A security gateway that sits between Claude and your MCP servers, enforcing Cedar policies on every tool call and signing execution receipts with Ed25519. Built for two modes: as an HTTP hook server for Claude Code (intercepting PreToolUse and PostToolUse events) or as a transparent stdio proxy wrapping any MCP server. Ships with CVE-anchored policy packs covering real incidents like the Cline OAuth hijack and autonomous Terraform destruction. Every decision gets logged to JSONL with swarm topology tracking, retry counts, and OpenTelemetry spans. Integrates with Microsoft's Agent Governance Toolkit and follows the IETF signed receipts draft. Reach for this when you need cryptographic audit trails and enforceable guardrails on agent tool execution.
claude mcp add --transport stdio io.github.tomjwxf-protect-mcp uvx protect-mcp