magenta-canon 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/README.md +1 -0
  2. package/bin/magenta-canon.mjs +12 -0
  3. package/docs/NPM_PACKAGING.md +23 -26
  4. package/examples/verticals/README.md +54 -0
  5. package/examples/verticals/devops-deploy/README.md +44 -0
  6. package/examples/verticals/devops-deploy/gateway.config.json +23 -0
  7. package/examples/verticals/devops-deploy/scenario.json +30 -0
  8. package/examples/verticals/ecommerce-ops/README.md +45 -0
  9. package/examples/verticals/ecommerce-ops/gateway.config.json +26 -0
  10. package/examples/verticals/ecommerce-ops/scenario.json +38 -0
  11. package/examples/verticals/fintech-refund/README.md +44 -0
  12. package/examples/verticals/fintech-refund/gateway.config.json +31 -0
  13. package/examples/verticals/fintech-refund/scenario.json +30 -0
  14. package/examples/verticals/healthcare-scribe/README.md +46 -0
  15. package/examples/verticals/healthcare-scribe/gateway.config.json +26 -0
  16. package/examples/verticals/healthcare-scribe/scenario.json +48 -0
  17. package/examples/verticals/insurance-claims/README.md +45 -0
  18. package/examples/verticals/insurance-claims/gateway.config.json +26 -0
  19. package/examples/verticals/insurance-claims/scenario.json +38 -0
  20. package/examples/verticals/legal-paralegal/README.md +45 -0
  21. package/examples/verticals/legal-paralegal/gateway.config.json +26 -0
  22. package/examples/verticals/legal-paralegal/scenario.json +38 -0
  23. package/examples/verticals/lib/tool-server.mjs +66 -0
  24. package/examples/verticals/saas-support-data/README.md +45 -0
  25. package/examples/verticals/saas-support-data/gateway.config.json +25 -0
  26. package/examples/verticals/saas-support-data/scenario.json +42 -0
  27. package/examples/verticals/security-soc/README.md +45 -0
  28. package/examples/verticals/security-soc/gateway.config.json +26 -0
  29. package/examples/verticals/security-soc/scenario.json +36 -0
  30. package/package.json +3 -1
  31. package/scripts/vertical-demo.mjs +282 -0
package/README.md CHANGED
@@ -19,6 +19,7 @@ MCP host (Claude Code, Claude Desktop, Cursor, …) and downstream MCP tools, an
19
19
 
20
20
  ```bash
21
21
  npx magenta-canon demo # full local proof loop: allow · block · witness · verify · tamper
22
+ npx magenta-canon vertical fintech-refund # sector demo in buyer language (vertical --list shows all 8)
22
23
  npx magenta-canon verify --self-test # verifier self-check: all verdict levels incl. a tamper FAIL
23
24
  npx magenta-canon gateway <config.json> # the stdio MCP capability gateway
24
25
  npx magenta-canon mirror --self-test # external STH mirror: catch operator history rewrites
@@ -3,6 +3,7 @@
3
3
  * magenta-canon — CLI entry point for the open-source reference implementation.
4
4
  *
5
5
  * npx magenta-canon demo run the full local proof loop
6
+ * npx magenta-canon vertical <id> run a sector demo (gate one industry's tools)
6
7
  * npx magenta-canon verify <bundle> independently verify an evidence bundle
7
8
  * npx magenta-canon gateway <config> run the stdio MCP capability gateway
8
9
  * npx magenta-canon mirror <cmd> external STH mirror (append|verify|check|--self-test)
@@ -40,6 +41,9 @@ const USAGE = `magenta-canon ${pkg.version} — verifiable MCP gateway for AI-ag
40
41
  Usage:
41
42
  magenta-canon demo Run the full local proof loop (allow, block,
42
43
  witness, verify, and a tamper control).
44
+ magenta-canon vertical <id> Run a sector demo (e.g. fintech-refund,
45
+ healthcare-scribe). 'vertical --list' shows
46
+ all available ids.
43
47
  magenta-canon verify <bundle.json> Independently verify an evidence bundle.
44
48
  Exit 0 = VERIFIED, 1 = VERIFICATION FAILED.
45
49
  magenta-canon gateway <config.json> Run the stdio MCP capability gateway
@@ -93,6 +97,14 @@ switch (sub) {
93
97
  // demo.mjs is plain ESM and resolves tsx + headless mode itself.
94
98
  run(process.execPath, [path.join(ROOT, "scripts", "demo.mjs"), ...rest]);
95
99
  break;
100
+ case "vertical":
101
+ // Sector vertical demos: gate one industry's tool calls, prove the blocked
102
+ // call never reached downstream, and verify the evidence. Reads a shipped
103
+ // examples/verticals/<id>/ scenario and resolves its runtime from dist/
104
+ // (or tsx in a repo checkout) exactly like `demo`. No <id> / --list / an
105
+ // unknown id all print the available verticals.
106
+ run(process.execPath, [path.join(ROOT, "scripts", "vertical-demo.mjs"), ...rest]);
107
+ break;
96
108
  case "verify":
97
109
  if (!rest[0] || rest[0].startsWith("-") && rest[0] !== "--self-test") {
98
110
  // pass flags through (e.g. --self-test, --version); only warn on no target
@@ -3,27 +3,22 @@
3
3
  How Magenta Canon is packaged as an installable CLI, what ships in the tarball,
4
4
  what deliberately does not, and how to verify the package locally.
