examples

Three complete examples showing how to add signed, independently verifiable audit trails to AI agent tool calls.

Each example uses protect-mcp to wrap MCP tool servers with Cedar policies and Ed25519-signed receipts. Every tool call produces a cryptographic receipt that can be verified offline by anyone -- without contacting the original issuer.

| Example | Description | Time | |---------|-------------|------| | claude-code-hooks | Add protect-mcp as Claude Code hooks. Every tool call gets a signed receipt and Cedar policy check. | ~2 min | | express-api-gateway | Wrap an Express-based MCP server with JSON policies and rate limiting. | ~5 min | | mcp-server-signing | Cedar WASM policy engine with per-tool authorization and full audit bundles. | ~10 min | | takt-workflow-receipts | Add signed receipts to TAKT multi-step workflows. Level 1 external integration. | ~5 min |

• Node.js 20+
• npm 9+

No ScopeBlind account required. All examples run locally.

Every tool call through protect-mcp produces a signed receipt containing:

1. Decision -- whether the call was allowed, denied, or logged (shadow mode)
2. Policy hash -- SHA-256 of the Cedar or JSON policy that produced the decision
3. Timestamp -- when the decision was made
4. Tool context -- tool name, truncated input hash, trust tier
5. Ed25519 signature -- signs all of the above

Receipts are appended to .protect-mcp-receipts.jsonl (one JSON object per line). Anyone can verify them offline using:

npx @veritasacta/verify .protect-mcp-receipts.jsonl

This checks every signature without contacting any server. The verifier is issuer-blind -- it validates cryptographic integrity without knowing or trusting the original signer.