@tenova/swt3-mcp 0.1.0

package/README.md

@@ -0,0 +1,146 @@
+# @tenova/swt3-mcp
+
+MCP server for the SWT3 AI Witness protocol. Adds cryptographic compliance attestation to any MCP-compatible AI agent.
+
+## Zero-config start
+
+```bash
+npx @tenova/swt3-mcp
+```
+
+That's it. No account, no API key, no configuration. The server starts in demo mode and mints local witness anchors immediately.
+
+When you're ready to persist anchors to the SWT3 ledger, use the `signup` tool from within your agent conversation -- no need to leave your editor.
+
+## Setup
+
+### Claude Desktop
+
+Add to `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "swt3": {
+      "command": "npx",
+      "args": ["@tenova/swt3-mcp"]
+    }
+  }
+}
+```
+
+### Cursor
+
+Add to `.cursor/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "swt3": {
+      "command": "npx",
+      "args": ["@tenova/swt3-mcp"]
+    }
+  }
+}
+```
+
+### Claude Code
+
+```bash
+claude mcp add swt3 -- npx @tenova/swt3-mcp
+```
+
+## How it works
+
+```
+1. Add server to your MCP config         (one line)
+2. Start using AI tools as normal         (zero code changes)
+3. Ask your agent to witness inferences   (anchors minted locally)
+4. Use the signup tool when ready          (free account, never leave your editor)
+5. Anchors persist to the SWT3 ledger     (cryptographic compliance trail)
+```
+
+## Three modes
+
+| Mode | Config needed | What happens |
+|------|--------------|--------------|
+| **Demo** | Nothing | Local-only anchors, instant start |
+| **API key only** | `SWT3_API_KEY` | Tenant auto-resolved, anchors persisted |
+| **Full config** | `SWT3_API_KEY` + `SWT3_TENANT_ID` | Explicit tenant, anchors persisted |
+
+## Tools
+
+### witness_inference
+
+Mint a cryptographic witness anchor for an AI inference.
+
+```
+model_id: "gpt-4o"            # required -- everything else is optional
+prompt: "What is 2+2?"        # hashed locally, never sent to server
+response: "4"                 # hashed locally, never sent to server
+```
+
+Returns verdict (PASS/FAIL), anchor token, and verification URL.
+
+### verify_anchor
+
+Verify the cryptographic integrity of an existing anchor.
+
+```
+token: "SWT3-E-VULTR-AI-AIINF1-PASS-1700000000-96b7d56c0245"
+```
+
+### list_procedures
+
+Browse the UCT procedure registry. 151+ compliance controls.
+
+```
+namespace: "AI"               # optional filter
+```
+
+### check_posture
+
+Check current tenant compliance posture. No arguments.
+
+### signup
+
+Get a signup link to create a free account. No credentials pass through the AI.
+
+```
+framework: "EU-AI-ACT"        # optional (default: NIST-800-53)
+```
+
+Returns a browser URL. Complete signup there, copy your API key, add it to your MCP config.
+
+## Environment variables (optional)
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SWT3_API_KEY` | demo mode | API key (starts with `axm_`) |
+| `SWT3_TENANT_ID` | auto-resolved | Tenant ID (resolved from API key if omitted) |
+| `SWT3_ENDPOINT` | `https://sovereign.tenova.io` | Witness endpoint |
+| `SWT3_CLEARING_LEVEL` | `1` | Data clearing (0=analytics, 1=standard, 2=sensitive, 3=classified) |
+| `SWT3_AGENT_ID` | | Agent identity for AI-ID.1 |
+| `SWT3_SIGNING_KEY` | | HMAC-SHA256 signing key |
+
+## Clearing levels
+
+| Level | What leaves the wire |
+|-------|---------------------|
+| 0 | All metadata |
+| 1 | Hashes + model ID + context |
+| 2 | Hashes + model ID only |
+| 3 | Factors only, model ID hashed |
+
+Raw prompt and response text never leaves your machine at any clearing level.
+
+## Resources
+
+- `swt3://registry/procedures` -- Full UCT procedure catalog
+- `swt3://health` -- Service health status
+
+## License
+
+Apache 2.0. Patent pending.
+
+Built by [TeNova](https://tenova.io).

