protect-mcp
Verified · yesterdayFail-closed Cedar policy gate + Ed25519 signed receipts for agent tool calls. Denies on any error.
Install
claude mcp add protect-mcp -- npx -y [email protected]
Our take
Policy gateway that wraps any MCP server and evaluates every tool call against a Cedar policy (AWS's IAM language), denying on any error, missing engine, or evaluation failure — it even refuses to start in enforce mode unless a startup self-test proves a known-forbidden action is denied. Each decision gets an Ed25519-signed, offline-verifiable receipt, and the workflow is sensible: shadow-mode observation, a localhost dashboard with an approval queue, auto-drafted policies, then enforcement. MIT, TypeScript, npx-runnable and local-first, but it is a three-person shop with 8 stars, the '3 IETF Internet-Drafts' are self-authored submissions, and the ~1,850 npm downloads/week look mirror-inflated given 30 releases since March; the paid ScopeBlind service adds hosted digest anchoring, though the free local gate stands alone. For teams putting agents in front of consequential tools who want deny-by-default enforcement with a cryptographic audit trail.
Verification record
- yesterday
- 8
- 3 days ago
- no
- MIT
- 1.8k
- 0.7.4
- 2026-06-28