agent-passport-system-mcp 2.17.0 → 2.18.0

package/README.md

@@ -6,11 +6,11 @@
   <img width="380" height="200" src="https://glama.ai/mcp/servers/@aeoess/agent-passport-system-mcp/badge" />
 </a>
 
-MCP server for the [Agent Passport System](https://github.com/aeoess/agent-passport-system) — governance infrastructure for the agent economy. Identity, delegation, reputation, enforcement, commerce, institutional governance.
+MCP server for the [Agent Passport System](https://github.com/aeoess/agent-passport-system) — enforcement infrastructure for the agent economy. Policy evaluation in under 2ms. 15 constraint dimensions. Feeless Nano payments. Identity, delegation, reputation, enforcement, commerce, institutional governance.
 
-> **🤖 For AI agents:** If you are an agent reading this, visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable documentation or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete technical reference. This README is designed for humans.
+> **🤖 For AI agents:** If you are an agent reading this, visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable documentation or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete technical reference. MCP discovery: [.well-known/mcp.json](https://aeoess.com/.well-known/mcp.json). This README is designed for humans.
 
-**121 tools** across 57 core modules + 32 v2 constitutional governance modules (separation of powers, circuit breakers, approval fatigue detection, and more). Works with any MCP client: Claude Desktop, Cursor, Windsurf, and more.
+**122 tools** across 62 core modules + 32 v2 constitutional governance modules (separation of powers, circuit breakers, approval fatigue detection, and more). Independently cited by [PDR in Production (Nanook & Gerundium, UBC)](https://doi.org/10.5281/zenodo.19323172). Works with any MCP client: Claude Desktop, Cursor, Windsurf, and more.
 
 ## Quick Start
 
@@ -29,7 +29,7 @@ npm install -g agent-passport-system-mcp
 npx agent-passport-system-mcp setup
 ```
 
-Auto-configures Claude Desktop and Cursor. Restart your AI client. 121 tools ready.
+Auto-configures Claude Desktop and Cursor. Restart your AI client. 122 tools ready.
 
 <details>
 <summary>Manual config (if setup doesn't detect your client)</summary>
@@ -61,15 +61,17 @@ Or for remote SSE:
 ```
 </details>
 
-## Tools (61)
+## Tools (63)
 
-### Identity (Layer 1) — 3 tools
+### Identity (Layer 1) — 5 tools
 
 | Tool | Description |
 |------|-------------|
-| `generate_keys` | Generate Ed25959 keypair for agent identity |
-| `join_social_contract` | Create agent passport with values attestation and beneficiary |
+| `generate_keys` | Generate Ed25519 keypair for agent identity |
+| `issue_passport` | One-call passport issuance with keys, attestation, and issuer countersignature |
 | `verify_passport` | Verify another agent's passport signature |
+| `verify_issuer` | Verify passport was officially issued by AEOESS (CA model) |
+| `join_social_contract` | Create agent passport with values attestation and beneficiary |
 
 ### Coordination (Layer 6) — 11 tools
 
@@ -145,7 +147,7 @@ Or for remote SSE:
 