5
5
 
6
- > **Status: published on npm.** The current published release is **`0.7.0`**
7
- > (the **Ledger Sentinel**), carried on **both** the `latest` and `next`
8
- > dist-tags (registry fileCount **66**, unpacked **747063 B**, shasum
9
- > `7b978f669ff08b5d7474e7b1e003bd4e62b47060`, integrity
10
- > `sha512-4CoFikyVR35Obl4Tcd2k6ffdP9Iq0/fCT6MM2cFF1Xc8fDcHHYUpr7lfkMaveSucf+d6571gKWdB/m/F/t8VAw==`,
11
- > owner-verified live install). This refresh prepares **`0.8.0`** — the
12
- > **Sentinel Mesh V1** completion. Magenta Canon 0.8.0 completes the mesh:
13
- > eight sentinels plus a coordinator, **105 ratified invariants** across
14
- > twelve domains (every one with a named enforcer; zero live reserved),
15
- > adding the **Execution** (MC-EXEC-001…014), **Configuration &
16
- > Dual-Authority** (MC-CONFIG-001…014), and **Mirror** (MC-MIRROR-001…012)
17
- > sentinels, plus the **Anomaly** meta-sentinel (MC-ANOM-001…004, the Attack
18
- > KB's regression memory) and the **Sentinel Coordinator** (MC-COORD-001…003,
19
- > a scoped, deterministic, tamper-evident `magenta-sentinel-report/1` that
20
- > never overrides or suppresses a finding). It does **not** provide continuous
21
- > hosted monitoring, Postgres storage, hosted independent mirror
22
- > infrastructure, trust-root/issuer persistence, production execution kill
23
- > switches, multi-tenant hosted services, automatic multi-model threat
24
- > ingestion, or probabilistic/unknown-threat detection. `0.8.0` is **not yet
25
- > published**; publishing remains an explicitly-authorized step done on an
26
- > authenticated machine.
6
+ > **Status: published on npm.** The current published release is **`0.8.0`**
7
+ > (the **Sentinel Mesh V1** completion eight sentinels plus a coordinator,
8
+ > **105 ratified invariants** across twelve domains, every one with a named
9
+ > enforcer), carried on **both** the `latest` and `next` dist-tags.
10
+ >
11
+ > This refresh prepares **`0.8.1`** — the **Vertical Demo Gallery**: eight
12
+ > runnable, customer-facing sector demos under `examples/verticals/` (fintech
13
+ > refund ceiling; devops / saas / healthcare / legal / e-commerce / insurance /
14
+ > SOC allowlists) and a new **`magenta-canon vertical <id>`** CLI command so npm
15
+ > users can run them from a fresh install (the prior `npm run demo:vertical`
16
+ > path only worked inside a repo checkout). `0.8.1` is a **PATCH** — no code,
17
+ > dependency, verifier, witness, gateway, or Sentinel changes; the trust core
18
+ > and Sentinel Mesh V1 are untouched, runtime deps remain `tweetnacl` + `zod`,
19
+ > and production install scripts remain zero. `0.8.1` is **not yet published**;
20
+ > publishing remains an explicitly-authorized step done on an authenticated
21
+ > machine.
27
22
  >
28
23
  > **Verdict-semantics migration (0.3.0):** scripts that grepped
29
24
  > `RESULT: VERIFIED` must match the new verdicts — `RESULT: INTEGRITY
@@ -72,7 +67,8 @@ npm dist-tag add magenta-canon@<version> next
72
67
  | `0.5.0` | **durable witness identity + authorized rotation continuity** (Durable Witness PR 3, #35): encrypted witness keystore (`MAGENTA_WITNESS_KEYFILE`/`MAGENTA_WITNESS_PASSPHRASE`; scrypt N=2^16 with bounded params → AES-256-GCM with header-bound AAD, `O_EXCL` create, atomic replace); **rotation records committed into the evidence ledger** (`magenta-rotation/1`: old-key authorization + new-key countersignature + `effective_tree_size` epoch boundary + chain hash) — *key material alone never grants authority; a validated, durably committed rotation record does*; epoch-aware replay in server **and** standalone verifier (historical STHs validate against their epoch's key; rollback/substitution/forked chains refused); deterministic crash reconciliation at boot (recover committed fact / abandon orphan / fail closed — never silent activation); single-authority config matrix (keystore × env-keys × `MAGENTA_STATE_FILE` exclusions); ships `docs/WITNESS_IDENTITY.md`. **Limitation (documented):** witness identity only — founder/receipt-issuer custody is a separate forthcoming lane (issuer key still regenerates on restart in file-ledger mode; pre-restart evidence keeps verifying). **Migration:** none required — 0.4.0 env-key and memory modes are unchanged; the keystore is opt-in and mutually exclusive with `MAGENTA_WITNESS_SECRET`/`PUBLIC` and `MAGENTA_STATE_FILE`. **Also in this release (repo hygiene, #37/#38):** the legacy RealityOS heartbeat adapter is **deprecated and removed** — excluded from the supported product architecture, never required for Magenta verification or distribution (`docs/LEGACY_REALITYOS_HEARTBEAT.md`); a tracked legacy dev identity was removed with a secret-hygiene CI gate added (`reports/INCIDENT_TRACKED_DEV_IDENTITY.md`) — **published**; `latest`/`next` aligned |