package/dist/bin/swt3-mcp.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * SWT3 MCP Server — CLI entry point.
+ *
+ * Zero-config start:
+ *   npx @tenova/swt3-mcp
+ *
+ * With API key (tenant auto-resolved):
+ *   SWT3_API_KEY=axm_live_... npx @tenova/swt3-mcp
+ *
+ * Full config:
+ *   SWT3_API_KEY=axm_live_... SWT3_TENANT_ID=MY_ENCLAVE npx @tenova/swt3-mcp
+ */
+export {};
+//# sourceMappingURL=swt3-mcp.d.ts.map

package/dist/bin/swt3-mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"swt3-mcp.d.ts","sourceRoot":"","sources":["../../src/bin/swt3-mcp.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG"}

package/dist/bin/swt3-mcp.js

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+/**
+ * SWT3 MCP Server — CLI entry point.
+ *
+ * Zero-config start:
+ *   npx @tenova/swt3-mcp
+ *
+ * With API key (tenant auto-resolved):
+ *   SWT3_API_KEY=axm_live_... npx @tenova/swt3-mcp
+ *
+ * Full config:
+ *   SWT3_API_KEY=axm_live_... SWT3_TENANT_ID=MY_ENCLAVE npx @tenova/swt3-mcp
+ */
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { loadConfig } from "../config.js";
+import { createServer } from "../server.js";
+try {
+    const config = loadConfig();
+    const server = createServer(config);
+    const transport = new StdioServerTransport();
+    if (config.demo) {
+        process.stderr.write("swt3-mcp: running in demo mode (local-only anchors)\n" +
+            "swt3-mcp: use the signup tool to create a free account\n");
+    }
+    await server.connect(transport);
+}
+catch (err) {
+    process.stderr.write(`swt3-mcp: ${err.message}\n`);
+    process.exit(1);
+}
+//# sourceMappingURL=swt3-mcp.js.map

package/dist/bin/swt3-mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"swt3-mcp.js","sourceRoot":"","sources":["../../src/bin/swt3-mcp.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,IAAI,CAAC;IACH,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAE7C,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,uDAAuD;YACvD,0DAA0D,CAC3D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAAC,OAAO,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAc,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;IAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,70 @@
+/**
+ * SWT3 MCP Server — HTTP client for Axiom APIs.
+ *
+ * Uses native fetch (Node 18+). Zero dependencies.
+ */
+import type { McpConfig } from "./config.js";
+export interface WitnessPayload {
+    procedure_id: string;
+    factor_a: number;
+    factor_b: number;
+    factor_c: number;
+    clearing_level: number;
+    anchor_fingerprint: string;
+    anchor_epoch: number;
+    fingerprint_timestamp_ms: number;
+    ai_model_id?: string;
+    ai_prompt_hash?: string;
+    ai_response_hash?: string;
+    ai_system_prompt_hash?: string;
+    ai_latency_ms?: number;
+    ai_input_tokens?: number;
+    ai_output_tokens?: number;
+    ai_context?: Record<string, unknown>;
+    agent_id?: string;
+    cycle_id?: string;
+    payload_signature?: string;
+    policy_version_hash?: string;
+}
+export interface WitnessReceipt {
+    ok: boolean;
+    tenant_id: string;
+    procedure_id: string;
+    verdict: string;
+    swt3_anchor: string;
+    clearing_level: number;
+    witnessed_at: string;
+    verification_url: string;
+    error?: string;
+}
+export interface VerifyResponse {
+    verified: boolean;
+    status: string;
+    claimed_fingerprint?: string;
+    recomputed_fingerprint?: string;
+    inputs?: Record<string, unknown>;
+}
+export interface HealthResponse {
+    status: string;
+    version: string;
+    uptime: number;
+    checks: Record<string, string>;
+}
+export declare class AxiomClient {
+    private baseUrl;
+    private apiKey;
+    private timeout;
+    private resolvedTenantId;
+    constructor(config: McpConfig, timeout?: number);
+    /**
+     * Returns the tenant ID resolved from a prior API call, if available.
+     */
+    getResolvedTenantId(): string | null;
+    private request;
+    postWitness(payload: WitnessPayload): Promise<WitnessReceipt>;
+    verifyAnchor(token: string): Promise<VerifyResponse>;
+    getHealth(): Promise<HealthResponse>;
+    getPosture(): Promise<Record<string, unknown>>;
+    fetchRegistry(): Promise<Record<string, unknown>>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,wBAAwB,EAAE,MAAM,CAAC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,gBAAgB,CAAuB;gBAEnC,MAAM,EAAE,SAAS,EAAE,OAAO,GAAE,MAAc;IAMtD;;OAEG;IACH,mBAAmB,IAAI,MAAM,GAAG,IAAI;YAItB,OAAO;IAqCf,WAAW,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAO7D,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAOpD,SAAS,IAAI,OAAO,CAAC,cAAc,CAAC;IAapC,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAI9C,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAaxD"}

