@attested-intelligence/aga-mcp-server 0.1.1 → 2.0.0

Files changed (194) hide show
  1. package/PATENTS.md +28 -0
  2. package/README.md +84 -23
  3. package/dist/context.d.ts +39 -0
  4. package/dist/context.d.ts.map +1 -0
  5. package/dist/context.js +113 -0
  6. package/dist/context.js.map +1 -0
  7. package/dist/core/identity.d.ts +14 -0
  8. package/dist/core/identity.d.ts.map +1 -0
  9. package/dist/core/identity.js +16 -0
  10. package/dist/core/identity.js.map +1 -0
  11. package/dist/core/index.d.ts +3 -0
  12. package/dist/core/index.d.ts.map +1 -1
  13. package/dist/core/index.js +3 -0
  14. package/dist/core/index.js.map +1 -1
  15. package/dist/core/measurement.d.ts +16 -0
  16. package/dist/core/measurement.d.ts.map +1 -0
  17. package/dist/core/measurement.js +18 -0
  18. package/dist/core/measurement.js.map +1 -0
  19. package/dist/core/portal.d.ts +1 -1
  20. package/dist/core/portal.d.ts.map +1 -1
  21. package/dist/core/portal.js +10 -5
  22. package/dist/core/portal.js.map +1 -1
  23. package/dist/core/types.d.ts +2 -2
  24. package/dist/core/types.d.ts.map +1 -1
  25. package/dist/crypto/canonicalize.d.ts +7 -0
  26. package/dist/crypto/canonicalize.d.ts.map +1 -0
  27. package/dist/crypto/canonicalize.js +21 -0
  28. package/dist/crypto/canonicalize.js.map +1 -0
  29. package/dist/crypto/index.d.ts +6 -5
  30. package/dist/crypto/index.d.ts.map +1 -1
  31. package/dist/crypto/index.js +6 -5
  32. package/dist/crypto/index.js.map +1 -1
  33. package/dist/crypto/keys.d.ts +10 -0
  34. package/dist/crypto/keys.d.ts.map +1 -0
  35. package/dist/crypto/keys.js +19 -0
  36. package/dist/crypto/keys.js.map +1 -0
  37. package/dist/index.js +1 -1
  38. package/dist/index.js.map +1 -1
  39. package/dist/middleware/governance.d.ts +1 -7
  40. package/dist/middleware/governance.d.ts.map +1 -1
  41. package/dist/middleware/governance.js +11 -18
  42. package/dist/middleware/governance.js.map +1 -1
  43. package/dist/prompts/drift-analysis.d.ts +13 -0
  44. package/dist/prompts/drift-analysis.d.ts.map +1 -0
  45. package/dist/prompts/drift-analysis.js +43 -0
  46. package/dist/prompts/drift-analysis.js.map +1 -0
  47. package/dist/prompts/governance-report.d.ts +7 -0
  48. package/dist/prompts/governance-report.d.ts.map +1 -0
  49. package/dist/prompts/governance-report.js +26 -0
  50. package/dist/prompts/governance-report.js.map +1 -0
  51. package/dist/prompts/nccoe-demo.d.ts +14 -0
  52. package/dist/prompts/nccoe-demo.d.ts.map +1 -0
  53. package/dist/prompts/nccoe-demo.js +48 -0
  54. package/dist/prompts/nccoe-demo.js.map +1 -0
  55. package/dist/resources/crypto-primitives.d.ts +3 -0
  56. package/dist/resources/crypto-primitives.d.ts.map +1 -0
  57. package/dist/resources/crypto-primitives.js +52 -0
  58. package/dist/resources/crypto-primitives.js.map +1 -0
  59. package/dist/resources/patent-claims.d.ts +3 -0
  60. package/dist/resources/patent-claims.d.ts.map +1 -0
  61. package/dist/resources/patent-claims.js +67 -0
  62. package/dist/resources/patent-claims.js.map +1 -0
  63. package/dist/resources/sample-bundle.d.ts +6 -0
  64. package/dist/resources/sample-bundle.d.ts.map +1 -0
  65. package/dist/resources/sample-bundle.js +58 -0
  66. package/dist/resources/sample-bundle.js.map +1 -0
  67. package/dist/resources/specification.d.ts +3 -0
  68. package/dist/resources/specification.d.ts.map +1 -0
  69. package/dist/resources/specification.js +107 -0
  70. package/dist/resources/specification.js.map +1 -0
  71. package/dist/server.d.ts +4 -7
  72. package/dist/server.d.ts.map +1 -1
  73. package/dist/server.js +217 -343
  74. package/dist/server.js.map +1 -1
  75. package/dist/storage/sqlite.js +1 -1
  76. package/dist/tools/create-artifact.d.ts +25 -0
  77. package/dist/tools/create-artifact.d.ts.map +1 -0
  78. package/dist/tools/create-artifact.js +85 -0
  79. package/dist/tools/create-artifact.js.map +1 -0
  80. package/dist/tools/delegate-subagent.d.ts +18 -0
  81. package/dist/tools/delegate-subagent.d.ts.map +1 -0
  82. package/dist/tools/delegate-subagent.js +50 -0
  83. package/dist/tools/delegate-subagent.js.map +1 -0
  84. package/dist/tools/disclose-claim.d.ts +14 -0
  85. package/dist/tools/disclose-claim.d.ts.map +1 -0
  86. package/dist/tools/disclose-claim.js +23 -0
  87. package/dist/tools/disclose-claim.js.map +1 -0
  88. package/dist/tools/export-bundle.d.ts +8 -0
  89. package/dist/tools/export-bundle.d.ts.map +1 -0
  90. package/dist/tools/export-bundle.js +25 -0
  91. package/dist/tools/export-bundle.js.map +1 -0
  92. package/dist/tools/full-lifecycle.d.ts +16 -0
  93. package/dist/tools/full-lifecycle.d.ts.map +1 -0
  94. package/dist/tools/full-lifecycle.js +121 -0
  95. package/dist/tools/full-lifecycle.js.map +1 -0
  96. package/dist/tools/generate-receipt.d.ts +16 -0
  97. package/dist/tools/generate-receipt.d.ts.map +1 -0
  98. package/dist/tools/generate-receipt.js +31 -0
  99. package/dist/tools/generate-receipt.js.map +1 -0
  100. package/dist/tools/get-chain.d.ts +14 -0