73
68
  | `0.6.0` | the **executable Sentinel Mesh foundation** (PRs #40/#41): versioned **Invariant Registry** (`magenta-invariants/1`, `shared/invariants.ts` — 37 ratified invariants across repository/artifact/dependency/release/authority/witness domains, permanent IDs, reserved IDs for future lanes); deterministic **Repository Sentinel** (tracked private-key material incl. escaped-JSON forms, identity/keystore/state paths, heartbeat-revival surfaces, `.gitignore` protections); deterministic **Artifact Sentinel** (tarball / extracted dir / `npm pack`: secrets, forbidden file classes, compiled entrypoints, `MANIFEST.json` sha256 equality, version consistency, approved-dependency set, install scripts, native binaries — hardened in-memory tar reader, traversal-inert, bomb/malformation refusal); canonical **violation records** (`magenta-sentinel-violation/1`, deterministic `record_hash`, volatile fields excluded, assurance honestly `unsigned-local-diagnostic`); **scoped release-promotion eligibility** (`eligible / blocked / requires-independent-review / diagnostic-only`; authority-class violations always escalate to human review); and the **Witness & Rotation Sentinel** (MC-WIT-001…011: pinned-anchor continuity — honestly `not-evaluated` without an independently supplied anchor; rotation-chain completeness; old-key authorization + new-key countersignature validation; exact epoch boundaries; key-version & fork detection; epoch-correct STH validation; **substitution / resurrection / rollback / pre-activation** distinguished in evidence; keystore↔ledger authority agreement) — independently re-derived from the published wire formats, never wrapping server code. New CLI: `magenta-canon sentinel repository | artifact | pack | witness | invariants`. **Not included:** production runtime kill switch, hosted Sentinel service, Postgres Ledger Sentinel, independent hosted mirror, founder/root custody persistence, multi-tenant hosted control plane, automated third-party threat-intel intake, complete Sentinel Mesh coverage. **Migration:** none required — no behavior changes to gateway/verifier/ledger/witness paths; the sentinel surface is additive — **published**; `latest`/`next` aligned |
74
69
  | `0.7.0` | the **Ledger Sentinel** (PR #43): MC-LEDGER-RSV-001 ratified into **MC-LEDGER-001…021** — the ledger-truth contract every storage implementation must satisfy (File Ledger today; PostgreSQL/hosted/mirrors later; *the implementation is never its own judge*). Independent evaluation (`magenta-canon sentinel ledger <ledger.jsonl>`): contiguous receipt sequence; duplicate-identity refusal; framing integrity; previous-hash continuity from genesis; receipt/execution-hash re-derivation; issuer-signature validity (recomputed hashes never bypass signatures); **own RFC 6962 Merkle re-derivation**; equivocation-at-rest freeze; exact tree-size/boundary accounting; checkpoint monotonicity; deterministic replay (store↔verifier↔sentinel agreement); corruption fails closed; **bounded crash-tail quarantine** (only a provably incomplete final append); commit-before-authority; single-writer/lock inspection (**never auto-stolen**); single-ledger-authority + **writer-fencing contract** for future stores; witness cross-run agreement; authority-record typing; mirror consistency incl. checkpoint-deletion exposure. Five distinct assurance outcomes (integrity / origin / operational exclusivity / not-evaluated / violation). Ships `docs/LEDGER_SENTINEL.md`. **Not included:** continuous hosted monitoring, Postgres storage, hosted independent mirror, trust-root/issuer persistence, production kill switches, multi-tenancy, automatic multi-model threat ingestion. **Migration:** none — additive CLI surface — **published** (fileCount 66, shasum `7b978f669ff08b5d7474e7b1e003bd4e62b47060`); `latest`/`next` aligned |
75
- | `0.8.0` | **Sentinel Mesh V1 complete** (PRs #45–#48, #50–#51): the mesh closes at **eight sentinels + a coordinator** and **105 ratified invariants** across twelve domains — every ratified invariant names an enforcer (the coverage law is a CI gate), **zero live reserved**, three superseded reservations preserved. New this release: the **Execution Sentinel** (MC-EXEC-001…014 — binds an action to the signature-authenticated receipt's committed `action_hash`, never operator params; refused-action-downstream and missing-receipt caught); the **Configuration & Dual-Authority Sentinel** (MC-CONFIG-001…014 — one operation, one canonical authority path; independent source/precedence/fallback/drift enumeration); the **Mirror Sentinel** (MC-MIRROR-001…012 — independent `magenta-mirror/1` re-derivation: record-hash chain, STH signatures, anti-equivocation across