@attested-intelligence/aga-mcp-server 0.1.0
- package/AGA_MCP_SERVER_SPEC.md +632 -0
- package/LICENSE +21 -0
- package/README.md +42 -0
- package/dist/core/artifact.d.ts +19 -0
- package/dist/core/artifact.d.ts.map +1 -0
- package/dist/core/artifact.js +27 -0
- package/dist/core/artifact.js.map +1 -0
- package/dist/core/attestation.d.ts +19 -0
- package/dist/core/attestation.d.ts.map +1 -0
- package/dist/core/attestation.js +12 -0
- package/dist/core/attestation.js.map +1 -0
- package/dist/core/behavioral.d.ts +45 -0
- package/dist/core/behavioral.d.ts.map +1 -0
- package/dist/core/behavioral.js +88 -0
- package/dist/core/behavioral.js.map +1 -0
- package/dist/core/bundle.d.ts +13 -0
- package/dist/core/bundle.d.ts.map +1 -0
- package/dist/core/bundle.js +31 -0
- package/dist/core/bundle.js.map +1 -0
- package/dist/core/chain.d.ts +13 -0
- package/dist/core/chain.d.ts.map +1 -0
- package/dist/core/chain.js +63 -0
- package/dist/core/chain.js.map +1 -0
- package/dist/core/checkpoint.d.ts +8 -0
- package/dist/core/checkpoint.d.ts.map +1 -0
- package/dist/core/checkpoint.js +21 -0
- package/dist/core/checkpoint.js.map +1 -0
- package/dist/core/delegation.d.ts +37 -0
- package/dist/core/delegation.d.ts.map +1 -0
- package/dist/core/delegation.js +104 -0
- package/dist/core/delegation.js.map +1 -0
- package/dist/core/disclosure.d.ts +12 -0
- package/dist/core/disclosure.d.ts.map +1 -0
- package/dist/core/disclosure.js +25 -0
- package/dist/core/disclosure.js.map +1 -0
- package/dist/core/index.d.ts +12 -0
- package/dist/core/index.d.ts.map +1 -0
- package/dist/core/index.js +12 -0
- package/dist/core/index.js.map +1 -0
- package/dist/core/portal.d.ts +28 -0
- package/dist/core/portal.d.ts.map +1 -0
- package/dist/core/portal.js +95 -0
- package/dist/core/portal.js.map +1 -0
- package/dist/core/quarantine.d.ts +8 -0
- package/dist/core/quarantine.d.ts.map +1 -0
- package/dist/core/quarantine.js +13 -0
- package/dist/core/quarantine.js.map +1 -0
- package/dist/core/receipt.d.ts +17 -0
- package/dist/core/receipt.d.ts.map +1 -0
- package/dist/core/receipt.js +17 -0
- package/dist/core/receipt.js.map +1 -0
- package/dist/core/subject.d.ts +4 -0
- package/dist/core/subject.d.ts.map +1 -0
- package/dist/core/subject.js +9 -0
- package/dist/core/subject.js.map +1 -0
- package/dist/core/types.d.ts +167 -0
- package/dist/core/types.d.ts.map +1 -0
- package/dist/core/types.js +2 -0
- package/dist/core/types.js.map +1 -0
- package/dist/crypto/hash.d.ts +9 -0
- package/dist/crypto/hash.d.ts.map +1 -0
- package/dist/crypto/hash.js +30 -0
- package/dist/crypto/hash.js.map +1 -0
- package/dist/crypto/index.d.ts +6 -0
- package/dist/crypto/index.d.ts.map +1 -0
- package/dist/crypto/index.js +6 -0
- package/dist/crypto/index.js.map +1 -0
- package/dist/crypto/merkle.d.ts +8 -0
- package/dist/crypto/merkle.d.ts.map +1 -0
- package/dist/crypto/merkle.js +42 -0
- package/dist/crypto/merkle.js.map +1 -0
- package/dist/crypto/salt.d.ts +5 -0
- package/dist/crypto/salt.d.ts.map +1 -0
- package/dist/crypto/salt.js +14 -0
- package/dist/crypto/salt.js.map +1 -0
- package/dist/crypto/sign.d.ts +11 -0
- package/dist/crypto/sign.d.ts.map +1 -0
- package/dist/crypto/sign.js +37 -0
- package/dist/crypto/sign.js.map +1 -0
- package/dist/crypto/types.d.ts +24 -0
- package/dist/crypto/types.d.ts.map +1 -0
- package/dist/crypto/types.js +2 -0
- package/dist/crypto/types.js.map +1 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +11 -0
- package/dist/index.js.map +1 -0
- package/dist/middleware/governance.d.ts +27 -0
- package/dist/middleware/governance.d.ts.map +1 -0
- package/dist/middleware/governance.js +65 -0
- package/dist/middleware/governance.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -0
- package/dist/middleware/index.js +2 -0
- package/dist/middleware/index.js.map +1 -0
- package/dist/server.d.ts +13 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +369 -0
- package/dist/server.js.map +1 -0
- package/dist/storage/index.d.ts +4 -0
- package/dist/storage/index.d.ts.map +1 -0
- package/dist/storage/index.js +3 -0
- package/dist/storage/index.js.map +1 -0
- package/dist/storage/interface.d.ts +21 -0
- package/dist/storage/interface.d.ts.map +1 -0
- package/dist/storage/interface.js +2 -0
- package/dist/storage/interface.js.map +1 -0
- package/dist/storage/memory.d.ts +26 -0
- package/dist/storage/memory.d.ts.map +1 -0
- package/dist/storage/memory.js +24 -0
- package/dist/storage/memory.js.map +1 -0
- package/dist/storage/sqlite.d.ts +25 -0
- package/dist/storage/sqlite.d.ts.map +1 -0
- package/dist/storage/sqlite.js +44 -0
- package/dist/storage/sqlite.js.map +1 -0
- package/dist/utils/canonical.d.ts +3 -0
- package/dist/utils/canonical.d.ts.map +1 -0
- package/dist/utils/canonical.js +17 -0
- package/dist/utils/canonical.js.map +1 -0
- package/dist/utils/constants.d.ts +4 -0
- package/dist/utils/constants.d.ts.map +1 -0
- package/dist/utils/constants.js +4 -0
- package/dist/utils/constants.js.map +1 -0
- package/dist/utils/timestamp.d.ts +4 -0
- package/dist/utils/timestamp.d.ts.map +1 -0
- package/dist/utils/timestamp.js +13 -0
- package/dist/utils/timestamp.js.map +1 -0
- package/dist/utils/uuid.d.ts +2 -0
- package/dist/utils/uuid.d.ts.map +1 -0
- package/dist/utils/uuid.js +3 -0
- package/dist/utils/uuid.js.map +1 -0
- package/package.json +45 -0
- package/src/core/artifact.ts +45 -0
- package/src/core/attestation.ts +33 -0
- package/src/core/behavioral.ts +132 -0
- package/src/core/bundle.ts +31 -0
- package/src/core/chain.ts +72 -0
- package/src/core/checkpoint.ts +22 -0
- package/src/core/delegation.ts +146 -0
- package/src/core/disclosure.ts +32 -0
- package/src/core/index.ts +11 -0
- package/src/core/portal.ts +96 -0
- package/src/core/quarantine.ts +16 -0
- package/src/core/receipt.ts +33 -0
- package/src/core/subject.ts +11 -0
- package/src/core/types.ts +244 -0
- package/src/crypto/hash.ts +33 -0
- package/src/crypto/index.ts +5 -0
- package/src/crypto/merkle.ts +43 -0
- package/src/crypto/salt.ts +18 -0
- package/src/crypto/sign.ts +35 -0
- package/src/crypto/types.ts +19 -0
- package/src/index.ts +12 -0
- package/src/middleware/governance.ts +95 -0
- package/src/middleware/index.ts +1 -0
- package/src/server.ts +436 -0
- package/src/storage/index.ts +3 -0
- package/src/storage/interface.ts +21 -0
- package/src/storage/memory.ts +27 -0
- package/src/storage/sqlite.ts +45 -0
- package/src/tools/README.md +13 -0
- package/src/utils/canonical.ts +14 -0
- package/src/utils/constants.ts +3 -0
- package/src/utils/timestamp.ts +12 -0
- package/src/utils/uuid.ts +2 -0
|
@@ -0,0 +1,632 @@
|
|
|
1
|
+
# AGA MCP Server — Complete Implementation Specification
|
|
2
|
+
|
|
3
|
+
**Package:** `@attested-intelligence/aga-mcp-server@0.1.0`
|
|
4
|
+
**Repository:** https://github.com/attestedintelligence/aga-mcp-server
|
|
5
|
+
**Location:** `C:\Users\neuro\AIH\aga-mcp-server`
|
|
6
|
+
**Patent:** USPTO Application No. 19/433,835
|
|
7
|
+
**NIST References:** NIST-2025-0035 (AI Agent Transparency), NCCoE AI Agent Identity and Authorization
|
|
8
|
+
**Date:** 2026-03-05
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 1. WHAT THIS IS
|
|
13
|
+
|
|
14
|
+
A reference implementation of the **Attested Governance Artifact (AGA)** protocol, built as an MCP (Model Context Protocol) server. The server acts as a cryptographic **Portal** — a zero-trust Policy Enforcement Point that sits between an AI agent and the systems it interacts with. Every operation is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
|
|
15
|
+
|
|
16
|
+
This codebase is:
|
|
17
|
+
- The working code behind two NIST public comments and a USPTO patent application
|
|
18
|
+
- A live MCP server any AI agent (Claude, GPT, etc.) can connect to via Claude Desktop or any MCP client
|
|
19
|
+
- Benchmarked at 3.7ms per measurement cycle (NIST target: <10ms)
|
|
20
|
+
- Fully tested with 63 tests across 11 test files
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## 2. CODEBASE METRICS
|
|
25
|
+
|
|
26
|
+
| Metric | Value |
|
|
27
|
+
|---|---|
|
|
28
|
+
| TypeScript source files | 35 |
|
|
29
|
+
| Test files | 11 |
|
|
30
|
+
| Total tests | 63 (all passing) |
|
|
31
|
+
| MCP tools | 16 |
|
|
32
|
+
| Git commits | 5 |
|
|
33
|
+
| Git tags | 4 (v0.1.0, v0.2.0, v0.3.0, v0.4.0) |
|
|
34
|
+
| Benchmark | 3.74ms per measure+receipt cycle |
|
|
35
|
+
| Build | Zero TypeScript errors |
|
|
36
|
+
| Dependencies | @noble/ed25519, @noble/hashes, @modelcontextprotocol/sdk, uuid, zod |
|
|
37
|
+
| Node requirement | >= 20.0.0 |
|
|
38
|
+
| Module system | ESM only |
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## 3. ARCHITECTURE
|
|
43
|
+
|
|
44
|
+
```
|
|
45
|
+
┌─────────────────────────────────────────────────────────┐
|
|
46
|
+
│ MCP CLIENT (Claude Desktop) │
|
|
47
|
+
└──────────────────────────┬──────────────────────────────┘
|
|
48
|
+
│ JSON-RPC over stdio
|
|
49
|
+
┌──────────────────────────▼──────────────────────────────┐
|
|
50
|
+
│ src/index.ts │
|
|
51
|
+
│ StdioServerTransport │
|
|
52
|
+
└──────────────────────────┬──────────────────────────────┘
|
|
53
|
+
│
|
|
54
|
+
┌──────────────────────────▼──────────────────────────────┐
|
|
55
|
+
│ src/server.ts │
|
|
56
|
+
│ McpServer + 16 Tool Handlers │
|
|
57
|
+
│ │
|
|
58
|
+
│ ┌─────────────────────────────────────────────────┐ │
|
|
59
|
+
│ │ src/middleware/governance.ts │ │
|
|
60
|
+
│ │ Governance Wrapper (zero-trust PEP) │ │
|
|
61
|
+
│ │ - Blocks governed tools when TERMINATED │ │
|
|
62
|
+
│ │ - Captures forensic inputs during QUARANTINE │ │
|
|
63
|
+
│ │ - Records behavioral invocations │ │
|
|
64
|
+
│ └─────────────────────────────────────────────────┘ │
|
|
65
|
+
└───┬──────────┬───────────┬──────────┬───────────────────┘
|
|
66
|
+
│ │ │ │
|
|
67
|
+
▼ ▼ ▼ ▼
|
|
68
|
+
src/core/ src/crypto/ src/storage/ src/utils/
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
### Directory Structure
|
|
72
|
+
|
|
73
|
+
```
|
|
74
|
+
aga-mcp-server/
|
|
75
|
+
├── src/
|
|
76
|
+
│ ├── crypto/ Cryptographic primitives
|
|
77
|
+
│ │ ├── types.ts Type aliases (PublicKey, SecretKey, HashHex, etc.)
|
|
78
|
+
│ │ ├── hash.ts SHA-256, BLAKE2b, sha256Cat, sha256HexCat
|
|
79
|
+
│ │ ├── sign.ts Ed25519 sign/verify via @noble/ed25519
|
|
80
|
+
│ │ ├── salt.ts 128-bit salts, salted commitments
|
|
81
|
+
│ │ ├── merkle.ts Merkle tree build, inclusion proofs
|
|
82
|
+
│ │ └── index.ts Barrel export
|
|
83
|
+
│ │
|
|
84
|
+
│ ├── core/ Protocol logic
|
|
85
|
+
│ │ ├── types.ts All interfaces (patent ref numerals annotated)
|
|
86
|
+
│ │ ├── subject.ts Subject identity (bytes hash + metadata hash)
|
|
87
|
+
│ │ ├── attestation.ts Sealed hash generation
|
|
88
|
+
│ │ ├── artifact.ts Policy artifact generation + signature
|
|
89
|
+
│ │ ├── receipt.ts Signed measurement receipts (every measurement)
|
|
90
|
+
│ │ ├── chain.ts Continuity chain (leaf hash excludes payload)
|
|
91
|
+
│ │ ├── portal.ts Portal state machine (6 states, fail-closed)
|
|
92
|
+
│ │ ├── quarantine.ts Phantom execution (capture inputs, sever outputs)
|
|
93
|
+
│ │ ├── checkpoint.ts Merkle checkpoints over chain events
|
|
94
|
+
│ │ ├── bundle.ts Offline-verifiable evidence bundles
|
|
95
|
+
│ │ ├── disclosure.ts Privacy-preserving claims + auto-substitution
|
|
96
|
+
│ │ ├── behavioral.ts Behavioral drift detection (tool patterns)
|
|
97
|
+
│ │ ├── delegation.ts Constrained sub-agent delegation
|
|
98
|
+
│ │ └── index.ts Barrel export
|
|
99
|
+
│ │
|
|
100
|
+
│ ├── middleware/ Governance enforcement layer
|
|
101
|
+
│ │ ├── governance.ts Zero-trust PEP wrapper for MCP tools
|
|
102
|
+
│ │ └── index.ts Barrel export
|
|
103
|
+
│ │
|
|
104
|
+
│ ├── storage/ Persistence layer
|
|
105
|
+
│ │ ├── interface.ts AGAStorage interface
|
|
106
|
+
│ │ ├── memory.ts In-memory implementation (active)
|
|
107
|
+
│ │ ├── sqlite.ts SQLite implementation (optional)
|
|
108
|
+
│ │ └── index.ts Barrel export
|
|
109
|
+
│ │
|
|
110
|
+
│ ├── utils/ Shared utilities
|
|
111
|
+
│ │ ├── constants.ts Protocol version constants
|
|
112
|
+
│ │ ├── canonical.ts Deterministic JSON serialization
|
|
113
|
+
│ │ ├── timestamp.ts Time utilities (TTL, expiry)
|
|
114
|
+
│ │ └── uuid.ts UUID v4 wrapper
|
|
115
|
+
│ │
|
|
116
|
+
│ ├── server.ts MCP server factory (16 tools)
|
|
117
|
+
│ └── index.ts Entry point (stdio transport)
|
|
118
|
+
│
|
|
119
|
+
├── tests/
|
|
120
|
+
│ ├── crypto/ 22 tests (hash, sign, salt, merkle)
|
|
121
|
+
│ ├── core/ 39 tests (artifact, chain, portal, governance,
|
|
122
|
+
│ │ behavioral, delegation)
|
|
123
|
+
│ └── integration/ 2 tests (full NCCoE lab scenario)
|
|
124
|
+
│
|
|
125
|
+
├── scripts/
|
|
126
|
+
│ ├── demo.ts Full lifecycle console demo
|
|
127
|
+
│ ├── benchmark.ts Performance benchmark (NIST <10ms)
|
|
128
|
+
│ └── generate-keypair.ts Ed25519 keypair generation
|
|
129
|
+
│
|
|
130
|
+
├── config/
|
|
131
|
+
│ ├── claude-desktop-config.json Template
|
|
132
|
+
│ └── claude-desktop-config-local.json Resolved absolute path
|
|
133
|
+
│
|
|
134
|
+
├── package.json
|
|
135
|
+
├── tsconfig.json
|
|
136
|
+
├── vitest.config.ts
|
|
137
|
+
├── LICENSE MIT — Attested Intelligence Holdings LLC
|
|
138
|
+
├── README.md
|
|
139
|
+
├── PATENT_MAPPING.md Claim-to-code mapping + NIST alignment
|
|
140
|
+
└── .npmignore
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
---
|
|
144
|
+
|
|
145
|
+
## 4. THE 16 MCP TOOLS
|
|
146
|
+
|
|
147
|
+
### Ungoverned (always available)
|
|
148
|
+
|
|
149
|
+
| # | Tool | Patent Ref | Description |
|
|
150
|
+
|---|---|---|---|
|
|
151
|
+
| 1 | `get_server_info` | — | Server version, public keys, portal state |
|
|
152
|
+
| 2 | `get_portal_state` | — | Current enforcement state, artifact info, TTL, quarantine status |
|
|
153
|
+
| 3 | `init_chain` | Claim 3a | Initialize continuity chain with genesis event |
|
|
154
|
+
| 4 | `attest_subject` | Claims 1a-1d | Hash content, attest, seal, generate signed artifact, load into portal. Accepts optional `behavioral_baseline` |
|
|
155
|
+
| 5 | `verify_chain` | Claim 3c | Verify chain integrity (leaf hashes, linkage, payload hashes) |
|
|
156
|
+
| 6 | `list_claims` | Claim 2 | List available claims with sensitivity levels |
|
|
157
|
+
| 7 | `measure_behavior` | NIST-2025-0035 | Measure behavioral patterns — unauthorized tools, rate violations, forbidden sequences |
|
|
158
|
+
| 8 | `get_receipts` | — | Get all signed receipts, filter by artifact |
|
|
159
|
+
| 9 | `get_chain_events` | — | Get continuity chain events, filter by sequence range |
|
|
160
|
+
|
|
161
|
+
### Governed (blocked when TERMINATED/QUARANTINED/UNATTESTED)
|
|
162
|
+
|
|
163
|
+
| # | Tool | Patent Ref | Description |
|
|
164
|
+
|---|---|---|---|
|
|
165
|
+
| 10 | `measure_integrity` | Claims 1e-1g | Measure content against sealed hash, enforce on drift, generate receipt |
|
|
166
|
+
| 11 | `revoke_artifact` | NCCoE 3b | Mid-session artifact revocation, pushes REVOCATION chain event |
|
|
167
|
+
| 12 | `create_checkpoint` | Claims 3d-3f | Build Merkle tree over chain events, produce checkpoint |
|
|
168
|
+
| 13 | `generate_evidence_bundle` | Claim 9 | Package artifact + receipts + Merkle proofs for offline verification |
|
|
169
|
+
| 14 | `verify_bundle_offline` | Section J | 4-step offline verification (artifact sig, receipt sigs, Merkle proofs, anchor) |
|
|
170
|
+
| 15 | `request_claim` | Claim 2 | Privacy-preserving disclosure with sensitivity-based auto-substitution |
|
|
171
|
+
| 16 | `delegate_to_subagent` | NCCoE | Derive constrained artifact for sub-agent (scope only diminishes) |
|
|
172
|
+
|
|
173
|
+
### Governance Behavior
|
|
174
|
+
|
|
175
|
+
When a governed tool is called:
|
|
176
|
+
|
|
177
|
+
| Portal State | Behavior |
|
|
178
|
+
|---|---|
|
|
179
|
+
| `INITIALIZATION` | Blocked — "Call attest_subject first" |
|
|
180
|
+
| `ARTIFACT_VERIFICATION` | Blocked — attestation in progress |
|
|
181
|
+
| `ACTIVE_MONITORING` | Allowed — invocation recorded for behavioral analysis |
|
|
182
|
+
| `DRIFT_DETECTED` | Allowed — enforcement may follow |
|
|
183
|
+
| `PHANTOM_QUARANTINE` | Blocked — tool call captured as forensic input, outputs severed |
|
|
184
|
+
| `TERMINATED` | Blocked — "Agent governance has been revoked" |
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## 5. CRYPTOGRAPHIC DESIGN
|
|
189
|
+
|
|
190
|
+
### 5.1 Key Algorithms
|
|
191
|
+
|
|
192
|
+
| Operation | Algorithm | Library |
|
|
193
|
+
|---|---|---|
|
|
194
|
+
| Hashing | SHA-256 | @noble/hashes |
|
|
195
|
+
| Signing | Ed25519 | @noble/ed25519 |
|
|
196
|
+
| Salts | 128-bit (16 bytes) CSPRNG | @noble/hashes/utils |
|
|
197
|
+
| Merkle trees | SHA-256 binary tree | Custom (src/crypto/merkle.ts) |
|
|
198
|
+
| Canonical serialization | Sorted-key JSON.stringify | Custom (src/utils/canonical.ts) |
|
|
199
|
+
|
|
200
|
+
### 5.2 Sealed Hash (Patent Core)
|
|
201
|
+
|
|
202
|
+
```
|
|
203
|
+
sealed_hash = SHA-256(bytes_hash || metadata_hash || policy_reference || seal_salt)
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
- No delimiters between fields — raw hex concatenation via `sha256HexCat()`
|
|
207
|
+
- `bytes_hash` = SHA-256 of subject content bytes
|
|
208
|
+
- `metadata_hash` = SHA-256 of canonicalized metadata JSON
|
|
209
|
+
- `seal_salt` = 128-bit random salt (32 hex chars), stored in artifact
|
|
210
|
+
|
|
211
|
+
### 5.3 Leaf Hash (Claim 3c — Privacy Innovation)
|
|
212
|
+
|
|
213
|
+
```
|
|
214
|
+
leaf_hash = SHA-256(
|
|
215
|
+
sequence_number || "||" ||
|
|
216
|
+
event_type || "||" ||
|
|
217
|
+
event_id || "||" ||
|
|
218
|
+
timestamp || "||" ||
|
|
219
|
+
prev_leaf_hash || "||" ||
|
|
220
|
+
payload_hash
|
|
221
|
+
)
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
**The actual payload is EXCLUDED from the leaf hash.** This is the key patent innovation (Claim 3c) — chain integrity can be verified without revealing the contents of any event. Only a hash of the payload is included, preserving privacy while maintaining tamper evidence.
|
|
225
|
+
|
|
226
|
+
### 5.4 Salted Commitments
|
|
227
|
+
|
|
228
|
+
Evidence items are committed via:
|
|
229
|
+
```
|
|
230
|
+
commitment = SHA-256(content_bytes || salt_bytes)
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
The salt allows selective disclosure: reveal the salt to prove the commitment, keep it secret to maintain privacy.
|
|
234
|
+
|
|
235
|
+
### 5.5 Artifact Signature
|
|
236
|
+
|
|
237
|
+
```
|
|
238
|
+
signature = Ed25519.sign(canonicalize(unsigned_artifact), issuer_secret_key)
|
|
239
|
+
```
|
|
240
|
+
|
|
241
|
+
Where `canonicalize()` = sorted-key JSON.stringify with no whitespace. The signature covers every field of the artifact except the signature itself.
|
|
242
|
+
|
|
243
|
+
### 5.6 Receipt Signature
|
|
244
|
+
|
|
245
|
+
```
|
|
246
|
+
signature = Ed25519.sign(canonicalize(unsigned_receipt), portal_secret_key)
|
|
247
|
+
```
|
|
248
|
+
|
|
249
|
+
V3 behavior: a signed receipt is generated for **every** measurement — match or mismatch. This fulfills the NIST filing promise: "each measurement generates a signed receipt."
|
|
250
|
+
|
|
251
|
+
### 5.7 Merkle Tree
|
|
252
|
+
|
|
253
|
+
- Binary tree over event leaf hashes
|
|
254
|
+
- Odd leaf count: last leaf is duplicated
|
|
255
|
+
- Internal nodes: `SHA-256(left || right)` (hex concatenation)
|
|
256
|
+
- Inclusion proofs: array of `{ hash, direction }` pairs
|
|
257
|
+
- Verification: reconstruct root from leaf + proof, compare to checkpoint root
|
|
258
|
+
|
|
259
|
+
---
|
|
260
|
+
|
|
261
|
+
## 6. PORTAL STATE MACHINE
|
|
262
|
+
|
|
263
|
+
```
|
|
264
|
+
loadArtifact()
|
|
265
|
+
INITIALIZATION ──────────────────► ARTIFACT_VERIFICATION
|
|
266
|
+
│
|
|
267
|
+
sig OK? ───┤
|
|
268
|
+
time OK? │
|
|
269
|
+
revoked? ───┤
|
|
270
|
+
│
|
|
271
|
+
┌──────▼──────┐
|
|
272
|
+
│ ACTIVE │◄──── ALERT_ONLY
|
|
273
|
+
│ MONITORING │ (resumes)
|
|
274
|
+
└──────┬──────┘
|
|
275
|
+
│
|
|
276
|
+
drift detected
|
|
277
|
+
│
|
|
278
|
+
┌──────▼──────┐
|
|
279
|
+
│ DRIFT │
|
|
280
|
+
│ DETECTED │
|
|
281
|
+
└──┬───┬───┬──┘
|
|
282
|
+
│ │ │
|
|
283
|
+
QUARANTINE│ │ │TERMINATE/SAFE_STATE
|
|
284
|
+
│ │ │
|
|
285
|
+
┌───────▼┐ │ ┌▼──────────┐
|
|
286
|
+
│PHANTOM │ │ │TERMINATED │
|
|
287
|
+
│QUARANT.│ │ │(fail-closed│
|
|
288
|
+
└───┬────┘ │ │no recovery)│
|
|
289
|
+
│ │ └────────────┘
|
|
290
|
+
│ │
|
|
291
|
+
▼ │
|
|
292
|
+
TERMINATED◄──┘
|
|
293
|
+
```
|
|
294
|
+
|
|
295
|
+
### Fail-Closed Semantics
|
|
296
|
+
|
|
297
|
+
On **every** call to `Portal.measure()`:
|
|
298
|
+
1. Check TTL — if expired → `TERMINATED` immediately
|
|
299
|
+
2. Check revocation — if revoked → `TERMINATED` immediately
|
|
300
|
+
3. Compare hashes — if mismatch → `DRIFT_DETECTED`
|
|
301
|
+
|
|
302
|
+
There is no recovery from `TERMINATED`. The agent must be re-attested.
|
|
303
|
+
|
|
304
|
+
---
|
|
305
|
+
|
|
306
|
+
## 7. BEHAVIORAL DRIFT DETECTION
|
|
307
|
+
|
|
308
|
+
Binary hashing detects file modification but NOT prompt injection — the binary is unchanged while behavior is compromised. The `BehavioralMonitor` tracks tool invocation patterns:
|
|
309
|
+
|
|
310
|
+
### Violation Types
|
|
311
|
+
|
|
312
|
+
| Type | Detection |
|
|
313
|
+
|---|---|
|
|
314
|
+
| `UNAUTHORIZED_TOOL` | Agent calls a tool not in the permitted list |
|
|
315
|
+
| `RATE_EXCEEDED` | Tool invoked more times than allowed in the measurement window |
|
|
316
|
+
| `FORBIDDEN_SEQUENCE` | Prohibited tool chain detected (e.g., `read_secret` → `send_email`) |
|
|
317
|
+
|
|
318
|
+
### Integration
|
|
319
|
+
|
|
320
|
+
- Every governed tool invocation is recorded by the governance middleware
|
|
321
|
+
- `measure_behavior` tool returns violations + behavioral hash (pattern fingerprint)
|
|
322
|
+
- Behavioral drift events are appended to the continuity chain
|
|
323
|
+
- Behavioral baseline can be sealed into the artifact via `attest_subject`
|
|
324
|
+
|
|
325
|
+
---
|
|
326
|
+
|
|
327
|
+
## 8. CONSTRAINED SUB-AGENT DELEGATION
|
|
328
|
+
|
|
329
|
+
NCCoE filing: "Scope can only diminish through delegation, never expand."
|
|
330
|
+
|
|
331
|
+
```
|
|
332
|
+
Primary Agent (TTL=3600s, triggers=[QUARANTINE, TERMINATE, SAFE_STATE])
|
|
333
|
+
│
|
|
334
|
+
├── delegate_to_subagent(TTL=1800, triggers=[QUARANTINE])
|
|
335
|
+
│ └── Child Artifact: TTL=1800, triggers=[QUARANTINE]
|
|
336
|
+
│ - TTL clamped to parent remaining
|
|
337
|
+
│ - Triggers ⊆ parent triggers
|
|
338
|
+
│ - Measurement types ⊆ parent types
|
|
339
|
+
│ - Disclosure policy inherited (cannot expand)
|
|
340
|
+
│
|
|
341
|
+
└── delegate_to_subagent(TTL=9999, triggers=[KEY_REVOKE])
|
|
342
|
+
└── REJECTED: Cannot expand scope
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
### Enforcement Rules
|
|
346
|
+
|
|
347
|
+
1. Child TTL = `min(requested_ttl, parent_remaining_ttl)`
|
|
348
|
+
2. Child enforcement triggers must be a subset of parent's
|
|
349
|
+
3. Child measurement types must be a subset of parent's
|
|
350
|
+
4. Child disclosure policy = parent's (inherited, cannot expand)
|
|
351
|
+
5. `DELEGATION` event appended to parent's continuity chain
|
|
352
|
+
6. `validateDelegation()` provides independent scope verification
|
|
353
|
+
|
|
354
|
+
---
|
|
355
|
+
|
|
356
|
+
## 9. CONTINUITY CHAIN
|
|
357
|
+
|
|
358
|
+
An append-only chain of `ContinuityEvent` objects:
|
|
359
|
+
|
|
360
|
+
### Event Types
|
|
361
|
+
|
|
362
|
+
| Type | When Created |
|
|
363
|
+
|---|---|
|
|
364
|
+
| `GENESIS` | Chain initialization (`init_chain` or auto-init) |
|
|
365
|
+
| `POLICY_ISSUANCE` | Artifact created (`attest_subject`) |
|
|
366
|
+
| `INTERACTION_RECEIPT` | Measurement taken (`measure_integrity`) or behavioral drift |
|
|
367
|
+
| `REVOCATION` | Artifact revoked (`revoke_artifact`) |
|
|
368
|
+
| `ATTESTATION` | Delegation event (`delegate_to_subagent`) |
|
|
369
|
+
| `ANCHOR_BATCH` | Checkpoint created (`create_checkpoint`) |
|
|
370
|
+
| `DISCLOSURE` | Claim disclosed (`request_claim`) |
|
|
371
|
+
| `SUBSTITUTION` | Auto-substitution triggered (`request_claim`) |
|
|
372
|
+
| `KEY_ROTATION` | Key rotation (reserved) |
|
|
373
|
+
|
|
374
|
+
### Chain Integrity Verification
|
|
375
|
+
|
|
376
|
+
`verifyChainIntegrity()` checks:
|
|
377
|
+
1. Genesis event at sequence 0
|
|
378
|
+
2. Each event's `leaf_hash` matches recomputed leaf hash
|
|
379
|
+
3. Each event's `prev_leaf_hash` matches previous event's `leaf_hash`
|
|
380
|
+
4. Each event's `payload_hash` matches recomputed payload hash
|
|
381
|
+
|
|
382
|
+
---
|
|
383
|
+
|
|
384
|
+
## 10. OFFLINE EVIDENCE BUNDLES
|
|
385
|
+
|
|
386
|
+
4-step offline verification (`verifyBundleOffline`):
|
|
387
|
+
|
|
388
|
+
| Step | What It Checks | Current Status |
|
|
389
|
+
|---|---|---|
|
|
390
|
+
| Step 1 | Artifact signature (Ed25519) | Implemented — PASS |
|
|
391
|
+
| Step 2 | Receipt signatures (Ed25519) | Implemented — PASS |
|
|
392
|
+
| Step 3 | Merkle inclusion proofs | Implemented — PASS |
|
|
393
|
+
| Step 4 | Anchor validation (blockchain) | Returns `SKIPPED_OFFLINE` — no chain integration yet |
|
|
394
|
+
|
|
395
|
+
---
|
|
396
|
+
|
|
397
|
+
## 11. PRIVACY-PRESERVING DISCLOSURE
|
|
398
|
+
|
|
399
|
+
Claims have sensitivity levels:
|
|
400
|
+
- **S1_LOW** — can be revealed fully
|
|
401
|
+
- **S2_MODERATE** — can be revealed minimally or proved
|
|
402
|
+
- **S3_HIGH** — proof only, auto-substitutes to lower-sensitivity claim
|
|
403
|
+
|
|
404
|
+
Example: requesting `identity.name` (S3_HIGH) with mode `REVEAL_FULL` triggers auto-substitution to `identity.pseudonym` (S2_MODERATE) or `identity.org` (S1_LOW).
|
|
405
|
+
|
|
406
|
+
Substitution receipts are appended to the continuity chain for audit.
|
|
407
|
+
|
|
408
|
+
---
|
|
409
|
+
|
|
410
|
+
## 12. STORAGE
|
|
411
|
+
|
|
412
|
+
### Interface (`AGAStorage`)
|
|
413
|
+
|
|
414
|
+
```typescript
|
|
415
|
+
interface AGAStorage {
|
|
416
|
+
initialize(): Promise<void>;
|
|
417
|
+
storeArtifact(a: PolicyArtifact): Promise<void>;
|
|
418
|
+
getLatestArtifact(): Promise<PolicyArtifact | null>;
|
|
419
|
+
storeEvent(e: ContinuityEvent): Promise<void>;
|
|
420
|
+
getLatestEvent(): Promise<ContinuityEvent | null>;
|
|
421
|
+
getAllEvents(): Promise<ContinuityEvent[]>;
|
|
422
|
+
getEvents(start: number, end: number): Promise<ContinuityEvent[]>;
|
|
423
|
+
storeReceipt(r: SignedReceipt): Promise<void>;
|
|
424
|
+
getReceiptsByArtifact(hash: string): Promise<SignedReceipt[]>;
|
|
425
|
+
getAllReceipts(): Promise<SignedReceipt[]>;
|
|
426
|
+
storeCheckpoint(c: CheckpointReference): Promise<void>;
|
|
427
|
+
getLatestCheckpoint(): Promise<CheckpointReference | null>;
|
|
428
|
+
}
|
|
429
|
+
```
|
|
430
|
+
|
|
431
|
+
### Implementations
|
|
432
|
+
|
|
433
|
+
| Implementation | Status | Notes |
|
|
434
|
+
|---|---|---|
|
|
435
|
+
| `MemoryStorage` | Active | In-memory Maps/arrays, sufficient for all use cases |
|
|
436
|
+
| `SQLiteStorage` | Optional | Requires `better-sqlite3` + VS Build Tools. WAL mode, 4 tables. Gracefully unavailable on current machine. |
|
|
437
|
+
|
|
438
|
+
---
|
|
439
|
+
|
|
440
|
+
## 13. TEST COVERAGE
|
|
441
|
+
|
|
442
|
+
| Test File | Tests | What It Covers |
|
|
443
|
+
|---|---|---|
|
|
444
|
+
| `crypto/hash.test.ts` | 5 | SHA-256 determinism, hex format, ordering, hexcat |
|
|
445
|
+
| `crypto/sign.test.ts` | 7 | Ed25519 keypair, sign/verify bytes+string, tamper/wrong-key rejection, base64+hex roundtrips |
|
|
446
|
+
| `crypto/salt.test.ts` | 4 | Salt format (32 hex), uniqueness, commitment verification |
|
|
447
|
+
| `crypto/merkle.test.ts` | 6 | Root format, single leaf, proof verification, tamper detection, odd count, empty rejection |
|
|
448
|
+
| `core/artifact.test.ts` | 4 | Signature verification, tamper rejection, seal_salt storage |
|
|
449
|
+
| `core/chain.test.ts` | 7 | Genesis sequence, increment, intact chain, tampered leaf/payload, **leaf excludes payload (Claim 3c)**, REVOCATION event |
|
|
450
|
+
| `core/portal.test.ts` | 10 | Load, bad key rejection, match, drift, QUARANTINE, TERMINATE, ALERT_ONLY, TTL expiry, revoke, revocation-on-measure |
|
|
451
|
+
| `core/governance.test.ts` | 5 | TERMINATED blocks, ungoverned always allowed, QUARANTINE captures forensic, pre-attestation blocks, ACTIVE allows |
|
|
452
|
+
| `core/behavioral.test.ts` | 5 | Compliant behavior, unauthorized tool, rate exceeded, forbidden sequence, behavioral hash uniqueness |
|
|
453
|
+
| `core/delegation.test.ts` | 8 | Reduced scope, TTL clamping, scope expansion rejection (triggers + types), child signature valid, validateDelegation pass/fail, scope reduction tracking |
|
|
454
|
+
| `integration/nccoe-lab-demo.test.ts` | 2 | Full NCCoE lab scenario: attestation → clean measurements → drift → quarantine → revocation → chain verification → checkpoint → evidence bundle → offline verification |
|
|
455
|
+
| **Total** | **63** | |
|
|
456
|
+
|
|
457
|
+
---
|
|
458
|
+
|
|
459
|
+
## 14. PATENT CLAIM MAPPING
|
|
460
|
+
|
|
461
|
+
| Claim | Implementation | Source File | Function/Class |
|
|
462
|
+
|---|---|---|---|
|
|
463
|
+
| 1(a) receive subject | `attest_subject` | core/subject.ts | `computeSubjectIdFromString()` |
|
|
464
|
+
| 1(b) generate identifier | `attest_subject` | core/subject.ts | `computeSubjectId()` |
|
|
465
|
+
| 1(c) perform attestation | `attest_subject` | core/attestation.ts | `performAttestation()` |
|
|
466
|
+
| 1(d) generate artifact | `attest_subject` | core/artifact.ts | `generateArtifact()` |
|
|
467
|
+
| 1(e) portal + measurement | `measure_integrity` | core/portal.ts | `Portal.measure()` |
|
|
468
|
+
| 1(f) compare to sealed | `measure_integrity` | core/portal.ts | `Portal.measure()` |
|
|
469
|
+
| 1(g) enforce + receipt | `measure_integrity` | core/receipt.ts | `generateReceipt()` |
|
|
470
|
+
| 2 disclosure | `request_claim` | core/disclosure.ts | `processDisclosure()` |
|
|
471
|
+
| 3(a) genesis | `init_chain` | core/chain.ts | `createGenesisEvent()` |
|
|
472
|
+
| 3(b) append events | auto (every tool) | core/chain.ts | `appendEvent()` |
|
|
473
|
+
| 3(c) leaf hash (no payload) | `verify_chain` | core/chain.ts | `computeLeafHash()` |
|
|
474
|
+
| 3(d-f) checkpoint | `create_checkpoint` | core/checkpoint.ts | `createCheckpoint()` |
|
|
475
|
+
| 5 quarantine | `measure_integrity` | core/quarantine.ts | `initQuarantine()` |
|
|
476
|
+
| 6 TTL expiration | `measure_integrity` | core/portal.ts | `Portal.measure()` |
|
|
477
|
+
| 9 evidence bundle | `generate_evidence_bundle` | core/bundle.ts | `generateBundle()` |
|
|
478
|
+
| 10 pinned key | portal load | core/portal.ts | `Portal.loadArtifact()` |
|
|
479
|
+
| 11 phantom execution | `measure_integrity` | core/quarantine.ts | `captureInput()` |
|
|
480
|
+
| 12 graceful degradation | `measure_integrity` | core/portal.ts | TTL + fail-closed |
|
|
481
|
+
|
|
482
|
+
### NIST Filing Alignment
|
|
483
|
+
|
|
484
|
+
| NIST Promise | Implementation | Status |
|
|
485
|
+
|---|---|---|
|
|
486
|
+
| "each measurement generates a signed receipt" | `measure_integrity` generates receipt for match AND mismatch | DONE |
|
|
487
|
+
| "fail-closed semantics" | Portal checks TTL + revocation on every measurement | DONE |
|
|
488
|
+
| "mid-session revocation" (NCCoE 3b) | `revoke_artifact` tool + REVOCATION chain event | DONE |
|
|
489
|
+
| "phantom execution" | `QUARANTINE` enforcement → forensic capture buffer | DONE |
|
|
490
|
+
| "offline verification" | `generate_evidence_bundle` + `verify_bundle_offline` | DONE |
|
|
491
|
+
| "graduated enforcement" | TERMINATE / QUARANTINE / SAFE_STATE / ALERT_ONLY | DONE |
|
|
492
|
+
| "portal intercepts MCP tool invocations" | Governance middleware wraps all governed tools | DONE |
|
|
493
|
+
| "semantic drift without binary modification" | BehavioralMonitor tracks tool patterns | DONE |
|
|
494
|
+
| "constrained sub-mandates" | `delegate_to_subagent` + scope-only-diminishes | DONE |
|
|
495
|
+
| "sub-10ms per tool invocation" | 3.74ms per measure+receipt cycle | DONE |
|
|
496
|
+
|
|
497
|
+
---
|
|
498
|
+
|
|
499
|
+
## 15. VERSION HISTORY
|
|
500
|
+
|
|
501
|
+
| Tag | Commit | What Changed |
|
|
502
|
+
|---|---|---|
|
|
503
|
+
| `v0.1.0` | `62394ed` | Initial reference implementation — 45 files, 45 tests, all patent claims |
|
|
504
|
+
| (v0.1.1) | `1093631` | Hardening — .npmignore, LICENSE, keypair gen, benchmark, Claude Desktop config |
|
|
505
|
+
| `v0.2.0` | `897b2f7` | Governance middleware — portal as zero-trust PEP. 50 tests |
|
|
506
|
+
| `v0.3.0` | `bc48a28` | Behavioral drift detection — tool pattern monitoring. 55 tests |
|
|
507
|
+
| `v0.4.0` | `8f77321` | Constrained sub-agent delegation — scope only diminishes. 63 tests |
|
|
508
|
+
|
|
509
|
+
---
|
|
510
|
+
|
|
511
|
+
## 16. WHAT HAS BEEN ESTABLISHED
|
|
512
|
+
|
|
513
|
+
### Infrastructure
|
|
514
|
+
- [x] Git repository initialized with clean commit history
|
|
515
|
+
- [x] GitHub public repo at `attestedintelligence/aga-mcp-server`
|
|
516
|
+
- [x] 4 version tags pushed (v0.1.0 through v0.4.0)
|
|
517
|
+
- [x] Claude Desktop config generated with absolute path
|
|
518
|
+
- [x] MIT License (Attested Intelligence Holdings LLC)
|
|
519
|
+
- [x] .npmignore for clean npm packaging
|
|
520
|
+
|
|
521
|
+
### Protocol Implementation
|
|
522
|
+
- [x] Complete Ed25519 + SHA-256 cryptographic layer
|
|
523
|
+
- [x] Sealed hash generation with salted commitments
|
|
524
|
+
- [x] Policy artifact generation with issuer signature
|
|
525
|
+
- [x] Portal state machine with fail-closed semantics
|
|
526
|
+
- [x] Continuity chain with privacy-preserving leaf hashes (Claim 3c)
|
|
527
|
+
- [x] Merkle checkpoint anchoring
|
|
528
|
+
- [x] Offline-verifiable evidence bundles (4-step)
|
|
529
|
+
- [x] Privacy-preserving disclosure with auto-substitution
|
|
530
|
+
- [x] Phantom execution / quarantine with forensic capture
|
|
531
|
+
- [x] Mid-session revocation (NCCoE Phase 3b)
|
|
532
|
+
- [x] Receipt generation for every measurement (match or mismatch)
|
|
533
|
+
|
|
534
|
+
### v0.2.0+ Features
|
|
535
|
+
- [x] Governance middleware — portal as true zero-trust PEP
|
|
536
|
+
- [x] Behavioral drift detection — unauthorized tools, rate limits, forbidden sequences
|
|
537
|
+
- [x] Constrained sub-agent delegation — scope only diminishes through delegation
|
|
538
|
+
|
|
539
|
+
### Verification
|
|
540
|
+
- [x] 63 tests all passing
|
|
541
|
+
- [x] NCCoE lab demo scenario verified end-to-end
|
|
542
|
+
- [x] Benchmark: 3.74ms per cycle (NIST target <10ms)
|
|
543
|
+
- [x] TypeScript strict mode, zero build errors
|
|
544
|
+
|
|
545
|
+
---
|
|
546
|
+
|
|
547
|
+
## 17. WHAT'S NEXT
|
|
548
|
+
|
|
549
|
+
### Immediate (Requires User Action)
|
|
550
|
+
|
|
551
|
+
| Item | Action | Why |
|
|
552
|
+
|---|---|---|
|
|
553
|
+
| **npm publish** | Run `npm login` then `npm publish --access public` in terminal | Creates immutable npm registry timestamp for patent prosecution. Requires interactive 2FA. |
|
|
554
|
+
| **Claude Desktop smoke test** | Copy `config/claude-desktop-config-local.json` to `%APPDATA%\Claude\claude_desktop_config.json`, restart Claude Desktop, run test sequence | Proves the MCP server works as a live tool for AI agents |
|
|
555
|
+
|
|
556
|
+
### Near-Term Development
|
|
557
|
+
|
|
558
|
+
| Priority | Feature | NIST/Patent Ref | Description |
|
|
559
|
+
|---|---|---|---|
|
|
560
|
+
| HIGH | Arweave Anchoring | Patent Section I | Replace `SKIPPED_OFFLINE` stub with real blockchain anchoring. POST Merkle root to Arweave, store transaction IDs, enable Step 4 of offline verification. |
|
|
561
|
+
| HIGH | SPIFFE/SPIRE Integration | NCCoE filing | SPIRE handles workload-to-node identity (SVID), AGA handles workload-to-intent governance. Integration point: SVID provides transport identity, AGA binds governance. |
|
|
562
|
+
| MEDIUM | Multi-Agent Chain Linking | NCCoE filing | Child agent's genesis event links to parent's chain. Cross-chain verification for delegation audit trails. |
|
|
563
|
+
| MEDIUM | Persistent Storage | — | Install VS Build Tools, enable SQLiteStorage for durable state across server restarts. |
|
|
564
|
+
| LOW | WebSocket Transport | — | Add HTTP/SSE/WebSocket transport in addition to stdio for remote MCP clients. |
|
|
565
|
+
| LOW | CI/CD Pipeline | — | GitHub Actions for automated test + build + publish on tag push. |
|
|
566
|
+
|
|
567
|
+
### Architecture Evolution
|
|
568
|
+
|
|
569
|
+
```
|
|
570
|
+
Current (v0.4.0):
|
|
571
|
+
Single MCP server ← single agent
|
|
572
|
+
|
|
573
|
+
Next (v0.5.0+):
|
|
574
|
+
Primary MCP server ← primary agent
|
|
575
|
+
├── Derived portal ← sub-agent A (constrained)
|
|
576
|
+
├── Derived portal ← sub-agent B (constrained)
|
|
577
|
+
└── Arweave anchor ← immutable timestamp proof
|
|
578
|
+
|
|
579
|
+
Future (v1.0.0):
|
|
580
|
+
Federation of portals with cross-chain verification
|
|
581
|
+
SPIFFE/SPIRE transport identity binding
|
|
582
|
+
Real-time behavioral anomaly scoring
|
|
583
|
+
Hardware attestation integration (TPM/SGX)
|
|
584
|
+
```
|
|
585
|
+
|
|
586
|
+
---
|
|
587
|
+
|
|
588
|
+
## 18. HOW TO RUN
|
|
589
|
+
|
|
590
|
+
### Build + Test + Demo
|
|
591
|
+
```bash
|
|
592
|
+
cd C:\Users\neuro\AIH\aga-mcp-server
|
|
593
|
+
npm run build # TypeScript compilation
|
|
594
|
+
npm test # 63 tests
|
|
595
|
+
npm run demo # Full NCCoE lab scenario output
|
|
596
|
+
npm run benchmark # Performance benchmark
|
|
597
|
+
```
|
|
598
|
+
|
|
599
|
+
### Connect to Claude Desktop
|
|
600
|
+
1. Build: `npm run build`
|
|
601
|
+
2. Copy config:
|
|
602
|
+
- From: `config/claude-desktop-config-local.json`
|
|
603
|
+
- To: `%APPDATA%\Claude\claude_desktop_config.json`
|
|
604
|
+
3. Restart Claude Desktop
|
|
605
|
+
4. Test: "Use the AGA server. Call get_server_info."
|
|
606
|
+
|
|
607
|
+
### Generate Keypair
|
|
608
|
+
```bash
|
|
609
|
+
npx tsx scripts/generate-keypair.ts
|
|
610
|
+
```
|
|
611
|
+
|
|
612
|
+
---
|
|
613
|
+
|
|
614
|
+
## 19. KEY DESIGN DECISIONS
|
|
615
|
+
|
|
616
|
+
| Decision | Rationale |
|
|
617
|
+
|---|---|
|
|
618
|
+
| SHA-256 over BLAKE2b for primary hashing | Broader hardware support, NIST standard, sufficient for this use case |
|
|
619
|
+
| Leaf hash excludes payload | Patent innovation (Claim 3c) — enables chain verification without revealing event contents |
|
|
620
|
+
| Receipt for every measurement | NIST filing promise — creates complete audit trail regardless of outcome |
|
|
621
|
+
| Fail-closed on TTL/revocation | Security principle — expired or revoked artifacts must never be honored |
|
|
622
|
+
| ESM only, no require() | Forward-compatible, matches @noble library requirements |
|
|
623
|
+
| Server.ts monolith for tools | Simpler for reference implementation; refactor path documented in src/tools/README.md |
|
|
624
|
+
| MemoryStorage as default | Sufficient for MCP server lifecycle (state is session-scoped); SQLite available when build tools are installed |
|
|
625
|
+
| Governance middleware as wrapper | Non-invasive — existing tool handlers unchanged, enforcement added as a layer |
|
|
626
|
+
| Behavioral monitor in middleware | Natural interception point — every governed tool call passes through anyway |
|
|
627
|
+
| Scope-only-diminishes delegation | NCCoE filing requirement — prevents privilege escalation through delegation chains |
|
|
628
|
+
|
|
629
|
+
---
|
|
630
|
+
|
|
631
|
+
*This document reflects the state of the codebase as of v0.4.0 (commit 8f77321), 2026-03-05.*
|
|
632
|
+
*Generated for Attested Intelligence Holdings LLC — patent prosecution and NIST filing reference.*
|
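--- a/package/LICENSE
+++ b/package/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Attested Intelligence Holdings LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.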