  101. package/dist/tools/get-chain.d.ts.map +1 -0
  102. package/dist/tools/get-chain.js +45 -0
  103. package/dist/tools/get-chain.js.map +1 -0
  104. package/dist/tools/get-portal-state.d.ts +8 -0
  105. package/dist/tools/get-portal-state.d.ts.map +1 -0
  106. package/dist/tools/get-portal-state.js +15 -0
  107. package/dist/tools/get-portal-state.js.map +1 -0
  108. package/dist/tools/init-chain.d.ts +10 -0
  109. package/dist/tools/init-chain.d.ts.map +1 -0
  110. package/dist/tools/init-chain.js +13 -0
  111. package/dist/tools/init-chain.js.map +1 -0
  112. package/dist/tools/measure-behavior.d.ts +12 -0
  113. package/dist/tools/measure-behavior.d.ts.map +1 -0
  114. package/dist/tools/measure-behavior.js +29 -0
  115. package/dist/tools/measure-behavior.js.map +1 -0
  116. package/dist/tools/measure-subject.d.ts +15 -0
  117. package/dist/tools/measure-subject.d.ts.map +1 -0
  118. package/dist/tools/measure-subject.js +106 -0
  119. package/dist/tools/measure-subject.js.map +1 -0
  120. package/dist/tools/quarantine-status.d.ts +8 -0
  121. package/dist/tools/quarantine-status.d.ts.map +1 -0
  122. package/dist/tools/quarantine-status.js +16 -0
  123. package/dist/tools/quarantine-status.js.map +1 -0
  124. package/dist/tools/revoke-artifact.d.ts +13 -0
  125. package/dist/tools/revoke-artifact.d.ts.map +1 -0
  126. package/dist/tools/revoke-artifact.js +24 -0
  127. package/dist/tools/revoke-artifact.js.map +1 -0
  128. package/dist/tools/rotate-keys.d.ts +13 -0
  129. package/dist/tools/rotate-keys.d.ts.map +1 -0
  130. package/dist/tools/rotate-keys.js +39 -0
  131. package/dist/tools/rotate-keys.js.map +1 -0
  132. package/dist/tools/server-info.d.ts +8 -0
  133. package/dist/tools/server-info.d.ts.map +1 -0
  134. package/dist/tools/server-info.js +24 -0
  135. package/dist/tools/server-info.js.map +1 -0
  136. package/dist/tools/set-verification-tier.d.ts +11 -0
  137. package/dist/tools/set-verification-tier.d.ts.map +1 -0
  138. package/dist/tools/set-verification-tier.js +31 -0
  139. package/dist/tools/set-verification-tier.js.map +1 -0
  140. package/dist/tools/start-monitoring.d.ts +12 -0
  141. package/dist/tools/start-monitoring.d.ts.map +1 -0
  142. package/dist/tools/start-monitoring.js +17 -0
  143. package/dist/tools/start-monitoring.js.map +1 -0
  144. package/dist/tools/trigger-measurement.d.ts +15 -0
  145. package/dist/tools/trigger-measurement.d.ts.map +1 -0
  146. package/dist/tools/trigger-measurement.js +86 -0
  147. package/dist/tools/trigger-measurement.js.map +1 -0
  148. package/dist/tools/verify-artifact.d.ts +13 -0
  149. package/dist/tools/verify-artifact.d.ts.map +1 -0
  150. package/dist/tools/verify-artifact.js +6 -0
  151. package/dist/tools/verify-artifact.js.map +1 -0
  152. package/dist/tools/verify-bundle.d.ts +13 -0
  153. package/dist/tools/verify-bundle.d.ts.map +1 -0
  154. package/dist/tools/verify-bundle.js +6 -0
  155. package/dist/tools/verify-bundle.js.map +1 -0
  156. package/dist/types.d.ts +262 -0
  157. package/dist/types.d.ts.map +1 -0
  158. package/dist/types.js +9 -0
  159. package/dist/types.js.map +1 -0
  160. package/package.json +19 -3
  161. package/AGA_MCP_SERVER_SPEC.md +0 -632
  162. package/src/core/artifact.ts +0 -45
  163. package/src/core/attestation.ts +0 -33
  164. package/src/core/behavioral.ts +0 -132
  165. package/src/core/bundle.ts +0 -31
  166. package/src/core/chain.ts +0 -72
  167. package/src/core/checkpoint.ts +0 -22
  168. package/src/core/delegation.ts +0 -146
  169. package/src/core/disclosure.ts +0 -32
  170. package/src/core/index.ts +0 -11
  171. package/src/core/portal.ts +0 -96
  172. package/src/core/quarantine.ts +0 -16
  173. package/src/core/receipt.ts +0 -33
  174. package/src/core/subject.ts +0 -11
  175. package/src/core/types.ts +0 -244
  176. package/src/crypto/hash.ts +0 -33
  177. package/src/crypto/index.ts +0 -5
  178. package/src/crypto/merkle.ts +0 -43
  179. package/src/crypto/salt.ts +0 -18
  180. package/src/crypto/sign.ts +0 -35
  181. package/src/crypto/types.ts +0 -19
  182. package/src/index.ts +0 -12
  183. package/src/middleware/governance.ts +0 -95
  184. package/src/middleware/index.ts +0 -1
  185. package/src/server.ts +0 -436
  186. package/src/storage/index.ts +0 -3
  187. package/src/storage/interface.ts +0 -21
  188. package/src/storage/memory.ts +0 -27
  189. package/src/storage/sqlite.ts +0 -45
  190. package/src/tools/README.md +0 -13
  191. package/src/utils/canonical.ts +0 -14
  192. package/src/utils/constants.ts +0 -3
  193. package/src/utils/timestamp.ts +0 -12
  194. package/src/utils/uuid.ts +0 -2
@@ -1,632 +0,0 @@
1
- # AGA MCP Server — Complete Implementation Specification
2
-
3
- **Package:** `@attested-intelligence/aga-mcp-server@0.1.0`
4
- **Repository:** https://github.com/attestedintelligence/aga-mcp-server
5
- **Location:** `C:\Users\neuro\AIH\aga-mcp-server`
6
- **Patent:** USPTO Application No. 19/433,835
7