all observed sizes); the **Anomaly Sentinel** (MC-ANOM-001…004 — the Attack KB's regression memory: a ratified attack that stops being detected fails the build; governed model-to-canon intake refuses model-sourced ratification without an independent reviewer + reproduction); and the **Sentinel Coordinator** (MC-COORD-001…003 — combines per-sentinel findings into one scoped, deterministic, tamper-evident `magenta-sentinel-report/1` that never overrides, downgrades, or suppresses a finding, freezing only the affected authority class). In-tree conformance proof (`server/sentinel/conformance.test.ts`) pins the totals, coverage law, adversarial matrix, scoped freeze, deterministic report hash, and redaction; ships `docs/SENTINEL_MESH_V1_COMPLETION.md`. Attack KB / Anomaly / Coordinator / conformance are **CI/dev surface — not in the tarball**; the ratified invariants ship in the registry. **Not included:** hosted Sentinel service, continuous monitoring, Postgres ledger, hosted mirror, trust-root/issuer custody, multi-tenancy, probabilistic/unknown-threat detection, production kill switches. **Migration:** none — additive (new sentinel subcommands; no behavior change to gateway/verifier/ledger/witness) — **not yet published** |
70
+ | `0.8.0` | **Sentinel Mesh V1 complete** (PRs #45–#48, #50–#51): the mesh closes at **eight sentinels + a coordinator** and **105 ratified invariants** across twelve domains — every ratified invariant names an enforcer (the coverage law is a CI gate), **zero live reserved**, three superseded reservations preserved. New this release: the **Execution Sentinel** (MC-EXEC-001…014 — binds an action to the signature-authenticated receipt's committed `action_hash`, never operator params; refused-action-downstream and missing-receipt caught); the **Configuration & Dual-Authority Sentinel** (MC-CONFIG-001…014 — one operation, one canonical authority path; independent source/precedence/fallback/drift enumeration); the **Mirror Sentinel** (MC-MIRROR-001…012 — independent `magenta-mirror/1` re-derivation: record-hash chain, STH signatures, anti-equivocation across all observed sizes); the **Anomaly Sentinel** (MC-ANOM-001…004 — the Attack KB's regression memory: a ratified attack that stops being detected fails the build; governed model-to-canon intake refuses model-sourced ratification without an independent reviewer + reproduction); and the **Sentinel Coordinator** (MC-COORD-001…003 — combines per-sentinel findings into one scoped, deterministic, tamper-evident `magenta-sentinel-report/1` that never overrides, downgrades, or suppresses a finding, freezing only the affected authority class). In-tree conformance proof (`server/sentinel/conformance.test.ts`) pins the totals, coverage law, adversarial matrix, scoped freeze, deterministic report hash, and redaction; ships `docs/SENTINEL_MESH_V1_COMPLETION.md`. Attack KB / Anomaly / Coordinator / conformance are **CI/dev surface — not in the tarball**; the ratified invariants ship in the registry. **Not included:** hosted Sentinel service, continuous monitoring, Postgres ledger, hosted mirror, trust-root/issuer custody, multi-tenancy, probabilistic/unknown-threat detection, production kill switches. **Migration:** none — additive (new sentinel subcommands; no behavior change to gateway/verifier/ledger/witness) — **published** (`latest`/`next` aligned to `0.8.0`) |
71
+ | `0.8.1` | **Vertical Demo Gallery** (PR #49): eight runnable, customer-facing sector demos under `examples/verticals/` — fintech (refund ceiling) and devops / saas / healthcare / legal / e-commerce / insurance / SOC (allowlists) — plus a new **`magenta-canon vertical <id>`** CLI command so npm users can run them from a fresh install (the prior `npm run demo:vertical` path only worked inside a repo checkout). Each demo gates one industry's tool calls, proves the blocked call was **absent** downstream, and verifies the evidence to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key. **PATCH** — no code / dependency / verifier / witness / gateway / Sentinel changes; trust core and Sentinel Mesh V1 untouched. Runtime deps remain `tweetnacl` + `zod`; zero production install scripts. Conformance + CLI regression tests pin every gate decision and the npm-consumer command. **Migration:** none — additive examples + one CLI subcommand — **not yet published** |
76
72
 
77
73
 
78
74
  **Verified on macOS / Linux / Windows (current release `0.1.11`; `0.1.12` re-proven via installed-tarball smoke):**
@@ -271,25 +267,26 @@ MCP gateway, and a **local-file external STH mirror foundation** with an
271
267
  operator runbook. **Not** included: hosted mirror service, automated network
272
268
  publishing, production multi-tenant SaaS, production durability guarantees.
