@treza/mcp 0.1.0

package/README.md

@@ -0,0 +1,148 @@
+# @treza/mcp
+
+[![npm version](https://badge.fury.io/js/%40treza%2Fmcp.svg)](https://badge.fury.io/js/%40treza%2Fmcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Model Context Protocol (MCP) server for Treza Enclaves. Lets AI agents manage hardware-isolated TEEs, verify cryptographic attestations, and interact with the Treza platform — all through natural tool calls.
+
+## Quick Start
+
+### With Claude Desktop / Cursor / Any MCP Client
+
+Add to your MCP configuration:
+
+```json
+{
+  "mcpServers": {
+    "treza": {
+      "command": "npx",
+      "args": ["@treza/mcp"],
+      "env": {
+        "TREZA_BASE_URL": "https://app.trezalabs.com"
+      }
+    }
+  }
+}
+```
+
+### As a Standalone Server
+
+```bash
+npm install -g @treza/mcp
+treza-mcp
+```
+
+## Environment Variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `TREZA_BASE_URL` | `https://app.trezalabs.com` | Treza Platform API URL |
+| `TREZA_TIMEOUT` | `30000` | Request timeout in milliseconds |
+
+## Available Tools
+
+### Enclave Management
+
+| Tool | Description |
+|---|---|
+| `treza_list_enclaves` | List all enclaves owned by a wallet address |
+| `treza_get_enclave` | Get detailed info about a specific enclave |
+| `treza_create_enclave` | Create a new AWS Nitro Enclave with hardware-isolated TEE |
+| `treza_update_enclave` | Update enclave name, description, or config |
+| `treza_delete_enclave` | Permanently delete a terminated enclave |
+| `treza_enclave_action` | Pause, resume, or terminate an enclave |
+| `treza_get_enclave_logs` | Retrieve logs filtered by source type |
+
+### Attestation & Verification
+
+| Tool | Description |
+|---|---|
+| `treza_get_attestation` | Get attestation document with PCR measurements and certificate chain |
+| `treza_verify_attestation` | Full cryptographic verification with compliance checks (SOC2, HIPAA, FIPS) |
+| `treza_get_verification_status` | Quick trust level check |
+
+### Platform
+
+| Tool | Description |
+|---|---|
+| `treza_list_providers` | List available enclave providers and regions |
+| `treza_get_provider` | Get provider details and config schema |
+| `treza_list_tasks` | List scheduled tasks |
+| `treza_create_task` | Create a cron-scheduled task in an enclave |
+| `treza_list_api_keys` | List scoped API keys |
+| `treza_create_api_key` | Create a new API key with specific permissions |
+
+## MCP Resources
+
+The server also exposes browsable resources that give agents ambient context:
+
+| Resource URI | Description |
+|---|---|
+| `treza://enclaves/{walletAddress}` | All enclaves for a wallet |
+| `treza://enclaves/{enclaveId}/details` | Full enclave details |
+| `treza://enclaves/{enclaveId}/attestation` | Attestation document |
+| `treza://enclaves/{enclaveId}/verification` | Verification status |
+
+## Example Agent Interactions
+
+An AI agent using the Treza MCP server can:
+
+```
+"Create me a Nitro Enclave in us-west-2 for my trading bot"
+→ treza_create_enclave
+
+"Is my enclave verified? What's the trust level?"
+→ treza_verify_attestation
+
+"Show me the last 20 error logs from my enclave"
+→ treza_get_enclave_logs
+
+"Pause my enclave to save costs while I'm not using it"
+→ treza_enclave_action (pause)
+```
+
+## Architecture
+
+```
+AI Agent (Claude, Cursor, etc.)
+    │
+    ▼
+┌──────────────┐
+│  @treza/mcp  │  ← MCP Server (this package)
+│  16 tools    │
+│  4 resources │
+└──────┬───────┘
+       │ HTTP
+       ▼
+┌──────────────────┐
+│  Treza Platform  │  ← https://app.trezalabs.com
+│  REST API        │
+└──────┬───────────┘
+       │
+       ▼
+┌──────────────────┐
+│  AWS Nitro       │  ← Hardware-isolated TEEs
+│  Enclaves        │
+└──────────────────┘
+```
+
+## Development
+
+```bash
+git clone https://github.com/treza-labs/treza-sdk.git
+cd treza-sdk/packages/mcp
+npm install
+npm run build
+npm start
+```
+
+## Related
+
+- [@treza/sdk](https://www.npmjs.com/package/@treza/sdk) — Core SDK
+- [Treza Platform](https://app.trezalabs.com) — Web dashboard
+- [OpenAPI Spec](https://app.trezalabs.com/.well-known/openapi.json) — Full API schema
+- [Agent Manifest](https://app.trezalabs.com/.well-known/ai-plugin.json) — Machine-readable capabilities
+
+## License
+
+MIT