package/dist/client.js

@@ -0,0 +1,89 @@
+/**
+ * SWT3 MCP Server — HTTP client for Axiom APIs.
+ *
+ * Uses native fetch (Node 18+). Zero dependencies.
+ */
+export class AxiomClient {
+    baseUrl;
+    apiKey;
+    timeout;
+    resolvedTenantId = null;
+    constructor(config, timeout = 10000) {
+        this.baseUrl = config.endpoint;
+        this.apiKey = config.apiKey;
+        this.timeout = timeout;
+    }
+    /**
+     * Returns the tenant ID resolved from a prior API call, if available.
+     */
+    getResolvedTenantId() {
+        return this.resolvedTenantId;
+    }
+    async request(path, options = {}) {
+        const url = `${this.baseUrl}${path}`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, {
+                ...options,
+                signal: controller.signal,
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.apiKey}`,
+                    ...options.headers,
+                },
+            });
+            const body = await response.json();
+            if (!response.ok) {
+                const msg = body?.error || response.statusText;
+                throw new Error(`${response.status}: ${msg}`);
+            }
+            // Auto-resolve tenant ID from any response that includes it
+            if (body?.tenant_id && typeof body.tenant_id === "string") {
+                this.resolvedTenantId = body.tenant_id;
+            }
+            return body;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async postWitness(payload) {
+        return this.request("/api/v1/witness", {
+            method: "POST",
+            body: JSON.stringify(payload),
+        });
+    }
+    async verifyAnchor(token) {
+        const encoded = encodeURIComponent(token);
+        return this.request(`/api/v1/attest/verify?token=${encoded}`);
+    }
+    async getHealth() {
+        const url = `${this.baseUrl}/api/v1/health`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, { signal: controller.signal });
+            return (await response.json());
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    async getPosture() {
+        return this.request("/api/v1/ai-witness");
+    }
+    async fetchRegistry() {
+        const url = `${this.baseUrl}/registry/uct-registry.json`;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            const response = await fetch(url, { signal: controller.signal });
+            return (await response.json());
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAsDH,MAAM,OAAO,WAAW;IACd,OAAO,CAAS;IAChB,MAAM,CAAS;IACf,OAAO,CAAS;IAChB,gBAAgB,GAAkB,IAAI,CAAC;IAE/C,YAAY,MAAiB,EAAE,UAAkB,KAAK;QACpD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,IAAY,EACZ,UAAuB,EAAE;QAEzB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,GAAG,OAAO;gBACV,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;oBACtC,GAAG,OAAO,CAAC,OAAO;iBACnB;aACF,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAgD,CAAC;YAEjF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,GAAG,GAAG,IAAI,EAAE,KAAK,IAAI,QAAQ,CAAC,UAAU,CAAC;gBAC/C,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;YAChD,CAAC;YAED,4DAA4D;YAC5D,IAAI,IAAI,EAAE,SAAS,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC1D,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;YACzC,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAuB;QACvC,OAAO,IAAI,CAAC,OAAO,CAAiB,iBAAiB,EAAE;YACrD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,OAAO,CACjB,+BAA+B,OAAO,EAAE,CACzC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,gBAAgB,CAAC;QAC5C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmB,CAAC;QACnD,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,CAA0B,oBAAoB,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,6BAA6B,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC5D,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CAEF"}