273
269
 
274
- ## Verifying the release artifact (checklist — current target `0.8.0`)
270
+ ## Verifying the release artifact (checklist — current target `0.8.1`)
275
271
 
276
272
  From a clean checkout of the release commit:
277
273
 
278
274
  ```bash
279
275
  npm ci && npm run check && npm test # 0 tsc errors; full suite green
280
276
  npm run build:lean && npm run build:lean # deterministic: dist/MANIFEST.json identical
281
- npm pack # prepack rebuilds dist/; expect magenta-canon-0.8.0.tgz
282
- tar -tzf magenta-canon-0.8.0.tgz # no .ts, no .map, no tests, no server/routes.ts, no ledger/lock/keystore files; no attack-kb/anomaly/coordinator/conformance files
277
+ npm pack # prepack rebuilds dist/; expect magenta-canon-0.8.1.tgz
278
+ tar -tzf magenta-canon-0.8.1.tgz # no .ts, no .map, no tests, no server/routes.ts, no ledger/lock/keystore files; no attack-kb/anomaly/coordinator/conformance files
283
279
  ```
284
280
 
285
281
  Then in an empty directory:
286
282
 
287
283
  ```bash
288
- npm init -y && npm i ../path/to/magenta-canon-0.8.0.tgz
284
+ npm init -y && npm i ../path/to/magenta-canon-0.8.1.tgz
289
285
  ls node_modules # exactly: magenta-canon tweetnacl zod
290
286
  npx magenta-canon verify --self-test # all verdict levels incl. tamper VERIFICATION FAILED
291
287
  npx magenta-canon mirror --self-test # [PASS] x3
292
288
  npx magenta-canon demo # allow / block / VERIFIED / tamper FAILED
289
+ npx magenta-canon vertical --list # 8 sector demos; `vertical <id>` runs one (new in 0.8.1)
293
290
  npx magenta-canon sentinel artifact node_modules/magenta-canon # PROMOTION: ELIGIBLE
294
291
  npx magenta-canon sentinel ledger <your-ledger.jsonl> # ledger truth (0.7.0)
295
292
  npx magenta-canon sentinel execution <bundle.json> # authority-bound action evidence (new in 0.8.0)
@@ -0,0 +1,54 @@
1
+ # Sector vertical examples
2
+
3
+ Each folder is a complete, runnable example of Magenta Canon gating a different
4
+ kind of AI-agent action — the **same wedge** ("allow what's delegated, block what
5
+ isn't, witness both, verify the receipt") told in the vocabulary of a specific
6
+ sector. Every example rides the **real** capability gate the policy enforces
7
+ today: a numeric **ceiling** for `payments.refund`, and an **allowlist**
8
+ (default-deny) of `mcp.call:<tool>` for everything else. No example claims a gate
9
+ behavior that isn't actually enforced.
10
+
11
+ | Vertical | Sector | Model | Delegated → allowed | Blocked at the gate |
12
+ |---|---|---|---|---|
13
+ | [`devops-deploy`](devops-deploy/) | DevOps / CI-CD | allowlist | deploy_staging | deploy_prod |
14
+ | [`ecommerce-ops`](ecommerce-ops/) | E-commerce / marketplace | allowlist | catalog_read, inventory_update | price_override |
15
+ | [`fintech-refund`](fintech-refund/) | Fintech / payments | ceiling | refund | refund |
16
+ | [`healthcare-scribe`](healthcare-scribe/) | Healthcare | allowlist | chart_read, note_draft | medication_order, record_delete |
17
+ | [`insurance-claims`](insurance-claims/) | Insurance | allowlist | claim_read, estimate_draft | payout_approve |
18
+ | [`legal-paralegal`](legal-paralegal/) | Legal | allowlist | caselaw_search, memo_draft | court_efile |
19
+ | [`saas-support-data`](saas-support-data/) | SaaS / customer support | allowlist | db_read, db_write | db_delete |
20
+ | [`security-soc`](security-soc/) | Security / SOC | allowlist | alert_read, ioc_enrich | host_isolate |
21
+
22
+ ## Run any vertical
23
+
24
+ From a published install — no repository checkout required:
25
+
26
+ ```bash
27
+ npx magenta-canon vertical <id> # e.g. npx magenta-canon vertical healthcare-scribe
28
+ npx magenta-canon vertical --list # list the available verticals
29
+ ```
30
+
31
+ (Inside a repo checkout, `npm run demo:vertical <id>` does the same thing.)
32
+
33
+ The runner boots a local control plane, drives the scenario's calls through the
34
+ Magenta MCP gateway, proves the blocked calls were **absent** from the downstream
35
+ tool's own log, publishes the evidence, and independently verifies it to
36
+ `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
37
+
38
+ **Limitation:** every vertical is a local, single-host **demo** — ephemeral port,
39
+ fresh universe in a temp dir, cleaned up on exit. Not hosted SaaS, not
40
+ multi-tenant, not production durability.
41
+
42
+ ## Make your own
43
+
44
+ Each folder's `gateway.config.json` is the artifact you point a real MCP host
45
+ (Claude Code / Cursor) at. To adapt one:
46
+
47
+ 1. Point `downstream` at **your** real MCP server instead of the shared
48
+ `lib/tool-server.mjs` echo tool.
49
+ 2. Set `grantedCapabilities` to what the agent is actually delegated.
50
+ 3. Run your host through the gateway — every tool call is now gated and witnessed.
51
+
52
+ `lib/tool-server.mjs` is a single generic downstream tool server shared by all
53
+ the examples: it exposes whatever tool names it is given on the command line and
54
+ logs every call it receives (the ground truth for the non-bypass proof).
@@ -0,0 +1,44 @@
1
+ # Deploy agent — DevOps / CI-CD
2
+
3
+ A CI agent may deploy to staging but is not delegated production. A prod deploy is blocked at the gate and never reaches the deploy tool.
