phionyx-mcp-server
The phionyx-mcp-server is a tamper-evident audit proxy for MCP tool calls, sitting between an MCP-capable host and third-party MCP servers to detect tool poisoning, shadowing, and rug pulls via signed, hash-chained evidence envelopes (RGE v0.2).
Core capabilities:
Verify tool descriptors (
verify_tool_descriptor): Hash an MCP tool descriptor and compare it against a user-approved baseline to detect post-approval drift. Returns the current hash and achange_detectedflag.Record tool calls (
record_tool_call): Emit signed RGE v0.2 envelopes capturing tool call I/O hashes, approval state, anomaly flags, permission scope, and policy basis, appended to the session's tamper-evident chain.Verify chain integrity (
verify_chain_integrity): Walk the persisted envelope chain for a given trace, verifying every hash link. Refuses mixed-schema chains and reports tampering or reordering.Query audit history (
query_audit_history): Replay envelopes for a trace (most-recent first) for post-incident review or compliance inspection.Audit record decision (
audit_record_decision): Log non-MCP runtime decisions (release/block/defer/redact) into the same audit chain.Record user approval (
record_user_approval) (stub): Placeholder for capturing user approval state; returns anot_implementedmarker pending host-side UX definition.Flag anomaly (
flag_anomaly) (stub): Placeholder for forwarding anomaly observations into audit envelopes; drift scoring planned for a future version.Shared session traces: Interoperates with
phionyx-pipeline-mcpunder a single session trace ID for unified governance evidence.
Audit data is persisted locally (default: ~/.phionyx/mcp_audit/), and CLI tools (phionyx-mcp) allow viewing the chain head, verifying integrity, and inspecting individual envelopes.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@phionyx-mcp-serververify the tool descriptor against the approved baseline"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
phionyx-mcp-server
The MCP trust boundary in the Phionyx runtime — descriptor signing, signed evidence envelopes, and a tamper-evident audit chain over third-party MCP tool calls.
phionyx-mcp-server sits between an MCP-capable host (Claude Desktop, Cursor, Zed,
VS Code, JetBrains) and any third-party MCP server it talks to, producing
tamper-evident evidence at every trust-boundary crossing. It closes a security gap
the MCP specification
(2025-11-25) explicitly
defers to implementors:
"MCP itself cannot enforce these security principles at the protocol level; implementors SHOULD..."
The threat surface is aligned with arXiv:2512.06556 (Jamshidi et al., Securing the Model Context Protocol) — tool poisoning, shadowing, rug pulls.
Where it fits
Phionyx ships three distinct things, each on its own version line — don't cross-attribute them:
Engine —
phionyx-core: the deterministic governance runtime (46-block canonical pipeline, kill switch, HITL queue, ethics/safety gates, signed audit chain).pip install phionyx-core.Gate —
phionyx-pipeline-mcp: an agent self-claim gate that verifies "I fixed / I tested / this changed" against the repository's actual diff.Format — AI Runtime Evidence Protocol (AIREP): an experimental, vendor-neutral open format for an AI decision receipt — one signed, hash-chained, offline-checkable record per runtime decision, readable by anyone and tied to no vendor. AIREP is a proposed format, not a ratified standard. Phionyx's Reasoned Governance Envelope (RGE) is AIREP's reference producer (the first system that emits AIREP records; it matures by conforming).
This package is the outward MCP trust boundary — it produces signed, hash-chained evidence over third-party MCP tool calls. The envelopes it emits are RGE records (a Phionyx profile of AIREP). It interoperates with the gate through a shared session trace, so both governance surfaces share one view.
Related MCP server: heddle
Status
v0.2.0. Five of eight capabilities are fully implemented; three are explicit
stubs that return structured not_implemented markers (callers can detect server
maturity). The two load-bearing capabilities — descriptor verification and
tool-call audit — are live. Envelopes follow RGE v0.2 (Reasoned Governance
Envelope), the Phionyx profile of AIREP.
# | Capability | Status |
1 | Tool descriptor hash | ✅ implemented |
2 | Descriptor change detection | ✅ implemented |
3 | Tool permission scope | 🟡 envelope field populated; policy logic stub |
4 | Tool call I/O hash | ✅ implemented |
5 | User approval state | 🟡 envelope field populated; UX surface stub |
6 | Runtime anomaly record | 🟡 records to the audit side-log; drift scoring stub |
7 | Signed evidence envelope | ✅ implemented (RGE v0.2) |
8 | Chain verification command | ✅ implemented ( |
Install
pip install phionyx-mcp-server
phionyx-mcp --helpUse — as an MCP server
Add to your MCP-capable host (Claude Desktop example):
{
"mcpServers": {
"phionyx-governance": { "command": "phionyx-mcp-server" }
}
}The host then sees four production MCP tools:
verify_tool_descriptor(descriptor, baseline_hash)— hash and compare against an approved baseline (full descriptor, includingprotocolVersion).record_tool_call(turn_index, user_text, producer, …, trace_id=None)— emit a signed RGE v0.2 envelope.trace_idis optional; resolved fromPHIONYX_TRACE_IDor~/.phionyx/active_trace.verify_chain_integrity(trace_id=None)— walk the chain, refuse mixed schemas.query_audit_history(trace_id=None, limit=50)— replay envelopes for review.
Plus three stub tools returning structured not_implemented markers.
Shared trace with the gate
When installed alongside phionyx-pipeline-mcp, the two servers share a single
trace_id per session, so one session's evidence spans both governance surfaces:
PHIONYX_TRACE_IDenv var → highest precedence.PHIONYX_ACTIVE_TRACE_FILE(default~/.phionyx/active_trace) → file fallback.The first caller generates a UUID-derived trace and persists it.
Use — as a CLI
phionyx-mcp head --trace trace-abc123 # current chain head
phionyx-mcp verify-chain --trace trace-abc123 # walk + verify the chain
phionyx-mcp show --trace trace-abc123 --turn 7 # show one envelopeThe CLI exits 0 on a valid chain, 1 on tamper/break, 2 on invocation error.
Persistence
Envelopes are written under $PHIONYX_MCP_AUDIT_ROOT (default ~/.phionyx/mcp_audit/):
<root>/<trace_id>/chain.jsonl (append-only index)
<root>/<trace_id>/<turn:06d>.json (full canonical-JSON envelope)Swap the persistence layer by passing an alternative EnvelopeStore-protocol
implementation (S3, DynamoDB, …).
Schema — RGE v0.2
Envelopes conform to RGE v0.2 (Reasoned Governance Envelope), the Phionyx
profile of the AI Runtime Evidence Protocol (AIREP). The signature
covers all envelope content except the self-referential
mcp_tool_audit.signed_envelope_ref. The schema, RFC, and worked examples ship in
this repository.
Tests
pip install -e .
pytest -qThe suite pins descriptor-hash semantics (full descriptor including
protocolVersion), RGE v0.2 schema conformance (jsonschema Draft 2020-12), and
hash-chain integrity (tamper, reorder, and mixed-schema detection).
See also
Engine — phionyx-core on PyPI
Gate — phionyx-pipeline-mcp
Evidence format — AI Runtime Evidence Protocol (AIREP)
Runtime narrative — phionyx.ai
License
AGPL-3.0-or-later.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/halvrenofviryel/phionyx-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server