com.scopeblind/protect-mcpai

protect-mcp

Verified · yesterday

Fail-closed Cedar policy gate + Ed25519 signed receipts for agent tool calls. Denies on any error.

Install

claude mcp add protect-mcp -- npx -y [email protected]

Our take

Policy gateway that wraps any MCP server and evaluates every tool call against a Cedar policy (AWS's IAM language), denying on any error, missing engine, or evaluation failure — it even refuses to start in enforce mode unless a startup self-test proves a known-forbidden action is denied. Each decision gets an Ed25519-signed, offline-verifiable receipt, and the workflow is sensible: shadow-mode observation, a localhost dashboard with an approval queue, auto-drafted policies, then enforcement. MIT, TypeScript, npx-runnable and local-first, but it is a three-person shop with 8 stars, the '3 IETF Internet-Drafts' are self-authored submissions, and the ~1,850 npm downloads/week look mirror-inflated given 30 releases since March; the paid ScopeBlind service adds hosted digest anchoring, though the free local gate stands alone. For teams putting agents in front of consequential tools who want deny-by-default enforcement with a cryptographic audit trail.

reviewed by hand · 2026-07-05

Something wrong or dead here? Report it

Verification record

last verified
yesterday
github stars
8
last commit
3 days ago
archived
no
license
MIT
downloads / wk
1.8k
latest version
0.7.4
in registry since
2026-06-28

github.com/scopeblind/scopeblind-gateway