4
+
5
+ ## What this proves
6
+
7
+ **Capability model:** **allowlist** (default-deny)
8
+ **Delegated capabilities:** `mcp.call:deploy_staging`
9
+
10
+ | Tool call | Gate decision | Why |
11
+ |---|---|---|
12
+ | `deploy_staging` | ✅ allowed | staging is delegated |
13
+ | `deploy_prod` | ⛔ blocked | production is NOT on the allowlist |
14
+
15
+ Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
16
+ append-only transparency log. A blocked call **never reaches the downstream
17
+ tool** (proven by the tool's own call log), and the published evidence verifies
18
+ to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
19
+
20
+ ## Run it
21
+
22
+ From a published install — no repository checkout required:
23
+
24
+ ```bash
25
+ npx magenta-canon vertical devops-deploy
26
+ ```
27
+
28
+ (Inside a repo checkout you can also use `npm run demo:vertical devops-deploy`.)
29
+
30
+ It boots a local control plane, drives the calls above through the Magenta
31
+ gateway, proves the blocked call was **absent** from the downstream tool's own
32
+ log, publishes the evidence, and independently verifies it to
33
+ `ORIGIN AND INTEGRITY VERIFIED`.
34
+
35
+ **Limitation:** this is a local, single-host **demo** — an ephemeral control
36
+ plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
37
+ SaaS, not multi-tenant, and not production durability.
38
+
39
+ ## Make it yours
40
+
41
+ `gateway.config.json` here is the same artifact you would point a real MCP host
42
+ (Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
43
+ and set your own `grantedCapabilities`. Every tool call is then gated and
44
+ witnessed exactly as shown above.
@@ -0,0 +1,23 @@
1
+ {
2
+ "downstream": {
3
+ "command": "node",
4
+ "args": [
5
+ "../lib/tool-server.mjs",
6
+ "deploy_staging",
7
+ "deploy_prod"
8
+ ]
9
+ },
10
+ "controlPlane": {
11
+ "url": "http://127.0.0.1:5000",
12
+ "internalKey": "operator-secret-xyz"
13
+ },
14
+ "agent": {
15
+ "agentId": "mcp:acme-ci-deployer",
16
+ "authorizedBy": "operator:cj@trendinghot",
17
+ "model": "mcp-gateway"
18
+ },
19
+ "grantedCapabilities": [
20
+ "mcp.call:deploy_staging"
21
+ ],
22
+ "defaultAction": "agent.mcp.call"
23
+ }
@@ -0,0 +1,30 @@
1
+ {
2
+ "id": "devops-deploy",
3
+ "sector": "DevOps / CI-CD",
4
+ "title": "Deploy agent",
5
+ "model": "allowlist",
6
+ "story": "A CI agent may deploy to staging but is not delegated production. A prod deploy is blocked at the gate and never reaches the deploy tool.",
7
+ "calls": [
8
+ {
9
+ "name": "deploy_staging",
10
+ "arguments": {
11
+ "service": "checkout-api",
12
+ "sha": "3d7f9bf"
13
+ },
14
+ "expect": "allow",
15
+ "note": "staging is delegated"
16
+ },
17
+ {
18
+ "name": "deploy_prod",
19
+ "arguments": {
20
+ "service": "checkout-api",
21
+ "sha": "3d7f9bf"
22
+ },
23
+ "expect": "block",
24
+ "note": "production is NOT on the allowlist"
25
+ }
26
+ ],
27
+ "groundTruthAbsent": [
28
+ "deploy_prod"
29
+ ]
30
+ }
@@ -0,0 +1,45 @@
1
+ # Catalog ops agent — E-commerce / marketplace
2
+
3
+ A merchandising agent may read the catalog and update inventory, but may not override price or cancel orders. Pricing and order state stay with a human.
4
+
5
+ ## What this proves
6
+
7
+ **Capability model:** **allowlist** (default-deny)
8
+ **Delegated capabilities:** `mcp.call:catalog_read`, `mcp.call:inventory_update`
9
+
10
+ | Tool call | Gate decision | Why |
11
+ |---|---|---|
12
+ | `catalog_read` | ✅ allowed | reading the catalog is delegated |
13
+ | `inventory_update` | ✅ allowed | inventory updates are delegated |
14
+ | `price_override` | ⛔ blocked | overriding price is NOT delegated |
15
+
16
+ Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
17
+ append-only transparency log. A blocked call **never reaches the downstream
18
+ tool** (proven by the tool's own call log), and the published evidence verifies
19
+ to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
20
+
21
+ ## Run it
22
+
23
+ From a published install — no repository checkout required:
24
+
25
+ ```bash
26
+ npx magenta-canon vertical ecommerce-ops
27
+ ```
28
+
29
+ (Inside a repo checkout you can also use `npm run demo:vertical ecommerce-ops`.)
30
+
31
+ It boots a local control plane, drives the calls above through the Magenta
32
+ gateway, proves the blocked call was **absent** from the downstream tool's own
33
+ log, publishes the evidence, and independently verifies it to
34
+ `ORIGIN AND INTEGRITY VERIFIED`.
35
+
36
+ **Limitation:** this is a local, single-host **demo** — an ephemeral control
37
+ plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
38
+ SaaS, not multi-tenant, and not production durability.
39
+
40
+ ## Make it yours
41
+
42
+ `gateway.config.json` here is the same artifact you would point a real MCP host
43
+ (Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
44
+ and set your own `grantedCapabilities`. Every tool call is then gated and
45
+ witnessed exactly as shown above.