package/dist/handlers.d.ts

@@ -0,0 +1,10 @@
+import { TrezaClient } from './treza-client';
+type ToolResult = {
+    content: Array<{
+        type: 'text';
+        text: string;
+    }>;
+    isError?: boolean;
+};
+export declare function handleToolCall(client: TrezaClient, toolName: string, args: Record<string, unknown>): Promise<ToolResult>;
+export {};

package/dist/handlers.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleToolCall = handleToolCall;
+const tools_1 = require("./tools");
+function ok(data) {
+    return {
+        content: [{ type: 'text', text: JSON.stringify(data, null, 2) }],
+    };
+}
+function err(message) {
+    return {
+        content: [{ type: 'text', text: JSON.stringify({ error: message }) }],
+        isError: true,
+    };
+}
+async function handleToolCall(client, toolName, args) {
+    try {
+        switch (toolName) {
+            // ── Enclave Management ──────────────────────────────────────────
+            case 'treza_list_enclaves': {
+                const { walletAddress } = tools_1.listEnclavesSchema.parse(args);
+                const enclaves = await client.getEnclaves(walletAddress);
+                return ok({
+                    count: enclaves.length,
+                    enclaves: enclaves.map((e) => ({
+                        id: e.id,
+                        name: e.name,
+                        status: e.status,
+                        region: e.region,
+                        description: e.description,
+                        createdAt: e.createdAt,
+                    })),
+                });
+            }
+            case 'treza_get_enclave': {
+                const { enclaveId } = tools_1.getEnclaveSchema.parse(args);
+                const enclave = await client.getEnclave(enclaveId);
+                return ok(enclave);
+            }
+            case 'treza_create_enclave': {
+                const params = tools_1.createEnclaveSchema.parse(args);
+                const providerConfig = {};
+                if (params.dockerImage)
+                    providerConfig.dockerImage = params.dockerImage;
+                if (params.cpuCount)
+                    providerConfig.cpuCount = params.cpuCount;
+                if (params.memoryMiB)
+                    providerConfig.memoryMiB = params.memoryMiB;
+                if (params.workloadType)
+                    providerConfig.workloadType = params.workloadType;
+                if (params.exposePorts)
+                    providerConfig.exposePorts = params.exposePorts;
+                if (params.enableDebug !== undefined)
+                    providerConfig.enableDebug = params.enableDebug;
+                const enclave = await client.createEnclave({
+                    name: params.name,
+                    description: params.description,
+                    region: params.region,
+                    walletAddress: params.walletAddress,
+                    providerId: params.providerId,
+                    providerConfig: Object.keys(providerConfig).length > 0 ? providerConfig : undefined,
+                });
+                return ok({
+                    message: `Enclave "${enclave.name}" created. Deployment in progress (typically 2-5 minutes).`,
+                    enclave,
+                });
+            }
+            case 'treza_update_enclave': {
+                const params = tools_1.updateEnclaveSchema.parse(args);
+                const enclave = await client.updateEnclave(params);
+                return ok(enclave);
+            }
+            case 'treza_delete_enclave': {
+                const { enclaveId, walletAddress } = tools_1.deleteEnclaveSchema.parse(args);
+                const message = await client.deleteEnclave(enclaveId, walletAddress);
+                return ok({ message });
+            }
+            case 'treza_enclave_action': {
+                const { enclaveId, action, walletAddress } = tools_1.enclaveActionSchema.parse(args);
+                const result = await client.performEnclaveAction({
+                    id: enclaveId,
+                    action,
+                    walletAddress,
+                });
+                return ok(result);
+            }
+            case 'treza_get_enclave_logs': {
+                const { enclaveId, logType, limit } = tools_1.getEnclaveLogsSchema.parse(args);
+                const logs = await client.getEnclaveLogs(enclaveId, logType, limit);
+                return ok(logs);
+            }
+            // ── Attestation ─────────────────────────────────────────────────
+            case 'treza_get_attestation': {
+                const { enclaveId } = tools_1.getAttestationSchema.parse(args);
+                const attestation = await client.getAttestation(enclaveId);
+                return ok(attestation);
+            }
+            case 'treza_verify_attestation': {
+                const { enclaveId, nonce, challenge } = tools_1.verifyAttestationSchema.parse(args);
+                const result = await client.verifyAttestation(enclaveId, {
+                    ...(nonce && { nonce }),
+                    ...(challenge && { challenge }),
+                });
+                return ok(result);
+            }
+            case 'treza_get_verification_status': {
+                const { enclaveId } = tools_1.getVerificationStatusSchema.parse(args);
+                const status = await client.getVerificationStatus(enclaveId);
+                return ok(status);
+            }
+            // ── Providers ───────────────────────────────────────────────────
+            case 'treza_list_providers': {
+                tools_1.listProvidersSchema.parse(args);
+                const providers = await client.getProviders();
+                return ok(providers);
+            }
+            case 'treza_get_provider': {
+                const { providerId } = tools_1.getProviderSchema.parse(args);
+                const provider = await client.getProvider(providerId);
+                return ok(provider);
+            }
+            // ── Tasks ───────────────────────────────────────────────────────
+            case 'treza_list_tasks': {
+                const { walletAddress } = tools_1.listTasksSchema.parse(args);
+                const tasks = await client.getTasks(walletAddress);
+                return ok({ count: tasks.length, tasks });
+            }
+            case 'treza_create_task': {
+                const params = tools_1.createTaskSchema.parse(args);
+                const task = await client.createTask(params);
+                return ok(task);
+            }
+            // ── API Keys ────────────────────────────────────────────────────
+            case 'treza_list_api_keys': {
+                const { walletAddress } = tools_1.listApiKeysSchema.parse(args);
+                const apiKeys = await client.getApiKeys(walletAddress);
+                return ok({
+                    count: apiKeys.length,
+                    apiKeys: apiKeys.map((k) => ({
+                        id: k.id,
+                        name: k.name,
+                        status: k.status,
+                        permissions: k.permissions,
+                        createdAt: k.createdAt,
+                        lastUsed: k.lastUsed,
+                    })),
+                });
+            }
+            case 'treza_create_api_key': {
+                const params = tools_1.createApiKeySchema.parse(args);
+                const apiKey = await client.createApiKey(params);
+                return ok({
+                    message: 'API key created. Store the key securely — it will not be shown again.',
+                    apiKey,
+                });
+            }
+            default:
+                return err(`Unknown tool: ${toolName}`);
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return err(message);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const treza_client_1 = require("./treza-client");
+const tools_1 = require("./tools");
+const handlers_1 = require("./handlers");
+const resources_1 = require("./resources");
+const TREZA_BASE_URL = process.env.TREZA_BASE_URL || 'https://app.trezalabs.com';
+const TREZA_TIMEOUT = parseInt(process.env.TREZA_TIMEOUT || '30000', 10);
+const client = new treza_client_1.TrezaClient({
+    baseUrl: TREZA_BASE_URL,
+    timeout: TREZA_TIMEOUT,
+});
+const server = new mcp_js_1.McpServer({
+    name: 'treza-enclaves',
+    version: '0.1.0',
+});
+// ─── Register Tools ─────────────────────────────────────────────────────────
+for (const tool of tools_1.TOOL_DEFINITIONS) {
+    const shape = tool.schema.shape;
+    server.tool(tool.name, tool.description, shape, async (args) => (0, handlers_1.handleToolCall)(client, tool.name, args));
+}
+// ─── Register Resource Templates ────────────────────────────────────────────
+for (const template of resources_1.RESOURCE_TEMPLATES) {
+    server.resource(template.name, template.uriTemplate, { description: template.description, mimeType: template.mimeType }, async (uri) => ({
+        contents: [
+            {
+                uri: uri.href,
+                mimeType: template.mimeType,
+                text: await (0, resources_1.handleResourceRead)(client, uri.href),
+            },
+        ],
+    }));
+}
+// ─── Start ──────────────────────────────────────────────────────────────────
+async function main() {
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    console.error(`Treza MCP server running (API: ${TREZA_BASE_URL})`);
+}
+main().catch((error) => {
+    console.error('Failed to start Treza MCP server:', error);
+    process.exit(1);
+});

