Skip to content

review-agent-governance: hooks invoke non-existent protect-mcp evaluate/sign subcommands (gate doesn't run on @0.5.5) #601

Description

@wshobson

Summary

The review-agent-governance plugin's hook integration targets protect-mcp subcommands that do not exist in the pinned version, so the governance gate does not run as shipped.

plugins/review-agent-governance/hooks/hooks.json invokes:

  • PreToolUse: npx protect-mcp@0.5.5 evaluate --policy … --tool … --input …
  • PostToolUse: npx protect-mcp@0.5.5 sign …

But protect-mcp@0.5.5 has no evaluate or sign subcommand. Its actual CLI is:

protect-mcp serve [--port] [--enforce] [--policy] [--cedar <dir>]
protect-mcp init-hooks [--dir] [--port]
protect-mcp simulate --policy <path> [--log] [--tier] [--json]
protect-mcp quickstart | connect | init | demo | trace | status | digest | receipts | bundle | report

Running the shipped command falls through to protect-mcp's "wrapper" mode and errors (Missing "--" separator before the command to wrap). So the PreToolUse gate never enforces the policy, and PostToolUse never signs receipts.

Impact

The plugin's core promise — gating consequential agent actions behind human approval, with Ed25519 receipts — does not function on protect-mcp@0.5.5. (This is separate from #598, which fixed the Cedar policy itself; even a correct policy isn't evaluated because the hook command is wrong.)

protect-mcp's own plugins/protect-mcp/test/run-tests.sh is also affected — it invokes protect-mcp@0.5.5 evaluate … / sign …, so it would fail against the pinned version too.

How it was found

Surfaced while verifying #598 (PR #600): a live npx protect-mcp@0.5.5 evaluate … run returned the wrapper-mode usage error, and --help confirmed the current subcommand set.

Suggested fix

The modern protect-mcp integration is server-based: protect-mcp serve (HTTP hook server, default port 9377) with --cedar <dir> for local Cedar-via-WASM evaluation, and protect-mcp init-hooks generates the correct Claude Code hook config + sample policy.

  • Regenerate hooks/hooks.json via protect-mcp init-hooks (or hand-port to the serve model), and update plugins/protect-mcp/test/run-tests.sh accordingly.
  • Re-pin protect-mcp and verify the deny/permit flow end-to-end against the published CLI.

Affected files

  • plugins/review-agent-governance/hooks/hooks.json
  • plugins/protect-mcp/test/run-tests.sh (same evaluate/sign assumption)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions