nobulex-mcp-server
This server provides AI agent behavioral governance through covenant-based rules, runtime enforcement, and cryptographically verifiable audit trails.
Set Covenant Rules (
set_rules): Define behavioral policies usingpermit,forbid, andrequiresyntax (e.g.,'forbid delete_user','permit read_data'), establishing what actions are allowed or blocked.Check Action Compliance (
check_action): Evaluate whether a specific action (with optional parameters) is permitted or blocked under the active rules, enabling pre-execution enforcement before an action runs.Retrieve Audit Log (
get_audit_log): Fetch the full hash-chained audit trail of all compliance checks, providing a tamper-evident history of every action evaluation.Verify Log Integrity (
verify_log): Independently verify the cryptographic integrity of the audit log to detect any tampering, ensuring the trustworthiness of the agent's behavioral history.
Provides GitHub repository hosting for the Nobulex project, including source code, documentation, and issue tracking for the proof-of-behavior protocol.
Hosts the Nobulex repository with CI/CD workflows, documentation, and community collaboration features for the proof-of-behavior protocol development.
Provides drop-in compliance middleware for LangChain, allowing behavioral rule enforcement and cryptographic proof of agent actions within LangChain applications.
Provides npm package distribution for the Nobulex SDK and related packages, enabling installation and integration via npm ecosystem.
Provides PyPI distribution for langchain-nobulex package, enabling Python developers to integrate proof-of-behavior verification into LangChain applications.
Provides TypeScript SDK and packages for implementing proof-of-behavior protocol, with strict TypeScript support for type-safe behavioral rule definition and verification.
Every person has a credit score. Every business has one. AI agents have nothing.
Nobulex is the credit and trust protocol for autonomous AI agents. Agents earn trust score through verified behavior. Higher trust, more access. Autonomy earned, not granted.
Website · Try it live · Quickstart · Spec · PyPI · npm
Break the AI. Win $7,400.
Five AI agents, each with rules they must not break. Make them violate their own rules. Beat Level 5 to claim the bounty. 29 attempts, 0 winners so far.
Install
pip install nobulexnpm install @nobulex/corefrom nobulex.agent import Agent
agent = Agent("my-agent")
receipt = agent.act("send_email", scope="user@example.com")
assert receipt.verify() # tamper-proofRelated MCP server: DCL Evaluator
How it works
Every agent action produces a cryptographic receipt -- Ed25519 signed before and after execution, hash-chained for tamper evidence. A third party can verify the full history without trusting the agent or the operator.
Here is the whole idea in one run (python -m nobulex demo):
generated 3 receipts
allow: 141ca2947a7e819b8bdebbf8... verified=True
allow: f3377758ac94d812535cbb99... verified=True
deny: 85b2dfd6b87f2678795726e4... verified=True
trust score: 23.26
tamper test:
modified receipt verified=False (tamper detected)Change one byte of a receipt and verification fails. That is the whole guarantee.
Performance: ~13,683 signed receipts/sec at p50 (Python SDK, single core). Full signed-and-chained receipt takes ~73 μs end-to-end. See BENCHMARKS.md for the full breakdown; reproduce with python3 scripts/benchmark.py.
Receipts accumulate into trust score -- a credit score for the agent.
Tier | trust score | Access Level |
Restricted | 0 -- 30 | Read-only, sandboxed execution |
Standard | 30 -- 60 | Financial ops up to $500, API access |
Trusted | 60 -- 85 | Cross-org operations, regulated markets |
Sovereign | 85+ | Full autonomy, self-directed |
Agents that create more value earn more access. Agents that deviate get cut off automatically. Not as punishment -- as math.
Quick start
Python (recommended for AI agents)
pip install nobulexOne line to add receipts to any function:
from nobulex import track
@track(agent_id="my-agent")
def send_email(to, subject, body):
# your existing code, unchanged
return smtp.send(to, subject, body)
# Every call now produces a signed receipt automatically
send_email("user@example.com", "Hello", "Report attached")
# Success = receipt. Exception = DENY receipt. Trust score accumulates.
print(send_email.receipts) # signed, tamper-evident
print(send_email.trust_score) # earned over timeOr use the Agent API directly:
from nobulex import Agent
agent = Agent("my-agent")
receipt = agent.act("send_email", scope="user@example.com")
assert receipt.verify() # any third party can check
print(agent.trust_score) # builds with every actionLangChain integration
from nobulex.integrations.langchain import NobulexAuditHandler
handler = NobulexAuditHandler(agent_id="my-agent")
agent.invoke({"input": "..."}, config={"callbacks": [handler]})
handler.export("audit.json") # signed, hash-chained audit trailCrewAI integration
from nobulex.integrations.crewai import NobulexCrewAudit
audit = NobulexCrewAudit(agent_id="my-crew")
audit.record_task("credit_check", "loan-app-4821")
audit.export("audit.json")Google ADK integration
from nobulex.integrations.google_adk import NobulexADKCallback
cb = NobulexADKCallback(agent_id="my-agent")
@cb.wrap_tool("web_search")
def search(query):
return do_search(query)
cb.export("audit.json")PydanticAI integration
from nobulex.integrations.pydantic_ai import NobulexPydanticAIAudit
audit = NobulexPydanticAIAudit(agent_id="typed-agent")
audit.record_tool("get_weather", {"city": "Berlin"}, {"temp": 22})
audit.export("audit.json")Haystack integration
from nobulex.integrations.haystack import NobulexHaystackAudit
audit = NobulexHaystackAudit(agent_id="my-pipeline")
audit.record_component("Retriever", {"query": "test"}, {"docs": 5})
audit.export("audit.json")LlamaIndex integration
from nobulex.integrations.llama_index import NobulexLlamaIndexAudit
audit = NobulexLlamaIndexAudit(agent_id="llama-agent")
audit.record_tool("web_search", {"query": "test"}, {"results": 5})
audit.export("audit.json")Verify any exported trail (no operator trust)
from nobulex.chain import verify_audit_trail
report = verify_audit_trail("audit.json", authorized_keys=AGENT_PUBLIC_KEY)
assert report["chain_intact"] and report["authenticated"]JavaScript / TypeScript
npm install @nobulex/core
npx tsx examples/trust-capital-demo.tsAgent starts at RESTRICTED tier (trust score: 0)
Action 1: read_data - ALLOWED (trust score: 12)
Action 2: read_data - ALLOWED (trust score: 24)
Action 3: process_payment - BLOCKED (insufficient trust)
Action 4: read_data - ALLOWED (trust score: 36)
Action 5: read_data - ALLOWED (trust score: 48)
Agent promoted to STANDARD tier
Action 6: process_payment - ALLOWED (trust score: 65)
Agent promoted to TRUSTED tier (trust score: 89)
Action 8: approve_contract - ALLOWEDWho is accountable?
An agent key is free to generate. So if the score lives on the key, the score is theater: an agent with a bad record deletes the key, makes a new one, and starts clean in thirty seconds. A human can't do that with a credit score, because the SSN is scarce. That scarcity is what makes a score mean anything.
So the file doesn't live on the key. It lives on the operator: the legal entity accountable for the agent. Agents inherit trust from their operator the way a corporate card inherits its limit from the company rather than from the plastic.
from nobulex import Agent, OperatorRegistry, VerificationLevel
registry = OperatorRegistry()
registry.register("acme", "Acme Corporation", VerificationLevel.KYB)
registry.bind_agent("acme", agent.public_key)
# The question a relying party actually asks:
registry.is_accountable(agent.public_key, VerificationLevel.KYB) # True
registry.operator_for(agent.public_key).legal_name # "Acme Corporation"Burning a key doesn't escape the record:
before the burn | after | |
agent's own score | 8.0 | 0.0 (fresh key) |
operator score | 8.0 | 3.4 (history survived) |
churn ratio | 0.0 | 0.5 (the burn is visible) |
new agent starts at | 2.72, not 0 |
And the attack doesn't work one level up either: an unverified operator
can claim a score of 99 and passes exactly 0.0 to a new agent, so
registering fake operators to farm trust fails by construction.
Meanwhile the honest operator gets paid for it. Acme at 90 with zero churn means their next agent starts at 60 instead of 0. That's the reason to bind keys rather than stay anonymous.
python packages/python/examples/sybil_resistance.pyThe protocol
DECLARE ──► ENFORCE ──► PROVE ──► ACCUMULATE
Covenant Pre-execution Receipt chain trust score
defines receipt blocks verified by earned over
the rules violations third parties time
before they
happen ──► more access
──► more receipts
──► higher trustThe flywheel: more trust score leads to more valuable work, which produces more receipts, which builds higher trust score. Accountability becomes the most profitable strategy.