package/dist/resources.d.ts

@@ -0,0 +1,20 @@
+import { TrezaClient } from './treza-client';
+/**
+ * MCP Resources expose Treza data as browsable context that AI agents
+ * can read without invoking a tool. This gives agents ambient awareness
+ * of enclave state.
+ */
+export interface ResourceDefinition {
+    uri: string;
+    name: string;
+    description: string;
+    mimeType: string;
+}
+export interface ResourceTemplateDefinition {
+    uriTemplate: string;
+    name: string;
+    description: string;
+    mimeType: string;
+}
+export declare const RESOURCE_TEMPLATES: ResourceTemplateDefinition[];
+export declare function handleResourceRead(client: TrezaClient, uri: string): Promise<string>;

package/dist/resources.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RESOURCE_TEMPLATES = void 0;
+exports.handleResourceRead = handleResourceRead;
+exports.RESOURCE_TEMPLATES = [
+    {
+        uriTemplate: 'treza://enclaves/{walletAddress}',
+        name: 'Wallet Enclaves',
+        description: 'All enclaves owned by a wallet address, including status and configuration',
+        mimeType: 'application/json',
+    },
+    {
+        uriTemplate: 'treza://enclaves/{enclaveId}/details',
+        name: 'Enclave Details',
+        description: 'Full details for a specific enclave including provider config and GitHub connection',
+        mimeType: 'application/json',
+    },
+    {
+        uriTemplate: 'treza://enclaves/{enclaveId}/attestation',
+        name: 'Enclave Attestation',
+        description: 'Attestation document with PCR measurements, certificate chain, and verification status',
+        mimeType: 'application/json',
+    },
+    {
+        uriTemplate: 'treza://enclaves/{enclaveId}/verification',
+        name: 'Verification Status',
+        description: 'Quick verification status and trust level for an enclave',
+        mimeType: 'application/json',
+    },
+];
+async function handleResourceRead(client, uri) {
+    const url = new URL(uri);
+    const pathParts = url.pathname.replace(/^\/+/, '').split('/');
+    // treza://enclaves/{walletAddress}
+    if (url.host === 'enclaves' && pathParts.length === 1 && pathParts[0] !== '') {
+        const walletAddress = pathParts[0];
+        const enclaves = await client.getEnclaves(walletAddress);
+        return JSON.stringify({ count: enclaves.length, enclaves }, null, 2);
+    }
+    // treza://enclaves/{enclaveId}/details
+    if (url.host === 'enclaves' && pathParts.length === 2 && pathParts[1] === 'details') {
+        const enclaveId = pathParts[0];
+        const enclave = await client.getEnclave(enclaveId);
+        return JSON.stringify(enclave, null, 2);
+    }
+    // treza://enclaves/{enclaveId}/attestation
+    if (url.host === 'enclaves' && pathParts.length === 2 && pathParts[1] === 'attestation') {
+        const enclaveId = pathParts[0];
+        const attestation = await client.getAttestation(enclaveId);
+        return JSON.stringify(attestation, null, 2);
+    }
+    // treza://enclaves/{enclaveId}/verification
+    if (url.host === 'enclaves' && pathParts.length === 2 && pathParts[1] === 'verification') {
+        const enclaveId = pathParts[0];
+        const status = await client.getVerificationStatus(enclaveId);
+        return JSON.stringify(status, null, 2);
+    }
+    throw new Error(`Unknown resource URI: ${uri}`);
+}

