Cryptographic compliance enforcement for autonomous AI systems.
@attested-intelligence/aga-mcp-server v2.1.0
MCP server and governance proxy implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
What It Does
This server acts as a Portal (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
20 tools, 3 resources, 3 prompts, governance proxy, 199 tests
Governance Proxy (New in v2.1.0)
Sits between any MCP client (OpenClaw, Claude Desktop, etc.) and any downstream MCP server. Intercepts every tools/call, evaluates it against a sealed policy, and produces Ed25519-signed receipts in the canonical Ed25519-SHA256-JCS format (compatible with the Python SDK, gateway, and browser verifier).
```
MCP Client --> AGA Proxy (:18800) --> Downstream MCP Server
                    |
                    +-- Policy evaluation
                    +-- Signed receipt per tool call
                    +-- Merkle tree + evidence bundle
```
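The signed receipts and the tamper-evident chain described above can be illustrated as follows. This is an added example, not code from the AGA project: the field names (`seq`, `prev_hash`, `receipt_hash`, `signature`) are hypothetical, and signing the SHA-256 digest of the JCS-canonical body is an assumed reading of "Ed25519-SHA256-JCS".

```javascript
// Added example. Field names (prev_hash, receipt_hash, ...) and the choice to
// sign SHA-256(JCS(body)) are assumptions, not the AGA wire format.
const crypto = require("node:crypto");

// JCS-style canonical JSON (RFC 8785): object keys sorted by UTF-16 code
// unit, no whitespace, primitives serialised as JSON.stringify does.
function canonicalize(v) {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  const members = Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(v[k]));
  return "{" + members.join(",") + "}";
}
const sha256 = (text) => crypto.createHash("sha256").update(text, "utf8").digest();
const GENESIS = "0".repeat(64); // placeholder predecessor for the first receipt

function signReceipt(body, prevHash, privateKey) {
  const signed = { ...body, prev_hash: prevHash };
  const digest = sha256(canonicalize(signed));
  const signature = crypto.sign(null, digest, privateKey).toString("base64");
  return { ...signed, receipt_hash: digest.toString("hex"), signature };
}

// Walk the chain in order; report the first receipt that fails a check.
function verifyChain(receipts, publicKey) {
  let prev = GENESIS;
  for (const [index, receipt] of receipts.entries()) {
    const { receipt_hash, signature, ...signed } = receipt;
    const digest = sha256(canonicalize(signed));
    if (signed.prev_hash !== prev) return { ok: false, index, error: "broken_link" };
    if (digest.toString("hex") !== receipt_hash)
      return { ok: false, index, error: "hash_mismatch" };
    if (!crypto.verify(null, digest, publicKey, Buffer.from(signature, "base64")))
      return { ok: false, index, error: "bad_signature" };
    prev = receipt_hash;
  }
  return { ok: true, count: receipts.length };
}

// Constructed sample: three tool calls decided by a proxy holding the key.
function buildSampleChain(privateKey) {
  const calls = [["read_file", "allow"], ["write_file", "deny"], ["list_dir", "allow"]];
  const chain = [];
  for (const [tool, decision] of calls) {
    const prev = chain.length ? chain[chain.length - 1].receipt_hash : GENESIS;
    chain.push(signReceipt({ seq: chain.length, tool, decision }, prev, privateKey));
  }
  return chain;
}
```

Because each receipt commits to its predecessor's hash, editing a field, recomputing a hash without the key, or dropping a receipt each fails a different check, and the verifier needs only the public key.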
Proxy Quick Start
```bash
# Start with a downstream MCP server
npx tsx src/proxy/index.ts start --upstream "node server.js" --profile standard

# Policy profiles: permissive, standard, restrictive
npx tsx src/proxy/index.ts start --upstream-url http://localhost:3000 --profile restrictive

# Export evidence bundle (verifiable at attestedintelligence.com/verify)
npx tsx src/proxy/index.ts export --output bundle.json

# Verify a bundle
npx tsx src/proxy/index.ts verify bundle.json
```
Proxy Features
- Policy modes: allowlist, denylist, audit_only
- Rate limiting: per-tool calls/minute with sliding window
- Path constraints: restrict file tools to allowed prefixes
- Denied patterns: block dangerous argument patterns
- Receipt format: Ed25519-SHA256-JCS (canonical across all AGA SDKs)
- Evidence bundles: verifiable at attestedintelligence.com/verify
- Two-process boundary: proxy holds all signing keys, client holds none
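How the policy modes, sliding-window rate limit, path constraints and denied patterns listed above can combine into a single allow/deny decision is shown below. This is an added example, not the proxy's own code: the policy object shape, the reason codes and the `makeEvaluator` helper are hypothetical, and it assumes `audit_only` records violations without blocking.

```javascript
// Added example. The policy shape and reason codes are hypothetical,
// not the proxy's actual configuration schema.
const path = require("node:path");

const samplePolicy = {                       // constructed sample
  mode: "allowlist",                         // allowlist | denylist | audit_only
  tools: ["read_file", "list_dir"],          // meaning depends on mode
  rateLimits: { read_file: 2 },              // forwarded calls per minute
  allowedPrefixes: ["/srv/workspace"],       // for tools taking a `path` argument
  deniedPatterns: [/rm\s+-rf/i, /\.ssh\//i], // matched against serialised args
};

function makeEvaluator(policy) {
  const forwarded = new Map(); // tool -> timestamps (ms) of forwarded calls
  return function evaluate(tool, args, now = Date.now()) {
    const reasons = [];
    const listed = policy.tools.includes(tool);
    if (policy.mode === "allowlist" && !listed) reasons.push("tool_not_allowed");
    if (policy.mode === "denylist" && listed) reasons.push("tool_denied");

    // Sliding window: only calls from the last 60 s count against the limit.
    const recent = (forwarded.get(tool) || []).filter((t) => now - t < 60000);
    const limit = policy.rateLimits[tool];
    if (limit !== undefined && recent.length >= limit) reasons.push("rate_limited");

    // Normalise before the prefix test so "../" cannot escape, and compare
    // on a separator boundary so "/srv/workspace-old" does not match.
    if (typeof args.path === "string") {
      const p = path.posix.normalize(args.path);
      const inside = policy.allowedPrefixes.some(
        (pre) => p === pre || p.startsWith(pre + "/"));
      if (!inside) reasons.push("path_outside_prefix");
    }

    const serialised = JSON.stringify(args);
    if (policy.deniedPatterns.some((re) => re.test(serialised)))
      reasons.push("denied_pattern");

    // audit_only records violations but never blocks.
    const deny = reasons.length > 0 && policy.mode !== "audit_only";
    if (!deny) recent.push(now);
    forwarded.set(tool, recent);
    return { decision: deny ? "deny" : "allow", reasons };
  };
}
```

Lexical normalisation does not resolve symlinks, so an enforcement point that touches a real filesystem also needs to compare resolved paths.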
20 MCP Tools
| # | Tool | Description |
|---|---|---|
| 1 | aga_server_info | Server identity, keys, portal state, framework alignment |
| 2 | aga_init_chain | Initialize continuity chain with genesis event |
| 3 | aga_create_artifact | Attest subject, generate sealed Policy Artifact |
| 4 | aga_measure_subject | Measure subject, compare to sealed ref, generate receipt |
| 5 | aga_verify_artifact | Verify artifact signature against issuer key |
| 6 | aga_start_monitoring | Start/restart behavioral monitoring with baseline |
| 7 | aga_get_portal_state | Current portal enforcement state and TTL |
| 8 | aga_trigger_measurement | Trigger measurement with specific type |
| 9 | aga_generate_receipt | Generate signed measurement receipt manually |
| 10 | aga_export_bundle | Package artifact + receipts + Merkle proofs |
| 11 | aga_verify_bundle | 4-step offline bundle verification |
| 12 | aga_disclose_claim | Privacy-preserving disclosure with auto-substitution |
| 13 | aga_get_chain | Get chain events with optional integrity verification |
| 14 | aga_quarantine_status | Quarantine state and forensic capture status |
| 15 | aga_revoke_artifact | Mid-session artifact revocation |
| 16 | aga_set_verification_tier | Set verification tier (BRONZE/SILVER/GOLD) |
| 17 | aga_demonstrate_lifecycle | Full lifecycle: attest, measure, checkpoint, verify |
| 18 | aga_measure_behavior | Behavioral drift detection (tool patterns) |
| 19 | aga_delegate_to_subagent | Constrained sub-agent delegation (scope only diminishes) |
| 20 | aga_rotate_keys | Key rotation with chain event |
3 Resources
| Resource | URI | Description |
|---|---|---|
| Protocol Spec | aga://specification/protocol-v2 | Full protocol specification with SPIFFE alignment |
| Sample Bundle | aga://resources/sample-bundle | Sample evidence bundle documentation |
| Crypto Primitives | aga://resources/crypto-primitives | Cryptographic primitives documentation |
3 Prompts
| Prompt | Description |
|---|---|
| nccoe-demo | 4-phase NCCoE lab demo with behavioral drift |
| governance-report | Session governance summary report |
| drift-analysis | Drift event analysis and remediation |
CoSAI MCP Security Threat Coverage
The AGA MCP Server addresses all 12 threat categories identified in the CoSAI MCP Security whitepaper (Coalition for Secure AI / OASIS, January 2026).
| CoSAI Category | Threat Domain | AGA Governance Mechanism |
|---|---|---|
| T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain event |
Tools (20)
- aga_server_info: Returns server identity, keys, portal state, and framework alignment.
- aga_init_chain: Initializes the continuity chain with a genesis event.
- aga_create_artifact: Attests a subject and generates a sealed Policy Artifact.
- aga_measure_subject: Measures a subject, compares it to a sealed reference, and generates a receipt.
- aga_verify_artifact: Verifies an artifact signature against the issuer key.
- aga_start_monitoring: Starts or restarts behavioral monitoring with a baseline.
- aga_get_portal_state: Returns the current portal enforcement state and TTL.
- aga_trigger_measurement: Triggers a measurement with a specific type.
- aga_generate_receipt: Manually generates a signed measurement receipt.
- aga_export_bundle: Packages artifact, receipts, and Merkle proofs.
- aga_verify_bundle: Performs 4-step offline bundle verification.
- aga_disclose_claim: Performs privacy-preserving disclosure with auto-substitution.
- aga_get_chain: Retrieves chain events with optional integrity verification.
- aga_quarantine_status: Returns quarantine state and forensic capture status.
- aga_revoke_artifact: Performs mid-session artifact revocation.
- aga_set_verification_tier: Sets the verification tier (BRONZE/SILVER/GOLD).
- aga_demonstrate_lifecycle: Executes a full lifecycle: attest, measure, checkpoint, and verify.
- aga_measure_behavior: Detects behavioral drift based on tool patterns.
- aga_delegate_to_subagent: Handles constrained sub-agent delegation.
- aga_rotate_keys: Performs key rotation with a chain event.

Configuration

```json
{
  "mcpServers": {
    "aga-mcp-server": {
      "command": "npx",
      "args": ["-y", "@attested-intelligence/aga-mcp-server"]
    }
  }
}
```