feat: ScopeBlind protect-mcp integration — Cedar policy enforcement + verifiable receipts

packages/agentmesh-integrations/scopeblind-protect-mcp/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Microsoft Corporation.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

packages/agentmesh-integrations/scopeblind-protect-mcp/README.md

@@ -0,0 +1,118 @@
+# ScopeBlind protect-mcp Integration
+
+AgentMesh integration for [protect-mcp](https://www.npmjs.com/package/protect-mcp) — Cedar policy enforcement and verifiable decision receipts for MCP tool calls.
+
+## What protect-mcp does
+
+protect-mcp is a security gateway that wraps any MCP server with:
+
+- **Cedar policy evaluation** (AWS Cedar via WASM, sub-ms latency)
+- **Ed25519 decision receipts** (signed proof of every allow/deny decision)
+- **Issuer-blind verification** (verifier can confirm receipt validity without learning who issued it)
+- **Spending authority** (prove an agent's purchase is authorized without revealing org details)
+
+Published on npm: `npx protect-mcp@latest` | [GitHub](https://github.com/ScopeBlind/scopeblind-gateway) | [Docs](https://scopeblind.com/docs/protect-mcp)
+
+## How it complements AGT
+
+| Layer | AGT | protect-mcp |
+|-------|-----|-------------|
+| Analysis | MCP Security Scanner (static) | Cedar WASM (runtime) |
+| Identity | DID + trust scores | Ed25519 passports + VOPRF |
+| Decisions | PolicyEngine evaluate() | Cedar allow/deny + signed receipts |
+| Proof | Audit log | Cryptographic receipts (offline-verifiable) |
+| Privacy | Trust scores are visible | Issuer-blind (verifier learns nothing about issuer) |
+
+They compose naturally: Cedar is the hard constraint, AGT trust is the soft signal.
+
+## Components
+
+| Component | Purpose |
+|-----------|---------|
+| `CedarPolicyBridge` | Maps Cedar allow/deny into AGT `evaluate()` — Cedar deny is authoritative |
+| `ReceiptVerifier` | Validates receipt structure, extracts AGT-compatible metadata |
+| `SpendingGate` | Enforces issuer-blind spending authority with trust-score gating |
+| `scopeblind_context()` | Builds AGT-compatible context dict from protect-mcp artifacts |
+
+## Quick Start
+
+```python
+from scopeblind_protect_mcp import CedarDecision, CedarPolicyBridge, scopeblind_context
+
+# Cedar denied this tool call (e.g., clinejection policy blocked shell_exec)
+decision = CedarDecision(
+    effect="deny",
+    tool_name="shell_exec",
+    policy_ids=["sb-clinejection-004"],
+)
+
+# Bridge into AGT — Cedar deny is authoritative regardless of trust score
+bridge = CedarPolicyBridge(trust_floor=300)
+result = bridge.evaluate(
+    cedar_decision=decision,
+    agent_trust_score=900,  # high trust doesn't override Cedar deny
+    agent_did="did:mesh:agent-1",
+)
+assert not result["allowed"]  # Cedar deny is final
+
+# Build AGT-compatible context for policy engine
+ctx = scopeblind_context(cedar_decision=decision)
+# Pass to AGT: policy_engine.evaluate(action="tool_call", context=ctx)
+```
+
+## Spending Authority
+
+```python
+from scopeblind_protect_mcp import SpendingGate
+
+gate = SpendingGate(
+    max_single_amount=5000.0,
+    high_util_trust_floor=500,
+    blocked_categories=["gambling"],
+)
+
+# Low-value spend: auto-approved
+result = gate.evaluate_spend(amount=50.0, category="cloud_compute", agent_trust_score=300)
+assert result["allowed"]
+
+# High utilization + low trust: denied
+result = gate.evaluate_spend(
+    amount=50.0,
+    utilization_band="high",
+    agent_trust_score=200,
+)
+assert not result["allowed"]
+```
+
+## Receipt Verification
+
+```python
+from scopeblind_protect_mcp import ReceiptVerifier
+
+verifier = ReceiptVerifier()
+
+receipt = {
+    "type": "scopeblind:decision",
+    "payload": {"effect": "allow", "tool": "web_search", "timestamp": 1711929600},
+    "signature": "base64_ed25519_signature",
+    "publicKey": "base64_ed25519_public_key",
+}
+
+result = verifier.validate_structure_only(receipt)
+assert result["valid"]
+
+# Convert to AGT context
+ctx = verifier.to_agt_context(receipt)
+assert ctx["issuer_blind"] is True
+```
+
+## Design Principles
+
+1. **Cedar deny is authoritative.** No trust score, no override. Formal policy beats behavioral signal.
+2. **Receipts are issuer-blind.** The verifier confirms validity without learning which organization issued the receipt. This prevents supply-chain surveillance.
+3. **Composable, not competing.** protect-mcp handles the tool-call boundary. AGT handles the agent lifecycle. This adapter maps between them.
+4. **Offline-verifiable.** Receipts can be verified without contacting the issuer, using `@veritasacta/verify`.
+
+## Protocol
+
+protect-mcp receipts follow the [Veritas Acta signed receipt format](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/), an IETF Internet-Draft for portable, verifiable decision artifacts.