- **NIST References:** NIST-2025-0035 (AI Agent Transparency), NCCoE AI Agent Identity and Authorization
8
- **Date:** 2026-03-05
9
-
10
- ---
11
-
12
- ## 1. WHAT THIS IS
13
-
14
- A reference implementation of the **Attested Governance Artifact (AGA)** protocol, built as an MCP (Model Context Protocol) server. The server acts as a cryptographic **Portal** — a zero-trust Policy Enforcement Point that sits between an AI agent and the systems it interacts with. Every operation is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
15
-
16
- This codebase is:
17
- - The working code behind two NIST public comments and a USPTO patent application
18
- - A live MCP server any AI agent (Claude, GPT, etc.) can connect to via Claude Desktop or any MCP client
19
- - Benchmarked at 3.7ms per measurement cycle (NIST target: <10ms)
20
- - Fully tested with 63 tests across 11 test files
21
-
22
- ---
23
-
24
- ## 2. CODEBASE METRICS
25
-
26
- | Metric | Value |
27
- |---|---|
28
- | TypeScript source files | 35 |
29
- | Test files | 11 |
30
- | Total tests | 63 (all passing) |
31
- | MCP tools | 16 |
32
- | Git commits | 5 |
33
- | Git tags | 4 (v0.1.0, v0.2.0, v0.3.0, v0.4.0) |
34
- | Benchmark | 3.74ms per measure+receipt cycle |
35
- | Build | Zero TypeScript errors |
36
- | Dependencies | @noble/ed25519, @noble/hashes, @modelcontextprotocol/sdk, uuid, zod |
37
- | Node requirement | >= 20.0.0 |
38
- | Module system | ESM only |
39
-
40
- ---
41
-
42
- ## 3. ARCHITECTURE
43
-
44
- ```
45
- ┌─────────────────────────────────────────────────────────┐
46
- │ MCP CLIENT (Claude Desktop) │
47
- └──────────────────────────┬──────────────────────────────┘
48
- │ JSON-RPC over stdio
49
- ┌──────────────────────────▼──────────────────────────────┐
50
- │ src/index.ts │
51
- │ StdioServerTransport │
52
- └──────────────────────────┬──────────────────────────────┘
53
-
54
- ┌──────────────────────────▼──────────────────────────────┐
55
- │ src/server.ts │
56
- │ McpServer + 16 Tool Handlers │
57
- │ │
58
- │ ┌─────────────────────────────────────────────────┐ │
59
- │ │ src/middleware/governance.ts │ │
60
- │ │ Governance Wrapper (zero-trust PEP) │ │
61
- │ │ - Blocks governed tools when TERMINATED │ │
62
- │ │ - Captures forensic inputs during QUARANTINE │ │
63
- │ │ - Records behavioral invocations │ │
64
- │ └─────────────────────────────────────────────────┘ │
65
- └───┬──────────┬───────────┬──────────┬───────────────────┘
66
- │ │ │ │
67
- ▼ ▼ ▼ ▼
68
- src/core/ src/crypto/ src/storage/ src/utils/
69
- ```
70
-
71
- ### Directory Structure
72
-
73
- ```
74
- aga-mcp-server/
75
- ├── src/
76
- │ ├── crypto/ Cryptographic primitives
77
- │ │ ├── types.ts Type aliases (PublicKey, SecretKey, HashHex, etc.)
78
- │ │ ├── hash.ts SHA-256, BLAKE2b, sha256Cat, sha256HexCat
79
- │ │ ├── sign.ts Ed25519 sign/verify via @noble/ed25519
80
- │ │ ├── salt.ts 128-bit salts, salted commitments
81
- │ │ ├── merkle.ts Merkle tree build, inclusion proofs
82
- │ │ └── index.ts Barrel export
83
- │ │
84
- │ ├── core/ Protocol logic
85
- │ │ ├── types.ts All interfaces (patent ref numerals annotated)
86
- │ │ ├── subject.ts Subject identity (bytes hash + metadata hash)
87
- │ │ ├── attestation.ts Sealed hash generation
88
- │ │ ├── artifact.ts Policy artifact generation + signature
89
- │ │ ├── receipt.ts Signed measurement receipts (every measurement)
90
- │ │ ├── chain.ts Continuity chain (leaf hash excludes payload)
91
- │ │ ├── portal.ts Portal state machine (6 states, fail-closed)
92
- │ │ ├── quarantine.ts Phantom execution (capture inputs, sever outputs)
93
- │ │ ├── checkpoint.ts Merkle checkpoints over chain events
94
- │ │ ├── bundle.ts Offline-verifiable evidence bundles
95
- │ │ ├── disclosure.ts Privacy-preserving claims + auto-substitution
96
- │ │ ├── behavioral.ts Behavioral drift detection (tool patterns)
97
- │ │ ├── delegation.ts Constrained sub-agent delegation
98
- │ │ └── index.ts Barrel export
99
- │ │
100
- │ ├── middleware/ Governance enforcement layer
101
- │ │ ├── governance.ts Zero-trust PEP wrapper for MCP tools
102
- │ │ └── index.ts Barrel export
103
- │ │
104
- │ ├── storage/ Persistence layer
105
- │ │ ├── interface.ts AGAStorage interface
106
- │ │ ├── memory.ts In-memory implementation (active)
107
- │ │ ├── sqlite.ts SQLite implementation (optional)
108
- │ │ └── index.ts Barrel export
109
- │ │
110
- │ ├── utils/ Shared utilities
111
- │ │ ├── constants.ts Protocol version constants
112
- │ │ ├── canonical.ts Deterministic JSON serialization
113
- │ │ ├── timestamp.ts Time utilities (TTL, expiry)
114
- │ │ └── uuid.ts UUID v4 wrapper
115
- │ │
116
- │ ├── server.ts MCP server factory (16 tools)
117
- │ └── index.ts Entry point (stdio transport)
118
-
119
- ├── tests/
120
- │ ├── crypto/ 22 tests (hash, sign, salt, merkle)
121
- │ ├── core/ 39 tests (artifact, chain, portal, governance,
122
- │ │ behavioral, delegation)
123
- │ └── integration/ 2 tests (full NCCoE lab scenario)
124
-
125
- ├── scripts/
126
- │ ├── demo.ts Full lifecycle console demo
