@attested-intelligence/aga-mcp-server 3.0.0-rc.0 → 3.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +47 -7
- package/THREAT_BOUNDARY.md +4 -4
- package/dist/proxy/evaluator.d.ts +1 -1
- package/dist/proxy/evaluator.js +2 -2
- package/dist/proxy/evaluator.js.map +1 -1
- package/dist/proxy/types.d.ts +1 -1
- package/dist/proxy/types.js +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -5,9 +5,10 @@ Cryptographic runtime governance for AI agents and autonomous systems.
|
|
|
5
5
|
[](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
6
6
|
[](https://pypi.org/project/aga-governance/)
|
|
7
7
|
[](LICENSE)
|
|
8
|
-
[](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
9
|
+
[](https://www.npmjs.com/package/@attested-intelligence/aga-mcp-server)
|
|
9
10
|
|
|
10
|
-
> **Status
|
|
11
|
+
> **Status: 3.0.0 (latest, published to npm with SLSA build provenance).** The server tools and the `aga-proxy` emit the **canonical SEP evidence bundle**, verifiable offline by the published `@attested-intelligence/aga-verify` and the reference verifier `aga-receipt-spec/verify/verify-sep.mjs`. Pre-3.0 releases (a legacy continuity-chain bundle that does *not* verify under the SEP verifier) are deprecated; use `^3.0.0`. Claim scope and residual attack surface are documented honestly in `THREAT_BOUNDARY.md`.
|
|
11
12
|
|
|
12
13
|
```bash
|
|
13
14
|
# This package IS the AGA MCP server (TypeScript, runs over stdio). Use it from any MCP client:
|
|
@@ -16,13 +17,27 @@ npx -y @attested-intelligence/aga-mcp-server
|
|
|
16
17
|
|
|
17
18
|
A Python companion SDK (`aga-governance`) is documented in the Python SDK section below.
|
|
18
19
|
|
|
20
|
+
## Verify this yourself (no trust required)
|
|
21
|
+
|
|
22
|
+
You do not have to take any of this on faith. The repo ships the reference verifier, the canonical vectors, and sample bundles, so you can check one offline right now with no network and no dependency on us:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
git clone https://github.com/attestedintelligence/aga-mcp-server
|
|
26
|
+
cd aga-mcp-server
|
|
27
|
+
# A canonical SEP bundle verifies; a one-byte-tampered copy is rejected.
|
|
28
|
+
node aga-receipt-spec/verify/verify-sep.mjs fixtures/valid_minimal.json # OVERALL: VERIFIED (integrity only; no key pinned)
|
|
29
|
+
node aga-receipt-spec/verify/verify-sep.mjs fixtures/tampered.json # OVERALL: FAILED
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
The published `@attested-intelligence/aga-verify@2.0.0` CLI renders the identical verdict, and `npm run conformance:cross-stack` proves six independent verifiers (the reference, the in-server engine, `aga-verify`, Go, and two Python implementations) agree on all 55 canonical cases. For a full trust-free reproduction (build the package yourself, reproduce the published tarball byte-for-byte, re-run every gate), see **[REPRODUCIBILITY.md](REPRODUCIBILITY.md)** and the step-by-step **[SKEPTICAL_AUDITOR.md](SKEPTICAL_AUDITOR.md)**. The 3.0.0 npm release carries SLSA build provenance, checkable with `npm audit signatures`.
|
|
33
|
+
|
|
19
34
|
## What This Does
|
|
20
35
|
|
|
21
36
|
Every tool call an AI agent makes passes through the AGA gateway. Each call is evaluated against policy, and the decision (PERMITTED or DENIED) is recorded as a signed, hash-linked governance receipt. Receipts are collected into evidence bundles that any third party can verify offline using standard cryptography.
