
AGA-mcp-server

@attested-intelligence/aga-mcp-server v2.0.0

MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.

What It Does

This server acts as a Portal (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.

20 tools, 4 resources, 3 prompts, 159 tests
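
The pattern described above (measure against a sealed reference, sign a receipt, append to a tamper-evident chain), as an added Node.js example. It is not code from the AGA project and does not reproduce its artifact or receipt format; `seal`, `measure`, `verifyChain`, `leafHash` and the sample subject strings are hypothetical names and constructed values.

```javascript
// Added example, not the AGA server's code or wire format; all names are hypothetical.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// Canonical JSON: keys sorted at every level so the signed bytes are deterministic.
const canon = (v) => Array.isArray(v) ? `[${v.map(canon).join(',')}]`
  : v && typeof v === 'object'
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canon(v[k])}`).join(',')}}`
    : JSON.stringify(v);

const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519'); // constructed key
const GENESIS = '0'.repeat(64);

// Seal: bind the subject's content hash into a reference at attestation time.
const seal = (subject) => ({ sealedHash: sha256(subject) });

// Measure the subject against the sealed hash, sign a receipt, link it to the previous one.
function measure(chain, artifact, subject) {
  const prev = chain.length ? chain[chain.length - 1].leafHash : GENESIS;
  const measured = sha256(subject);
  const body = { seq: chain.length, prev, measured, match: measured === artifact.sealedHash };
  const signature = crypto.sign(null, Buffer.from(canon(body)), privateKey).toString('base64');
  chain.push({ body, signature, leafHash: sha256(canon(body) + signature) });
  return body.match; // a fail-closed caller blocks the tool call when this is false
}

// Offline verification: every back-link and every signature must check out.
function verifyChain(chain, issuerKey) {
  let prev = GENESIS;
  for (const [i, r] of chain.entries()) {
    if (r.body.seq !== i || r.body.prev !== prev) return { ok: false, at: i, why: 'link' };
    const sig = Buffer.from(r.signature, 'base64');
    if (!crypto.verify(null, Buffer.from(canon(r.body)), issuerKey, sig))
      return { ok: false, at: i, why: 'signature' };
    prev = sha256(canon(r.body) + r.signature); // recomputed, never trusted from the record
  }
  return { ok: true, at: -1, why: 'none' };
}

// Constructed sample run: one clean measurement, one drifted, then two tampering attempts.
function demo() {
  const chain = [], artifact = seal('tool-binary-v1');
  const first = measure(chain, artifact, 'tool-binary-v1');
  const drift = measure(chain, artifact, 'tool-binary-v1-modified');
  const forged = JSON.parse(JSON.stringify(chain));
  forged[1].body.match = true; // rewrite the drift receipt to claim a match
  return { first, drift, clean: verifyChain(chain, publicKey),
    forged: verifyChain(forged, publicKey), truncated: verifyChain(chain.slice(1), publicKey) };
}
console.log(demo());
```

Editing a recorded receipt breaks its Ed25519 signature, and dropping one breaks the sequence and back-link, so both are caught without contacting the issuer.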

20 MCP Tools

| # | Tool | NIST/Patent Ref | Description |
|---|------|-----------------|-------------|
| 1 | aga_server_info | - | Server identity, keys, portal state, framework alignment |
| 2 | aga_init_chain | Claim 3a | Initialize continuity chain with genesis event |
| 3 | aga_create_artifact | Claims 1a-1d | Attest subject, generate sealed Policy Artifact |
| 4 | aga_measure_subject | Claims 1e-1g | Measure subject, compare to sealed ref, generate receipt |
| 5 | aga_verify_artifact | Claim 10 | Verify artifact signature against issuer key |
| 6 | aga_start_monitoring | NIST-2025-0035 | Start/restart behavioral monitoring with baseline |
| 7 | aga_get_portal_state | - | Current portal enforcement state and TTL |
| 8 | aga_trigger_measurement | Claims 1e-1g | Trigger measurement with specific type |
| 9 | aga_generate_receipt | V3 Promise | Generate signed measurement receipt manually |
| 10 | aga_export_bundle | Claim 9 | Package artifact + receipts + Merkle proofs |
| 11 | aga_verify_bundle | Section J | 4-step offline bundle verification |
| 12 | aga_disclose_claim | Claim 2 | Privacy-preserving disclosure with auto-substitution |
| 13 | aga_get_chain | Claim 3c | Get chain events with optional integrity verification |
| 14 | aga_quarantine_status | Claim 5 | Quarantine state and forensic capture status |
| 15 | aga_revoke_artifact | NCCoE 3b | Mid-session artifact revocation |
| 16 | aga_set_verification_tier | - | Set verification tier (BRONZE/SILVER/GOLD) |
| 17 | aga_demonstrate_lifecycle | All | Full lifecycle: attest, measure, checkpoint, verify |
| 18 | aga_measure_behavior | NIST-2025-0035 | Behavioral drift detection (tool patterns) |
| 19 | aga_delegate_to_subagent | NCCoE | Constrained sub-agent delegation (scope only diminishes) |
| 20 | aga_rotate_keys | Claim 3 | Key rotation with chain event |

4 Resources

| Resource | URI | Description |
|----------|-----|-------------|
| Protocol Spec | aga://specification/protocol-v2 | Full protocol specification with SPIFFE alignment |
| Sample Bundle | aga://resources/sample-bundle | Sample evidence bundle documentation |
| Crypto Primitives | aga://resources/crypto-primitives | Cryptographic primitives documentation |
| Patent Claims | aga://resources/patent-claims | 20 patent claims mapped to tools |

3 Prompts

| Prompt | Description |
|--------|-------------|
| nccoe-demo | 4-phase NCCoE lab demo with behavioral drift |
| governance-report | Session governance summary report |
| drift-analysis | Drift event analysis and remediation |

CoSAI MCP Security Threat Coverage

The AGA MCP Server addresses all 12 threat categories identified in the CoSAI MCP Security whitepaper (Coalition for Secure AI / OASIS, January 2026).

| CoSAI Category | Threat Domain | AGA Governance Mechanism |
|----------------|---------------|--------------------------|
| T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
| T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
| T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
| T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
| T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
| T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
| T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
| T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
| T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
| T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
| T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
| T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |

Full mapping details available via the aga://specification resource.

Quick Start

npm install && npm run build && npm test

Connect to Claude Desktop

Add to %APPDATA%\Claude\claude_desktop_config.json, replacing the path in "args" with the absolute path to your own build of dist/index.js:

{
  "mcpServers": {
    "aga": { "command": "node", "args": ["C:/Users/neuro/AIH/aga-mcp-server/dist/index.js"] }
  }
}

Architecture

MCP Client (Claude Desktop)
    │ JSON-RPC over stdio
    ▼
src/server.ts - 20 tools + 4 resources + 3 prompts
    │
    ├── src/tools/          20 individual tool handlers
    ├── src/core/           Protocol logic (artifact, chain, portal, etc.)
    ├── src/crypto/         Ed25519 + SHA-256 + Merkle + canonical JSON
    ├── src/middleware/     Zero-trust governance PEP
    ├── src/storage/        In-memory + optional SQLite
    ├── src/resources/      Protocol docs + patent claims
    └── src/prompts/        Demo + report + analysis prompts

Test Coverage

| Suite | Tests | What |
|-------|-------|------|
| Crypto | 33 | SHA-256, Ed25519, Merkle, salt, canonical, keys |
| Core | 56 | Artifact, chain, portal, governance, behavioral, delegation, privacy, revocation, fail-closed |
| Tools | 25 | All 20 tool handlers |
| Integration | 38 | Bundle tamper, lifecycle, performance, NCCoE demo, crucible compatibility |
| Total | 159 | |

License

MIT - Attested Intelligence Holdings LLC
