@costrinity/vigil-compliance-mcp 0.1.0

package/README.md

@@ -0,0 +1,105 @@
+# @costrinity/vigil-compliance-mcp
+
+**MCP server exposing VIGIL's compliance fabric as tools your LLM agents can call.**
+
+Pair with [`@costrinity/vigil-mcp`](https://www.npmjs.com/package/@costrinity/vigil-mcp) (the JSON-RPC observer): the observer captures what your agent does, this server gives your agent compliance superpowers before it acts.
+
+## What it gives your agent
+
+| Tool | Purpose |
+|---|---|
+| `consent_check` | Is processing allowed for this principal + purpose? (pre-flight gate) |
+| `breach_classify` | Is this incident reportable? Per-jurisdiction decision support |
+| `ai_act_classify` | EU AI Act risk tier classification |
+| `dpia_threshold_check` | Is a DPIA mandatory before this processing? |
+| `us_sectoral_check` | HIPAA / GLBA / COPPA / FERPA / FCRA / SOX applicability |
+| `india_sectoral_check` | RBI / SEBI / IRDAI / TRAI / PFRDA applicability |
+| `india_cross_border_status` | DPDP §16 status for a destination country |
+| `japan_cross_border_status` | APPI Art 28 status for a destination country |
+| `us_state_breach_deadline` | US state breach window + AG recipient |
+| `aadhaar_mask` / `pan_classify` / `gstin_validate` / `cpf_validate` / `sin_validate` / `iban_validate` | Identifier validators with masking + reference token |
+| `pii_test` | Dry-run threat detection on a sample event |
+| `privacy_notice_get` | Generate operator's jurisdiction-templated privacy notice |
+| `sub_processors_register` | Sub-processor disclosure register |
+| `global_compliance_map` | 28+ regimes VIGIL has fabric for |
+| `india_regulators_directory` | Indian regulators + sectoral filter |
+
+## Install
+
+```bash
+npm install -g @costrinity/vigil-compliance-mcp
+```
+
+Or use directly via `npx`.
+
+## Configure your MCP client
+
+### Claude Desktop / Code / Cursor (`mcp.json`)
+
+```json
+{
+  "mcpServers": {
+    "vigil-compliance": {
+      "command": "npx",
+      "args": ["@costrinity/vigil-compliance-mcp"],
+      "env": {
+        "VIGIL_OWNER_ID": "<your-owner-uuid>",
+        "VIGIL_API_KEY": "vigil_<your-key>",
+        "VIGIL_BASE_URL": "https://vigil.costrinity.xyz"
+      }
+    }
+  }
+}
+```
+
+### What the env vars do
+
+- `VIGIL_OWNER_ID` — your operator UUID. Required; every tool call carries this. Get it from your VIGIL dashboard's URL.
+- `VIGIL_API_KEY` — optional but recommended. Authenticates the tool calls.
+- `VIGIL_BASE_URL` — defaults to `https://vigil.costrinity.xyz`. Point at your own VIGIL instance if self-hosted.
+
+## Example agent interactions
+
+**Agent considering cross-border transfer:**
+
+> User: Move this Indian user's profile to our US analytics warehouse.
+
+> Agent: Let me check DPDP §16 status first.
+> *Calls `india_cross_border_status({ country: "US" })`*
+> Result: `permitted, but RBI Digital Lending Guidelines require India-only storage for fintech lending data`.
+> 
+> Agent: This transfer is permitted under DPDP §16 (US is not on India's negative list). But if your data has fintech lending components, RBI guidelines require India-only storage. Do you want me to filter those fields out first?
+
+**Agent reviewing a new AI use case:**
+
+> User: We're building an AI tool to evaluate job applicants.
+
+> Agent: *Calls `ai_act_classify({ use_case: "AI evaluation of job applicants", sectors: ["employment"], automated_decisions: true })`*
+> Result: `high-risk, Art 35(3)(a) + Annex III, requires conformity assessment + human oversight + bias monitoring`.
+>
+> Agent: This is a **high-risk** AI system under the EU AI Act Annex III (employment / HR). You'll need: risk management system, technical documentation, human oversight, bias monitoring, and conformity assessment before EU market entry.
+
+**Agent handling a breach:**
+
+> User: We just discovered 1200 user records were exposed.