package/dist/tools.d.ts

@@ -0,0 +1,195 @@
+import { z } from 'zod';
+/**
+ * Zod schemas and metadata for all MCP tools exposed by the Treza server.
+ * Each tool maps to a TrezaClient SDK method.
+ */
+export declare const listEnclavesSchema: z.ZodObject<{
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+}, {
+    walletAddress: string;
+}>;
+export declare const getEnclaveSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    enclaveId: string;
+}, {
+    enclaveId: string;
+}>;
+export declare const createEnclaveSchema: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodString;
+    region: z.ZodString;
+    walletAddress: z.ZodString;
+    providerId: z.ZodDefault<z.ZodString>;
+    dockerImage: z.ZodOptional<z.ZodString>;
+    cpuCount: z.ZodOptional<z.ZodEnum<["2", "4", "8", "16"]>>;
+    memoryMiB: z.ZodOptional<z.ZodEnum<["1024", "2048", "4096", "8192", "16384"]>>;
+    workloadType: z.ZodOptional<z.ZodEnum<["batch", "service", "daemon"]>>;
+    exposePorts: z.ZodOptional<z.ZodString>;
+    enableDebug: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+    name: string;
+    description: string;
+    region: string;
+    providerId: string;
+    dockerImage?: string | undefined;
+    cpuCount?: "2" | "4" | "8" | "16" | undefined;
+    memoryMiB?: "1024" | "2048" | "4096" | "8192" | "16384" | undefined;
+    workloadType?: "batch" | "service" | "daemon" | undefined;
+    exposePorts?: string | undefined;
+    enableDebug?: boolean | undefined;
+}, {
+    walletAddress: string;
+    name: string;
+    description: string;
+    region: string;
+    providerId?: string | undefined;
+    dockerImage?: string | undefined;
+    cpuCount?: "2" | "4" | "8" | "16" | undefined;
+    memoryMiB?: "1024" | "2048" | "4096" | "8192" | "16384" | undefined;
+    workloadType?: "batch" | "service" | "daemon" | undefined;
+    exposePorts?: string | undefined;
+    enableDebug?: boolean | undefined;
+}>;
+export declare const updateEnclaveSchema: z.ZodObject<{
+    id: z.ZodString;
+    walletAddress: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+    id: string;
+    name?: string | undefined;
+    description?: string | undefined;
+}, {
+    walletAddress: string;
+    id: string;
+    name?: string | undefined;
+    description?: string | undefined;
+}>;
+export declare const deleteEnclaveSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+    enclaveId: string;
+}, {
+    walletAddress: string;
+    enclaveId: string;
+}>;
+export declare const enclaveActionSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+    action: z.ZodEnum<["pause", "resume", "terminate"]>;
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    action: "pause" | "resume" | "terminate";
+    walletAddress: string;
+    enclaveId: string;
+}, {
+    action: "pause" | "resume" | "terminate";
+    walletAddress: string;
+    enclaveId: string;
+}>;
+export declare const getEnclaveLogsSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+    logType: z.ZodDefault<z.ZodEnum<["all", "ecs", "stepfunctions", "lambda", "application", "errors"]>>;
+    limit: z.ZodDefault<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    enclaveId: string;
+    logType: "all" | "ecs" | "stepfunctions" | "lambda" | "application" | "errors";
+    limit: number;
+}, {
+    enclaveId: string;
+    logType?: "all" | "ecs" | "stepfunctions" | "lambda" | "application" | "errors" | undefined;
+    limit?: number | undefined;
+}>;
+export declare const getAttestationSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    enclaveId: string;
+}, {
+    enclaveId: string;
+}>;
+export declare const verifyAttestationSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    challenge: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    enclaveId: string;
+    nonce?: string | undefined;
+    challenge?: string | undefined;
+}, {
+    enclaveId: string;
+    nonce?: string | undefined;
+    challenge?: string | undefined;
+}>;
+export declare const getVerificationStatusSchema: z.ZodObject<{
+    enclaveId: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    enclaveId: string;
+}, {
+    enclaveId: string;
+}>;
+export declare const listProvidersSchema: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
+export declare const getProviderSchema: z.ZodObject<{
+    providerId: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    providerId: string;
+}, {
+    providerId: string;
+}>;
+export declare const listTasksSchema: z.ZodObject<{
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+}, {
+    walletAddress: string;
+}>;
+export declare const createTaskSchema: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodString;
+    enclaveId: z.ZodString;
+    schedule: z.ZodString;
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+    enclaveId: string;
+    name: string;
+    description: string;
+    schedule: string;
+}, {
+    walletAddress: string;
+    enclaveId: string;
+    name: string;
+    description: string;
+    schedule: string;
+}>;
+export declare const listApiKeysSchema: z.ZodObject<{
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+}, {
+    walletAddress: string;
+}>;
+export declare const createApiKeySchema: z.ZodObject<{
+    name: z.ZodString;
+    permissions: z.ZodArray<z.ZodEnum<["enclaves:read", "enclaves:write", "tasks:read", "tasks:write", "logs:read"]>, "many">;
+    walletAddress: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    walletAddress: string;
+    name: string;
+    permissions: ("enclaves:read" | "enclaves:write" | "tasks:read" | "tasks:write" | "logs:read")[];
+}, {
+    walletAddress: string;
+    name: string;
+    permissions: ("enclaves:read" | "enclaves:write" | "tasks:read" | "tasks:write" | "logs:read")[];
+}>;
+export interface ToolDefinition {
+    name: string;
+    description: string;
+    schema: z.ZodObject<any>;
+}
+export declare const TOOL_DEFINITIONS: ToolDefinition[];