Code
import { createDID, parseSource, EnforcementMiddleware, verify } from '@nobulex/core';
const agent = await createDID();
const spec = parseSource(`
covenant SafeTrader {
permit read;
permit transfer (amount <= 500);
forbid transfer (amount > 500);
forbid delete;
}
`);
const mw = new EnforcementMiddleware({ agentDid: agent.did, spec });
await mw.execute(
{ action: 'transfer', params: { amount: 300 } }, // allowed
async () => ({ success: true }),
);
await mw.execute(
{ action: 'transfer', params: { amount: 600 } }, // BLOCKED before execution
async () => ({ success: true }), // never runs
);
const result = verify(spec, mw.getLog());
console.log(result.compliant); // trueTraction
Independent, verifiable signals (each links to evidence):
What | Evidence | |
OWASP Agentic Skills Top 10 (AST09) | Bilateral receipt pattern merged as normative guidance (PR #35). Vendor listing in the solutions catalog (PR #38). Fixture-corpus proposal (PR #46, merged as a discussion doc, not a normative spec). All merged by project lead Ken Huang, Jun-Jul 2026. The | |
IETF Conformance | draft-farley-acta-signed-receipts: 4/4 vectors pass. Implementation PR #12 filed | |
OWASP CheatSheetSeries | Sections 8-11 (JCS canonicalization, cross-agent accountability, sanctions-list freshness, regulatory mapping) merged into master by Jim Manico, Jun 2026 (PR #2210) | |
Dify Plugin Marketplace | Plugin merged into official dify-plugins repository (PR #2500). Nobulex receipts available to 90K+ star Dify ecosystem | |
Microsoft AI Agents for Beginners | PR open to add nobulex as the Python production receipt library in Lesson 18 - Securing AI Agents with Cryptographic Receipts (PR #571) | |
AgentAudit AI | Design-partner conversation. A signed specimen receipt verifies end-to-end in 10 lines of Python (fixture) | |
Microsoft AGT | Listed in ADOPTERS (PR merged by Microsoft maintainers) | |
builderz-labs / mission-control | Cross-session trust score RFC accepted as open issue; TypeScript reference implementation delivered |
EU AI Act Article 12 enforcement: December 2, 2027.
Verify API
The SDK is free. The hosted verification layer is the product.
# Verify a receipt
curl -X POST https://nobulex.com/api/verify \
-H "Content-Type: application/json" \
-d '{"agent_id":"my-agent","action_type":"tool:search",...}'
# Check an agent's trust score
curl https://nobulex.com/api/verify?action=score&agent_id=my-agentEndpoint | What it does | Tier |
| Verify signature + recompute action_ref | Free |
| Verify chain integrity | Pro |
| Compliance report for regulators | Pro |
| Trust score (A-F grade) | Free |
| Live tamper detection demo | Free |
Free: 100/day. Pro ($99/mo): 10K/day. Scale ($499/mo): unlimited.
Pricing | API docs | Methodology
Why now
AI agents are being deployed into production with no accountability infrastructure.
86% of AI agents deployed without security approval (CSA, 2026)
UUMit launched the first A2A marketplace with zero identity verification
$138B+ committed to physical AI with zero accountability layer
Top models score 10-15% on real problems (LemmaBench) with zero traceability on failure
The agents are deployed. The money is flowing. The accountability infrastructure doesn't exist yet. We're building it.
Standards
Standard | Status |
Proof-of-Behavior spec | |
Microsoft AGT | Listed in ADOPTERS (PR merged) |
CTEF v0.3.2 | 14/14 byte-match conformance |
A2A Protocol | Receipt row proposed; URN scheme |
NIST RFI | Formal comments submitted |
Development
git clone https://github.com/arian-gogani/nobulex.git
cd nobulex && npm install
npx vitest run # tests
npx tsx examples/demo.ts # end-to-end
npx tsx benchmarks/bench.ts # benchmarksWebsite · Try it · npm · Spec · X @nobulexlabs
Star this repo to follow the project
MIT License
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/arian-gogani/nobulex'
If you have feedback or need assistance with the MCP directory API, please join our Discord server