package/dist/config.d.ts

@@ -0,0 +1,19 @@
+/**
+ * SWT3 MCP Server — Configuration from environment variables.
+ *
+ * Three modes:
+ *   1. Demo mode (no env vars) — local-only anchors, no account needed
+ *   2. API key only — tenant auto-resolved from first API call
+ *   3. Full config — API key + explicit tenant ID
+ */
+export interface McpConfig {
+    endpoint: string;
+    apiKey: string;
+    tenantId: string;
+    clearingLevel: 0 | 1 | 2 | 3;
+    agentId?: string;
+    signingKey?: string;
+    demo: boolean;
+}
+export declare function loadConfig(): McpConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,wBAAgB,UAAU,IAAI,SAAS,CAkCtC"}

package/dist/config.js

@@ -0,0 +1,40 @@
+/**
+ * SWT3 MCP Server — Configuration from environment variables.
+ *
+ * Three modes:
+ *   1. Demo mode (no env vars) — local-only anchors, no account needed
+ *   2. API key only — tenant auto-resolved from first API call
+ *   3. Full config — API key + explicit tenant ID
+ */
+export function loadConfig() {
+    const endpoint = process.env.SWT3_ENDPOINT || "https://sovereign.tenova.io";
+    const apiKey = process.env.SWT3_API_KEY || "";
+    const tenantId = process.env.SWT3_TENANT_ID || "";
+    const rawLevel = process.env.SWT3_CLEARING_LEVEL;
+    const agentId = process.env.SWT3_AGENT_ID || undefined;
+    const signingKey = process.env.SWT3_SIGNING_KEY || undefined;
+    // Demo mode: no API key set
+    const demo = !apiKey;
+    // Validate API key format if provided
+    if (apiKey && !apiKey.startsWith("axm_")) {
+        throw new Error("SWT3_API_KEY must start with 'axm_'");
+    }
+    let clearingLevel = 1;
+    if (rawLevel !== undefined) {
+        const parsed = parseInt(rawLevel, 10);
+        if (![0, 1, 2, 3].includes(parsed)) {
+            throw new Error("SWT3_CLEARING_LEVEL must be 0, 1, 2, or 3");
+        }
+        clearingLevel = parsed;
+    }
+    return {
+        endpoint: endpoint.replace(/\/+$/, ""),
+        apiKey: demo ? "axm_demo_local" : apiKey,
+        tenantId: demo ? "DEMO_LOCAL" : tenantId,
+        clearingLevel,
+        agentId,
+        signingKey,
+        demo,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAYH,MAAM,UAAU,UAAU;IACxB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,6BAA6B,CAAC;IAC5E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACjD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,SAAS,CAAC;IACvD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS,CAAC;IAE7D,4BAA4B;IAC5B,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC;IAErB,sCAAsC;IACtC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,aAAa,GAAkB,CAAC,CAAC;IACrC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACtC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,aAAa,GAAG,MAAuB,CAAC;IAC1C,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM;QACxC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ;QACxC,aAAa;QACb,OAAO;QACP,UAAU;QACV,IAAI;KACL,CAAC;AACJ,CAAC"}

package/dist/fingerprint.d.ts

@@ -0,0 +1,13 @@
+/**
+ * SWT3 MCP Server — Fingerprint minting and SHA-256 utilities.
+ *
+ * Inlined from @tenova/swt3-ai to keep this package self-contained.
+ * The fingerprint formula is LOCKED:
+ *   SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex().slice(0, 12)
+ */
+export declare function sha256Hex(data: string, length?: number): string;
+export declare function sha256Truncated(data: string, length?: number): string;
+export declare function mintFingerprint(tenantId: string, procedureId: string, factorA: number, factorB: number, factorC: number, timestampMs: number): string;
+export declare function timestampMs(): [number, number];
+export declare function signPayload(signingKey: string, anchorFingerprint: string, agentId?: string): string;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../src/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,GAAE,MAAW,GAAG,MAAM,CAEnE;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,GAAE,MAAW,GAAG,MAAM,CAEzE;AAMD,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,MAAM,CAMR;AAED,wBAAgB,WAAW,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAI9C;AAED,wBAAgB,WAAW,CACzB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EACzB,OAAO,CAAC,EAAE,MAAM,GACf,MAAM,CAOR"}