+
+> Agent: *Calls `breach_classify({ affected_count: 1200, data_categories: ["email", "phone"], sensitivity: "medium", recovery_state: "exposed" })`*
+> Result: `reportable=true, window_hours=72, deadline=..., recipient="Data Protection Board of India"`.
+>
+> Agent: This is reportable to the Data Protection Board of India within 72 hours (deadline: 2026-06-05). Should I prepare the §8 notification draft?
+
+## Why this exists
+
+Compliance lives in the operator's runtime, not their planning stage. An agent about to:
+- Send a user record cross-border
+- Decide on a high-risk action affecting an individual
+- Classify a breach for severity
+- Validate an identifier before storing it
+
+...should be able to **ask** VIGIL whether that's allowed *at request time*, not in a yearly DPIA.
+
+MCP turns VIGIL from "a dashboard the operator visits" into "a synchronous decision-support layer the agent calls."
+
+## License
+
+MIT © COSTRINITY (Indigenous-owned software studio, Regina, Saskatchewan, Treaty 4 territory)

package/dist/index.d.ts

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+/**
+ * VIGIL Compliance MCP server.
+ *
+ * Exposes VIGIL's compliance fabric as MCP tools so LLM agents can:
+ *   - Check if processing is allowed under any active consent
+ *   - Classify whether an incident is reportable per jurisdiction
+ *   - Classify an AI system under the EU AI Act
+ *   - Validate identifiers (Aadhaar / CPF / SIN / etc.) with masking
+ *   - Generate cross-border transfer notices
+ *   - Look up sub-processor disclosures, US state laws, breach deadlines
+ *   - Run DPIA + ROPA + SCC Annex II + privacy notice generators
+ *
+ * Why this exists
+ *   Compliance lives in the operator's runtime, not their planning stage.
+ *   An agent that's about to send a user record cross-border should be
+ *   able to ASK whether that's allowed — at request time, not in a
+ *   yearly DPIA. MCP turns VIGIL from a dashboard the operator visits
+ *   into a synchronous decision-support layer the agent calls.
+ *
+ *   Pair with `@costrinity/vigil-mcp` (the proxy/observer) for full
+ *   coverage: the observer captures what the agent does, this server
+ *   gives the agent compliance superpowers before it acts.
+ *
+ * Transport
+ *   stdio JSON-RPC 2.0 — same as every other MCP server. Add to your
+ *   client config:
+ *
+ *     {
+ *       "mcpServers": {
+ *         "vigil-compliance": {
+ *           "command": "npx",
+ *           "args": ["@costrinity/vigil-compliance-mcp"],
+ *           "env": {
+ *             "VIGIL_OWNER_ID": "<your-owner-uuid>",
+ *             "VIGIL_API_KEY": "vigil_<your-key>",
+ *             "VIGIL_BASE_URL": "https://vigil.costrinity.xyz"
+ *           }
+ *         }
+ *       }
+ *     }
+ *
+ * Tool catalogue
+ *   The MCP `tools/list` response enumerates each tool with its input
+ *   schema. Keep the catalogue stable across versions; add new tools
+ *   rather than mutating signatures.
+ */
+export {};

package/dist/index.js

@@ -0,0 +1,400 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * VIGIL Compliance MCP server.
+ *
+ * Exposes VIGIL's compliance fabric as MCP tools so LLM agents can:
+ *   - Check if processing is allowed under any active consent
+ *   - Classify whether an incident is reportable per jurisdiction
+ *   - Classify an AI system under the EU AI Act
+ *   - Validate identifiers (Aadhaar / CPF / SIN / etc.) with masking
+ *   - Generate cross-border transfer notices
+ *   - Look up sub-processor disclosures, US state laws, breach deadlines
+ *   - Run DPIA + ROPA + SCC Annex II + privacy notice generators
+ *
+ * Why this exists
+ *   Compliance lives in the operator's runtime, not their planning stage.
+ *   An agent that's about to send a user record cross-border should be
+ *   able to ASK whether that's allowed — at request time, not in a
+ *   yearly DPIA. MCP turns VIGIL from a dashboard the operator visits
+ *   into a synchronous decision-support layer the agent calls.
+ *
+ *   Pair with `@costrinity/vigil-mcp` (the proxy/observer) for full
+ *   coverage: the observer captures what the agent does, this server
+ *   gives the agent compliance superpowers before it acts.