packages/agentmesh-integrations/scopeblind-protect-mcp/SECURITY.md

@@ -0,0 +1,13 @@
+# Security
+
+## Reporting
+
+Please report security vulnerabilities via https://github.com/microsoft/agent-governance-toolkit/security/advisories
+
+For ScopeBlind-specific issues: [email protected]
+
+## Design
+
+This integration does not handle cryptographic material directly.
+Receipt verification and key management are delegated to the `protect-mcp` runtime
+and the `@veritasacta/verify` offline verifier.

packages/agentmesh-integrations/scopeblind-protect-mcp/pyproject.toml

@@ -0,0 +1,31 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "scopeblind-protect-mcp"
+version = "0.1.1"
+description = "AgentMesh integration for ScopeBlind protect-mcp — Cedar policy enforcement and verifiable decision receipts for MCP tool calls"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.9"
+authors = [
+    { name = "Tom Farley" },
+    { name = "ScopeBlind Pty Ltd" }
+]
+keywords = ["mcp", "cedar", "policy", "receipts", "agentmesh", "scopeblind", "trust"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+]
+dependencies = []
+
+[project.optional-dependencies]
+dev = ["pytest>=7.0"]
+
+[project.urls]
+Homepage = "https://github.com/microsoft/agent-governance-toolkit"
+Repository = "https://github.com/microsoft/agent-governance-toolkit"
+Documentation = "https://scopeblind.com/docs/protect-mcp"

packages/agentmesh-integrations/scopeblind-protect-mcp/scopeblind_protect_mcp/__init__.py

@@ -0,0 +1,33 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+"""
+ScopeBlind protect-mcp integration for AgentMesh.
+
+Bridges protect-mcp's Cedar policy enforcement and Ed25519 decision receipts
+into AGT's PolicyEngine as verifiable trust signals.
+
+protect-mcp provides runtime enforcement (evaluate Cedar policies on every
+MCP tool call). AGT provides governance infrastructure (trust scoring,
+identity, SLOs). This adapter connects them:
+
+- CedarPolicyBridge: maps Cedar allow/deny decisions into AGT evaluate()
+- ReceiptVerifier: validates Ed25519-signed decision receipts offline
+- SpendingGate: enforces issuer-blind spending authority checks
+- scopeblind_context(): builds AGT-compatible context from protect-mcp artifacts
+"""
+
+from .adapter import (
+    CedarDecision,
+    CedarPolicyBridge,
+    ReceiptVerifier,
+    SpendingGate,
+    scopeblind_context,
+)
+
+__all__ = [
+    "CedarDecision",
+    "CedarPolicyBridge",
+    "ReceiptVerifier",
+    "SpendingGate",
+    "scopeblind_context",
+]