipts/*.json

在Claude Code中使用插件的斜杠命令：

/verify-receipt receipts/latest.json
/audit-chain ./receipts/ --last 20

Receipt Format

收据格式

Each receipt is a JSON file with this structure:

json

{
  "receipt_id": "rec_8f92a3b1",
  "receipt_version": "1.0",
  "issuer_id": "claude-code-protect-mcp",
  "event_time": "2026-04-15T10:30:00.000Z",
  "tool_name": "Bash",
  "input_hash": "sha256:a3f8...",
  "decision": "allow",
  "policy_id": "autoresearch-safe",
  "policy_digest": "sha256:b7e2...",
  "parent_receipt_id": "rec_3d1ab7c2",
  "public_key": "4437ca56815c0516...",
  "signature": "4cde814b7889e987..."
}

Ed25519 signatures (RFC 8032)
JCS canonicalization (RFC 8785) before signing
Hash-chained to the previous receipt via
```
parent_receipt_id
```
Offline verifiable — no network call, no vendor lookup

每个收据都是JSON文件，结构如下：

json

{
  "receipt_id": "rec_8f92a3b1",
  "receipt_version": "1.0",
  "issuer_id": "claude-code-protect-mcp",
  "event_time": "2026-04-15T10:30:00.000Z",
  "tool_name": "Bash",
  "input_hash": "sha256:a3f8...",
  "decision": "allow",
  "policy_id": "autoresearch-safe",
  "policy_digest": "sha256:b7e2...",
  "parent_receipt_id": "rec_3d1ab7c2",
  "public_key": "4437ca56815c0516...",
  "signature": "4cde814b7889e987..."
}

Ed25519签名（RFC 8032）
签名前采用JCS规范化（RFC 8785）
通过
```
parent_receipt_id
```
与上一个收据形成哈希链式结构
可离线验证——无需网络调用，无需查询供应商

Why This Matters

重要性

Before	After
"Trust me, the agent only read files"	Cryptographically provable: every Read logged and signed
"The log shows it happened"	The receipt proves it happened, and no one can edit it
"You'd have to audit our system"	Anyone can verify every receipt offline
"Logs might be different by now"	Ed25519 signatures lock the record at signing time

之前	之后
"相信我，Agent只读取了文件"	可加密证明：每一次读取操作都已记录并签名
"日志显示操作已执行"	收据可证明操作已执行，且无人能篡改
"你得审计我们的系统"	任何人都可离线验证所有收据
"日志现在可能已不同"	Ed25519签名在签署时就锁定了记录

Standards

遵循标准

Ed25519 — RFC 8032 (digital signatures)
JCS — RFC 8785 (deterministic JSON canonicalization)
Cedar — AWS's open authorization policy language
IETF draft — draft-farley-acta-signed-receipts

Ed25519 — RFC 8032（数字签名）
JCS — RFC 8785（确定性JSON规范化）
Cedar — AWS的开源授权策略语言
IETF草案 — draft-farley-acta-signed-receipts

protect-mcp-setup

Original

Translation

protect-mcp — Policy Enforcement + Signed Receipts

protect-mcp — 策略强制执行 + 签名收据

Overview

概述

Problem

问题背景

Solution

解决方案

1. Install the plugin (adds hooks + skill to your project)

1. 安装插件（为项目添加钩子和skill）

2. Configure hooks in .claude/settings.json (see below)

2. 在.claude/settings.json中配置钩子（见下文）

3. Start the receipt-signing server (runs locally, no external calls)

3. 启动收据签名服务器（本地运行，无外部调用）

4. Use Claude Code normally. Every tool call is now policy-evaluated

4. 正常使用Claude Code。现在每一次工具调用都会经过策略评估

and produces a signed receipt in ./receipts/

并在./receipts/目录下生成签名收据

Hook Configuration

钩子配置

What each hook does

各钩子的作用

Cedar Policy File

Cedar策略文件

Verification

验证

Exit 0 = valid

退出码0 = 有效

Exit 1 = tampered

退出码1 = 已篡改

Exit 2 = malformed

退出码2 = 格式错误

Receipt Format

收据格式

Why This Matters

重要性

Standards

遵循标准

Related

相关资源