 | Tool | Description |
 |------|-------------|
-| `create_principal` | Create principal identity (human/org behind agents) with Ed25959 keypair |
+| `create_principal` | Create principal identity (human/org behind agents) with Ed25519 keypair |
 | `endorse_agent` | Endorse an agent — cryptographic chain: principal → agent |
 | `verify_endorsement` | Verify a principal's endorsement signature |
 | `revoke_endorsement` | Revoke endorsement ("I no longer authorize this agent") |
@@ -194,7 +196,7 @@ Layer 5 — Intent Architecture (policy engine, 3-signature chain)
 Layer 4 — Agent Agora (signed communication)
 Layer 3 — Beneficiary Attribution (Merkle proofs)
 Layer 2 — Human Values Floor (8 principles)
-Layer 1 — Agent Passport Protocol (Ed25959 identity)
+Layer 1 — Agent Passport Protocol (Ed25519 identity)
 ```
 
 ## Recognition
@@ -206,7 +208,7 @@ Layer 1 — Agent Passport Protocol (Ed25959 identity)
 
 ## Links
 
-- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v1.28.0, 1707 tests)
+- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v1.29.0, 1852 tests)
 - Python SDK: [agent-passport-system](https://pypi.org/project/agent-passport-system/) (v0.5.1)
 - Paper (Protocol): [doi.org/10.5281/zenodo.18749779](https://doi.org/10.5281/zenodo.18749779)
 - Paper (Faceted Narrowing): [doi.org/10.5281/zenodo.19260073](https://doi.org/10.5281/zenodo.19260073)

package/build/index.js

@@ -18,7 +18,7 @@ import { readFileSync, writeFileSync, existsSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { 
 // Identity + Crypto
-joinSocialContract, generateKeyPair, delegate, sign, 
+joinSocialContract, generateKeyPair, delegate, sign, countersignPassport, verifyIssuerSignature, isIssuerVerified, 
 // Agent Context (enforcement middleware)
 createAgentContext, 
 // Coordination (Layer 6)
@@ -64,6 +64,11 @@ const STORE_PATH = join(process.env.HOME || '.', '.agent-passport-tasks.json');
 const COMMS_PATH = process.env.COMMS_PATH || join(process.env.HOME || '.', 'aeoess_web', 'comms');
 const AGENTS_PATH = process.env.AGENTS_PATH || join(process.env.HOME || '.', 'aeoess_web', 'agora', 'agents.json');
 const AGORA_PATH = process.env.AGORA_PATH || join(process.env.HOME || '.', 'aeoess_web', 'agora', 'messages.json');
+// AEOESS Passport Issuer Authority (Certificate Authority model)
+// Public key is published and hardcoded — anyone can verify.
+// Private key is in AEOESS_ISSUER_PRIVATE_KEY env var (Railway deployment only).
+const AEOESS_ISSUER_PUBLIC_KEY = 'e11f46f5831432d17852189d5df10ed21d5774797ae9ee52dbab8c650fec16ae';
+const AEOESS_ISSUER_PRIVATE_KEY = process.env.AEOESS_ISSUER_PRIVATE_KEY || null;
 // Default floor YAML for issue_passport attestation (embedded so it works on remote/sandboxed servers)
 const DEFAULT_FLOOR_YAML = `version: "0.1"
 schema: "agent-social-contract/values-floor"
@@ -338,7 +343,7 @@ const server = new McpServer({
 // coordination, commerce, data, gateway, comms, minimal.
 const TOOL_PROFILES = {
     identity: new Set([
-        'identify', 'generate_keys', 'issue_passport', 'create_principal', 'endorse_agent',
+        'identify', 'generate_keys', 'issue_passport', 'verify_issuer', 'create_principal', 'endorse_agent',
         'verify_endorsement', 'create_disclosure', 'create_delegation',
         'verify_delegation', 'revoke_delegation', 'sub_delegate',
         'revoke_endorsement', 'get_fleet_status', 'create_v2_delegation',
@@ -405,7 +410,7 @@ const TOOL_PROFILES = {
         'register_agora_public',
     ]),
     minimal: new Set([
-        'identify', 'generate_keys', 'issue_passport', 'create_delegation', 'verify_delegation',
+        'identify', 'generate_keys', 'issue_passport', 'verify_issuer', 'create_delegation', 'verify_delegation',
         'create_intent', 'evaluate_intent', 'list_profiles',
     ]),
 };
@@ -425,7 +430,7 @@ server.tool = function (name, ...rest) {
 // ═══════════════════════════════════════
 server.tool("list_profiles", "Show available tool profiles. Set APS_PROFILE env var to limit exposed tools (e.g. APS_PROFILE=data).", {}, async () => {
     const lines = Object.entries(TOOL_PROFILES).map(([name, tools]) => `• ${name} (${tools.size} tools): ${Array.from(tools).slice(0, 6).join(', ')}${tools.size > 6 ? '...' : ''}`);
-    return { content: [{ type: "text", text: `📋 Tool Profiles (set APS_PROFILE env var):\n\nActive: ${activeProfile} (${activeProfile === 'full' ? '120' : profileFilter?.size || '120'} tools)\n\n${lines.join('\n')}\n\n• full (120 tools): All tools exposed (default)` }] };