package/dist/fingerprint.js

@@ -0,0 +1,37 @@
+/**
+ * SWT3 MCP Server — Fingerprint minting and SHA-256 utilities.
+ *
+ * Inlined from @tenova/swt3-ai to keep this package self-contained.
+ * The fingerprint formula is LOCKED:
+ *   SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex().slice(0, 12)
+ */
+import { createHash, createHmac } from "crypto";
+export function sha256Hex(data, length = 64) {
+    return createHash("sha256").update(data, "utf-8").digest("hex").slice(0, length);
+}
+export function sha256Truncated(data, length = 16) {
+    return sha256Hex(data, length);
+}
+function numStr(v) {
+    return String(v);
+}
+export function mintFingerprint(tenantId, procedureId, factorA, factorB, factorC, timestampMs) {
+    const fpInput = `WITNESS:${tenantId}:${procedureId}` +
+        `:${numStr(factorA)}:${numStr(factorB)}:${numStr(factorC)}` +
+        `:${timestampMs}`;
+    return createHash("sha256").update(fpInput, "utf-8").digest("hex").slice(0, 12);
+}
+export function timestampMs() {
+    const ts = Date.now();
+    const epoch = Math.floor(ts / 1000);
+    return [ts, epoch];
+}
+export function signPayload(signingKey, anchorFingerprint, agentId) {
+    const message = agentId
+        ? `${anchorFingerprint}:${agentId}`
+        : anchorFingerprint;
+    return createHmac("sha256", signingKey)
+        .update(message, "utf-8")
+        .digest("hex");
+}
+//# sourceMappingURL=fingerprint.js.map

package/dist/fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../src/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEhD,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,SAAiB,EAAE;IACzD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,SAAiB,EAAE;IAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,MAAM,CAAC,CAAS;IACvB,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,WAAmB,EACnB,OAAe,EACf,OAAe,EACf,OAAe,EACf,WAAmB;IAEnB,MAAM,OAAO,GACX,WAAW,QAAQ,IAAI,WAAW,EAAE;QACpC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE;QAC3D,IAAI,WAAW,EAAE,CAAC;IACpB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,UAAkB,EAClB,iBAAyB,EACzB,OAAgB;IAEhB,MAAM,OAAO,GAAG,OAAO;QACrB,CAAC,CAAC,GAAG,iBAAiB,IAAI,OAAO,EAAE;QACnC,CAAC,CAAC,iBAAiB,CAAC;IACtB,OAAO,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SACpC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC;SACxB,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @tenova/swt3-mcp — MCP Server for SWT3 AI Witness Protocol
+ *
+ * Provides tools for witnessing AI inferences, verifying anchors,
+ * and browsing the UCT procedure registry via the Model Context Protocol.
+ *
+ * Usage (programmatic):
+ *   import { createServer, loadConfig } from "@tenova/swt3-mcp";
+ *   const server = createServer(loadConfig());
+ *
+ * Usage (CLI):
+ *   SWT3_API_KEY=axm_live_... SWT3_TENANT_ID=MY_ENCLAVE npx @tenova/swt3-mcp
+ *
+ * Copyright (c) 2026 Tenable Nova LLC. Apache 2.0. Patent pending.
+ */
+export { createServer } from "./server.js";
+export { loadConfig } from "./config.js";
+export type { McpConfig } from "./config.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+/**
+ * @tenova/swt3-mcp — MCP Server for SWT3 AI Witness Protocol
+ *
+ * Provides tools for witnessing AI inferences, verifying anchors,
+ * and browsing the UCT procedure registry via the Model Context Protocol.
+ *
+ * Usage (programmatic):
+ *   import { createServer, loadConfig } from "@tenova/swt3-mcp";
+ *   const server = createServer(loadConfig());
+ *
+ * Usage (CLI):
+ *   SWT3_API_KEY=axm_live_... SWT3_TENANT_ID=MY_ENCLAVE npx @tenova/swt3-mcp
+ *
+ * Copyright (c) 2026 Tenable Nova LLC. Apache 2.0. Patent pending.
+ */
+export { createServer } from "./server.js";
+export { loadConfig } from "./config.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC"}

package/dist/resources/health.d.ts

@@ -0,0 +1,14 @@
+/**
+ * SWT3 MCP Server — swt3://health resource.
+ *
+ * Read-only resource providing service health status.
+ */
+import type { AxiomClient } from "../client.js";
+export declare const HEALTH_RESOURCE: {
+    uri: string;
+    name: string;
+    description: string;
+    mimeType: string;
+};
+export declare function readHealth(client: AxiomClient): Promise<string>;
+//# sourceMappingURL=health.d.ts.map