|
|
22
37
|
|
|
23
38
|
**Record. Prove. Verify.**
|
|
24
39
|
|
|
25
|
-
**Scope:** a verified bundle proves the *integrity of the receipts present* — each is authentic, correctly ordered, Merkle-included, and (when a key is pinned) provenance-bound. It does **not** prove non-omission (that every action the agent took was logged); completeness is bounded by the tamper-evidence of the interception point, which is outside the bundle.
|
|
40
|
+
**Scope:** a verified bundle proves the *integrity of the receipts present* — each is authentic, correctly ordered, Merkle-included, and (when a key is pinned) provenance-bound. It does **not** prove non-omission (that every action the agent took was logged); completeness is bounded by the tamper-evidence of the interception point, which is outside the bundle. See **[KNOWN_LIMITATIONS.md](https://github.com/attestedintelligence/aga-mcp-server/blob/main/KNOWN_LIMITATIONS.md)** for the full honest boundary, and `THREAT_BOUNDARY.md` for the per-field detail.
|
|
26
41
|
|
|
27
42
|
## Use with Claude Desktop
|
|
28
43
|
|
|
@@ -41,6 +56,31 @@ Add to your Claude Desktop MCP config (`claude_desktop_config.json`):
|
|
|
41
56
|
|
|
42
57
|
Claude can then seal artifacts, measure integrity, generate evidence bundles, and verify compliance through natural language.
|
|
43
58
|
|
|
59
|
+
### Persist the signing key (do this first)
|
|
60
|
+
|
|
61
|
+
By default the gateway signs with an **ephemeral** key that rotates on every restart. That is fine for a first look, but evidence-bundle provenance cannot be pinned across restarts (and the server warns about it on stderr). Set one stable 64-hex Ed25519 seed so provenance stays pinnable:
|
|
62
|
+
|
|
63
|
+
```bash
|
|
64
|
+
# generate a seed once (32 random bytes, hex)
|
|
65
|
+
node -e "console.log(require('node:crypto').randomBytes(32).toString('hex'))"
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
Provide it via `AGA_GATEWAY_KEY`, or `AGA_GATEWAY_KEY_FILE` (a path to the seed). In Claude Desktop, add an `env` block:
|
|
69
|
+
|
|
70
|
+
```json
|
|
71
|
+
{
|
|
72
|
+
"mcpServers": {
|
|
73
|
+
"aga": {
|
|
74
|
+
"command": "npx",
|
|
75
|
+
"args": ["-y", "@attested-intelligence/aga-mcp-server"],
|
|
76
|
+
"env": { "AGA_GATEWAY_KEY": "<your-64-hex-seed>" }
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
Keep the seed secret and out of version control; see `DEPLOYMENT.md` for key handling.
|
|
83
|
+
|
|
44
84
|
## MCP Tools (15)
|
|
45
85
|
|
|
46
86
|
| Category | Tools |
|
|
@@ -64,7 +104,7 @@ A bundle this package emits (via the `generate_evidence_bundle` tool, or `aga-pr
|
|
|
64
104
|
node aga-receipt-spec/verify/verify-sep.mjs evidence-bundle.json --pubkey <gateway-public-key>
|
|
65
105
|
```
|
|
66
106
|
|
|
67
|
-
The published `@attested-intelligence/aga-verify` CLI mirrors this reference (2.0.0
|
|
107
|
+
The published `@attested-intelligence/aga-verify` CLI mirrors this reference (**2.0.0**, published on npm; the older forgeable 1.0.0 is deprecated). Without `--pubkey` you get an **integrity-only** result (`issuerVerified=false`); pin the key to also prove *who* issued it — see `THREAT_BOUNDARY.md` §3.7. A hosted browser verifier is linked under [Links](#links).
|
|
68
108
|
|
|
69
109
|
The reference §6 algorithm is implemented in **three languages** — JavaScript (`aga-receipt-spec/verify/verify-sep.mjs`), Go (`verify.go`, stdlib `crypto/ed25519`), and Python (`verify.py`, pure-stdlib RFC-8032 Ed25519) — and a cross-stack harness (`npm run conformance:cross-stack`) proves all three, plus the in-server engine and `aga-verify`, render **identical verdicts** on the canonical vectors (valid, adversarial, and every small-order forgery).