127
- │ ├── benchmark.ts Performance benchmark (NIST <10ms)
128
- │ └── generate-keypair.ts Ed25519 keypair generation
129
-
130
- ├── config/
131
- │ ├── claude-desktop-config.json Template
132
- │ └── claude-desktop-config-local.json Resolved absolute path
133
-
134
- ├── package.json
135
- ├── tsconfig.json
136
- ├── vitest.config.ts
137
- ├── LICENSE MIT — Attested Intelligence Holdings LLC
138
- ├── README.md
139
- ├── PATENT_MAPPING.md Claim-to-code mapping + NIST alignment
140
- └── .npmignore
141
- ```
142
-
143
- ---
144
-
145
- ## 4. THE 16 MCP TOOLS
146
-
147
- ### Ungoverned (always available)
148
-
149
- | # | Tool | Patent Ref | Description |
150
- |---|---|---|---|
151
- | 1 | `get_server_info` | — | Server version, public keys, portal state |
152
- | 2 | `get_portal_state` | — | Current enforcement state, artifact info, TTL, quarantine status |
153
- | 3 | `init_chain` | Claim 3a | Initialize continuity chain with genesis event |
154
- | 4 | `attest_subject` | Claims 1a-1d | Hash content, attest, seal, generate signed artifact, load into portal. Accepts optional `behavioral_baseline` |
155
- | 5 | `verify_chain` | Claim 3c | Verify chain integrity (leaf hashes, linkage, payload hashes) |
156
- | 6 | `list_claims` | Claim 2 | List available claims with sensitivity levels |
157
- | 7 | `measure_behavior` | NIST-2025-0035 | Measure behavioral patterns — unauthorized tools, rate violations, forbidden sequences |
158
- | 8 | `get_receipts` | — | Get all signed receipts, filter by artifact |
159
- | 9 | `get_chain_events` | — | Get continuity chain events, filter by sequence range |
160
-
161
- ### Governed (blocked when TERMINATED/QUARANTINED/UNATTESTED)
162
-
163
- | # | Tool | Patent Ref | Description |
164
- |---|---|---|---|
165
- | 10 | `measure_integrity` | Claims 1e-1g | Measure content against sealed hash, enforce on drift, generate receipt |
166
- | 11 | `revoke_artifact` | NCCoE 3b | Mid-session artifact revocation, pushes REVOCATION chain event |
167
- | 12 | `create_checkpoint` | Claims 3d-3f | Build Merkle tree over chain events, produce checkpoint |
168
- | 13 | `generate_evidence_bundle` | Claim 9 | Package artifact + receipts + Merkle proofs for offline verification |
169
- | 14 | `verify_bundle_offline` | Section J | 4-step offline verification (artifact sig, receipt sigs, Merkle proofs, anchor) |
170
- | 15 | `request_claim` | Claim 2 | Privacy-preserving disclosure with sensitivity-based auto-substitution |
171
- | 16 | `delegate_to_subagent` | NCCoE | Derive constrained artifact for sub-agent (scope only diminishes) |
172
-
173
- ### Governance Behavior
174
-
175
- When a governed tool is called:
176
-
177
- | Portal State | Behavior |
178
- |---|---|
179
- | `INITIALIZATION` | Blocked — "Call attest_subject first" |
180
- | `ARTIFACT_VERIFICATION` | Blocked — attestation in progress |
181
- | `ACTIVE_MONITORING` | Allowed — invocation recorded for behavioral analysis |
182
- | `DRIFT_DETECTED` | Allowed — enforcement may follow |
183
- | `PHANTOM_QUARANTINE` | Blocked — tool call captured as forensic input, outputs severed |
184
- | `TERMINATED` | Blocked — "Agent governance has been revoked" |
185
-
186
- ---
187
-
188
- ## 5. CRYPTOGRAPHIC DESIGN
189
-
190
- ### 5.1 Key Algorithms
191
-
192
- | Operation | Algorithm | Library |
193
- |---|---|---|
194
- | Hashing | SHA-256 | @noble/hashes |
195
- | Signing | Ed25519 | @noble/ed25519 |
196
- | Salts | 128-bit (16 bytes) CSPRNG | @noble/hashes/utils |
197
- | Merkle trees | SHA-256 binary tree | Custom (src/crypto/merkle.ts) |
198
- | Canonical serialization | Sorted-key JSON.stringify | Custom (src/utils/canonical.ts) |
199
-
200
- ### 5.2 Sealed Hash (Patent Core)
201
-
202
- ```
203
- sealed_hash = SHA-256(bytes_hash || metadata_hash || policy_reference || seal_salt)
204
- ```
205
-
206
- - No delimiters between fields — raw hex concatenation via `sha256HexCat()`
207
- - `bytes_hash` = SHA-256 of subject content bytes
208
- - `metadata_hash` = SHA-256 of canonicalized metadata JSON
209
- - `seal_salt` = 128-bit random salt (32 hex chars), stored in artifact
210
-
211
- ### 5.3 Leaf Hash (Claim 3c — Privacy Innovation)
212
-
213
- ```
214
- leaf_hash = SHA-256(
215
- sequence_number || "||" ||
216
- event_type || "||" ||
217
- event_id || "||" ||
218
- timestamp || "||" ||
219
- prev_leaf_hash || "||" ||
220
- payload_hash
221
- )
222
- ```
223
-
224
- **The actual payload is EXCLUDED from the leaf hash.** This is the key patent innovation (Claim 3c) — chain integrity can be verified without revealing the contents of any event. Only a hash of the payload is included, preserving privacy while maintaining tamper evidence.
225
-
226
- ### 5.4 Salted Commitments
227
-
228
- Evidence items are committed via:
229
- ```
230
- commitment = SHA-256(content_bytes || salt_bytes)
231
- ```
232
-
233
- The salt allows selective disclosure: reveal the salt to prove the commitment, keep it secret to maintain privacy.