+ *
+ * Transport
+ *   stdio JSON-RPC 2.0 — same as every other MCP server. Add to your
+ *   client config:
+ *
+ *     {
+ *       "mcpServers": {
+ *         "vigil-compliance": {
+ *           "command": "npx",
+ *           "args": ["@costrinity/vigil-compliance-mcp"],
+ *           "env": {
+ *             "VIGIL_OWNER_ID": "<your-owner-uuid>",
+ *             "VIGIL_API_KEY": "vigil_<your-key>",
+ *             "VIGIL_BASE_URL": "https://vigil.costrinity.xyz"
+ *           }
+ *         }
+ *       }
+ *     }
+ *
+ * Tool catalogue
+ *   The MCP `tools/list` response enumerates each tool with its input
+ *   schema. Keep the catalogue stable across versions; add new tools
+ *   rather than mutating signatures.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_readline_1 = require("node:readline");
+const VIGIL_BASE_URL = process.env.VIGIL_BASE_URL ?? 'https://vigil.costrinity.xyz';
+const VIGIL_OWNER_ID = process.env.VIGIL_OWNER_ID ?? '';
+const VIGIL_API_KEY = process.env.VIGIL_API_KEY ?? '';
+const SERVER_NAME = 'vigil-compliance';
+const SERVER_VERSION = '0.1.0';
+const TOOLS = [
+    // ─── Consent + processing gate ───────────────────────────────────
+    {
+        name: 'consent_check',
+        description: "Pre-flight check: is processing allowed for this data principal + purpose? Returns { allowed, reason, matching_consent_id, principal_id }. Call this BEFORE processing data on behalf of a principal.",
+        inputSchema: {
+            type: 'object',
+            required: ['purpose'],
+            properties: {
+                principal_id: { type: 'string', description: 'UUID of the data principal (if known).' },
+                principal_ref: { type: 'string', description: 'Operator-side identifier; will be SHA-256-hashed.' },
+                purpose: { type: 'string', description: "Purpose code (e.g. 'operational_observability')." },
+                category: { type: 'string', description: 'Optional permitted-category check.' },
+            },
+        },
+        call: (input) => ({
+            method: 'POST',
+            path: '/api/consent/check',
+            body: input,
+        }),
+    },
+    // ─── Breach + incident classification ────────────────────────────
+    {
+        name: 'breach_classify',
+        description: 'Decide whether an incident is reportable per the operator\'s jurisdiction (DPDP §8, GDPR Art 33, CPRA §1798.82, LGPD Art 48, PDPA §26B, US-FED sectoral). Returns reportability + reasoning + deadline + recipient.',
+        inputSchema: {
+            type: 'object',
+            required: ['affected_count', 'data_categories', 'sensitivity', 'recovery_state'],
+            properties: {
+                affected_count: { type: 'integer' },
+                data_categories: { type: 'array', items: { type: 'string' } },
+                processing_purpose: { type: 'string' },
+                sensitivity: { type: 'string', enum: ['low', 'medium', 'high', 'special'] },
+                recovery_state: { type: 'string', enum: ['lost', 'exposed', 'altered', 'destroyed', 'contained'] },
+                jurisdiction: { type: 'string' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/breach-classify', body: input }),
+    },
+    // ─── EU AI Act risk classifier ────────────────────────────────────
+    {
+        name: 'ai_act_classify',
+        description: "Classify an AI use case under the EU AI Act (Regulation 2024/1689). Returns risk tier (prohibited / high-risk / limited-risk / minimal-risk) + GPAI obligations + per-tier remediation obligations.",
+        inputSchema: {
+            type: 'object',
+            required: ['use_case'],
+            properties: {
+                use_case: { type: 'string' },
+                data_categories: { type: 'array', items: { type: 'string' } },
+                sectors: { type: 'array', items: { type: 'string' } },
+                automated_decisions: { type: 'boolean' },
+                biometric: { type: 'boolean' },
+                remote_identification: { type: 'boolean' },
+                social_scoring: { type: 'boolean' },
+                general_purpose_ai: { type: 'boolean' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/ai-act-classify', body: input }),
+    },
+    // ─── DPIA threshold check ─────────────────────────────────────────
+    {
+        name: 'dpia_threshold_check',
+        description: 'Decide if a DPIA is mandatory before processing under GDPR Art 35 / DPDP §10 / LGPD Art 38. Returns dpia_required + 9-criterion WP29 analysis + jurisdiction-specific guidance.',