package/dist/tools.js

@@ -0,0 +1,167 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TOOL_DEFINITIONS = exports.createApiKeySchema = exports.listApiKeysSchema = exports.createTaskSchema = exports.listTasksSchema = exports.getProviderSchema = exports.listProvidersSchema = exports.getVerificationStatusSchema = exports.verifyAttestationSchema = exports.getAttestationSchema = exports.getEnclaveLogsSchema = exports.enclaveActionSchema = exports.deleteEnclaveSchema = exports.updateEnclaveSchema = exports.createEnclaveSchema = exports.getEnclaveSchema = exports.listEnclavesSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Zod schemas and metadata for all MCP tools exposed by the Treza server.
+ * Each tool maps to a TrezaClient SDK method.
+ */
+// ─── Enclave Management ─────────────────────────────────────────────────────
+exports.listEnclavesSchema = zod_1.z.object({
+    walletAddress: zod_1.z.string().describe('Ethereum wallet address that owns the enclaves'),
+});
+exports.getEnclaveSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Unique enclave identifier (e.g. "enc_abc123")'),
+});
+exports.createEnclaveSchema = zod_1.z.object({
+    name: zod_1.z.string().describe('Human-readable name for the enclave'),
+    description: zod_1.z.string().describe('Description of the enclave purpose'),
+    region: zod_1.z.string().describe('AWS region to deploy in (e.g. "us-east-1", "eu-west-1")'),
+    walletAddress: zod_1.z.string().describe('Ethereum wallet address of the owner'),
+    providerId: zod_1.z.string().default('aws-nitro-enclave').describe('Provider ID (default: "aws-nitro-enclave")'),
+    dockerImage: zod_1.z.string().optional().describe('Docker image to run inside the enclave'),
+    cpuCount: zod_1.z.enum(['2', '4', '8', '16']).optional().describe('Number of vCPUs'),
+    memoryMiB: zod_1.z.enum(['1024', '2048', '4096', '8192', '16384']).optional().describe('Memory in MiB'),
+    workloadType: zod_1.z.enum(['batch', 'service', 'daemon']).optional().describe('Workload type'),
+    exposePorts: zod_1.z.string().optional().describe('Comma-separated ports to expose'),
+    enableDebug: zod_1.z.boolean().optional().describe('Enable debug mode'),
+});
+exports.updateEnclaveSchema = zod_1.z.object({
+    id: zod_1.z.string().describe('Enclave ID to update'),
+    walletAddress: zod_1.z.string().describe('Wallet address for authorization'),
+    name: zod_1.z.string().optional().describe('New name'),
+    description: zod_1.z.string().optional().describe('New description'),
+});
+exports.deleteEnclaveSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID to delete'),
+    walletAddress: zod_1.z.string().describe('Wallet address for authorization'),
+});
+exports.enclaveActionSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID to act on'),
+    action: zod_1.z.enum(['pause', 'resume', 'terminate']).describe('Lifecycle action'),
+    walletAddress: zod_1.z.string().describe('Wallet address for authorization'),
+});
+exports.getEnclaveLogsSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID'),
+    logType: zod_1.z.enum(['all', 'ecs', 'stepfunctions', 'lambda', 'application', 'errors']).default('all').describe('Type of logs'),
+    limit: zod_1.z.number().default(50).describe('Max log entries to return'),
+});
+// ─── Attestation & Verification ─────────────────────────────────────────────
+exports.getAttestationSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID to get attestation for'),
+});
+exports.verifyAttestationSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID to verify'),
+    nonce: zod_1.z.string().optional().describe('Nonce for replay protection'),
+    challenge: zod_1.z.string().optional().describe('Challenge string for additional verification'),
+});
+exports.getVerificationStatusSchema = zod_1.z.object({
+    enclaveId: zod_1.z.string().describe('Enclave ID to check'),
+});
+// ─── Providers ──────────────────────────────────────────────────────────────
+exports.listProvidersSchema = zod_1.z.object({});
+exports.getProviderSchema = zod_1.z.object({
+    providerId: zod_1.z.string().describe('Provider ID (e.g. "aws-nitro-enclave")'),
+});
+// ─── Tasks ──────────────────────────────────────────────────────────────────
+exports.listTasksSchema = zod_1.z.object({
+    walletAddress: zod_1.z.string().describe('Wallet address that owns the tasks'),
+});
+exports.createTaskSchema = zod_1.z.object({
+    name: zod_1.z.string().describe('Task name'),
+    description: zod_1.z.string().describe('Task description'),
+    enclaveId: zod_1.z.string().describe('Enclave to run the task on'),
+    schedule: zod_1.z.string().describe('Cron expression (e.g. "0 */6 * * *")'),
+    walletAddress: zod_1.z.string().describe('Wallet address for authorization'),
+});
+// ─── API Keys ───────────────────────────────────────────────────────────────