|
|
70
110
|
|
|
@@ -165,7 +205,7 @@ with AgentSession(gateway_id="my-gateway") as session:
|
|
|
165
205
|
|
|
166
206
|
Automated tests across TypeScript and Python, plus a conformance corpus:
|
|
167
207
|
|
|
168
|
-
- **TypeScript MCP server:**
|
|
208
|
+
- **TypeScript MCP server:** 297 tests (vitest), including provable-denial and behavioral-monitor regressions
|
|
169
209
|
- **SEP conformance corpus:** `npm run test:conformance` (valid → VERIFIED, negatives → FAILED)
|
|
170
210
|
- **Python companion SDK:** pytest suite (`aga-python`)
|
|
171
211
|
|
|
@@ -191,7 +231,7 @@ src/
|
|
|
191
231
|
aga-python/ # Python companion SDK (PyPI: aga-governance)
|
|
192
232
|
independent-verifier/ # @attested-intelligence/aga-verify — standalone SEP verifier, zero AGA imports
|
|
193
233
|
scenarios/ # Demo scenarios (SCADA, autonomous vehicle, AI agent) — emit SEP bundles
|
|
194
|
-
tests/ # TypeScript test suite (
|
|
234
|
+
tests/ # TypeScript test suite (297 tests)
|
|
195
235
|
```
|
|
196
236
|
|
|
197
237
|
## Links
|
|
@@ -210,7 +250,7 @@ See [SECURITY.md](SECURITY.md) for vulnerability reporting.
|
|
|
210
250
|
|
|
211
251
|
## Contributing
|
|
212
252
|
|
|
213
|
-
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
|
|
253
|
+
See [CONTRIBUTING.md](https://github.com/attestedintelligence/aga-mcp-server/blob/main/CONTRIBUTING.md) for development setup and guidelines.
|
|
214
254
|
|
|
215
255
|
## License
|
|
216
256
|
|
package/THREAT_BOUNDARY.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# AGA MCP Server — Threat Boundary & Bypass Surface (honest audit)
|
|
2
2
|
|
|
3
|
-
**Scope:** `@attested-intelligence/aga-mcp-server` 3.0.0
|
|
3
|
+
**Scope:** `@attested-intelligence/aga-mcp-server` 3.0.0. Written for Sprint 3 CP3.
|
|
4
4
|
**Stance:** defensibility through honesty. This documents what the package **does** guarantee, what it **does not**, and the **residual attack surface** that remains by design or is deferred. Per the project discipline: better a precisely-stated boundary than an overclaim.
|
|
5
5
|
|
|
6
6
|
---
|
|
@@ -44,12 +44,12 @@ Claim scope is **integrity-of-present-receipts, NOT non-omission**: a PASS prove
|
|
|
44
44
|
## 3. Residual attack surface (honest, deferred, or deployment-dependent)
|
|
45
45
|
|
|
46
46
|
1. **Proxy — mandatory mediation is a deployment property.** `GovernanceProxy` governs the path *through it*; if the agent can reach the upstream MCP server **directly** (network), it bypasses governance entirely. `upstreamUrl` (HTTP) is directly reachable. → **Deployment requirement:** the agent must be network-isolated so the proxy is its *only* route to tools. Documented, not code-enforceable here. *(Empirically demonstrated in CP3 A7: `_validation/redteam/a7-proxy-bypass.mjs` — a direct POST to the upstream fired a side effect with no receipt.)* **See `DEPLOYMENT.md` §1: stdio-upstream is the hardened default — the upstream is a non-network-reachable child process, closing this bypass by construction; HTTP-upstream mode now warns on stderr.**
|
|
47
|
-
2. **Proxy — only `method === "tools/call"` is policy-evaluated; partially mitigated in 3.0
|
|
47
|
+
2. **Proxy — only `method === "tools/call"` is policy-evaluated; partially mitigated in 3.0.** Other JSON-RPC methods are still forwarded (not policy-evaluated), but they are now recorded as **signed passthrough receipts** in the evidence bundle for auditability — so a side-effecting non-`tools/call` method is no longer *invisible* (the CP3 A7 `admin/deleteAllData` would now appear as a `(passthrough)` receipt with `method` set and `reason: forwarded, not policy-evaluated`). Benign protocol methods (`initialize`, `ping`, `tools/list`, `*/list`, `notifications/*`, …) are excluded by default; an optional `denyMethods` denylist rejects known side-effecting methods (a **DENIED** passthrough receipt, not forwarded). **What this closes:** invisibility — every forwarded non-benign method is now in the tamper-evident, checkpoint-bound bundle. **What it does NOT close:** the method is not policy-evaluated and still *executes* unless explicitly denylisted (this is *visibility, not governance*), and a direct-to-upstream call (§3.1) still bypasses the proxy entirely. Full per-method policy evaluation remains future work.