+        inputSchema: {
+            type: 'object',
+            required: ['processing_purpose', 'data_categories'],
+            properties: {
+                processing_purpose: { type: 'string' },
+                data_categories: { type: 'array', items: { type: 'string' } },
+                scale: { type: 'string', enum: ['small', 'medium', 'large', 'mass'] },
+                automated_decision: { type: 'boolean' },
+                systematic_monitoring: { type: 'boolean' },
+                cross_border: { type: 'boolean' },
+                vulnerable_subjects: { type: 'boolean' },
+                jurisdiction: { type: 'string' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/dpia-threshold-check', body: input }),
+    },
+    // ─── US sectoral analysis ─────────────────────────────────────────
+    {
+        name: 'us_sectoral_check',
+        description: 'Determine which US sectoral laws apply (HIPAA, GLBA, COPPA, FERPA, FCRA, SOX) given a processing profile.',
+        inputSchema: {
+            type: 'object',
+            required: ['processing_purpose', 'data_categories'],
+            properties: {
+                processing_purpose: { type: 'string' },
+                data_categories: { type: 'array', items: { type: 'string' } },
+                counterparty_types: { type: 'array', items: { type: 'string' } },
+                ai_decisions: { type: 'boolean' },
+                has_revenue_threshold: { type: 'boolean' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/sectoral-check', body: input }),
+    },
+    // ─── Indian sectoral analysis ─────────────────────────────────────
+    {
+        name: 'india_sectoral_check',
+        description: 'Determine which Indian sectoral regulators apply (RBI / SEBI / IRDAI / TRAI / DoT / PFRDA) given a processing profile.',
+        inputSchema: {
+            type: 'object',
+            required: ['processing_purpose', 'data_categories'],
+            properties: {
+                processing_purpose: { type: 'string' },
+                data_categories: { type: 'array', items: { type: 'string' } },
+                counterparty_types: { type: 'array', items: { type: 'string' } },
+                sector_hint: { type: 'string' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/india-sectoral-check', body: input }),
+    },
+    // ─── Cross-border lookups ─────────────────────────────────────────
+    {
+        name: 'india_cross_border_status',
+        description: 'Look up DPDP §16 cross-border transfer status for a destination country. Returns permitted / restricted / sectoral_restricted + RBI/SEBI/IRDAI caveats.',
+        inputSchema: {
+            type: 'object',
+            required: ['country'],
+            properties: { country: { type: 'string', description: 'ISO-3166 alpha-2 (e.g. US).' } },
+        },
+        call: (input) => ({
+            method: 'GET',
+            path: `/api/compliance/india-cross-border-countries?country=${encodeURIComponent(String(input.country ?? ''))}`,
+        }),
+    },
+    {
+        name: 'japan_cross_border_status',
+        description: 'Look up Japan APPI Art 28 cross-border status for a destination country (adequacy / standard basis / high scrutiny).',
+        inputSchema: {
+            type: 'object',
+            required: ['country'],
+            properties: { country: { type: 'string', description: 'ISO-3166 alpha-2.' } },
+        },
+        call: (input) => ({
+            method: 'GET',
+            path: `/api/compliance/japan-cross-border?country=${encodeURIComponent(String(input.country ?? ''))}`,
+        }),
+    },
+    // ─── US state breach deadlines ────────────────────────────────────
+    {
+        name: 'us_state_breach_deadline',
+        description: "Look up a US state's breach-notification window + AG recipient + threshold (e.g. 'CA' → 500 residents → CA AG → expedient).",
+        inputSchema: {
+            type: 'object',
+            required: ['state'],
+            properties: { state: { type: 'string', description: 'US 2-letter state code (CA, NY, TX, ...).' } },
+        },
+        call: (input) => ({
+            method: 'GET',
+            path: `/api/compliance/state-breach-deadlines?state=${encodeURIComponent(String(input.state ?? ''))}`,
+        }),
+    },
+    // ─── Identifier validators (all auth-gated; pass owner_id) ───────
+    {
+        name: 'aadhaar_mask',