+exports.listApiKeysSchema = zod_1.z.object({
+    walletAddress: zod_1.z.string().describe('Wallet address that owns the API keys'),
+});
+exports.createApiKeySchema = zod_1.z.object({
+    name: zod_1.z.string().describe('Human-readable key name'),
+    permissions: zod_1.z.array(zod_1.z.enum(['enclaves:read', 'enclaves:write', 'tasks:read', 'tasks:write', 'logs:read'])).describe('Array of permission scopes'),
+    walletAddress: zod_1.z.string().describe('Wallet address for authorization'),
+});
+exports.TOOL_DEFINITIONS = [
+    {
+        name: 'treza_list_enclaves',
+        description: 'List all Treza Nitro Enclaves owned by a wallet address. Returns enclave IDs, names, statuses, regions, and configuration.',
+        schema: exports.listEnclavesSchema,
+    },
+    {
+        name: 'treza_get_enclave',
+        description: 'Get detailed information about a specific Treza enclave including its status, configuration, provider settings, and GitHub connection.',
+        schema: exports.getEnclaveSchema,
+    },
+    {
+        name: 'treza_create_enclave',
+        description: 'Create a new AWS Nitro Enclave with hardware-isolated TEE. The enclave will generate and manage private keys internally — keys never leave the enclave boundary. Deployment takes 2-5 minutes via Step Functions.',
+        schema: exports.createEnclaveSchema,
+    },
+    {
+        name: 'treza_update_enclave',
+        description: 'Update an existing enclave\'s name, description, or configuration.',
+        schema: exports.updateEnclaveSchema,
+    },
+    {
+        name: 'treza_delete_enclave',
+        description: 'Permanently delete a terminated enclave. The enclave must be in DESTROYED status before deletion.',
+        schema: exports.deleteEnclaveSchema,
+    },
+    {
+        name: 'treza_enclave_action',
+        description: 'Perform a lifecycle action on an enclave: pause (stop billing), resume (restart), or terminate (destroy infrastructure). Terminate is irreversible.',
+        schema: exports.enclaveActionSchema,
+    },
+    {
+        name: 'treza_get_enclave_logs',
+        description: 'Retrieve logs from an enclave. Supports filtering by source: ECS deployment, Step Functions workflow, Lambda triggers, application stdout/stderr, or errors only.',
+        schema: exports.getEnclaveLogsSchema,
+    },
+    {
+        name: 'treza_get_attestation',
+        description: 'Get the attestation document for a deployed enclave. Returns PCR measurements (enclave image hash, kernel hash, application hash, signing cert), certificate chain, and verification endpoints. Use this to cryptographically verify an enclave is running the expected code.',
+        schema: exports.getAttestationSchema,
+    },
+    {
+        name: 'treza_verify_attestation',
+        description: 'Perform comprehensive cryptographic verification of an enclave\'s attestation. Checks PCR measurements, certificate chain, timestamp validity, nonce matching, and signature. Returns trust level (HIGH/MEDIUM/LOW), compliance status (SOC2, HIPAA, FIPS), and risk score.',
+        schema: exports.verifyAttestationSchema,
+    },
+    {
+        name: 'treza_get_verification_status',
+        description: 'Quick check of an enclave\'s verification status and trust level without performing full verification.',
+        schema: exports.getVerificationStatusSchema,
+    },
+    {
+        name: 'treza_list_providers',
+        description: 'List all available enclave providers (e.g., AWS Nitro Enclave) with their supported regions and configuration schemas.',
+        schema: exports.listProvidersSchema,
+    },
+    {
+        name: 'treza_get_provider',
+        description: 'Get detailed information about a specific enclave provider including supported regions and configuration options.',
+        schema: exports.getProviderSchema,
+    },
+    {
+        name: 'treza_list_tasks',
+        description: 'List all scheduled tasks for a wallet. Tasks are cron-scheduled operations that run inside enclaves.',
+        schema: exports.listTasksSchema,
+    },
+    {
+        name: 'treza_create_task',
+        description: 'Create a new scheduled task to run inside an enclave on a cron schedule.',
+        schema: exports.createTaskSchema,
+    },
+    {
+        name: 'treza_list_api_keys',
+        description: 'List all API keys for a wallet address. Keys have scoped permissions (enclaves:read, enclaves:write, tasks:read, tasks:write, logs:read).',
+        schema: exports.listApiKeysSchema,
+    },
+    {
+        name: 'treza_create_api_key',
+        description: 'Create a new scoped API key for programmatic access to the Treza platform. Returns the key only once — store it securely.',
+        schema: exports.createApiKeySchema,
+    },
+];

