saferagenticai-mcp Server

Read-only MCP server exposing the Safer Agentic AI safety framework: 238 patterns + 14 operational heuristics via 12 query tools; Python stdio.

Documentation

SaferAgenticAI MCP Server

Serves the SaferAgenticAI framework (canonical criteria + Implementation Patterns layer) to coding assistants via the Model Context Protocol.

Available in

Published to the canonical MCP catalogues — install from a registry-aware client or the CLI below:

Also rolling out across the wider MCP ecosystem: mcp.directory, mcpservers.org, PulseMCP (via the registry ingest), and mcp.so.

Install

Pick the path that matches your setup.

Option 1 — uvx (fastest, no manual venv)

If you have uv installed, point your MCP client at:

uvx --from git+https://github.com/NellInc/saferagenticai-mcp saferagenticai-mcp

uv handles isolation and caches the install. Works for single-command config lines in ~/.claude/mcp.json.

Option 2 — pipx (isolated global install)

pipx install "git+https://github.com/NellInc/saferagenticai-mcp"

Exposes saferagenticai-mcp globally; updated with pipx upgrade saferagenticai-mcp.

Option 3 — manual venv (works offline from a checkout)

Homebrew / system Python blocks direct pip install under PEP 668, so if you've cloned the repo and want an editable install:

python3 -m venv research/mcp/.venv
research/mcp/.venv/bin/pip install -e research/mcp/server

Produces research/mcp/.venv/bin/saferagenticai-mcp. Pattern YAML edits in the repo are picked up live (editable mode).

Option 4 — from PyPI

pipx install saferagenticai-mcp
# or, with the modern uv toolchain:
uv tool install saferagenticai-mcp
# or plain pip:
pip install --user saferagenticai-mcp

For audit-trail reproducibility, pin the version: pipx install saferagenticai-mcp==0.3.3. The package bundles criteria-v1.json + 238 pattern YAMLs + 4 exemplars

  • operational_heuristics.yaml inside saferagenticai_mcp/_data/, so a wheel install works without any repo checkout. (The 0.3.0 wheel predates the corpus extension and bundles only 214 patterns, no heuristics; 0.3.1 is the first complete build.)

Configure (Claude Code)

Add to ~/.claude/mcp.json (or your IDE's MCP config). Pick the variant that matches your install option.

With uvx

{
  "mcpServers": {
    "saferagenticai": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/NellInc/saferagenticai-mcp",
        "saferagenticai-mcp"
      ]
    }
  }
}

With pipx or manual venv

{
  "mcpServers": {
    "saferagenticai": {
      "command": "/absolute/path/to/saferagenticai-mcp"
    }
  }
}

For a manual venv checkout, the absolute path is <repo>/research/mcp/.venv/bin/saferagenticai-mcp.

Restart Claude Code / your IDE after editing. The server will load on the first tool call from your assistant.

Tools (12 total)

ToolInputReturns
list_suites16 suites with titles and subgoal counts
get_requirementid, include_patternone subgoal + its Pattern layer; falls back to fuzzy candidates if no exact match
list_requirementssuite/type/content_type/confidence filtersfiltered subgoal list with reliability signals
search_patternsquery, limit, verbosityfield-weighted ranked matches with matched_in and (in full mode) snippets + confidence flags. Field weights: title 10×, summary 4×, sfr 3×, description 2×, body 1×
get_cross_referencesid, include_inferredoutgoing adjacencies
get_reverse_referencesidincoming adjacencies (who cites this pattern)
resolve_idquerycanonicalise a partial id, slug fragment, or display_id; always returns candidates
find_patterns_for_tasktask, limit, verbositytop patterns grouped by suite for a task description; defaults to compact mode for cheap triage
list_unreviewedlimitpatterns without reviewed_by, sorted low-confidence first
review_statscoverage %, per-suite, per-confidence; plus validation issue count
list_operational_heuristicssuite_id?, query?operational heuristics distilled from production agentic AI deployment, optionally filtered by suite or keyword
get_operational_heuristicidsingle operational heuristic by id (e.g. OH::geoffrey-pattern); returns full entry with principle, framework mapping, design patterns, and discovery narrative

Data sources

  • Canonical framework: assessor/src/data/criteria-v1.json (extracted from framework.html)
  • Pattern layer: research/mcp/suites/<SUITE>/<pattern_id>.yaml (238 files)
  • Exemplars: research/mcp/exemplars/*.yaml (fallback for four anchor subgoals)
  • Operational heuristics: research/mcp/operational_heuristics.yaml (14 heuristics)

At startup the server loads both and builds an in-memory index keyed by pattern_id. display_id lookups are also supported but may resolve to multiple subgoals (underlined variants).

Smoke test (without MCP installed)

python3 -c "
from saferagenticai_mcp.framework_loader import load_framework
idx = load_framework()
print(f'{len(idx.subgoals)} subgoals, {sum(1 for s in idx.subgoals.values() if s.has_pattern)} with patterns')
"

Versioning

  • Canonical framework: follows criteria-v1.json's version field.
  • Pattern layer: v1-draft while this directory is being populated; v1 once reviewed.
  • Server: semantic versioning. Current release is 0.3.3 (full 238-pattern corpus + operational heuristics bundled; argument validation in dispatch; MIT license with bundled LICENSE, corrected package metadata, and MCP-registry ownership token). Pin explicitly for audit reproducibility.

What's already built in

  • Hot reload — server stat-walks the source tree on each tool call; edits show up without restart.
  • Load-time validation — required fields, content_type enum, confidence enum. Invalid patterns log WARNINGs but don't fail the server.
  • find_patterns_for_task — natural-language task → top patterns grouped by suite. Replaces the need for a separate embedding index at current scale.
  • Reverse xref index — built at load, queried by get_reverse_references.

Not implemented

  • Auth / remote transport (stdio only).
  • Embedding-based semantic search — the field-weighted keyword scoring is sufficient at 238 patterns; embeddings would be worth it at 10× this scale.
  • mark_reviewed write tool — deliberately not added. Phase 3 review edits go through the YAML directly (editor + git diff = auditable); the MCP stays read-only.

License

This server (the code in this directory) is licensed MIT — see LICENSE.

The safety-framework content it serves (the patterns, canonical criteria, and operational heuristics bundled under saferagenticai_mcp/_data/) is part of the SaferAgenticAI framework, published under CC-BY-4.0 at the repository root. Attribution: Nell Watson and the Agentic AI Safety Community of Practice.