+        description: "Mask + Verhoeff-validate an Aadhaar number. Returns masked form, validity, and an owner-scoped reference token. No persistence of the raw value.",
+        inputSchema: {
+            type: 'object',
+            required: ['aadhaar'],
+            properties: { aadhaar: { type: 'string' } },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/india/aadhaar-mask', body: input }),
+    },
+    {
+        name: 'pan_classify',
+        description: 'Classify a PAN entity type from the 4th character (P=Person, C=Company, H=HUF, F=Firm, ...).',
+        inputSchema: { type: 'object', required: ['pan'], properties: { pan: { type: 'string' } } },
+        call: (input) => ({ method: 'POST', path: '/api/india/pan-classify', body: input }),
+    },
+    {
+        name: 'gstin_validate',
+        description: 'Validate a GSTIN format + mod-36 check digit; returns state code lookup.',
+        inputSchema: { type: 'object', required: ['gstin'], properties: { gstin: { type: 'string' } } },
+        call: (input) => ({ method: 'POST', path: '/api/india/gstn-validate', body: input }),
+    },
+    {
+        name: 'cpf_validate',
+        description: 'Validate a Brazilian CPF (mod-11 check digits, rejects all-same).',
+        inputSchema: { type: 'object', required: ['cpf'], properties: { cpf: { type: 'string' } } },
+        call: (input) => ({ method: 'POST', path: '/api/brazil/cpf-validate', body: input }),
+    },
+    {
+        name: 'sin_validate',
+        description: 'Validate a Canadian SIN (Luhn checksum); returns series region + masked form.',
+        inputSchema: { type: 'object', required: ['sin'], properties: { sin: { type: 'string' } } },
+        call: (input) => ({ method: 'POST', path: '/api/canada/sin-validate', body: input }),
+    },
+    {
+        name: 'iban_validate',
+        description: 'Validate an IBAN format + ISO 7064 mod-97 check digit; supports 66 countries.',
+        inputSchema: { type: 'object', required: ['iban'], properties: { iban: { type: 'string' } } },
+        call: (input) => ({ method: 'POST', path: '/api/eu/iban-validate', body: input }),
+    },
+    {
+        name: 'pii_test',
+        description: "Dry-run PII / threat detection against a sample event. Returns what would be tagged, redacted preview, and whether severity would be escalated. No persistence.",
+        inputSchema: {
+            type: 'object',
+            required: ['sample_event'],
+            properties: {
+                sample_event: { type: 'object', description: 'event_type / message / payload fields.' },
+                jurisdiction: { type: 'string' },
+            },
+        },
+        call: (input) => ({ method: 'POST', path: '/api/compliance/pii-test', body: input }),
+    },
+    // ─── Read-only generators ─────────────────────────────────────────
+    {
+        name: 'privacy_notice_get',
+        description: "Generate the operator's jurisdiction-templated privacy notice. Returns markdown or JSON.",
+        inputSchema: {
+            type: 'object',
+            properties: { format: { type: 'string', enum: ['md', 'json'] } },
+        },
+        call: (input) => ({
+            method: 'GET',
+            path: `/api/compliance/privacy-notice?format=${input.format ?? 'md'}`,
+        }),
+    },
+    {
+        name: 'sub_processors_register',
+        description: "Return the public sub-processor register (Supabase, Vercel, Resend, etc.).",
+        inputSchema: { type: 'object', properties: {} },
+        call: () => ({ method: 'GET', path: '/api/compliance/sub-processors?format=json' }),
+    },
+    {
+        name: 'global_compliance_map',
+        description: "Master catalogue of every privacy/security/sectoral regime VIGIL has fabric for (28+ regimes).",
+        inputSchema: { type: 'object', properties: {} },
+        call: () => ({ method: 'GET', path: '/api/compliance/global-status' }),
+    },
+    {
+        name: 'india_regulators_directory',
+        description: "Directory of Indian regulators (DPB, RBI, SEBI, IRDAI, TRAI, DoT, PFRDA, MeitY, MCA) with sectoral filter.",
+        inputSchema: {
+            type: 'object',
+            properties: { sector: { type: 'string' } },
+        },
+        call: (input) => ({
+            method: 'GET',
+            path: input.sector
+                ? `/api/india/regulators?sector=${encodeURIComponent(String(input.sector))}`
+                : '/api/india/regulators',
+        }),
+    },
+];
+// ─── HTTP transport ────────────────────────────────────────────────