package/dist/treza-client.d.ts

@@ -0,0 +1,37 @@
+export interface TrezaConfig {
+    baseUrl?: string;
+    timeout?: number;
+}
+export declare class TrezaSdkError extends Error {
+    readonly code?: string;
+    readonly statusCode?: number;
+    constructor(message: string, code?: string, statusCode?: number);
+}
+/**
+ * Lightweight Treza API client for the MCP server.
+ * Mirrors the full SDK's TrezaClient but with no extra dependencies.
+ */
+export declare class TrezaClient {
+    private client;
+    constructor(config?: TrezaConfig);
+    getEnclaves(walletAddress: string): Promise<any>;
+    getEnclave(enclaveId: string): Promise<any>;
+    createEnclave(request: Record<string, unknown>): Promise<any>;
+    updateEnclave(request: Record<string, unknown>): Promise<any>;
+    deleteEnclave(enclaveId: string, walletAddress: string): Promise<any>;
+    performEnclaveAction(request: {
+        id: string;
+        action: string;
+        walletAddress: string;
+    }): Promise<any>;
+    getEnclaveLogs(enclaveId: string, logType?: string, limit?: number): Promise<any>;
+    getAttestation(enclaveId: string): Promise<any>;
+    getVerificationStatus(enclaveId: string): Promise<any>;
+    verifyAttestation(enclaveId: string, request?: Record<string, unknown>): Promise<any>;
+    getProviders(): Promise<any>;
+    getProvider(providerId: string): Promise<any>;
+    getTasks(walletAddress: string): Promise<any>;
+    createTask(request: Record<string, unknown>): Promise<any>;
+    getApiKeys(walletAddress: string): Promise<any>;
+    createApiKey(request: Record<string, unknown>): Promise<any>;
+}

