Cline Integration
Cline (the open-source coding agent for VS Code) connects to MCP servers defined in cline_mcp_settings.json. The Agent Receipts proxy wraps any MCP server transparently — Cline doesn’t know or care that the proxy is there.
Prerequisites
Section titled “Prerequisites”-
agent-receipts-daemoninstalled, initialised, and running — it holds the signing key and writes every receipt -
VS Code with the Cline extension
-
The MCP server you want to audit. The examples below wrap GitHub’s official MCP server:
Terminal window brew install github-mcp-serverThis puts a
github-mcp-serverbinary on your$PATH. Verify withwhich github-mcp-server.
Start the daemon
Section titled “Start the daemon”The proxy holds no signing key of its own — agent-receipts-daemon owns the key and writes every receipt (ADR-0010). Initialise the key once and start the daemon before launching VS Code:
agent-receipts-daemon --init # one-time: generates the Ed25519 signing key pairagent-receipts-daemon # start the daemon (listens on a Unix socket)The proxy reaches the daemon over its default platform socket automatically. See Daemon Setup for install options and socket paths.
Configure cline_mcp_settings.json
Section titled “Configure cline_mcp_settings.json”In the Cline pane, click the MCP Servers icon in the top toolbar, open the Installed tab, and click Configure MCP Servers to open cline_mcp_settings.json. (The file lives in VS Code’s globalStorage — on macOS at ~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json; the equivalent globalStorage path under ~/.config/Code on Linux and %APPDATA%\Code on Windows.) The format uses a top-level mcpServers key.
Cline launches MCP servers without your shell’s PATH, so use absolute paths. Print them first:
echo "op: $(which op)"echo "proxy: $(which mcp-proxy)"echo "server: $(which github-mcp-server)"Recommended: secret manager (op run, aws-vault exec, …)
Section titled “Recommended: secret manager (op run, aws-vault exec, …)”Install the 1Password CLI (brew install 1password-cli), sign in (op signin), and create a referenced env file:
# ~/.local/share/agent-receipts/mcp.env (chmod 600)GITHUB_PERSONAL_ACCESS_TOKEN=op://Personal/GitHub/tokenPoint Cline at op run — it resolves the op:// reference at exec time and injects the value into mcp-proxy’s env without writing it to the settings file:
{ "mcpServers": { "github-audited": { "command": "/opt/homebrew/bin/op", "args": [ "run", "--env-file=/Users/YOU/.local/share/agent-receipts/mcp.env", "--", "/Users/YOU/go/bin/mcp-proxy", "-name", "github", "-issuer-name", "Cline", "-operator-id", "did:web:cline.bot", "-operator-name", "Cline", "/opt/homebrew/bin/github-mcp-server", "stdio" ], "disabled": false, "autoApprove": [] } }}aws-vault exec, chamber exec (AWS Parameter Store), and direnv with op:// references all follow the same wrapping pattern.
Fallback: OS keychain launcher script
Section titled “Fallback: OS keychain launcher script”If you don’t have a secret manager, reuse the launcher script from Claude Desktop’s keychain fallback (one script works across clients). Point command at the launcher and drop the env block — the script sets GITHUB_PERSONAL_ACCESS_TOKEN from the keychain:
{ "mcpServers": { "github-audited": { "command": "/Users/YOU/.local/share/agent-receipts/run-mcp-proxy-github.sh", "args": [ "-name", "github", "-issuer-name", "Cline", "-operator-id", "did:web:cline.bot", "-operator-name", "Cline", "/opt/homebrew/bin/github-mcp-server", "stdio" ], "disabled": false, "autoApprove": [] } }}-issuer-name, -operator-id, and -operator-name stamp each signed receipt so you can tell which client made a given call when reviewing a shared store — setting -issuer-name to Cline here (and to Claude Code, Codex, etc. in the other guides) is what distinguishes them at audit time.
Save the file. Cline reloads MCP servers automatically; the Installed tab should show github-audited with a green/connected indicator and the tools the proxied server exposes. Use Restart there if it doesn’t pick up changes.
Verifying receipts
Section titled “Verifying receipts”The daemon signs and stores every tool call. After making calls through Cline, query and verify the store with the agent-receipts CLI (installed alongside the daemon). It opens the database read-only, so it is safe to run while the daemon is writing:
# List recent receipts (newest first)agent-receipts list
# Verify the chain's signatures and hash linksagent-receipts verify \ --public-key ~/.local/share/agent-receipts/signing.key.pub$ agent-receipts listSEQ TIMESTAMP CHAIN TOOL / ACTION TYPE4 2026-04-24T02:05:19Z default get_file_contents3 2026-04-24T01:58:45Z default create_or_update_file2 2026-04-24T01:56:12Z default search_issues1 2026-04-24T01:45:07Z default list_issuesagent-receipts verify prints Chain default: VALID (4 receipts) when signatures and hash links are intact. Inspect a single receipt — including its action type, risk level, and parameters hash — with agent-receipts show <seq>. See the CLI reference for all subcommands.
Gotchas
Section titled “Gotchas”Absolute paths required. Cline launches MCP servers with a clean PATH. Use the full path to op/mcp-proxy (find each with which) and the full path to the wrapped server binary.
autoApprove is Cline’s own auto-run list — not the proxy’s. Listing a tool in autoApprove only tells Cline to skip its confirmation prompt; it has no effect on the Agent Receipts policy. Risk scoring, pause/block rules, and receipts still apply at the proxy and daemon regardless of what’s in autoApprove.
No receipts appearing? The daemon must be running before Cline starts the proxied server, or emits fail. Confirm with pgrep agent-receipts-daemon, and see the daemon troubleshooting guide. If you run the daemon on a non-default socket, set AGENTRECEIPTS_SOCKET for both the daemon and the proxy.
Want human-in-the-loop approvals? Opt in with -http. The approval listener is off by default. Add -http 127.0.0.1:<port> to args and run an approver — see Approval Server. Without it, a paused call fails immediately with -32003.