@@ -0,0 +1,26 @@
1
+ {
2
+ "downstream": {
3
+ "command": "node",
4
+ "args": [
5
+ "../lib/tool-server.mjs",
6
+ "catalog_read",
7
+ "inventory_update",
8
+ "price_override",
9
+ "order_cancel"
10
+ ]
11
+ },
12
+ "controlPlane": {
13
+ "url": "http://127.0.0.1:5000",
14
+ "internalKey": "operator-secret-xyz"
15
+ },
16
+ "agent": {
17
+ "agentId": "mcp:acme-catalog-ops",
18
+ "authorizedBy": "operator:cj@trendinghot",
19
+ "model": "mcp-gateway"
20
+ },
21
+ "grantedCapabilities": [
22
+ "mcp.call:catalog_read",
23
+ "mcp.call:inventory_update"
24
+ ],
25
+ "defaultAction": "agent.mcp.call"
26
+ }
@@ -0,0 +1,38 @@
1
+ {
2
+ "id": "ecommerce-ops",
3
+ "sector": "E-commerce / marketplace",
4
+ "title": "Catalog ops agent",
5
+ "model": "allowlist",
6
+ "story": "A merchandising agent may read the catalog and update inventory, but may not override price or cancel orders. Pricing and order state stay with a human.",
7
+ "calls": [
8
+ {
9
+ "name": "catalog_read",
10
+ "arguments": {
11
+ "sku": "SKU-552"
12
+ },
13
+ "expect": "allow",
14
+ "note": "reading the catalog is delegated"
15
+ },
16
+ {
17
+ "name": "inventory_update",
18
+ "arguments": {
19
+ "sku": "SKU-552",
20
+ "on_hand": 120
21
+ },
22
+ "expect": "allow",
23
+ "note": "inventory updates are delegated"
24
+ },
25
+ {
26
+ "name": "price_override",
27
+ "arguments": {
28
+ "sku": "SKU-552",
29
+ "price_cents": 100
30
+ },
31
+ "expect": "block",
32
+ "note": "overriding price is NOT delegated"
33
+ }
34
+ ],
35
+ "groundTruthAbsent": [
36
+ "price_override"
37
+ ]
38
+ }
@@ -0,0 +1,44 @@
1
+ # Refund agent — Fintech / payments
2
+
3
+ A support agent may issue refunds up to a delegated ceiling ($100). A larger refund is stopped at the gate before it reaches the payments tool.
4
+
5
+ ## What this proves
6
+
7
+ **Capability model:** numeric **ceiling**
8
+ **Delegated capabilities:** `payments.refund:<=10000`
9
+
10
+ | Tool call | Gate decision | Why |
11
+ |---|---|---|
12
+ | `refund` | ✅ allowed | $89.00 — within the $100 ceiling |
13
+ | `refund` | ⛔ blocked | $250.00 — exceeds the delegated ceiling |
14
+
15
+ Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
16
+ append-only transparency log. A blocked call **never reaches the downstream
17
+ tool** (proven by the tool's own call log), and the published evidence verifies
18
+ to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
19
+
20
+ ## Run it
21
+
22
+ From a published install — no repository checkout required:
23
+
24
+ ```bash
25
+ npx magenta-canon vertical fintech-refund
26
+ ```
27
+
28
+ (Inside a repo checkout you can also use `npm run demo:vertical fintech-refund`.)
29
+
30
+ It boots a local control plane, drives the calls above through the Magenta
31
+ gateway, proves the blocked call was **absent** from the downstream tool's own
32
+ log, publishes the evidence, and independently verifies it to
33
+ `ORIGIN AND INTEGRITY VERIFIED`.
34
+
35
+ **Limitation:** this is a local, single-host **demo** — an ephemeral control
36
+ plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
37
+ SaaS, not multi-tenant, and not production durability.
38
+
39
+ ## Make it yours
40
+
41
+ `gateway.config.json` here is the same artifact you would point a real MCP host
42
+ (Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
43
+ and set your own `grantedCapabilities`. Every tool call is then gated and
44
+ witnessed exactly as shown above.
@@ -0,0 +1,31 @@
1
+ {
2
+ "downstream": {
3
+ "command": "node",
4
+ "args": [
5
+ "../lib/tool-server.mjs",
6
+ "refund"
7
+ ]
8
+ },
9
+ "controlPlane": {
10
+ "url": "http://127.0.0.1:5000",
11
+ "internalKey": "operator-secret-xyz"
12
+ },
13
+ "agent": {
14
+ "agentId": "mcp:acme-payments-bot",
15
+ "authorizedBy": "operator:cj@trendinghot",
16
+ "model": "mcp-gateway"
17
+ },
18
+ "grantedCapabilities": [
19
+ "payments.refund:<=10000"
20
+ ],
21
+ "defaultAction": "agent.mcp.call",
22
+ "toolMap": {
23
+ "refund": {
24
+ "action": "agent.payments.refund",
25
+ "paramsFrom": [
26
+ "amount_cents",
27
+ "order_id"
28
+ ]
29
+ }
30
+ }
31
+ }
@@ -0,0 +1,30 @@
1
+ {
2
+ "id": "fintech-refund",
3
+ "sector": "Fintech / payments",
4
+ "title": "Refund agent",
5
+ "model": "ceiling",
6
+ "story": "A support agent may issue refunds up to a delegated ceiling ($100). A larger refund is stopped at the gate before it reaches the payments tool.",
7
+ "calls": [
8
+ {
9
+ "name": "refund",
10
+ "arguments": {
11
+ "amount_cents": 8900,
12
+ "order_id": "4471"
13
+ },
14
+ "expect": "allow",
15
+ "note": "$89.00 — within the $100 ceiling"
16
+ },
17
+ {
18
+ "name": "refund",
19
+ "arguments": {
20
+ "amount_cents": 25000,
21
+ "order_id": "5012"
22
+ },
23
+ "expect": "block",
24
+ "note": "$250.00 — exceeds the delegated ceiling"
25
+ }
26
+ ],
27
+ "groundTruthAbsent": [
28
+ "refund"
29
+ ]
30
+ }
@@ -0,0 +1,46 @@
1
+ # Clinical scribe agent — Healthcare
2
+
3
+ A clinical scribe may read the chart and draft a note, but may not order medication or delete records. Clinical authority stays with the clinician.
