chronoverify-mcp 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ChronoVerify
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,44 @@
+# chronoverify-mcp
+
+An [MCP](https://modelcontextprotocol.io) server for [ChronoVerify](https://chronoverify.com). It gives any MCP-compatible AI agent (Claude Desktop, Cursor, Cline, and others) one tool, `verify_image`, to check a photo's capture time and provenance: C2PA Content Credentials, EXIF and XMP metadata, and classical pixel forensics, fused into one verdict (`provenance_confirmed`, `consistent`, `inconclusive`, `metadata_anomaly`, or `manipulation_indicated`) with a 0 to 100 confidence.
+
+Provenance-first, not a deepfake detector. Results are investigative triage to support human review, not proof.
+
+> **Get an API key** (the first 100 verifications each month are included): https://chronoverify.com/pricing . Without a key, the server uses the free, rate-limited public path.
+
+## Install
+
+Add it to your MCP client config. For Claude Desktop (`claude_desktop_config.json`) or any MCP client:
+
+```json
+{
+  "mcpServers": {
+    "chronoverify": {
+      "command": "npx",
+      "args": ["-y", "chronoverify-mcp"],
+      "env": { "CHRONOVERIFY_API_KEY": "cv_live_..." }
+    }
+  }
+}
+```
+
+Omit the `env` block to use the free public path.
+
+## The tool
+
+`verify_image` takes exactly one of:
+
+- `url`: a publicly reachable image URL (the server fetches it),
+- `file_path`: an absolute path to a local image, or
+- `image_base64`: base64-encoded image bytes.
+
+It returns the verdict, the confidence, the capture time and device when present, the C2PA status, and the SHA-256 of the file.
+
+## Example prompts
+
+- "Verify the provenance of /Users/me/Downloads/photo.jpg"
+- "When was the photo at this URL taken, and has it been edited? https://example.com/photo.jpg"
+
+## License
+
+MIT

package/dist/index.js

@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+/**
+ * ChronoVerify MCP server.
+ *
+ * Exposes a single tool, `verify_image`, so any MCP-compatible AI agent (Claude
+ * Desktop, Cursor, Cline, and others) can verify a photo's capture time and
+ * provenance. It wraps POST /v1/verify: reads C2PA Content Credentials, EXIF and
+ * XMP metadata, and classical pixel forensics, and returns one verdict with a
+ * 0 to 100 confidence. Provenance-first, not a deepfake detector; results are
+ * investigative triage, not proof.
+ *
+ * Configure with the CHRONOVERIFY_API_KEY environment variable to meter calls
+ * against your key; without it, calls use the free, rate-limited public path.
+ */
+import { readFile } from "node:fs/promises";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+const BASE_URL = (process.env.CHRONOVERIFY_BASE_URL ?? "https://chronoverify.com").replace(/\/+$/, "");
+const API_KEY = process.env.CHRONOVERIFY_API_KEY;
+async function verifyImage(args) {
+    const provided = [args.url, args.file_path, args.image_base64].filter((x) => x != null && x !== "");
+    if (provided.length !== 1) {
+        throw new Error("Provide exactly one of url, file_path, or image_base64.");
+    }
+    const form = new FormData();
+    if (args.url) {
+        form.append("url", args.url);
+    }
+    else if (args.file_path) {
+        const buf = await readFile(args.file_path);
+        form.append("file", new Blob([buf]), "image");
+    }
+    else {
+        const buf = Buffer.from(args.image_base64, "base64");
+        form.append("file", new Blob([buf]), "image");
+    }
+    const headers = {};
+    if (API_KEY)
+        headers["Authorization"] = `Bearer ${API_KEY}`;
+    const resp = await fetch(`${BASE_URL}/v1/verify`, { method: "POST", body: form, headers });
+    if (!resp.ok) {
+        let detail = "";
+        try {
+            detail = (await resp.json()).detail ?? "";
+        }
+        catch {
+            /* ignore */
+        }
+        throw new Error(`ChronoVerify API error ${resp.status}${detail ? `: ${detail}` : ""}`);
+    }
+    return (await resp.json());
+}
+function summarize(r) {
+    const lines = [];
+    lines.push(`Verdict: ${r.verdict} (confidence ${r.confidence}/100)`);
+    if (r.headline)
+        lines.push(r.headline);
+    const ct = r.capture_time ?? {};
+    if (ct.value)
+        lines.push(`Capture time: ${ct.value} (source: ${ct.source})`);
+    const dev = r.capture_device ?? {};
+    if (dev.make || dev.model)
+        lines.push(`Device: ${[dev.make, dev.model].filter(Boolean).join(" ")}`);
+    const loc = r.capture_location ?? {};
+    if (loc.present) {
+        const place = [loc.city, loc.region, loc.country].filter(Boolean).join(", ");
+        lines.push(`Location: ${place || `${loc.lat}, ${loc.lon}`}`);
+    }
+    const c2pa = r.c2pa ?? {};
+    lines.push(`C2PA Content Credentials: ${c2pa.present ? (c2pa.validated ? "present and validated" : "present") : "none"}`);
+    if (r.integrity?.sha256)
+        lines.push(`SHA-256: ${r.integrity.sha256}`);
+    lines.push("");
+    lines.push("Verified with ChronoVerify (https://chronoverify.com). Investigative triage, not proof: a clean result means the file's saved data is internally consistent, not that the scene it shows is real.");
+    lines.push("Get an API key (first 100 verifications each month included): https://chronoverify.com/pricing");
+    return lines.join("\n");
+}
+const server = new McpServer({ name: "chronoverify", version: "0.1.0" });
+server.tool("verify_image", "Verify a photo's capture time and provenance with ChronoVerify. Reads C2PA Content Credentials, EXIF and XMP metadata, and runs classical pixel forensics, then returns one verdict (provenance_confirmed, consistent, inconclusive, metadata_anomaly, or manipulation_indicated) with a 0 to 100 confidence and the signals behind it. It works on any image, signed or not. Provenance-first and not a deepfake detector: results are investigative triage to support human review, not proof. Provide exactly one of url, file_path, or image_base64.", {
+    url: z.string().optional().describe("A publicly reachable image URL; the server fetches it."),
+    file_path: z.string().optional().describe("Absolute path to a local image file to verify."),
+    image_base64: z.string().optional().describe("Base64-encoded image bytes (no data: prefix)."),
+}, async (args) => {
+    try {
+        const result = await verifyImage(args);
+        return { content: [{ type: "text", text: summarize(result) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "chronoverify-mcp",
+  "version": "0.1.0",
+  "description": "MCP server for ChronoVerify: verify a photo's capture time and provenance from any MCP-compatible AI agent.",
+  "type": "module",
+  "bin": {
+    "chronoverify-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "modelcontextprotocol",
+    "model-context-protocol",
+    "image",
+    "provenance",
+    "c2pa",
+    "exif",
+    "forensics",
+    "verification",
+    "osint"
+  ],
+  "license": "MIT",
+  "homepage": "https://chronoverify.com",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "typescript": "^5.4.0"
+  }
+}