|
|
48
48
|
3. **Proxy — denial is observable.** A DENIED call returns a distinctive `-32600` error, which an adversary can use as a policy-probing oracle. Low severity; structured denial metadata could be tightened later.
|
|
49
|
-
4. **Key persistence — mitigated in 3.0
|
|
49
|
+
4. **Key persistence — mitigated in 3.0.** The gateway signing key can be **persisted** via `AGA_GATEWAY_KEY` (64-hex seed) or `AGA_GATEWAY_KEY_FILE` (`DEPLOYMENT.md` §2), so `gateway_public_key` is stable and **pinnable across restarts**. The default remains an ephemeral key (warned on stderr). HSM/KMS backing remains future work. A verifier MUST still pin the key it expects.
|
|
50
50
|
5. **Storage durability (Sprint 5).** Default storage is in-memory → the live chain is lost on **process restart**. The cryptographic record survives via the **exported signed bundle**; durable cross-restart retention needs the SQLite/persistent backend (Sprint 5). The raw quarantine forensic buffer is in-memory by design (only the `arguments_hash` commitment is signed — privacy-preserving and sufficient to *prove* a capture).
|
|
51
51
|
6. **Out of scope entirely (not what AGA does).** AGA does not prevent: model jailbreaks, model-weight theft, credential compromise, or infrastructure compromise. It provides *accountability and provenance* for governed decisions, not prevention of those classes. If an attacker holds the gateway signing key, they can author receipts — protect the key (Sprint 4).
|
|
52
|
-
7. **Verifier-UX / unpinned consumers (NEW — CP3 A5).** A consumer that verifies a bundle **without pinning** the gateway key gets an integrity-only `VERIFIED` with `issuerVerified=false` — *even on a forged, attacker-signed, denial-free bundle*. This is correct (integrity-of-present-receipts ≠ provenance, and the result object/CLI say so explicitly), but a UI that shows a bare "VERIFIED" without prominently propagating `issuerVerified=false` could mislead a non-expert. → Downstream consumers (esp. the website demo) MUST pin the gateway key and never present an unpinned PASS as proof of *who* issued the bundle. **Mitigated in 3.0
|
|
52
|
+
7. **Verifier-UX / unpinned consumers (NEW — CP3 A5).** A consumer that verifies a bundle **without pinning** the gateway key gets an integrity-only `VERIFIED` with `issuerVerified=false` — *even on a forged, attacker-signed, denial-free bundle*. This is correct (integrity-of-present-receipts ≠ provenance, and the result object/CLI say so explicitly), but a UI that shows a bare "VERIFIED" without prominently propagating `issuerVerified=false` could mislead a non-expert. → Downstream consumers (esp. the website demo) MUST pin the gateway key and never present an unpinned PASS as proof of *who* issued the bundle. **Mitigated in 3.0:** the verify result now carries a prominent `summary` — `VERIFIED (provenance verified …)` vs `VERIFIED (integrity only — NOT provenance …)` — surfaced by `verify_bundle_offline` and the reference/`aga-verify` CLIs; key-pinning ergonomics are in `DEPLOYMENT.md` §2. Consumers must still pin.