package/dist/treza-client.js

@@ -0,0 +1,113 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TrezaClient = exports.TrezaSdkError = void 0;
+const axios_1 = __importDefault(require("axios"));
+class TrezaSdkError extends Error {
+    constructor(message, code, statusCode) {
+        super(message);
+        this.name = 'TrezaSdkError';
+        this.code = code;
+        this.statusCode = statusCode;
+    }
+}
+exports.TrezaSdkError = TrezaSdkError;
+/**
+ * Lightweight Treza API client for the MCP server.
+ * Mirrors the full SDK's TrezaClient but with no extra dependencies.
+ */
+class TrezaClient {
+    constructor(config = {}) {
+        this.client = axios_1.default.create({
+            baseURL: config.baseUrl || 'https://app.trezalabs.com',
+            timeout: config.timeout || 30000,
+            headers: { 'Content-Type': 'application/json' },
+        });
+        this.client.interceptors.response.use((r) => r, (error) => {
+            if (error.response) {
+                const data = error.response.data;
+                throw new TrezaSdkError(data?.error || error.message, `HTTP_${error.response.status}`, error.response.status);
+            }
+            throw new TrezaSdkError(error.message, 'NETWORK_ERROR');
+        });
+    }
+    // ── Enclaves ────────────────────────────────────────────────────────────
+    async getEnclaves(walletAddress) {
+        const r = await this.client.get('/api/enclaves', { params: { wallet: walletAddress } });
+        return r.data.enclaves;
+    }
+    async getEnclave(enclaveId) {
+        const r = await this.client.get(`/api/enclaves/${enclaveId}`);
+        return r.data.enclave;
+    }
+    async createEnclave(request) {
+        const r = await this.client.post('/api/enclaves', request);
+        return r.data.enclave;
+    }
+    async updateEnclave(request) {
+        const r = await this.client.put('/api/enclaves', request);
+        return r.data.enclave;
+    }
+    async deleteEnclave(enclaveId, walletAddress) {
+        const r = await this.client.delete(`/api/enclaves/${enclaveId}`, {
+            params: { wallet: walletAddress },
+        });
+        return r.data.message;
+    }
+    async performEnclaveAction(request) {
+        const r = await this.client.patch(`/api/enclaves/${request.id}`, {
+            action: request.action,
+            walletAddress: request.walletAddress,
+        });
+        return r.data;
+    }
+    async getEnclaveLogs(enclaveId, logType = 'all', limit = 100) {
+        const r = await this.client.get(`/api/enclaves/${enclaveId}/logs`, {
+            params: { type: logType, limit },
+        });
+        return r.data;
+    }
+    // ── Attestation ─────────────────────────────────────────────────────────
+    async getAttestation(enclaveId) {
+        const r = await this.client.get(`/api/enclaves/${enclaveId}/attestation`);
+        return r.data;
+    }
+    async getVerificationStatus(enclaveId) {
+        const r = await this.client.get(`/api/enclaves/${enclaveId}/attestation/verify`);
+        return r.data;
+    }
+    async verifyAttestation(enclaveId, request) {
+        const r = await this.client.post(`/api/enclaves/${enclaveId}/attestation/verify`, request || {});
+        return r.data;
+    }
+    // ── Providers ───────────────────────────────────────────────────────────
+    async getProviders() {
+        const r = await this.client.get('/api/providers');
+        return r.data.providers;
+    }
+    async getProvider(providerId) {
+        const r = await this.client.get('/api/providers', { params: { id: providerId } });
+        return r.data.provider;
+    }
+    // ── Tasks ───────────────────────────────────────────────────────────────
+    async getTasks(walletAddress) {
+        const r = await this.client.get('/api/tasks', { params: { wallet: walletAddress } });
+        return r.data.tasks;
+    }
+    async createTask(request) {
+        const r = await this.client.post('/api/tasks', request);
+        return r.data.task;
+    }
+    // ── API Keys ────────────────────────────────────────────────────────────
+    async getApiKeys(walletAddress) {
+        const r = await this.client.get('/api/api-keys', { params: { wallet: walletAddress } });
+        return r.data.apiKeys;
+    }
+    async createApiKey(request) {
+        const r = await this.client.post('/api/api-keys', request);
+        return r.data.apiKey;
+    }
+}
+exports.TrezaClient = TrezaClient;

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@treza/mcp",
+  "version": "0.1.0",
+  "description": "Model Context Protocol server for Treza Enclaves — lets AI agents manage TEEs, verify attestations, and sign transactions",
+  "keywords": [
+    "treza",
+    "mcp",
+    "model-context-protocol",
+    "ai-agents",
+    "enclaves",
+    "tee",
+    "attestation",
+    "nitro-enclaves"
+  ],
+  "homepage": "https://trezalabs.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/treza-labs/treza-sdk.git",
+    "directory": "packages/mcp"
+  },
+  "license": "MIT",
+  "author": "TREZA Labs <hello@trezalabs.com>",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "treza-mcp": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "build:watch": "tsc -w",
+    "clean": "rm -rf dist",
+    "dev": "tsc -w",
+    "start": "node dist/index.js",
+    "lint": "eslint src/**/*.ts --fix",
+    "lint:check": "eslint src/**/*.ts",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.1",
+    "axios": "^1.7.0",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}