4
+
5
+ ## What this proves
6
+
7
+ **Capability model:** **allowlist** (default-deny)
8
+ **Delegated capabilities:** `mcp.call:chart_read`, `mcp.call:note_draft`
9
+
10
+ | Tool call | Gate decision | Why |
11
+ |---|---|---|
12
+ | `chart_read` | ✅ allowed | reading the chart is delegated |
13
+ | `note_draft` | ✅ allowed | drafting a note is delegated |
14
+ | `medication_order` | ⛔ blocked | ordering medication requires the clinician, not the agent |
15
+ | `record_delete` | ⛔ blocked | deleting records is never delegated |
16
+
17
+ Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
18
+ append-only transparency log. A blocked call **never reaches the downstream
19
+ tool** (proven by the tool's own call log), and the published evidence verifies
20
+ to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
21
+
22
+ ## Run it
23
+
24
+ From a published install — no repository checkout required:
25
+
26
+ ```bash
27
+ npx magenta-canon vertical healthcare-scribe
28
+ ```
29
+
30
+ (Inside a repo checkout you can also use `npm run demo:vertical healthcare-scribe`.)
31
+
32
+ It boots a local control plane, drives the calls above through the Magenta
33
+ gateway, proves the blocked call was **absent** from the downstream tool's own
34
+ log, publishes the evidence, and independently verifies it to
35
+ `ORIGIN AND INTEGRITY VERIFIED`.
36
+
37
+ **Limitation:** this is a local, single-host **demo** — an ephemeral control
38
+ plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
39
+ SaaS, not multi-tenant, and not production durability.
40
+
41
+ ## Make it yours
42
+
43
+ `gateway.config.json` here is the same artifact you would point a real MCP host
44
+ (Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
45
+ and set your own `grantedCapabilities`. Every tool call is then gated and
46
+ witnessed exactly as shown above.
@@ -0,0 +1,26 @@
1
+ {
2
+ "downstream": {
3
+ "command": "node",
4
+ "args": [
5
+ "../lib/tool-server.mjs",
6
+ "chart_read",
7
+ "note_draft",
8
+ "medication_order",
9
+ "record_delete"
10
+ ]
11
+ },
12
+ "controlPlane": {
13
+ "url": "http://127.0.0.1:5000",
14
+ "internalKey": "operator-secret-xyz"
15
+ },
16
+ "agent": {
17
+ "agentId": "mcp:acme-clinical-scribe",
18
+ "authorizedBy": "operator:cj@trendinghot",
19
+ "model": "mcp-gateway"
20
+ },
21
+ "grantedCapabilities": [
22
+ "mcp.call:chart_read",
23
+ "mcp.call:note_draft"
24
+ ],
25
+ "defaultAction": "agent.mcp.call"
26
+ }
@@ -0,0 +1,48 @@
1
+ {
2
+ "id": "healthcare-scribe",
3
+ "sector": "Healthcare",
4
+ "title": "Clinical scribe agent",
5
+ "model": "allowlist",
6
+ "story": "A clinical scribe may read the chart and draft a note, but may not order medication or delete records. Clinical authority stays with the clinician.",
7
+ "calls": [
8
+ {
9
+ "name": "chart_read",
10
+ "arguments": {
11
+ "patient": "p-1029"
12
+ },
13
+ "expect": "allow",
14
+ "note": "reading the chart is delegated"
15
+ },
16
+ {
17
+ "name": "note_draft",
18
+ "arguments": {
19
+ "patient": "p-1029",
20
+ "text": "Follow-up in 2 weeks."
21
+ },
22
+ "expect": "allow",
23
+ "note": "drafting a note is delegated"
24
+ },
25
+ {
26
+ "name": "medication_order",
27
+ "arguments": {
28
+ "patient": "p-1029",
29
+ "drug": "amoxicillin",
30
+ "dose": "500mg"
31
+ },
32
+ "expect": "block",
33
+ "note": "ordering medication requires the clinician, not the agent"
34
+ },
35
+ {
36
+ "name": "record_delete",
37
+ "arguments": {
38
+ "patient": "p-1029"
39
+ },
40
+ "expect": "block",
41
+ "note": "deleting records is never delegated"
42
+ }
43
+ ],
44
+ "groundTruthAbsent": [
45
+ "medication_order",
46
+ "record_delete"
47
+ ]
48
+ }