|
|
53
53
|
8. **Cross-stack verifier conformance (CLOSED — 2026-06-07).** Earlier in the 3.0 hardening only `src/sep/verify.ts` carried the full strict floor; the reference `verify-sep.mjs`, the published `aga-verify`, Go, and Python lagged. **That asymmetry is now closed.** All six verifiers — engine (`src/sep`), reference (`verify-sep.mjs`), `aga-verify`, Go (`verify.go`), and Python (audited library + pure-stdlib) — apply the identical strict floor and return **byte-identical verdicts**. The shared floor: strict field allowlist; `envelope_consistency` (binds the unsigned `gateway_id`/`merkle_root`/`generated_at` to the signed/recomputed values); checkpoint-algorithm binding; lexicographic-string canonicalization with RFC-8785 integral-number normalization; complete small-order/non-canonical-key rejection; **one library-free canonical-timestamp rule** (exact `.sssZ` UTC form via an ASCII regex + integer-arithmetic calendar + lexicographic ordering — no native date parser); merkle-direction-token strictness (`left`/`right` only, length-matched); unpaired-UTF-16-surrogate rejection; depth-bounded never-throw; and whole-document parse (trailing content rejected). Verified by `npm run conformance:cross-stack` — six verifiers agree on every case in the committed corpus (55 cases incl. raw-byte/file-parse), confirmed across multiple rounds of independent blind differential re-audit. See `fixtures/cross-stack/README.md`. **Residual (by design, not a divergence):** the bundle envelope still carries four *unsigned* metadata fields with no signed counterpart — `bundle_id`, `schema_version`, `policy_reference`, `offline_capable`. They are informational and are **not** security-identity fields (the identity fields `gateway_id`/`merkle_root`/`generated_at` ARE bound); a relying party must still trust only signed/verified values and pin the gateway key (§3.7). Of the four, **`policy_reference` is the only identity-grade one** — but the governing policy IS captured and cryptographically verified inside **every signed receipt's own `policy_reference` field** (one of the 15 signed fields), so the unsigned *envelope* `policy_reference` is only a convenience mirror, not the source of truth. Binding the envelope copy is a recommended near-term (3.1) format revision; a coordinated verifier-output flag that marks these four envelope fields as unsigned/not-verified is a recommended enhancement, deliberately deferred here to avoid adding an untested cross-language output surface immediately after the cross-stack-consistency campaign (the verdict surface already attests only the steps it runs, and never claims these fields). One further residual is **unreachable by construction:** SEP signed fields are strings plus the single integer `leaf_count` (the emit guard `assertSignedReceiptFieldsAreStrings` forbids any other number in a signed field), so a verifier's canonicalization of a *non-integer / exponential* number placed in a signed field — which no conformant gateway can emit — is intentionally left unspecified and MAY differ across language stdlibs; it cannot affect any bundle a conformant gateway produces. Reachable string content is fully cross-stack-consistent (an exhaustive 0..0x10FFFF code-point sweep confirms the only ever-divergent characters, `U+2028`/`U+2029`, are normalized identically by every verifier).
|
|
54
54
|
|
|
55
55
|
---
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* AGA Governance Proxy - Tool Policy Evaluator
|
|
3
|
-
* Ported from
|
|
3
|
+
* Ported from the internal AGA governance gateway's policy engine, with rate limiting.
|
|
4
4
|
*
|
|
5
5
|
* Copyright (c) 2026 Attested Intelligence Holdings LLC
|
|
6
6
|
* SPDX-License-Identifier: MIT
|
package/dist/proxy/evaluator.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* AGA Governance Proxy - Tool Policy Evaluator
|
|
3
|
-
* Ported from
|
|
3
|
+
* Ported from the internal AGA governance gateway's policy engine, with rate limiting.