234
-
235
- ### 5.5 Artifact Signature
236
-
237
- ```
238
- signature = Ed25519.sign(canonicalize(unsigned_artifact), issuer_secret_key)
239
- ```
240
-
241
- Where `canonicalize()` = sorted-key JSON.stringify with no whitespace. The signature covers every field of the artifact except the signature itself.
242
-
243
- ### 5.6 Receipt Signature
244
-
245
- ```
246
- signature = Ed25519.sign(canonicalize(unsigned_receipt), portal_secret_key)
247
- ```
248
-
249
- V3 behavior: a signed receipt is generated for **every** measurement — match or mismatch. This fulfills the NIST filing promise: "each measurement generates a signed receipt."
250
-
251
- ### 5.7 Merkle Tree
252
-
253
- - Binary tree over event leaf hashes
254
- - Odd leaf count: last leaf is duplicated
255
- - Internal nodes: `SHA-256(left || right)` (hex concatenation)
256
- - Inclusion proofs: array of `{ hash, direction }` pairs
257
- - Verification: reconstruct root from leaf + proof, compare to checkpoint root
258
-
259
- ---
260
-
261
- ## 6. PORTAL STATE MACHINE
262
-
263
- ```
264
- loadArtifact()
265
- INITIALIZATION ──────────────────► ARTIFACT_VERIFICATION
266
-
267
- sig OK? ───┤
268
- time OK? │
269
- revoked? ───┤
270
-
271
- ┌──────▼──────┐
272
- │ ACTIVE │◄──── ALERT_ONLY
273
- │ MONITORING │ (resumes)
274
- └──────┬──────┘
275
-
276
- drift detected
277
-
278
- ┌──────▼──────┐
279
- │ DRIFT │
280
- │ DETECTED │
281
- └──┬───┬───┬──┘
282
- │ │ │
283
- QUARANTINE│ │ │TERMINATE/SAFE_STATE
284
- │ │ │
285
- ┌───────▼┐ │ ┌▼──────────┐
286
- │PHANTOM │ │ │TERMINATED │
287
- │QUARANT.│ │ │(fail-closed│
288
- └───┬────┘ │ │no recovery)│
289
- │ │ └────────────┘
290
- │ │
291
- ▼ │
292
- TERMINATED◄──┘
293
- ```
294
-
295
- ### Fail-Closed Semantics
296
-
297
- On **every** call to `Portal.measure()`:
298
- 1. Check TTL — if expired → `TERMINATED` immediately
299
- 2. Check revocation — if revoked → `TERMINATED` immediately
300
- 3. Compare hashes — if mismatch → `DRIFT_DETECTED`
301
-
302
- There is no recovery from `TERMINATED`. The agent must be re-attested.
303
-
304
- ---
305
-
306
- ## 7. BEHAVIORAL DRIFT DETECTION
307
-
308
- Binary hashing detects file modification but NOT prompt injection — the binary is unchanged while behavior is compromised. The `BehavioralMonitor` tracks tool invocation patterns:
309
-
310
- ### Violation Types
311
-
312
- | Type | Detection |
313
- |---|---|
314
- | `UNAUTHORIZED_TOOL` | Agent calls a tool not in the permitted list |
315
- | `RATE_EXCEEDED` | Tool invoked more times than allowed in the measurement window |
316
- | `FORBIDDEN_SEQUENCE` | Prohibited tool chain detected (e.g., `read_secret` → `send_email`) |
317
-
318
- ### Integration
319
-
320
- - Every governed tool invocation is recorded by the governance middleware
321
- - `measure_behavior` tool returns violations + behavioral hash (pattern fingerprint)
322
- - Behavioral drift events are appended to the continuity chain
323
- - Behavioral baseline can be sealed into the artifact via `attest_subject`
324
-
325
- ---
326
-
327
- ## 8. CONSTRAINED SUB-AGENT DELEGATION
328
-
329
- NCCoE filing: "Scope can only diminish through delegation, never expand."
330
-
331
- ```
332
- Primary Agent (TTL=3600s, triggers=[QUARANTINE, TERMINATE, SAFE_STATE])
333
-
334
- ├── delegate_to_subagent(TTL=1800, triggers=[QUARANTINE])
335
- │ └── Child Artifact: TTL=1800, triggers=[QUARANTINE]
336
- │ - TTL clamped to parent remaining
337
- │ - Triggers ⊆ parent triggers
338
- │ - Measurement types ⊆ parent types
339
- │ - Disclosure policy inherited (cannot expand)
340
-
341
- └── delegate_to_subagent(TTL=9999, triggers=[KEY_REVOKE])
342
- └── REJECTED: Cannot expand scope
343
- ```
344
-
345
- ### Enforcement Rules
346
-
347
- 1. Child TTL = `min(requested_ttl, parent_remaining_ttl)`
348
- 2. Child enforcement triggers must be a subset of parent's
349
- 3. Child measurement types must be a subset of parent's
350
- 4. Child disclosure policy = parent's (inherited, cannot expand)
351
- 5. `DELEGATION` event appended to parent's continuity chain
352
- 6. `validateDelegation()` provides independent scope verification
353
-
354
- ---
355
-
356
- ## 9. CONTINUITY CHAIN
357
-
358
- An append-only chain of `ContinuityEvent` objects:
359
-
360
- ### Event Types
361
-
362
- | Type | When Created |
363
- |---|---|
364
- | `GENESIS` | Chain initialization (`init_chain` or auto-init) |
365
- | `POLICY_ISSUANCE` | Artifact created (`attest_subject`) |
366
- | `INTERACTION_RECEIPT` | Measurement taken (`measure_integrity`) or behavioral drift |
367
- | `REVOCATION` | Artifact revoked (`revoke_artifact`) |
368
- | `ATTESTATION` | Delegation event (`delegate_to_subagent`) |
369
- | `ANCHOR_BATCH` | Checkpoint created (`create_checkpoint`) |
370
- | `DISCLOSURE` | Claim disclosed (`request_claim`) |
371
- | `SUBSTITUTION` | Auto-substitution triggered (`request_claim`) |
372
- | `KEY_ROTATION` | Key rotation (reserved) |
373
-
374
- ### Chain Integrity Verification
375
-
376
- `verifyChainIntegrity()` checks:
377
- 1. Genesis event at sequence 0
378
- 2. Each event's `leaf_hash` matches recomputed leaf hash
379
- 3. Each event's `prev_leaf_hash` matches previous event's `leaf_hash`
380
- 4. Each event's `payload_hash` matches recomputed payload hash
381
-
382
- ---
383
-
384
- ## 10. OFFLINE EVIDENCE BUNDLES
385
-
386
- 4-step offline verification (`verifyBundleOffline`):
387
-
388
- | Step | What It Checks | Current Status |
389
- |---|---|---|
390
- | Step 1 | Artifact signature (Ed25519) | Implemented — PASS |
391
- | Step 2 | Receipt signatures (Ed25519) | Implemented — PASS |
392
- | Step 3 | Merkle inclusion proofs | Implemented — PASS |
393
- | Step 4 | Anchor validation (blockchain) | Returns `SKIPPED_OFFLINE` — no chain integration yet |
394
-
395
- ---
396
-
397
- ## 11. PRIVACY-PRESERVING DISCLOSURE
398
-
399
- Claims have sensitivity levels:
400
- - **S1_LOW** — can be revealed fully
401
- - **S2_MODERATE** — can be revealed minimally or proved
402
- - **S3_HIGH** — proof only, auto-substitutes to lower-sensitivity claim
403
-
404
- Example: requesting `identity.name` (S3_HIGH) with mode `REVEAL_FULL` triggers auto-substitution to `identity.pseudonym` (S2_MODERATE) or `identity.org` (S1_LOW).