package/dist/resources/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../src/resources/health.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,eAAO,MAAM,eAAe;;;;;CAO3B,CAAC;AAEF,wBAAsB,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE"}

package/dist/resources/health.js

@@ -0,0 +1,17 @@
+/**
+ * SWT3 MCP Server — swt3://health resource.
+ *
+ * Read-only resource providing service health status.
+ */
+export const HEALTH_RESOURCE = {
+    uri: "swt3://health",
+    name: "Service Health",
+    description: "Current health status of the SWT3 witness endpoint including " +
+        "uptime, database connectivity, and service version.",
+    mimeType: "application/json",
+};
+export async function readHealth(client) {
+    const health = await client.getHealth();
+    return JSON.stringify(health, null, 2);
+}
+//# sourceMappingURL=health.js.map

package/dist/resources/health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.js","sourceRoot":"","sources":["../../src/resources/health.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,GAAG,EAAE,eAAe;IACpB,IAAI,EAAE,gBAAgB;IACtB,WAAW,EACT,+DAA+D;QAC/D,qDAAqD;IACvD,QAAQ,EAAE,kBAAkB;CAC7B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAmB;IAClD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;IACxC,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/resources/registry.d.ts

@@ -0,0 +1,14 @@
+/**
+ * SWT3 MCP Server — swt3://registry/procedures resource.
+ *
+ * Read-only resource providing the full UCT procedure catalog.
+ */
+import type { AxiomClient } from "../client.js";
+export declare const REGISTRY_RESOURCE: {
+    uri: string;
+    name: string;
+    description: string;
+    mimeType: string;
+};
+export declare function readRegistry(client: AxiomClient): Promise<string>;
+//# sourceMappingURL=registry.d.ts.map

package/dist/resources/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/resources/registry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAMhD,eAAO,MAAM,iBAAiB;;;;;CAQ7B,CAAC;AAEF,wBAAsB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAUvE"}

package/dist/resources/registry.js

@@ -0,0 +1,27 @@
+/**
+ * SWT3 MCP Server — swt3://registry/procedures resource.
+ *
+ * Read-only resource providing the full UCT procedure catalog.
+ */
+let registryCache = null;
+let cacheTimestamp = 0;
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+export const REGISTRY_RESOURCE = {
+    uri: "swt3://registry/procedures",
+    name: "UCT Procedure Registry",
+    description: "Full catalog of Universal Control Taxonomy (UCT) procedures. " +
+        "Each procedure defines a compliance control with factor schemas, " +
+        "evaluation logic, and framework mappings.",
+    mimeType: "application/json",
+};
+export async function readRegistry(client) {
+    const now = Date.now();
+    if (registryCache && now - cacheTimestamp < CACHE_TTL_MS) {
+        return registryCache;
+    }
+    const registry = await client.fetchRegistry();
+    registryCache = JSON.stringify(registry, null, 2);
+    cacheTimestamp = now;
+    return registryCache;
+}
+//# sourceMappingURL=registry.js.map

package/dist/resources/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/resources/registry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,IAAI,aAAa,GAAkB,IAAI,CAAC;AACxC,IAAI,cAAc,GAAG,CAAC,CAAC;AACvB,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAE9C,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,GAAG,EAAE,4BAA4B;IACjC,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EACT,+DAA+D;QAC/D,mEAAmE;QACnE,2CAA2C;IAC7C,QAAQ,EAAE,kBAAkB;CAC7B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAmB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,aAAa,IAAI,GAAG,GAAG,cAAc,GAAG,YAAY,EAAE,CAAC;QACzD,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE,CAAC;IAC9C,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAClD,cAAc,GAAG,GAAG,CAAC;IACrB,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,11 @@
+/**
+ * SWT3 MCP Server — Server assembly.
+ *
+ * Creates an MCP Server with tools and resources for the SWT3 AI Witness protocol.
+ * Supports three modes: demo (zero config), API key only (auto-resolve tenant),
+ * and full config (API key + tenant ID).
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { McpConfig } from "./config.js";
+export declare function createServer(config: McpConfig): McpServer;
+//# sourceMappingURL=server.d.ts.map