+    return { content: [{ type: "text", text: `📋 Tool Profiles (set APS_PROFILE env var):\n\nActive: ${activeProfile} (${activeProfile === 'full' ? '122' : profileFilter?.size || '122'} tools)\n\n${lines.join('\n')}\n\n• full (122 tools): All tools exposed (default)` }] };
 });
 // ═══════════════════════════════════════
 // TOOL: identify
@@ -507,17 +512,62 @@ server.tool("issue_passport", "Issue a complete agent passport with keys, signed
         models: ['unknown'],
         floor: args.attest_to_floor ? (state.floorYaml || DEFAULT_FLOOR_YAML) : undefined,
     });
+    // Countersign with AEOESS issuer key if available (CA model)
+    const passport = AEOESS_ISSUER_PRIVATE_KEY
+        ? countersignPassport(agent.passport, AEOESS_ISSUER_PRIVATE_KEY, 'aeoess')
+        : agent.passport;
     return {
         content: [{
                 type: "text",
                 text: JSON.stringify({
-                    passport: agent.passport,
-                    publicKey: agent.passport.passport.publicKey,
+                    passport: passport,
+                    publicKey: passport.passport.publicKey,
                     privateKey: agent.keyPair.privateKey,
-                    agentId: agent.passport.passport.agentId,
+                    agentId: passport.passport.agentId,
                     attestation: agent.attestation || null,
-                    did: `did:aps:${agent.passport.passport.publicKey}`,
-                    note: "Store the privateKey securely. Use publicKey and agentId for identification. The passport object is signed and verifiable by anyone.",
+                    did: `did:aps:${passport.passport.publicKey}`,
+                    issuerVerified: !!passport.issuerSignature,
+                    issuerPublicKey: AEOESS_ISSUER_PUBLIC_KEY,
+                    note: passport.issuerSignature
+                        ? "This passport is countersigned by AEOESS. Verify with issuerPublicKey."
+                        : "This passport is self-signed (issuer key not configured on this server).",
+                }, null, 2),
+            }],
+    };
+});
+// ═══════════════════════════════════════
+// TOOL: verify_issuer
+// ═══════════════════════════════════════
+server.tool("verify_issuer", "Verify that a passport was officially issued by AEOESS. Checks the issuer countersignature against the published AEOESS public key. Returns false for self-signed passports.", {
+    passport: z.object({
+        passport: z.any(),
+        signature: z.string(),
+        signedAt: z.string(),
+        issuerSignature: z.object({
+            issuerId: z.string(),
+            issuerPublicKey: z.string(),
+            signature: z.string(),
+            signedAt: z.string(),
+        }).optional(),
+    }).describe("The signed passport object to verify"),
+}, async (args) => {
+    const sp = args.passport;
+    const hasIssuerSig = isIssuerVerified(sp);
+    const isValid = hasIssuerSig ? verifyIssuerSignature(sp, AEOESS_ISSUER_PUBLIC_KEY) : false;
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    verified: isValid,
+                    hasIssuerSignature: hasIssuerSig,
+                    issuerId: sp.issuerSignature?.issuerId || null,
+                    issuerPublicKey: AEOESS_ISSUER_PUBLIC_KEY,
+                    agentId: sp.passport?.agentId || null,
+                    note: isValid
+                        ? "This passport was officially issued by AEOESS."
+                        : hasIssuerSig
+                            ? "Passport has an issuer signature but it does NOT match AEOESS. Do not trust."
+                            : "This passport is self-signed. It was NOT issued through official AEOESS infrastructure.",
                 }, null, 2),
             }],
     };

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "agent-passport-system-mcp",
-  "version": "2.17.0",
+  "version": "2.18.0",
   "mcpName": "io.github.aeoess/agent-passport-mcp",
-  "description": "MCP server for the Agent Passport System — governance infrastructure for the agent economy. 121 tools across 86 modules. Identity, delegation, reputation, enforcement, commerce.",
+  "description": "MCP server for the Agent Passport System — enforcement infrastructure for the agent economy. 122 tools across 94 modules. Policy eval <2ms. Identity, delegation, reputation, enforcement, feeless Nano wallet, commerce.",
   "type": "module",
   "bin": {
     "agent-passport-system-mcp": "./build/bin.js",
@@ -49,7 +49,7 @@
   "homepage": "https://github.com/aeoess/agent-passport-mcp",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "agent-passport-system": "^1.28.0",
+    "agent-passport-system": "^1.29.0",
     "zod": "^3.25.76"
   },
   "devDependencies": {