405
-
406
- Substitution receipts are appended to the continuity chain for audit.
407
-
408
- ---
409
-
410
- ## 12. STORAGE
411
-
412
- ### Interface (`AGAStorage`)
413
-
414
- ```typescript
415
- interface AGAStorage {
416
- initialize(): Promise<void>;
417
- storeArtifact(a: PolicyArtifact): Promise<void>;
418
- getLatestArtifact(): Promise<PolicyArtifact | null>;
419
- storeEvent(e: ContinuityEvent): Promise<void>;
420
- getLatestEvent(): Promise<ContinuityEvent | null>;
421
- getAllEvents(): Promise<ContinuityEvent[]>;
422
- getEvents(start: number, end: number): Promise<ContinuityEvent[]>;
423
- storeReceipt(r: SignedReceipt): Promise<void>;
424
- getReceiptsByArtifact(hash: string): Promise<SignedReceipt[]>;
425
- getAllReceipts(): Promise<SignedReceipt[]>;
426
- storeCheckpoint(c: CheckpointReference): Promise<void>;
427
- getLatestCheckpoint(): Promise<CheckpointReference | null>;
428
- }
429
- ```
430
-
431
- ### Implementations
432
-
433
- | Implementation | Status | Notes |
434
- |---|---|---|
435
- | `MemoryStorage` | Active | In-memory Maps/arrays, sufficient for all use cases |
436
- | `SQLiteStorage` | Optional | Requires `better-sqlite3` + VS Build Tools. WAL mode, 4 tables. Gracefully unavailable on current machine. |
437
-
438
- ---
439
-
440
- ## 13. TEST COVERAGE
441
-
442
- | Test File | Tests | What It Covers |
443
- |---|---|---|
444
- | `crypto/hash.test.ts` | 5 | SHA-256 determinism, hex format, ordering, hexcat |
445
- | `crypto/sign.test.ts` | 7 | Ed25519 keypair, sign/verify bytes+string, tamper/wrong-key rejection, base64+hex roundtrips |
446
- | `crypto/salt.test.ts` | 4 | Salt format (32 hex), uniqueness, commitment verification |
447
- | `crypto/merkle.test.ts` | 6 | Root format, single leaf, proof verification, tamper detection, odd count, empty rejection |
448
- | `core/artifact.test.ts` | 4 | Signature verification, tamper rejection, seal_salt storage |
449
- | `core/chain.test.ts` | 7 | Genesis sequence, increment, intact chain, tampered leaf/payload, **leaf excludes payload (Claim 3c)**, REVOCATION event |
450
- | `core/portal.test.ts` | 10 | Load, bad key rejection, match, drift, QUARANTINE, TERMINATE, ALERT_ONLY, TTL expiry, revoke, revocation-on-measure |
451
- | `core/governance.test.ts` | 5 | TERMINATED blocks, ungoverned always allowed, QUARANTINE captures forensic, pre-attestation blocks, ACTIVE allows |
452
- | `core/behavioral.test.ts` | 5 | Compliant behavior, unauthorized tool, rate exceeded, forbidden sequence, behavioral hash uniqueness |
453
- | `core/delegation.test.ts` | 8 | Reduced scope, TTL clamping, scope expansion rejection (triggers + types), child signature valid, validateDelegation pass/fail, scope reduction tracking |
454
- | `integration/nccoe-lab-demo.test.ts` | 2 | Full NCCoE lab scenario: attestation → clean measurements → drift → quarantine → revocation → chain verification → checkpoint → evidence bundle → offline verification |
455
- | **Total** | **63** | |
456
-
457
- ---
458
-
459
- ## 14. PATENT CLAIM MAPPING
460
-
461
- | Claim | Implementation | Source File | Function/Class |
462
- |---|---|---|---|
463
- | 1(a) receive subject | `attest_subject` | core/subject.ts | `computeSubjectIdFromString()` |
464
- | 1(b) generate identifier | `attest_subject` | core/subject.ts | `computeSubjectId()` |
465
- | 1(c) perform attestation | `attest_subject` | core/attestation.ts | `performAttestation()` |
466
- | 1(d) generate artifact | `attest_subject` | core/artifact.ts | `generateArtifact()` |
467
- | 1(e) portal + measurement | `measure_integrity` | core/portal.ts | `Portal.measure()` |
468
- | 1(f) compare to sealed | `measure_integrity` | core/portal.ts | `Portal.measure()` |
469
- | 1(g) enforce + receipt | `measure_integrity` | core/receipt.ts | `generateReceipt()` |
470
- | 2 disclosure | `request_claim` | core/disclosure.ts | `processDisclosure()` |
471
- | 3(a) genesis | `init_chain` | core/chain.ts | `createGenesisEvent()` |
472
- | 3(b) append events | auto (every tool) | core/chain.ts | `appendEvent()` |
473
- | 3(c) leaf hash (no payload) | `verify_chain` | core/chain.ts | `computeLeafHash()` |
474
- | 3(d-f) checkpoint | `create_checkpoint` | core/checkpoint.ts | `createCheckpoint()` |
475
- | 5 quarantine | `measure_integrity` | core/quarantine.ts | `initQuarantine()` |
476
- | 6 TTL expiration | `measure_integrity` | core/portal.ts | `Portal.measure()` |
477
- | 9 evidence bundle | `generate_evidence_bundle` | core/bundle.ts | `generateBundle()` |
478
- | 10 pinned key | portal load | core/portal.ts | `Portal.loadArtifact()` |
479
- | 11 phantom execution | `measure_integrity` | core/quarantine.ts | `captureInput()` |
480
- | 12 graceful degradation | `measure_integrity` | core/portal.ts | TTL + fail-closed |
481
-
482
- ### NIST Filing Alignment
483
-
484
- | NIST Promise | Implementation | Status |
485
- |---|---|---|
486
- | "each measurement generates a signed receipt" | `measure_integrity` generates receipt for match AND mismatch | DONE |
487
- | "fail-closed semantics" | Portal checks TTL + revocation on every measurement | DONE |
488
- | "mid-session revocation" (NCCoE 3b) | `revoke_artifact` tool + REVOCATION chain event | DONE |
489
- | "phantom execution" | `QUARANTINE` enforcement → forensic capture buffer | DONE |
490
- | "offline verification" | `generate_evidence_bundle` + `verify_bundle_offline` | DONE |
491
- | "graduated enforcement" | TERMINATE / QUARANTINE / SAFE_STATE / ALERT_ONLY | DONE |
492