|
|
4
4
|
*
|
|
5
5
|
* Copyright (c) 2026 Attested Intelligence Holdings LLC
|
|
6
6
|
* SPDX-License-Identifier: MIT
|
|
@@ -24,7 +24,7 @@ function checkRateLimit(toolName, maxPerMinute) {
|
|
|
24
24
|
export function resetRateLimits() {
|
|
25
25
|
rateLimits.clear();
|
|
26
26
|
}
|
|
27
|
-
// ── Path Utilities
|
|
27
|
+
// ── Path Utilities ────────────────────────────────
|
|
28
28
|
export function cleanPath(p) {
|
|
29
29
|
p = p.replace(/\\/g, '/');
|
|
30
30
|
p = p.replace(/\/+/g, '/');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/proxy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,SAAS,cAAc,CAAC,QAAgB,EAAE,YAAoB;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC;IAE5B,IAAI,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,wBAAwB;IACxB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IAE9D,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,YAAY;QAAE,OAAO,KAAK,CAAC;IAE3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC;AAED
|
|
1
|
+
{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/proxy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAUH,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,SAAS,cAAc,CAAC,QAAgB,EAAE,YAAoB;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC;IAE5B,IAAI,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,wBAAwB;IACxB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IAE9D,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,YAAY;QAAE,OAAO,KAAK,CAAC;IAE3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC;AAED,qDAAqD;AAErD,MAAM,UAAU,SAAS,CAAC,CAAS;IACjC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAE3B,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,KAAK,GAAG;YAAE,SAAS;QACxC,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClE,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,CAAC;iBAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACrB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,MAAM,KAAK,EAAE;QAAE,MAAM,GAAG,GAAG,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB;IAC7D,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IAE5C,IAAI,cAAc,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,GAAG,GAAG,CAAC;IACpF,OAAO,cAAc,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,oBAAoB,CAC3B,UAA0D,EAC1D,IAA8B;IAE9B,IAAI,CAAC,UAAU,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC5E,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;gBAChD,OAAO,SAAS,GAAG,6BAA6B,UAAU,CAAC,WAAW,GAAG,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAC1B,UAA0C,EAC1C,IAA8B;IAE9B,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,KAAK,MAAM,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,SAAS;QACtC,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;YACjD,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,OAAO,0CAA0C,OAAO,GAAG,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+DAA+D;AAE/D,MAAM,UAAU,QAAQ,CACtB,MAAkB,EAClB,QAAgB,EAChB,IAA8B;IAE9B,MAAM,IAAI,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;IAE/D,iCAAiC;IACjC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACjC,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;IACpF,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAEhD,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;QACtE,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAC3E,CAAC;QAED,mBAAmB;QACnB,IAAI,UAAU,CAAC,oBAAoB,EAAE,CAAC;YACpC,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC/D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,UAAU,CAAC,oBAAoB,MAAM,EAAE,CAAC;YAC5G,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,oBAAoB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACzD,CAAC;QACD,MAAM,aAAa,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC5D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAC5D,CAAC;QACD,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;IAC3E,CAAC;IAED,gBAAgB;IAChB,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACtC,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IACxE,CAAC;IAED,kEAAkE;IAClE,IAAI,UAAU,EAAE,oBAAoB,EAAE,CAAC;QACrC,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,UAAU,CAAC,oBAAoB,MAAM,EAAE,CAAC;QAC5G,CAAC;IACH,CAAC;IAED,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;AAC/D,CAAC"}
|
package/dist/proxy/types.d.ts
CHANGED
package/dist/proxy/types.js
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@attested-intelligence/aga-mcp-server",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.1",
|
|
4
4
|
"description": "MCP server for cryptographic AI agent governance. Seal policy artifacts, enforce at runtime, prove with signed receipts and offline-verifiable evidence bundles.",
|
|
5
5
|
"author": "Attested Intelligence Holdings LLC",
|
|
6
6
|
"license": "MIT",
|