+async function callVigil(method, path, body) {
+    const url = `${VIGIL_BASE_URL}${path}${path.includes('?') ? '&' : '?'}owner_id=${encodeURIComponent(VIGIL_OWNER_ID)}`;
+    const headers = {
+        'Content-Type': 'application/json',
+        'User-Agent': `vigil-compliance-mcp/${SERVER_VERSION}`,
+    };
+    if (VIGIL_API_KEY) {
+        headers['Authorization'] = `Bearer ${VIGIL_API_KEY}`;
+        headers['x-vigil-key'] = VIGIL_API_KEY;
+    }
+    const res = await fetch(url, {
+        method,
+        headers,
+        body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { _raw: text, _status: res.status };
+    }
+}
+function send(resp) {
+    process.stdout.write(JSON.stringify(resp) + '\n');
+}
+function ok(id, result) {
+    send({ jsonrpc: '2.0', id, result });
+}
+function err(id, code, message, data) {
+    send({ jsonrpc: '2.0', id, error: { code, message, data } });
+}
+async function handle(req) {
+    const id = req.id ?? null;
+    try {
+        switch (req.method) {
+            case 'initialize':
+                ok(id, {
+                    protocolVersion: '2024-11-05',
+                    capabilities: { tools: {} },
+                    serverInfo: { name: SERVER_NAME, version: SERVER_VERSION },
+                });
+                return;
+            case 'tools/list':
+                ok(id, {
+                    tools: TOOLS.map((t) => ({
+                        name: t.name,
+                        description: t.description,
+                        inputSchema: t.inputSchema,
+                    })),
+                });
+                return;
+            case 'tools/call': {
+                const params = (req.params ?? {});
+                const tool = TOOLS.find((t) => t.name === params.name);
+                if (!tool) {
+                    err(id, -32602, `unknown tool: ${params.name}`);
+                    return;
+                }
+                const { method, path, body } = tool.call(params.arguments ?? {});
+                const result = await callVigil(method, path, body);
+                ok(id, {
+                    content: [
+                        { type: 'text', text: JSON.stringify(result, null, 2) },
+                    ],
+                });
+                return;
+            }
+            case 'notifications/initialized':
+                // Spec-required notification; no response.
+                return;
+            default:
+                err(id, -32601, `method not found: ${req.method}`);
+                return;
+        }
+    }
+    catch (e) {
+        err(id, -32603, e instanceof Error ? e.message : 'internal error');
+    }
+}
+// ─── Main loop ─────────────────────────────────────────────────────
+if (!VIGIL_OWNER_ID) {
+    console.error('[vigil-compliance-mcp] VIGIL_OWNER_ID not set — every tool call will 401. ' +
+        'Set this to your operator UUID before adding the server to your MCP client.');
+}
+const rl = (0, node_readline_1.createInterface)({ input: process.stdin });
+rl.on('line', (line) => {
+    if (!line.trim())
+        return;
+    try {
+        const req = JSON.parse(line);
+        void handle(req);
+    }
+    catch {
+        // Malformed — ignore. MCP protocol assumes line-delimited valid JSON.
+    }
+});

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@costrinity/vigil-compliance-mcp",
+  "version": "0.1.0",
+  "description": "MCP server exposing VIGIL's compliance fabric — consent / breach / DPIA / AI Act / identifier validators / cross-border — as tools LLM agents can call mid-task. 13 jurisdictions, 28+ regulatory regimes.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "vigil-compliance-mcp": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "prepublishOnly": "tsc"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "compliance",
+    "dpdp",
+    "gdpr",
+    "ai-act",
+    "privacy",
+    "ai-agents",
+    "vigil",
+    "costrinity",
+    "indigenous-owned"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "author": "COSTRINITY (Indigenous-owned software studio, Regina, Saskatchewan, Treaty 4 territory)",
+  "license": "MIT",
+  "homepage": "https://vigil.costrinity.xyz/why-vigil",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/COSTRINITY/costrinity-api.git",
+    "directory": "vigil/packages/vigil-compliance-mcp"
+  },
+  "bugs": {
+    "url": "https://github.com/COSTRINITY/costrinity-api/issues"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}