- | "portal intercepts MCP tool invocations" | Governance middleware wraps all governed tools | DONE |
493
- | "semantic drift without binary modification" | BehavioralMonitor tracks tool patterns | DONE |
494
- | "constrained sub-mandates" | `delegate_to_subagent` + scope-only-diminishes | DONE |
495
- | "sub-10ms per tool invocation" | 3.74ms per measure+receipt cycle | DONE |
496
-
497
- ---
498
-
499
- ## 15. VERSION HISTORY
500
-
501
- | Tag | Commit | What Changed |
502
- |---|---|---|
503
- | `v0.1.0` | `62394ed` | Initial reference implementation — 45 files, 45 tests, all patent claims |
504
- | (v0.1.1) | `1093631` | Hardening — .npmignore, LICENSE, keypair gen, benchmark, Claude Desktop config |
505
- | `v0.2.0` | `897b2f7` | Governance middleware — portal as zero-trust PEP. 50 tests |
506
- | `v0.3.0` | `bc48a28` | Behavioral drift detection — tool pattern monitoring. 55 tests |
507
- | `v0.4.0` | `8f77321` | Constrained sub-agent delegation — scope only diminishes. 63 tests |
508
-
509
- ---
510
-
511
- ## 16. WHAT HAS BEEN ESTABLISHED
512
-
513
- ### Infrastructure
514
- - [x] Git repository initialized with clean commit history
515
- - [x] GitHub public repo at `attestedintelligence/aga-mcp-server`
516
- - [x] 4 version tags pushed (v0.1.0 through v0.4.0)
517
- - [x] Claude Desktop config generated with absolute path
518
- - [x] MIT License (Attested Intelligence Holdings LLC)
519
- - [x] .npmignore for clean npm packaging
520
-
521
- ### Protocol Implementation
522
- - [x] Complete Ed25519 + SHA-256 cryptographic layer
523
- - [x] Sealed hash generation with salted commitments
524
- - [x] Policy artifact generation with issuer signature
525
- - [x] Portal state machine with fail-closed semantics
526
- - [x] Continuity chain with privacy-preserving leaf hashes (Claim 3c)
527
- - [x] Merkle checkpoint anchoring
528
- - [x] Offline-verifiable evidence bundles (4-step)
529
- - [x] Privacy-preserving disclosure with auto-substitution
530
- - [x] Phantom execution / quarantine with forensic capture
531
- - [x] Mid-session revocation (NCCoE Phase 3b)
532
- - [x] Receipt generation for every measurement (match or mismatch)
533
-
534
- ### v0.2.0+ Features
535
- - [x] Governance middleware — portal as true zero-trust PEP
536
- - [x] Behavioral drift detection — unauthorized tools, rate limits, forbidden sequences
537
- - [x] Constrained sub-agent delegation — scope only diminishes through delegation
538
-
539
- ### Verification
540
- - [x] 63 tests all passing
541
- - [x] NCCoE lab demo scenario verified end-to-end
542
- - [x] Benchmark: 3.74ms per cycle (NIST target <10ms)
543
- - [x] TypeScript strict mode, zero build errors
544
-
545
- ---
546
-
547
- ## 17. WHAT'S NEXT
548
-
549
- ### Immediate (Requires User Action)
550
-
551
- | Item | Action | Why |
552
- |---|---|---|
553
- | **npm publish** | Run `npm login` then `npm publish --access public` in terminal | Creates immutable npm registry timestamp for patent prosecution. Requires interactive 2FA. |
554
- | **Claude Desktop smoke test** | Copy `config/claude-desktop-config-local.json` to `%APPDATA%\Claude\claude_desktop_config.json`, restart Claude Desktop, run test sequence | Proves the MCP server works as a live tool for AI agents |
555
-
556
- ### Near-Term Development
557
-
558
- | Priority | Feature | NIST/Patent Ref | Description |
559
- |---|---|---|---|
560
- | HIGH | Arweave Anchoring | Patent Section I | Replace `SKIPPED_OFFLINE` stub with real blockchain anchoring. POST Merkle root to Arweave, store transaction IDs, enable Step 4 of offline verification. |
561
- | HIGH | SPIFFE/SPIRE Integration | NCCoE filing | SPIRE handles workload-to-node identity (SVID), AGA handles workload-to-intent governance. Integration point: SVID provides transport identity, AGA binds governance. |
562
- | MEDIUM | Multi-Agent Chain Linking | NCCoE filing | Child agent's genesis event links to parent's chain. Cross-chain verification for delegation audit trails. |
563
- | MEDIUM | Persistent Storage | — | Install VS Build Tools, enable SQLiteStorage for durable state across server restarts. |
564
- | LOW | WebSocket Transport | — | Add HTTP/SSE/WebSocket transport in addition to stdio for remote MCP clients. |
565
- | LOW | CI/CD Pipeline | — | GitHub Actions for automated test + build + publish on tag push. |
566
-
567
- ### Architecture Evolution
568
-
569
- ```
570
- Current (v0.4.0):
571
- Single MCP server ← single agent
572
-
573
- Next (v0.5.0+):
574
- Primary MCP server ← primary agent
575
- ├── Derived portal ← sub-agent A (constrained)
576
- ├── Derived portal ← sub-agent B (constrained)
577
- └── Arweave anchor ← immutable timestamp proof
578
-
579
- Future (v1.0.0):
580
- Federation of portals with cross-chain verification
581
- SPIFFE/SPIRE transport identity binding
582
- Real-time behavioral anomaly scoring
583
- Hardware attestation integration (TPM/SGX)
584
- ```
585
-
586
- ---
587
-
588
- ## 18. HOW TO RUN
589
-
590
- ### Build + Test + Demo
591
- ```bash
592
- cd C:\Users\neuro\AIH\aga-mcp-server
593
- npm run build # TypeScript compilation
594
- npm test # 63 tests
595
- npm run demo # Full NCCoE lab scenario output
596
- npm run benchmark # Performance benchmark
597
- ```
598
-
599
- ### Connect to Claude Desktop
600
- 1. Build: `npm run build`
601
- 2. Copy config:
602
- - From: `config/claude-desktop-config-local.json`
603
- - To: `%APPDATA%\Claude\claude_desktop_config.json`
604
- 3. Restart Claude Desktop
605
- 4. Test: "Use the AGA server. Call get_server_info."
