[FEATURE]: protect-mcp plugin — signed receipts for tool calls

[tomjwxf]

Feature hasn't been suggested before.

• I have verified this feature I'm about to request hasn't been suggested before.

Note: This is related to #13952 (Merkle tree audit logs) but proposes a different implementation — Ed25519-signed receipts per tool call rather than a local Merkle tree. The approaches are complementary: Merkle trees prove ordering, Ed25519 signatures prove authorization.

Describe the enhancement you want to request

OpenCode makes tool calls (file edits, shell commands, MCP invocations) that produce unsigned log output. A governance plugin could sign every tool call with Ed25519, producing independently verifiable receipts.

Use case: For teams using OpenCode on production codebases, the audit question matters: "Can you prove which tool calls the agent made, in what order, and under what policy?" Unsigned logs can be edited after the fact. Signed receipts break if tampered.

Proposed approach: protect-mcp (MIT, v0.5.3) already provides this for Claude Code via hooks. The pattern maps to OpenCode's plugin model:

1. Pre-tool hook: evaluate Cedar policy (allow/deny/rate-limit)
2. Post-tool hook: sign the tool call + result with Ed25519
3. Receipt storage: append to .protect-mcp-receipts.jsonl
4. Verification: npx @veritasacta/verify .protect-mcp-receipts.jsonl (offline, no server)

Shadow mode logs everything without blocking — safe to adopt incrementally.

Why this fits OpenCode:

• OpenCode already supports MCP servers, so protect-mcp works out of the box as a declared MCP server
• A native plugin would auto-inject hooks without manual config
• Proves OpenCode's governance story is agent-agnostic

Context:

• npm: https://www.npmjs.com/package/protect-mcp (2,300+ downloads/month)
• Integrated into Microsoft Agent Governance Toolkit
• IETF Internet-Draft: https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/
• Examples: https://github.com/ScopeBlind/examples

Happy to build the plugin if there's interest.

[github-actions]

This issue doesn't fully meet our contributing guidelines.

What needs to be fixed:

• Feature request issues must use the feature request template, which requires a verification checkbox and a title prefixed with [FEATURE]:
• The title should be updated to start with [FEATURE]: (e.g., [FEATURE]: protect-mcp plugin — signed receipts for tool calls)

Please edit this issue to address the above within 2 hours, or it will be automatically closed.

---

This issue might be a duplicate of existing issues. Please check:

• Proposal: Immutable Audit Logs for Agent Actions via Local Merkle Tree #13952: Proposal for immutable, tamper-evident audit logs of agent tool calls using a hash chain (Merkle Tree) — very similar goal of cryptographically verifiable agent action history

If you believe this was flagged incorrectly, please let a maintainer know.

[github-actions]

Thanks for updating the issue! It now follows the contributing guidelines and looks good. We appreciate you taking the time to revise it.