feat(caprock): add sheaf-based permission-tracker vat and hook

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grypez

packages/caprock/.claude-plugin/plugin.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
+  "name": "caprock",
+  "version": "0.1.0",
+  "description": "Routes Claude Code tool invocations through an ocap-kernel permission vat (POLA enforcement).",
+  "repository": "https://github.com/MetaMask/ocap-kernel",
+  "license": "MIT"
+}

packages/caprock/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+[Unreleased]: https://github.com/MetaMask/ocap-kernel/

packages/caprock/README.md

@@ -0,0 +1,15 @@
+# `@ocap/caprock`
+
+Claude Code plugin: routes tool invocations through an ocap-kernel permission vat (POLA enforcement)
+
+## Installation
+
+`yarn add @ocap/caprock`
+
+or
+
+`npm install @ocap/caprock`
+
+## Contributing
+
+This package is part of a monorepo. Instructions for contributing can be found in the [monorepo README](https://github.com/MetaMask/ocap-kernel#readme).

packages/caprock/bin/harden-shim.ts

@@ -0,0 +1,12 @@
+/*
+ * No-op harden shim for the hook process.
+ *
+ * The hook is not a vat — it must not run SES lockdown because full lockdown
+ * is incompatible with native tree-sitter bindings. @endo modules call
+ * harden() at module-evaluation time, so we install a benign identity
+ * function as the global before any @endo import evaluates.
+ *
+ * ESM evaluates modules depth-first in import order, so placing this as
+ * the first import in hook.ts guarantees it runs before @endo/promise-kit.
+ */
+(globalThis as { harden?: <T>(value: T) => T }).harden ??= (value) => value;