Summary
The review-agent-governance plugin's hook integration targets protect-mcp subcommands that do not exist in the pinned version, so the governance gate does not run as shipped.
plugins/review-agent-governance/hooks/hooks.json invokes:
- PreToolUse:
npx protect-mcp@0.5.5 evaluate --policy … --tool … --input …
- PostToolUse:
npx protect-mcp@0.5.5 sign …
But protect-mcp@0.5.5 has no evaluate or sign subcommand. Its actual CLI is:
protect-mcp serve [--port] [--enforce] [--policy] [--cedar <dir>]
protect-mcp init-hooks [--dir] [--port]
protect-mcp simulate --policy <path> [--log] [--tier] [--json]
protect-mcp quickstart | connect | init | demo | trace | status | digest | receipts | bundle | report
Running the shipped command falls through to protect-mcp's "wrapper" mode and errors (Missing "--" separator before the command to wrap). So the PreToolUse gate never enforces the policy, and PostToolUse never signs receipts.
Impact
The plugin's core promise — gating consequential agent actions behind human approval, with Ed25519 receipts — does not function on protect-mcp@0.5.5. (This is separate from #598, which fixed the Cedar policy itself; even a correct policy isn't evaluated because the hook command is wrong.)
protect-mcp's own plugins/protect-mcp/test/run-tests.sh is also affected — it invokes protect-mcp@0.5.5 evaluate … / sign …, so it would fail against the pinned version too.
How it was found
Surfaced while verifying #598 (PR #600): a live npx protect-mcp@0.5.5 evaluate … run returned the wrapper-mode usage error, and --help confirmed the current subcommand set.
Suggested fix
The modern protect-mcp integration is server-based: protect-mcp serve (HTTP hook server, default port 9377) with --cedar <dir> for local Cedar-via-WASM evaluation, and protect-mcp init-hooks generates the correct Claude Code hook config + sample policy.
- Regenerate
hooks/hooks.json via protect-mcp init-hooks (or hand-port to the serve model), and update plugins/protect-mcp/test/run-tests.sh accordingly.
- Re-pin
protect-mcp and verify the deny/permit flow end-to-end against the published CLI.
Affected files
plugins/review-agent-governance/hooks/hooks.json
plugins/protect-mcp/test/run-tests.sh (same evaluate/sign assumption)
Summary
The
review-agent-governanceplugin's hook integration targetsprotect-mcpsubcommands that do not exist in the pinned version, so the governance gate does not run as shipped.plugins/review-agent-governance/hooks/hooks.jsoninvokes:npx protect-mcp@0.5.5 evaluate --policy … --tool … --input …npx protect-mcp@0.5.5 sign …But
protect-mcp@0.5.5has noevaluateorsignsubcommand. Its actual CLI is:Running the shipped command falls through to protect-mcp's "wrapper" mode and errors (
Missing "--" separator before the command to wrap). So the PreToolUse gate never enforces the policy, and PostToolUse never signs receipts.Impact
The plugin's core promise — gating consequential agent actions behind human approval, with Ed25519 receipts — does not function on
protect-mcp@0.5.5. (This is separate from #598, which fixed the Cedar policy itself; even a correct policy isn't evaluated because the hook command is wrong.)protect-mcp's ownplugins/protect-mcp/test/run-tests.shis also affected — it invokesprotect-mcp@0.5.5 evaluate …/sign …, so it would fail against the pinned version too.How it was found
Surfaced while verifying #598 (PR #600): a live
npx protect-mcp@0.5.5 evaluate …run returned the wrapper-mode usage error, and--helpconfirmed the current subcommand set.Suggested fix
The modern protect-mcp integration is server-based:
protect-mcp serve(HTTP hook server, default port 9377) with--cedar <dir>for local Cedar-via-WASM evaluation, andprotect-mcp init-hooksgenerates the correct Claude Code hook config + sample policy.hooks/hooks.jsonviaprotect-mcp init-hooks(or hand-port to theservemodel), and updateplugins/protect-mcp/test/run-tests.shaccordingly.protect-mcpand verify the deny/permit flow end-to-end against the published CLI.Affected files
plugins/review-agent-governance/hooks/hooks.jsonplugins/protect-mcp/test/run-tests.sh(sameevaluate/signassumption)