606
-
607
- ### Generate Keypair
608
- ```bash
609
- npx tsx scripts/generate-keypair.ts
610
- ```
611
-
612
- ---
613
-
614
- ## 19. KEY DESIGN DECISIONS
615
-
616
- | Decision | Rationale |
617
- |---|---|
618
- | SHA-256 over BLAKE2b for primary hashing | Broader hardware support, NIST standard, sufficient for this use case |
619
- | Leaf hash excludes payload | Patent innovation (Claim 3c) — enables chain verification without revealing event contents |
620
- | Receipt for every measurement | NIST filing promise — creates complete audit trail regardless of outcome |
621
- | Fail-closed on TTL/revocation | Security principle — expired or revoked artifacts must never be honored |
622
- | ESM only, no require() | Forward-compatible, matches @noble library requirements |
623
- | Server.ts monolith for tools | Simpler for reference implementation; refactor path documented in src/tools/README.md |
624
- | MemoryStorage as default | Sufficient for MCP server lifecycle (state is session-scoped); SQLite available when build tools are installed |
625
- | Governance middleware as wrapper | Non-invasive — existing tool handlers unchanged, enforcement added as a layer |
626
- | Behavioral monitor in middleware | Natural interception point — every governed tool call passes through anyway |
627
- | Scope-only-diminishes delegation | NCCoE filing requirement — prevents privilege escalation through delegation chains |
628
-
629
- ---
630
-
631
- *This document reflects the state of the codebase as of v0.4.0 (commit 8f77321), 2026-03-05.*
632
- *Generated for Attested Intelligence Holdings LLC — patent prosecution and NIST filing reference.*
@@ -1,45 +0,0 @@
1
- import { signStr, sigToB64, b64ToSig, pkToHex, hexToPk, verifyStr } from '../crypto/sign.js';
2
- import { sha256Str } from '../crypto/hash.js';
3
- import { canonicalize } from '../utils/canonical.js';
4
- import { utcNow } from '../utils/timestamp.js';
5
- import { SCHEMA_VERSION, PROTOCOL_VERSION } from '../utils/constants.js';
6
- import type { KeyPair, HashHex } from '../crypto/types.js';
7
- import type { PolicyArtifact, SubjectIdentifier, EnforcementParams, DisclosurePolicy, EvidenceCommitmentRecord } from './types.js';
8
-
9
- export interface ArtifactInput {
10
- subject_identifier: SubjectIdentifier;
11
- policy_reference: HashHex;
12
- policy_version: number;
13
- sealed_hash: HashHex;
14
- seal_salt: string;
15
- enforcement_parameters: EnforcementParams;
16
- disclosure_policy: DisclosurePolicy;
17
- evidence_commitments: EvidenceCommitmentRecord[];
18
- issuer_keypair: KeyPair;
19
- effective_timestamp?: string;
20
- expiration_timestamp?: string | null;
21
- }
22
-
23
- export function generateArtifact(input: ArtifactInput): PolicyArtifact {
24
- const now = utcNow();
25
- const unsigned: Omit<PolicyArtifact, 'signature'> = {
26
- schema_version: SCHEMA_VERSION, protocol_version: PROTOCOL_VERSION,
27
- subject_identifier: input.subject_identifier, policy_reference: input.policy_reference,
28
- policy_version: input.policy_version, sealed_hash: input.sealed_hash,
29
- seal_salt: input.seal_salt, issued_timestamp: now,
30
- effective_timestamp: input.effective_timestamp ?? now,
31
- expiration_timestamp: input.expiration_timestamp ?? null,
32
- issuer_identifier: pkToHex(input.issuer_keypair.publicKey),
33
- enforcement_parameters: input.enforcement_parameters,
34
- disclosure_policy: input.disclosure_policy,
35
- evidence_commitments: input.evidence_commitments,
36
- };
37
- return { ...unsigned, signature: sigToB64(signStr(canonicalize(unsigned), input.issuer_keypair.secretKey)) };
38
- }
39
-
40
- export function hashArtifact(a: PolicyArtifact): HashHex { return sha256Str(canonicalize(a)); }
41
-
42
- export function verifyArtifactSignature(a: PolicyArtifact, issuerPkHex: string): boolean {
43
- const { signature, ...unsigned } = a;
44
- return verifyStr(b64ToSig(signature), canonicalize(unsigned), hexToPk(issuerPkHex));
45
- }