AGA MCP Server
Cryptographic runtime governance for AI agents. 20 tools. Sealed policy artifacts, continuous measurement, tamper-evident proof. Ed25519 + SHA-256.
@attested-intelligence/aga-mcp-server v2.0.0
MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
What It Does
This server acts as a Portal (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
20 tools, 3 resources, 3 prompts, 159 tests
20 MCP Tools
| # | Tool | Description |
|---|---|---|
| 1 | aga_server_info | Server identity, keys, portal state, framework alignment |
| 2 | aga_init_chain | Initialize continuity chain with genesis event |
| 3 | aga_create_artifact | Attest subject, generate sealed Policy Artifact |
| 4 | aga_measure_subject | Measure subject, compare to sealed ref, generate receipt |
| 5 | aga_verify_artifact | Verify artifact signature against issuer key |
| 6 | aga_start_monitoring | Start/restart behavioral monitoring with baseline |
| 7 | aga_get_portal_state | Current portal enforcement state and TTL |
| 8 | aga_trigger_measurement | Trigger measurement with specific type |
| 9 | aga_generate_receipt | Generate signed measurement receipt manually |
| 10 | aga_export_bundle | Package artifact + receipts + Merkle proofs |
| 11 | aga_verify_bundle | 4-step offline bundle verification |
| 12 | aga_disclose_claim | Privacy-preserving disclosure with auto-substitution |
| 13 | aga_get_chain | Get chain events with optional integrity verification |
| 14 | aga_quarantine_status | Quarantine state and forensic capture status |
| 15 | aga_revoke_artifact | Mid-session artifact revocation |
| 16 | aga_set_verification_tier | Set verification tier (BRONZE/SILVER/GOLD) |
| 17 | aga_demonstrate_lifecycle | Full lifecycle: attest, measure, checkpoint, verify |
| 18 | aga_measure_behavior | Behavioral drift detection (tool patterns) |
| 19 | aga_delegate_to_subagent | Constrained sub-agent delegation (scope only diminishes) |
| 20 | aga_rotate_keys | Key rotation with chain event |
3 Resources
| Resource | URI | Description |
|---|---|---|
| Protocol Spec | aga://specification/protocol-v2 | Full protocol specification with SPIFFE alignment |
| Sample Bundle | aga://resources/sample-bundle | Sample evidence bundle documentation |
| Crypto Primitives | aga://resources/crypto-primitives | Cryptographic primitives documentation |
3 Prompts
| Prompt | Description |
|---|---|
nccoe-demo | 4-phase NCCoE lab demo with behavioral drift |
governance-report | Session governance summary report |
drift-analysis | Drift event analysis and remediation |
CoSAI MCP Security Threat Coverage
The AGA MCP Server addresses all 12 threat categories identified in the CoSAI MCP Security whitepaper (Coalition for Secure AI / OASIS, January 2026).
| CoSAI Category | Threat Domain | AGA Governance Mechanism |
|---|---|---|
| T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
| T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
| T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
| T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
| T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
| T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
| T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
| T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
| T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
| T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
| T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
| T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |
Full mapping details available via the aga://specification resource.
Quick Start
npm install && npm run build && npm test
Connect to an MCP Client
Add to your MCP client config:
{
"mcpServers": {
"aga": { "command": "node", "args": ["/path/to/aga-mcp-server/dist/index.js"] }
}
}
Architecture
MCP Client
│ JSON-RPC over stdio
▼
src/server.ts - 20 tools + 3 resources + 3 prompts
│
├── src/tools/ 20 individual tool handlers
├── src/core/ Protocol logic (artifact, chain, portal, etc.)
├── src/crypto/ Ed25519 + SHA-256 + Merkle + canonical JSON
├── src/middleware/ Zero-trust governance PEP
├── src/storage/ In-memory + optional SQLite
├── src/resources/ Protocol docs + crypto primitives
└── src/prompts/ Demo + report + analysis prompts
Test Coverage
| Suite | Tests | What |
|---|---|---|
| Crypto | 33 | SHA-256, Ed25519, Merkle, salt, canonical, keys |
| Core | 56 | Artifact, chain, portal, governance, behavioral, delegation, privacy, revocation, fail-closed |
| Tools | 25 | All 20 tool handlers |
| Integration | 38 | Bundle tamper, lifecycle, performance, NCCoE demo, crucible compatibility |
| Total | 159 |
License
MIT - Attested Intelligence Holdings LLC
関連サーバー
Cred Protocol
On-chain credit scoring, financial reporting, and identity verification for Ethereum addresses. Get credit scores (300-1000), portfolio values, and identity attestations.
MCP OCR Server
An MCP server for Optical Character Recognition (OCR) using the Tesseract engine.
Zomato MCP
An mcp server for your food ordering needs.
mcp-dice
Rolls dice using standard notation (e.g., 1d20) and returns individual rolls and their sum.
Memento-cmp
A Three-Layer Memory Architecture for LLMs (Redis + Postgres + Vector) MCP
MCP-Airflow-API
MCP-Airflow-API is an MCP server that leverages the Model Context Protocol (MCP) to transform Apache Airflow REST API operations into natural language tools. This project hides the complexity of API structures and enables intuitive management of Airflow clusters through natural language commands.
Bitcoin MCP Server
MCP server dedicated to the Bitcoin ecosystem for traders, analysts, developers, and more.
Barevalue MCP
AI podcast editing as a service. Upload raw audio or submit a URL, get back edited episodes with filler words removed, noise reduction, transcripts, show notes, and social clips. Includes webhooks for automation.
Interzoid Data Quality
AI-powered data matching, enrichment, standardization, and verification APIs. 29 tools for company/name/address deduplication, business intelligence, email trust scoring, and more. Supports x402 crypto micropayments.
trainedby.ai
Connect wearables to ChatGPT, so your AI coach knows you without typing a word