AGA MCP Server
Cryptographic runtime governance for AI agents. 20 tools. Sealed policy artifacts, continuous measurement, tamper-evident proof. Ed25519 + SHA-256.
@attested-intelligence/aga-mcp-server v2.0.0
MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
What It Does
This server acts as a Portal (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
20 tools, 4 resources, 3 prompts, 159 tests
20 MCP Tools
| # | Tool | NIST/Patent Ref | Description |
|---|---|---|---|
| 1 | aga_server_info | - | Server identity, keys, portal state, framework alignment |
| 2 | aga_init_chain | Claim 3a | Initialize continuity chain with genesis event |
| 3 | aga_create_artifact | Claims 1a-1d | Attest subject, generate sealed Policy Artifact |
| 4 | aga_measure_subject | Claims 1e-1g | Measure subject, compare to sealed ref, generate receipt |
| 5 | aga_verify_artifact | Claim 10 | Verify artifact signature against issuer key |
| 6 | aga_start_monitoring | NIST-2025-0035 | Start/restart behavioral monitoring with baseline |
| 7 | aga_get_portal_state | - | Current portal enforcement state and TTL |
| 8 | aga_trigger_measurement | Claims 1e-1g | Trigger measurement with specific type |
| 9 | aga_generate_receipt | V3 Promise | Generate signed measurement receipt manually |
| 10 | aga_export_bundle | Claim 9 | Package artifact + receipts + Merkle proofs |
| 11 | aga_verify_bundle | Section J | 4-step offline bundle verification |
| 12 | aga_disclose_claim | Claim 2 | Privacy-preserving disclosure with auto-substitution |
| 13 | aga_get_chain | Claim 3c | Get chain events with optional integrity verification |
| 14 | aga_quarantine_status | Claim 5 | Quarantine state and forensic capture status |
| 15 | aga_revoke_artifact | NCCoE 3b | Mid-session artifact revocation |
| 16 | aga_set_verification_tier | - | Set verification tier (BRONZE/SILVER/GOLD) |
| 17 | aga_demonstrate_lifecycle | All | Full lifecycle: attest, measure, checkpoint, verify |
| 18 | aga_measure_behavior | NIST-2025-0035 | Behavioral drift detection (tool patterns) |
| 19 | aga_delegate_to_subagent | NCCoE | Constrained sub-agent delegation (scope only diminishes) |
| 20 | aga_rotate_keys | Claim 3 | Key rotation with chain event |
4 Resources
| Resource | URI | Description |
|---|---|---|
| Protocol Spec | aga://specification/protocol-v2 | Full protocol specification with SPIFFE alignment |
| Sample Bundle | aga://resources/sample-bundle | Sample evidence bundle documentation |
| Crypto Primitives | aga://resources/crypto-primitives | Cryptographic primitives documentation |
| Patent Claims | aga://resources/patent-claims | 20 patent claims mapped to tools |
3 Prompts
| Prompt | Description |
|---|---|
nccoe-demo | 4-phase NCCoE lab demo with behavioral drift |
governance-report | Session governance summary report |
drift-analysis | Drift event analysis and remediation |
CoSAI MCP Security Threat Coverage
The AGA MCP Server addresses all 12 threat categories identified in the CoSAI MCP Security whitepaper (Coalition for Secure AI / OASIS, January 2026).
| CoSAI Category | Threat Domain | AGA Governance Mechanism |
|---|---|---|
| T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
| T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
| T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
| T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
| T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
| T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
| T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
| T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
| T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
| T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
| T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
| T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |
Full mapping details available via the aga://specification resource.
Quick Start
npm install && npm run build && npm test
Connect to Claude Desktop
Add to %APPDATA%\Claude\claude_desktop_config.json:
{
"mcpServers": {
"aga": { "command": "node", "args": ["C:/Users/neuro/AIH/aga-mcp-server/dist/index.js"] }
}
}
Architecture
MCP Client (Claude Desktop)
│ JSON-RPC over stdio
▼
src/server.ts - 20 tools + 4 resources + 3 prompts
│
├── src/tools/ 20 individual tool handlers
├── src/core/ Protocol logic (artifact, chain, portal, etc.)
├── src/crypto/ Ed25519 + SHA-256 + Merkle + canonical JSON
├── src/middleware/ Zero-trust governance PEP
├── src/storage/ In-memory + optional SQLite
├── src/resources/ Protocol docs + patent claims
└── src/prompts/ Demo + report + analysis prompts
Test Coverage
| Suite | Tests | What |
|---|---|---|
| Crypto | 33 | SHA-256, Ed25519, Merkle, salt, canonical, keys |
| Core | 56 | Artifact, chain, portal, governance, behavioral, delegation, privacy, revocation, fail-closed |
| Tools | 25 | All 20 tool handlers |
| Integration | 38 | Bundle tamper, lifecycle, performance, NCCoE demo, crucible compatibility |
| Total | 159 |
License
MIT - Attested Intelligence Holdings LLC
Related Servers
MCP OCR Server
An MCP server for Optical Character Recognition (OCR) using the Tesseract engine.
SuricataMCP
A server that allows MCP clients to use Suricata for network traffic analysis.
Crypto Price & Market Analysis (JJ Fork)
Provides real-time cryptocurrency price data, market analysis, and historical trends using the CoinCap API.
Jilebi
A secure, extensible MCP runtime with JS plugins
Tokyo WBGT MCP Server
Provides real-time and forecast WBGT (Heat Index) data for Tokyo from Japan's Ministry of the Environment.
ROT Trading Intelligence
The first financial intelligence MCP server. Live AI-scored trading signals from Reddit, SEC filings, FDA approvals, Congressional trades, and 15+ sources. 7 tools, 2 resources, hosted remotely, free, no API key required.
Gaggiuino MCP
An MCP server for the Gaggiuino open-source espresso machine, providing real-time local network access to machine status and shot data.
US Safety Recalls MCP
Search NHTSA vehicle recalls and FDA food/drug recalls in real-time. 4 MCP tools for product safet monitoring.
AgentAuth
Auth0, but for agents. Identity and authentication service for AI agents.
Rami Levy
An MCP server for interacting with the Rami Levy online grocery store API.