@attested-intelligence/aga-mcp-server 0.1.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (197)
  1. package/README.md +106 -24
  2. package/dist/context.d.ts +39 -0
  3. package/dist/context.d.ts.map +1 -0
  4. package/dist/context.js +113 -0
  5. package/dist/context.js.map +1 -0
  6. package/dist/core/identity.d.ts +14 -0
  7. package/dist/core/identity.d.ts.map +1 -0
  8. package/dist/core/identity.js +16 -0
  9. package/dist/core/identity.js.map +1 -0
  10. package/dist/core/index.d.ts +3 -0
  11. package/dist/core/index.d.ts.map +1 -1
  12. package/dist/core/index.js +3 -0
  13. package/dist/core/index.js.map +1 -1
  14. package/dist/core/measurement.d.ts +16 -0
  15. package/dist/core/measurement.d.ts.map +1 -0
  16. package/dist/core/measurement.js +18 -0
  17. package/dist/core/measurement.js.map +1 -0
  18. package/dist/core/portal.d.ts +1 -1
  19. package/dist/core/portal.d.ts.map +1 -1
  20. package/dist/core/portal.js +10 -5
  21. package/dist/core/portal.js.map +1 -1
  22. package/dist/core/types.d.ts +2 -3
  23. package/dist/core/types.d.ts.map +1 -1
  24. package/dist/crypto/canonicalize.d.ts +7 -0
  25. package/dist/crypto/canonicalize.d.ts.map +1 -0
  26. package/dist/crypto/canonicalize.js +21 -0
  27. package/dist/crypto/canonicalize.js.map +1 -0
  28. package/dist/crypto/hash.d.ts +1 -1
  29. package/dist/crypto/hash.d.ts.map +1 -1
  30. package/dist/crypto/hash.js +1 -1
  31. package/dist/crypto/hash.js.map +1 -1
  32. package/dist/crypto/index.d.ts +6 -5
  33. package/dist/crypto/index.d.ts.map +1 -1
  34. package/dist/crypto/index.js +6 -5
  35. package/dist/crypto/index.js.map +1 -1
  36. package/dist/crypto/keys.d.ts +10 -0
  37. package/dist/crypto/keys.d.ts.map +1 -0
  38. package/dist/crypto/keys.js +19 -0
  39. package/dist/crypto/keys.js.map +1 -0
  40. package/dist/index.js +1 -1
  41. package/dist/index.js.map +1 -1
  42. package/dist/middleware/governance.d.ts +1 -7
  43. package/dist/middleware/governance.d.ts.map +1 -1
  44. package/dist/middleware/governance.js +11 -18
  45. package/dist/middleware/governance.js.map +1 -1
  46. package/dist/prompts/drift-analysis.d.ts +13 -0
  47. package/dist/prompts/drift-analysis.d.ts.map +1 -0
  48. package/dist/prompts/drift-analysis.js +43 -0
  49. package/dist/prompts/drift-analysis.js.map +1 -0
  50. package/dist/prompts/governance-report.d.ts +7 -0
  51. package/dist/prompts/governance-report.d.ts.map +1 -0
  52. package/dist/prompts/governance-report.js +26 -0
  53. package/dist/prompts/governance-report.js.map +1 -0
  54. package/dist/prompts/nccoe-demo.d.ts +14 -0
  55. package/dist/prompts/nccoe-demo.d.ts.map +1 -0
  56. package/dist/prompts/nccoe-demo.js +47 -0
  57. package/dist/prompts/nccoe-demo.js.map +1 -0
  58. package/dist/resources/cosai-mapping.d.ts +24 -0
  59. package/dist/resources/cosai-mapping.d.ts.map +1 -0
  60. package/dist/resources/cosai-mapping.js +127 -0
  61. package/dist/resources/cosai-mapping.js.map +1 -0
  62. package/dist/resources/crypto-primitives.d.ts +3 -0
  63. package/dist/resources/crypto-primitives.d.ts.map +1 -0
  64. package/dist/resources/crypto-primitives.js +52 -0
  65. package/dist/resources/crypto-primitives.js.map +1 -0
  66. package/dist/resources/sample-bundle.d.ts +6 -0
  67. package/dist/resources/sample-bundle.d.ts.map +1 -0
  68. package/dist/resources/sample-bundle.js +58 -0
  69. package/dist/resources/sample-bundle.js.map +1 -0
  70. package/dist/resources/specification.d.ts +3 -0
  71. package/dist/resources/specification.d.ts.map +1 -0
  72. package/dist/resources/specification.js +161 -0
  73. package/dist/resources/specification.js.map +1 -0
  74. package/dist/server.d.ts +3 -7
  75. package/dist/server.d.ts.map +1 -1
  76. package/dist/server.js +214 -343
  77. package/dist/server.js.map +1 -1
  78. package/dist/storage/sqlite.js +1 -1
  79. package/dist/tools/create-artifact.d.ts +25 -0
  80. package/dist/tools/create-artifact.d.ts.map +1 -0
  81. package/dist/tools/create-artifact.js +85 -0
  82. package/dist/tools/create-artifact.js.map +1 -0
  83. package/dist/tools/delegate-subagent.d.ts +18 -0
  84. package/dist/tools/delegate-subagent.d.ts.map +1 -0
  85. package/dist/tools/delegate-subagent.js +50 -0
  86. package/dist/tools/delegate-subagent.js.map +1 -0
  87. package/dist/tools/disclose-claim.d.ts +14 -0
  88. package/dist/tools/disclose-claim.d.ts.map +1 -0
  89. package/dist/tools/disclose-claim.js +23 -0
  90. package/dist/tools/disclose-claim.js.map +1 -0
  91. package/dist/tools/export-bundle.d.ts +8 -0
  92. package/dist/tools/export-bundle.d.ts.map +1 -0
  93. package/dist/tools/export-bundle.js +25 -0
  94. package/dist/tools/export-bundle.js.map +1 -0
  95. package/dist/tools/full-lifecycle.d.ts +16 -0
  96. package/dist/tools/full-lifecycle.d.ts.map +1 -0
  97. package/dist/tools/full-lifecycle.js +121 -0
  98. package/dist/tools/full-lifecycle.js.map +1 -0
  99. package/dist/tools/generate-receipt.d.ts +16 -0
  100. package/dist/tools/generate-receipt.d.ts.map +1 -0
  101. package/dist/tools/generate-receipt.js +31 -0
  102. package/dist/tools/generate-receipt.js.map +1 -0
  103. package/dist/tools/get-chain.d.ts +14 -0
  104. package/dist/tools/get-chain.d.ts.map +1 -0
  105. package/dist/tools/get-chain.js +45 -0
  106. package/dist/tools/get-chain.js.map +1 -0
  107. package/dist/tools/get-portal-state.d.ts +8 -0
  108. package/dist/tools/get-portal-state.d.ts.map +1 -0
  109. package/dist/tools/get-portal-state.js +15 -0
  110. package/dist/tools/get-portal-state.js.map +1 -0
  111. package/dist/tools/init-chain.d.ts +10 -0
  112. package/dist/tools/init-chain.d.ts.map +1 -0
  113. package/dist/tools/init-chain.js +13 -0
  114. package/dist/tools/init-chain.js.map +1 -0
  115. package/dist/tools/measure-behavior.d.ts +12 -0
  116. package/dist/tools/measure-behavior.d.ts.map +1 -0
  117. package/dist/tools/measure-behavior.js +29 -0
  118. package/dist/tools/measure-behavior.js.map +1 -0
  119. package/dist/tools/measure-subject.d.ts +15 -0
  120. package/dist/tools/measure-subject.d.ts.map +1 -0
  121. package/dist/tools/measure-subject.js +106 -0
  122. package/dist/tools/measure-subject.js.map +1 -0
  123. package/dist/tools/quarantine-status.d.ts +8 -0
  124. package/dist/tools/quarantine-status.d.ts.map +1 -0
  125. package/dist/tools/quarantine-status.js +16 -0
  126. package/dist/tools/quarantine-status.js.map +1 -0
  127. package/dist/tools/revoke-artifact.d.ts +13 -0
  128. package/dist/tools/revoke-artifact.d.ts.map +1 -0
  129. package/dist/tools/revoke-artifact.js +24 -0
  130. package/dist/tools/revoke-artifact.js.map +1 -0
  131. package/dist/tools/rotate-keys.d.ts +13 -0
  132. package/dist/tools/rotate-keys.d.ts.map +1 -0
  133. package/dist/tools/rotate-keys.js +39 -0
  134. package/dist/tools/rotate-keys.js.map +1 -0
  135. package/dist/tools/server-info.d.ts +8 -0
  136. package/dist/tools/server-info.d.ts.map +1 -0
  137. package/dist/tools/server-info.js +23 -0
  138. package/dist/tools/server-info.js.map +1 -0
  139. package/dist/tools/set-verification-tier.d.ts +11 -0
  140. package/dist/tools/set-verification-tier.d.ts.map +1 -0
  141. package/dist/tools/set-verification-tier.js +31 -0
  142. package/dist/tools/set-verification-tier.js.map +1 -0
  143. package/dist/tools/start-monitoring.d.ts +12 -0
  144. package/dist/tools/start-monitoring.d.ts.map +1 -0
  145. package/dist/tools/start-monitoring.js +17 -0
  146. package/dist/tools/start-monitoring.js.map +1 -0
  147. package/dist/tools/trigger-measurement.d.ts +15 -0
  148. package/dist/tools/trigger-measurement.d.ts.map +1 -0
  149. package/dist/tools/trigger-measurement.js +86 -0
  150. package/dist/tools/trigger-measurement.js.map +1 -0
  151. package/dist/tools/verify-artifact.d.ts +13 -0
  152. package/dist/tools/verify-artifact.d.ts.map +1 -0
  153. package/dist/tools/verify-artifact.js +6 -0
  154. package/dist/tools/verify-artifact.js.map +1 -0
  155. package/dist/tools/verify-bundle.d.ts +13 -0
  156. package/dist/tools/verify-bundle.d.ts.map +1 -0
  157. package/dist/tools/verify-bundle.js +6 -0
  158. package/dist/tools/verify-bundle.js.map +1 -0
  159. package/dist/types.d.ts +261 -0
  160. package/dist/types.d.ts.map +1 -0
  161. package/dist/types.js +8 -0
  162. package/dist/types.js.map +1 -0
  163. package/package.json +18 -3
  164. package/AGA_MCP_SERVER_SPEC.md +0 -632
  165. package/src/core/artifact.ts +0 -45
  166. package/src/core/attestation.ts +0 -33
  167. package/src/core/behavioral.ts +0 -132
  168. package/src/core/bundle.ts +0 -31
  169. package/src/core/chain.ts +0 -72
  170. package/src/core/checkpoint.ts +0 -22
  171. package/src/core/delegation.ts +0 -146
  172. package/src/core/disclosure.ts +0 -32
  173. package/src/core/index.ts +0 -11
  174. package/src/core/portal.ts +0 -96
  175. package/src/core/quarantine.ts +0 -16
  176. package/src/core/receipt.ts +0 -33
  177. package/src/core/subject.ts +0 -11
  178. package/src/core/types.ts +0 -244
  179. package/src/crypto/hash.ts +0 -33
  180. package/src/crypto/index.ts +0 -5
  181. package/src/crypto/merkle.ts +0 -43
  182. package/src/crypto/salt.ts +0 -18
  183. package/src/crypto/sign.ts +0 -35
  184. package/src/crypto/types.ts +0 -19
  185. package/src/index.ts +0 -12
  186. package/src/middleware/governance.ts +0 -95
  187. package/src/middleware/index.ts +0 -1
  188. package/src/server.ts +0 -436
  189. package/src/storage/index.ts +0 -3
  190. package/src/storage/interface.ts +0 -21
  191. package/src/storage/memory.ts +0 -27
  192. package/src/storage/sqlite.ts +0 -45
  193. package/src/tools/README.md +0 -13
  194. package/src/utils/canonical.ts +0 -14
  195. package/src/utils/constants.ts +0 -3
  196. package/src/utils/timestamp.ts +0 -12
  197. package/src/utils/uuid.ts +0 -2
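--- a/package/dist/resources/crypto-primitives.js
+++ b/package/dist/resources/crypto-primitives.js
@@ -0,0 +1,52 @@
+export const CRYPTO_PRIMITIVES_DOC = `# AGA Cryptographic Primitives
+
+## Ed25519 Digital Signatures
+- Library: @noble/ed25519 v2.1.0
+- Key size: 256-bit (32 bytes)
+- Signature size: 512-bit (64 bytes)
+- Used for: Artifact signing, receipt signing, chain event signing
+
+## SHA-256 Hashing
+- Library: @noble/hashes v1.7.0
+- Output: 256-bit (64 hex characters)
+- Used for: Sealed hash, leaf hash, payload hash, subject identity
+
+## Sealed Hash Construction
+\`\`\`
+sealed_hash = SHA-256(bytes_hash || metadata_hash || policy_reference || seal_salt)
+\`\`\`
+- No delimiters between fields (raw hex concatenation)
+- No delimiters per protocol spec
+
+## Leaf Hash Construction
+\`\`\`
+leaf_hash = SHA-256(
+schema_version || "||" || protocol_version || "||" ||
+event_type || "||" || event_id || "||" ||
+sequence_number || "||" || timestamp || "||" ||
+previous_leaf_hash
+)
+\`\`\`
+- **Payload EXCLUDED** - privacy innovation
+- Chain integrity verifiable without revealing event contents
+
+## Salted Commitments
+\`\`\`
+commitment = SHA-256(content_bytes || salt_bytes)
+\`\`\`
+- Salt: 128-bit (16 bytes, 32 hex chars) CSPRNG
+- Enables selective disclosure
+
+## Merkle Trees
+- Binary tree over leaf hashes
+- Internal nodes: SHA-256(left || right)
+- Odd leaf count: last leaf duplicated
+- Inclusion proofs: array of {hash, direction} pairs
+
+## Canonical Serialization
+- RFC 8785 aligned
+- Sorted keys, no whitespace
+- Used before signing any object
+`;
+export const CRYPTO_PRIMITIVES_URI = 'aga://crypto-primitives';
+//# sourceMappingURL=crypto-primitives.js.map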
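Review bot: The Merkle construction described in the Merkle Trees section, `SHA-256(left || right)` for internal nodes with no domain separation from leaf hashes plus duplication of the last leaf for odd counts, is ambiguous if the implementation matches this text: an internal node value can be presented as a leaf, and a leaf list whose final element is repeated yields the same root as the original (the CVE-2012-2459 class of bug), so an inclusion proof does not pin down which leaf set was checkpointed. Prefixing leaves and nodes as in RFC 6962, `leaf = SHA-256(0x00 || data)` and `node = SHA-256(0x01 || left || right)`, and promoting an unpaired node instead of duplicating it would remove both ambiguities, and this resource should state the exact rule so offline verifiers implement the same one. Excluding the payload from leaf_hash also means the chain commits only to metadata, so whoever holds the event signing key can replace a payload after the fact without disturbing any leaf or checkpoint; committing `SHA-256(payload)` or the salted commitment already described under Salted Commitments would keep the privacy property while binding the contents. Finally, the `"||"` separator in leaf_hash is only unambiguous if no field (event_type, event_id, timestamp) can itself contain that sequence, and the sealed hash's delimiter-free concatenation relies on every field being fixed-width hex; both assumptions should be written down here rather than left implicit.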
@@ -0,0 +1 @@
1
+ {"version":3,"file":"crypto-primitives.js","sourceRoot":"","sources":["../../src/resources/crypto-primitives.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiDpC,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,yBAAyB,CAAC"}
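--- a/package/dist/resources/sample-bundle.d.ts
+++ b/package/dist/resources/sample-bundle.d.ts
@@ -0,0 +1,6 @@
+export declare function generateSampleBundle(): {
+bundle: string;
+issuerPkHex: string;
+};
+export declare const SAMPLE_BUNDLE_URI = "aga://sample-bundle";
+//# sourceMappingURL=sample-bundle.d.ts.map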
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sample-bundle.d.ts","sourceRoot":"","sources":["../../src/resources/sample-bundle.ts"],"names":[],"mappings":"AAgBA,wBAAgB,oBAAoB,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CA8C9E;AAED,eAAO,MAAM,iBAAiB,wBAAwB,CAAC"}
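--- a/package/dist/resources/sample-bundle.js
+++ b/package/dist/resources/sample-bundle.js
@@ -0,0 +1,58 @@
+/**
+* Sample Evidence Bundle: generates a real, cryptographically signed bundle.
+* Can be verified with aga_verify_bundle.
+*/
+import { generateKeyPair, pkToHex } from '../crypto/sign.js';
+import { sha256Str } from '../crypto/hash.js';
+import { computeSubjectIdFromString } from '../core/subject.js';
+import { performAttestation } from '../core/attestation.js';
+import { generateArtifact, hashArtifact } from '../core/artifact.js';
+import { generateReceipt } from '../core/receipt.js';
+import { createGenesisEvent, appendEvent } from '../core/chain.js';
+import { createCheckpoint, eventInclusionProof } from '../core/checkpoint.js';
+import { generateBundle } from '../core/bundle.js';
+let cachedBundle = null;
+export function generateSampleBundle() {
+if (cachedBundle)
+return cachedBundle;
+const issuerKP = generateKeyPair();
+const portalKP = generateKeyPair();
+const chainKP = generateKeyPair();
+const content = 'def sample_agent(): return task.execute()';
+const meta = { filename: 'sample_agent.py', version: '1.0.0' };
+const subId = computeSubjectIdFromString(content, meta);
+const policyRef = sha256Str('sample-policy');
+const att = performAttestation({ subject_identifier: subId, policy_reference: policyRef, evidence_items: [] });
+const artifact = generateArtifact({
+subject_identifier: subId, policy_reference: policyRef, policy_version: 1,
+sealed_hash: att.sealed_hash, seal_salt: att.seal_salt,
+enforcement_parameters: {
+measurement_cadence_ms: 1000, ttl_seconds: 3600,
+enforcement_triggers: ['QUARANTINE', 'TERMINATE'],
+re_attestation_required: true, measurement_types: ['EXECUTABLE_IMAGE'],
+},
+disclosure_policy: { claims_taxonomy: [], substitution_rules: [] },
+evidence_commitments: att.evidence_commitments, issuer_keypair: issuerKP,
+});
+const artRef = hashArtifact(artifact);
+const receipt = generateReceipt({
+subjectId: subId, artifactRef: artRef,
+currentHash: subId.bytes_hash, sealedHash: subId.bytes_hash,
+driftDetected: false, driftDescription: null, action: null,
+measurementType: 'EXECUTABLE_IMAGE', seq: 1, prevLeaf: null, portalKP,
+});
+const genesis = createGenesisEvent(chainKP, sha256Str('AGA-Spec'));
+const e1 = appendEvent('POLICY_ISSUANCE', { artifact_hash: artRef }, genesis, chainKP);
+const e2 = appendEvent('INTERACTION_RECEIPT', { receipt_id: receipt.receipt_id }, e1, chainKP);
+const chain = [genesis, e1, e2];
+const { checkpoint } = createCheckpoint(chain);
+const proof = eventInclusionProof(chain, e1.sequence_number);
+const bundle = generateBundle(artifact, [receipt], [proof], checkpoint, portalKP);
+cachedBundle = {
+bundle: JSON.stringify(bundle, null, 2),
+issuerPkHex: pkToHex(issuerKP.publicKey),
+};
+return cachedBundle;
+}
+export const SAMPLE_BUNDLE_URI = 'aga://sample-bundle';
+//# sourceMappingURL=sample-bundle.js.map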
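Review bot: The header comment says the bundle "Can be verified with aga_verify_bundle", but `issuerPkHex` is returned from the same function as the bundle, so a caller that feeds both straight into the verifier only checks self-consistency, not that a trusted issuer signed anything; the comment should make the trust model explicit, e.g. `* The returned issuerPkHex is the trust anchor: a real verifier must pin it out-of-band. Passing a key obtained together with the bundle proves only internal consistency.` The receipt is also built with `sealedHash: subId.bytes_hash` while the artifact carries `sealed_hash: att.sealed_hash`; if `generateReceipt`'s `sealedHash` is meant to be the artifact's sealed hash this sample would never exercise the real comparison path, so either pass `att.sealed_hash` or add a comment stating that the bytes hash is the reference value for an EXECUTABLE_IMAGE measurement (I cannot see `generateReceipt` here to tell which is intended). Finally, `cachedBundle` fixes the keys and bundle for the lifetime of the process, which is fine for a demo resource but deserves a one-line comment so nobody mistakes the sample for fresh evidence on each call.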
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sample-bundle.js","sourceRoot":"","sources":["../../src/resources/sample-bundle.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,cAAc,EAAuB,MAAM,mBAAmB,CAAC;AAExE,IAAI,YAAY,GAAmD,IAAI,CAAC;AAExE,MAAM,UAAU,oBAAoB;IAClC,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAElC,MAAM,OAAO,GAAG,2CAA2C,CAAC;IAC5D,MAAM,IAAI,GAAG,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC/D,MAAM,KAAK,GAAG,0BAA0B,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,kBAAkB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC,CAAC;IAE/G,MAAM,QAAQ,GAAG,gBAAgB,CAAC;QAChC,kBAAkB,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,cAAc,EAAE,CAAC;QACzE,WAAW,EAAE,GAAG,CAAC,WAAY,EAAE,SAAS,EAAE,GAAG,CAAC,SAAU;QACxD,sBAAsB,EAAE;YACtB,sBAAsB,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI;YAC/C,oBAAoB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;YACjD,uBAAuB,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC,kBAAkB,CAAC;SACvE;QACD,iBAAiB,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;QAClE,oBAAoB,EAAE,GAAG,CAAC,oBAAoB,EAAE,cAAc,EAAE,QAAQ;KACzE,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,eAAe,CAAC;QAC9B,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM;QACrC,WAAW,EAAE,KAAK,CAAC,UAAU,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU;QAC3D,aAAa,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI;QAC1D,eAAe,EAAE,kBAAkB,EAAE,GAAG,EAAE,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ;KACtE,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IACnE,MAAM,EAAE,GAAG,WAAW,CAAC,iBA
AiB,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACvF,MAAM,EAAE,GAAG,WAAW,CAAC,qBAAqB,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/F,MAAM,KAAK,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAChC,MAAM,EAAE,UAAU,EAAE,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAElF,YAAY,GAAG;QACb,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;KACzC,CAAC;IACF,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC"}
@@ -0,0 +1,3 @@
1
+ export declare const PROTOCOL_SPECIFICATION = "# Attested Governance Artifact (AGA) Protocol Specification v2.0.0\n\n## NIST References\n- NIST-2025-0035: AI Agent Transparency and Accountability\n- NCCoE AI Agent Identity and Authorization\n\n## Protocol Overview\nThe AGA protocol provides cryptographic governance for autonomous AI systems through:\n1. **Sealed Hash Attestation** - SHA-256(bytes_hash || metadata_hash || policy_ref || seal_salt)\n2. **Continuity Chain** - Tamper-evident append-only event log with privacy-preserving leaf hashes\n3. **Portal State Machine** - Zero-trust Policy Enforcement Point (7 states, fail-closed)\n4. **Signed Receipts** - Ed25519-signed measurement receipt for EVERY measurement\n5. **Evidence Bundles** - Offline-verifiable packages with Merkle inclusion proofs\n\n## 10 Measurement Embodiments\n1. EXECUTABLE_IMAGE - Runtime binary or script content\n2. LOADED_MODULES - Dynamic libraries and plugins\n3. CONTAINER_IMAGE - Container image manifest hash\n4. CONFIG_MANIFEST - Configuration file integrity\n5. SBOM - Software Bill of Materials verification\n6. TEE_QUOTE - Trusted Execution Environment attestation\n7. MEMORY_REGIONS - Runtime memory layout verification\n8. CONTROL_FLOW - Execution path integrity\n9. FILE_SYSTEM_STATE - Filesystem integrity monitoring\n10. NETWORK_CONFIG - Network configuration baseline\n\n## 6 Portal States\n1. INITIALIZATION - Server started, no artifact loaded\n2. ARTIFACT_VERIFICATION - Verifying artifact signature and validity\n3. ACTIVE_MONITORING - Operational, measurements occurring\n4. DRIFT_DETECTED - Hash mismatch detected, enforcement pending\n5. PHANTOM_QUARANTINE - Forensic capture mode, outputs severed\n6. TERMINATED - Fail-closed, no recovery without re-attestation\n\nPlus SAFE_STATE for graceful degradation on revocation.\n\n## 7 Enforcement Actions\n1. QUARANTINE - Phantom execution with forensic capture\n2. TERMINATE - Immediate kill, fail-closed\n3. 
SAFE_STATE - Return-to-home / controlled shutdown\n4. NETWORK_ISOLATE - Sever network, continue local\n5. KEY_REVOKE - Invalidate cryptographic keys\n6. TOKEN_INVALIDATE - Revoke access tokens\n7. ALERT_ONLY - Log without enforcement (gradual deployment)\n\n## 3 Verification Tiers\n| Tier | Description | Trust Assumption |\n|------|-------------|-----------------|\n| Bronze | Cryptographic signatures only | Trust signing keys |\n| Silver | Signatures + continuity chain | Trust chain operator + keys |\n| Gold | Full verification with blockchain-anchored Merkle proofs | Minimal trust - external anchor |\n\n## 3 Disclosure Modes\n1. PROOF_ONLY - Returns boolean attestation without revealing the value\n2. REVEAL_MIN - Returns minimal representation (e.g., range instead of exact value)\n3. REVEAL_FULL - Returns the complete claim value\n\n## Leaf Hash Formula (Privacy Innovation)\n```\nleaf_hash = SHA-256(\n schema_version || \"||\" || protocol_version || \"||\" ||\n event_type || \"||\" || event_id || \"||\" ||\n sequence_number || \"||\" || timestamp || \"||\" ||\n previous_leaf_hash\n)\n```\n**PAYLOAD IS EXCLUDED from the leaf hash.** This is a key privacy innovation - chain integrity can be verified without revealing the contents of any event. Only the structural metadata participates in the hash. The payload is separately integrity-protected via event_signature.\n\n## SPIFFE/SPIRE Integration Point\nSPIRE handles node-to-workload identity (SVID); AGA handles workload-to-intent governance. SPIFFE provides transport-layer identity binding via SVIDs (SPIFFE Verifiable Identity Documents). 
AGA binds governance policy to the workload's operational intent, creating a complementary layer:\n- SPIFFE: \"This workload IS who it claims to be\" (identity)\n- AGA: \"This workload IS DOING what it was attested to do\" (governance)\n\n## Framework Alignment\n| Framework | AGA Alignment |\n|-----------|--------------|\n| NIST SP 800-53 | SI-7 (Software Integrity), AU-10 (Non-repudiation), SI-4 (Monitoring) |\n| NIST AI RMF | Govern \u2192 Policy Artifacts; Map \u2192 Subject ID; Measure \u2192 Portal + Receipts; Manage \u2192 Enforcement |\n| NIST SP 800-57 | Key management for Ed25519 signing keys |\n| NIST SSDF (SP 800-218) | Software supply chain integrity via sealed hash attestation |\n| NIST SP 800-207 (ZTA) | Zero Trust Architecture - portal as Policy Enforcement Point, never trust, always verify |\n| ISO 42001 | AI management system - governance artifacts as compliance evidence |\n| EU AI Act | High-risk AI system transparency via evidence bundles |\n\n## Cryptographic Primitives\n- **Hashing:** SHA-256 (primary), BLAKE2b-256 (secondary)\n- **Signing:** Ed25519 via @noble/ed25519\n- **Salts:** 128-bit CSPRNG via @noble/hashes/utils\n- **Merkle Trees:** SHA-256 binary tree with inclusion proofs\n- **Serialization:** RFC 8785 deterministic JSON (sorted keys)\n\n## Event Types (12)\nGENESIS, POLICY_ISSUANCE, INTERACTION_RECEIPT, REVOCATION, ATTESTATION,\nANCHOR_BATCH, DISCLOSURE, SUBSTITUTION, KEY_ROTATION, BEHAVIORAL_DRIFT,\nDELEGATION, RE_ATTESTATION\n\n## 4 Sensitivity Levels\n- S1_LOW - Can be revealed fully\n- S2_MODERATE - Can be revealed minimally or proved\n- S3_HIGH - Proof only, auto-substitutes to lower sensitivity\n- S4_CRITICAL - Maximum protection, proof only, cascading substitution\n\n## CoSAI MCP Security Threat Coverage\n\nThe Coalition for Secure AI (CoSAI) published a comprehensive MCP security taxonomy\nidentifying 12 core threat categories and nearly 40 distinct threats specific to Model\nContext Protocol deployments (January 2026). 
The AGA MCP Server addresses all 12 categories.\n\n| CoSAI Category | Threat Domain | AGA Governance Mechanism |\n|---|---|---|\n| T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |\n| T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |\n| T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |\n| T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |\n| T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |\n| T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |\n| T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |\n| T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |\n| T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |\n| T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |\n| T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |\n| T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |\n\nCoverage: 12 of 12 threat categories addressed.\nSource: CoSAI/OASIS, \"Securing the AI Agent 
Revolution\" (January 2026)\n\n### CoSAI Recommended Controls and AGA Implementation\n\n1. Strong Identity Throughout the Chain\n AGA: Ed25519 keypairs for issuer, portal, and chain. Every artifact and receipt\n cryptographically signed. Key rotation recorded in chain. Delegation produces\n derived artifacts with independent signatures traceable to the issuing authority.\n\n2. Zero Trust Applied to AI Agents\n AGA: Portal treats all agent operations as untrusted. Every request measured\n against sealed reference before authorization. Fail-closed: default state is denial.\n Agent cannot execute without a valid, signature-verified artifact.\n\n3. Sandbox Everything\n AGA: Two-process architecture. Agent and portal are separate OS processes.\n Agent has no credentials, no keys, no direct resource access. Phantom execution\n provides runtime sandboxing when drift is detected.\n\n4. Defensive Tool Design\n AGA: Permitted tools sealed in artifact. Forbidden sequences explicitly defined.\n Rate limits per tool. Portal enforces all constraints mechanically, independent\n of LLM judgment. Behavioral drift detection catches tool misuse patterns.\n\n5. Supply Chain Lockdown\n AGA: Content-addressable hash binding at attestation. Runtime measurement\n detects any component modification. Sealed hash covers all subject bytes,\n metadata, and policy reference. 10 measurement embodiments for comprehensive\n coverage.\n\n6. Observability from Day One\n AGA: Signed receipt for every measurement. Tamper-evident continuity chain.\n Structural metadata linking enables third-party verification without payload\n disclosure. Merkle checkpoint anchoring. Portable offline evidence bundles.\n";
2
+ export declare const SPECIFICATION_URI = "aga://specification";
3
+ //# sourceMappingURL=specification.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"specification.d.ts","sourceRoot":"","sources":["../../src/resources/specification.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,siSA8JlC,CAAC;AAEF,eAAO,MAAM,iBAAiB,wBAAwB,CAAC"}
@@ -0,0 +1,161 @@
1
+ export const PROTOCOL_SPECIFICATION = `# Attested Governance Artifact (AGA) Protocol Specification v2.0.0
2
+
3
+ ## NIST References
4
+ - NIST-2025-0035: AI Agent Transparency and Accountability
5
+ - NCCoE AI Agent Identity and Authorization
6
+
7
+ ## Protocol Overview
8
+ The AGA protocol provides cryptographic governance for autonomous AI systems through:
9
+ 1. **Sealed Hash Attestation** - SHA-256(bytes_hash || metadata_hash || policy_ref || seal_salt)
10
+ 2. **Continuity Chain** - Tamper-evident append-only event log with privacy-preserving leaf hashes
11
+ 3. **Portal State Machine** - Zero-trust Policy Enforcement Point (7 states, fail-closed)
12
+ 4. **Signed Receipts** - Ed25519-signed measurement receipt for EVERY measurement
13
+ 5. **Evidence Bundles** - Offline-verifiable packages with Merkle inclusion proofs
14
+
15
+ ## 10 Measurement Embodiments
16
+ 1. EXECUTABLE_IMAGE - Runtime binary or script content
17
+ 2. LOADED_MODULES - Dynamic libraries and plugins
18
+ 3. CONTAINER_IMAGE - Container image manifest hash
19
+ 4. CONFIG_MANIFEST - Configuration file integrity
20
+ 5. SBOM - Software Bill of Materials verification
21
+ 6. TEE_QUOTE - Trusted Execution Environment attestation
22
+ 7. MEMORY_REGIONS - Runtime memory layout verification
23
+ 8. CONTROL_FLOW - Execution path integrity
24
+ 9. FILE_SYSTEM_STATE - Filesystem integrity monitoring
25
+ 10. NETWORK_CONFIG - Network configuration baseline
26
+
27
+ ## 6 Portal States
28
+ 1. INITIALIZATION - Server started, no artifact loaded
29
+ 2. ARTIFACT_VERIFICATION - Verifying artifact signature and validity
30
+ 3. ACTIVE_MONITORING - Operational, measurements occurring
31
+ 4. DRIFT_DETECTED - Hash mismatch detected, enforcement pending
32
+ 5. PHANTOM_QUARANTINE - Forensic capture mode, outputs severed
33
+ 6. TERMINATED - Fail-closed, no recovery without re-attestation
34
+
35
+ Plus SAFE_STATE for graceful degradation on revocation.
36
+
37
+ ## 7 Enforcement Actions
38
+ 1. QUARANTINE - Phantom execution with forensic capture
39
+ 2. TERMINATE - Immediate kill, fail-closed
40
+ 3. SAFE_STATE - Return-to-home / controlled shutdown
41
+ 4. NETWORK_ISOLATE - Sever network, continue local
42
+ 5. KEY_REVOKE - Invalidate cryptographic keys
43
+ 6. TOKEN_INVALIDATE - Revoke access tokens
44
+ 7. ALERT_ONLY - Log without enforcement (gradual deployment)
45
+
46
+ ## 3 Verification Tiers
47
+ | Tier | Description | Trust Assumption |
48
+ |------|-------------|-----------------|
49
+ | Bronze | Cryptographic signatures only | Trust signing keys |
50
+ | Silver | Signatures + continuity chain | Trust chain operator + keys |
51
+ | Gold | Full verification with blockchain-anchored Merkle proofs | Minimal trust - external anchor |
52
+
53
+ ## 3 Disclosure Modes
54
+ 1. PROOF_ONLY - Returns boolean attestation without revealing the value
55
+ 2. REVEAL_MIN - Returns minimal representation (e.g., range instead of exact value)
56
+ 3. REVEAL_FULL - Returns the complete claim value
57
+
58
+ ## Leaf Hash Formula (Privacy Innovation)
59
+ \`\`\`
60
+ leaf_hash = SHA-256(
61
+ schema_version || "||" || protocol_version || "||" ||
62
+ event_type || "||" || event_id || "||" ||
63
+ sequence_number || "||" || timestamp || "||" ||
64
+ previous_leaf_hash
65
+ )
66
+ \`\`\`
67
+ **PAYLOAD IS EXCLUDED from the leaf hash.** This is a key privacy innovation - chain integrity can be verified without revealing the contents of any event. Only the structural metadata participates in the hash. The payload is separately integrity-protected via event_signature.
68
+
69
+ ## SPIFFE/SPIRE Integration Point
70
+ SPIRE handles node-to-workload identity (SVID); AGA handles workload-to-intent governance. SPIFFE provides transport-layer identity binding via SVIDs (SPIFFE Verifiable Identity Documents). AGA binds governance policy to the workload's operational intent, creating a complementary layer:
71
+ - SPIFFE: "This workload IS who it claims to be" (identity)
72
+ - AGA: "This workload IS DOING what it was attested to do" (governance)
73
+
74
+ ## Framework Alignment
75
+ | Framework | AGA Alignment |
76
+ |-----------|--------------|
77
+ | NIST SP 800-53 | SI-7 (Software Integrity), AU-10 (Non-repudiation), SI-4 (Monitoring) |
78
+ | NIST AI RMF | Govern → Policy Artifacts; Map → Subject ID; Measure → Portal + Receipts; Manage → Enforcement |
79
+ | NIST SP 800-57 | Key management for Ed25519 signing keys |
80
+ | NIST SSDF (SP 800-218) | Software supply chain integrity via sealed hash attestation |
81
+ | NIST SP 800-207 (ZTA) | Zero Trust Architecture - portal as Policy Enforcement Point, never trust, always verify |
82
+ | ISO 42001 | AI management system - governance artifacts as compliance evidence |
83
+ | EU AI Act | High-risk AI system transparency via evidence bundles |
84
+
85
+ ## Cryptographic Primitives
86
+ - **Hashing:** SHA-256 (primary), BLAKE2b-256 (secondary)
87
+ - **Signing:** Ed25519 via @noble/ed25519
88
+ - **Salts:** 128-bit CSPRNG via @noble/hashes/utils
89
+ - **Merkle Trees:** SHA-256 binary tree with inclusion proofs
90
+ - **Serialization:** RFC 8785 deterministic JSON (sorted keys)
91
+
92
+ ## Event Types (12)
93
+ GENESIS, POLICY_ISSUANCE, INTERACTION_RECEIPT, REVOCATION, ATTESTATION,
94
+ ANCHOR_BATCH, DISCLOSURE, SUBSTITUTION, KEY_ROTATION, BEHAVIORAL_DRIFT,
95
+ DELEGATION, RE_ATTESTATION
96
+
97
+ ## 4 Sensitivity Levels
98
+ - S1_LOW - Can be revealed fully
99
+ - S2_MODERATE - Can be revealed minimally or proved
100
+ - S3_HIGH - Proof only, auto-substitutes to lower sensitivity
101
+ - S4_CRITICAL - Maximum protection, proof only, cascading substitution
102
+
103
+ ## CoSAI MCP Security Threat Coverage
104
+
105
+ The Coalition for Secure AI (CoSAI) published a comprehensive MCP security taxonomy
106
+ identifying 12 core threat categories and nearly 40 distinct threats specific to Model
107
+ Context Protocol deployments (January 2026). The AGA MCP Server addresses all 12 categories.
108
+
109
+ | CoSAI Category | Threat Domain | AGA Governance Mechanism |
110
+ |---|---|---|
111
+ | T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
112
+ | T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
113
+ | T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
114
+ | T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
115
+ | T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
116
+ | T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
117
+ | T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
118
+ | T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
119
+ | T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
120
+ | T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
121
+ | T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
122
+ | T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |
123
+
124
+ Coverage: 12 of 12 threat categories addressed.
125
+ Source: CoSAI/OASIS, "Securing the AI Agent Revolution" (January 2026)
126
+
127
+ ### CoSAI Recommended Controls and AGA Implementation
128
+
129
+ 1. Strong Identity Throughout the Chain
130
+ AGA: Ed25519 keypairs for issuer, portal, and chain. Every artifact and receipt
131
+ cryptographically signed. Key rotation recorded in chain. Delegation produces
132
+ derived artifacts with independent signatures traceable to the issuing authority.
133
+
134
+ 2. Zero Trust Applied to AI Agents
135
+ AGA: Portal treats all agent operations as untrusted. Every request measured
136
+ against sealed reference before authorization. Fail-closed: default state is denial.
137
+ Agent cannot execute without a valid, signature-verified artifact.
138
+
139
+ 3. Sandbox Everything
140
+ AGA: Two-process architecture. Agent and portal are separate OS processes.
141
+ Agent has no credentials, no keys, no direct resource access. Phantom execution
142
+ provides runtime sandboxing when drift is detected.
143
+
144
+ 4. Defensive Tool Design
145
+ AGA: Permitted tools sealed in artifact. Forbidden sequences explicitly defined.
146
+ Rate limits per tool. Portal enforces all constraints mechanically, independent
147
+ of LLM judgment. Behavioral drift detection catches tool misuse patterns.
148
+
149
+ 5. Supply Chain Lockdown
150
+ AGA: Content-addressable hash binding at attestation. Runtime measurement
151
+ detects any component modification. Sealed hash covers all subject bytes,
152
+ metadata, and policy reference. 10 measurement embodiments for comprehensive
153
+ coverage.
154
+
155
+ 6. Observability from Day One
156
+ AGA: Signed receipt for every measurement. Tamper-evident continuity chain.
157
+ Structural metadata linking enables third-party verification without payload
158
+ disclosure. Merkle checkpoint anchoring. Portable offline evidence bundles.
159
+ `;
160
+ export const SPECIFICATION_URI = 'aga://specification';
161
+ //# sourceMappingURL=specification.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"specification.js","sourceRoot":"","sources":["../../src/resources/specification.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8JrC,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC"}
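--- a/package/dist/server.d.ts
+++ b/package/dist/server.d.ts
@@ -1,12 +1,8 @@
 /**
-* AGA MCP Server. The Portal (ref 150) as an MCP service.
+* AGA MCP Server V2.0.0 - The Portal (ref 150) as an MCP service.
 *
-* V3 NIST-aligned behaviors:
-* 1. Every measurement generates a receipt (match OR mismatch)
-* 2. TTL checked on every measurement (fail-closed)
-* 3. Mid-session revocation via revoke_artifact tool
-* 4. Governance middleware: portal state checked before tool execution
-* 5. Auto-chaining: every operation writes to continuity chain
+* 20 tools, 3 resources, 3 prompts.
+* NIST-2025-0035, NCCoE AI Agent Identity and Authorization
 */
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 export declare function createAGAServer(): Promise<McpServer>;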
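Review bot: The rewritten header comment drops the only statement in this declaration file of the server's enforcement contract (receipt on every measurement, fail-closed TTL check, mid-session revocation, governance middleware before tool execution, auto-chaining) and replaces it with tool/resource/prompt counts that will drift as tools are added. Consumers who only read the types lose the fail-closed guarantee they may be relying on; a one-line pointer such as ` * Enforcement semantics (fail-closed TTL, revocation, governance middleware): see <LOCATION OF THE V2 BEHAVIOUR LIST>` would keep it discoverable. The `NIST-2025-0035` reference reads like a publication number; if it is a draft or project identifier, the full title or a link would make it verifiable. The implementation of createAGAServer is outside this section, so whether the previously listed behaviours still hold is not visible here.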
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAiDpE,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAwX1D"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAwCpE,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAiW1D"}