magenta-canon 0.8.0 → 0.8.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/bin/magenta-canon.mjs +12 -0
- package/docs/NPM_PACKAGING.md +23 -26
- package/examples/verticals/README.md +54 -0
- package/examples/verticals/devops-deploy/README.md +44 -0
- package/examples/verticals/devops-deploy/gateway.config.json +23 -0
- package/examples/verticals/devops-deploy/scenario.json +30 -0
- package/examples/verticals/ecommerce-ops/README.md +45 -0
- package/examples/verticals/ecommerce-ops/gateway.config.json +26 -0
- package/examples/verticals/ecommerce-ops/scenario.json +38 -0
- package/examples/verticals/fintech-refund/README.md +44 -0
- package/examples/verticals/fintech-refund/gateway.config.json +31 -0
- package/examples/verticals/fintech-refund/scenario.json +30 -0
- package/examples/verticals/healthcare-scribe/README.md +46 -0
- package/examples/verticals/healthcare-scribe/gateway.config.json +26 -0
- package/examples/verticals/healthcare-scribe/scenario.json +48 -0
- package/examples/verticals/insurance-claims/README.md +45 -0
- package/examples/verticals/insurance-claims/gateway.config.json +26 -0
- package/examples/verticals/insurance-claims/scenario.json +38 -0
- package/examples/verticals/legal-paralegal/README.md +45 -0
- package/examples/verticals/legal-paralegal/gateway.config.json +26 -0
- package/examples/verticals/legal-paralegal/scenario.json +38 -0
- package/examples/verticals/lib/tool-server.mjs +66 -0
- package/examples/verticals/saas-support-data/README.md +45 -0
- package/examples/verticals/saas-support-data/gateway.config.json +25 -0
- package/examples/verticals/saas-support-data/scenario.json +42 -0
- package/examples/verticals/security-soc/README.md +45 -0
- package/examples/verticals/security-soc/gateway.config.json +26 -0
- package/examples/verticals/security-soc/scenario.json +36 -0
- package/package.json +3 -1
- package/scripts/vertical-demo.mjs +282 -0
package/README.md
CHANGED
|
@@ -19,6 +19,7 @@ MCP host (Claude Code, Claude Desktop, Cursor, …) and downstream MCP tools, an
|
|
|
19
19
|
|
|
20
20
|
```bash
|
|
21
21
|
npx magenta-canon demo # full local proof loop: allow · block · witness · verify · tamper
|
|
22
|
+
npx magenta-canon vertical fintech-refund # sector demo in buyer language (vertical --list shows all 8)
|
|
22
23
|
npx magenta-canon verify --self-test # verifier self-check: all verdict levels incl. a tamper FAIL
|
|
23
24
|
npx magenta-canon gateway <config.json> # the stdio MCP capability gateway
|
|
24
25
|
npx magenta-canon mirror --self-test # external STH mirror: catch operator history rewrites
|
package/bin/magenta-canon.mjs
CHANGED
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
* magenta-canon — CLI entry point for the open-source reference implementation.
|
|
4
4
|
*
|
|
5
5
|
* npx magenta-canon demo run the full local proof loop
|
|
6
|
+
* npx magenta-canon vertical <id> run a sector demo (gate one industry's tools)
|
|
6
7
|
* npx magenta-canon verify <bundle> independently verify an evidence bundle
|
|
7
8
|
* npx magenta-canon gateway <config> run the stdio MCP capability gateway
|
|
8
9
|
* npx magenta-canon mirror <cmd> external STH mirror (append|verify|check|--self-test)
|
|
@@ -40,6 +41,9 @@ const USAGE = `magenta-canon ${pkg.version} — verifiable MCP gateway for AI-ag
|
|
|
40
41
|
Usage:
|
|
41
42
|
magenta-canon demo Run the full local proof loop (allow, block,
|
|
42
43
|
witness, verify, and a tamper control).
|
|
44
|
+
magenta-canon vertical <id> Run a sector demo (e.g. fintech-refund,
|
|
45
|
+
healthcare-scribe). 'vertical --list' shows
|
|
46
|
+
all available ids.
|
|
43
47
|
magenta-canon verify <bundle.json> Independently verify an evidence bundle.
|
|
44
48
|
Exit 0 = VERIFIED, 1 = VERIFICATION FAILED.
|
|
45
49
|
magenta-canon gateway <config.json> Run the stdio MCP capability gateway
|
|
@@ -93,6 +97,14 @@ switch (sub) {
|
|
|
93
97
|
// demo.mjs is plain ESM and resolves tsx + headless mode itself.
|
|
94
98
|
run(process.execPath, [path.join(ROOT, "scripts", "demo.mjs"), ...rest]);
|
|
95
99
|
break;
|
|
100
|
+
case "vertical":
|
|
101
|
+
// Sector vertical demos: gate one industry's tool calls, prove the blocked
|
|
102
|
+
// call never reached downstream, and verify the evidence. Reads a shipped
|
|
103
|
+
// examples/verticals/<id>/ scenario and resolves its runtime from dist/
|
|
104
|
+
// (or tsx in a repo checkout) exactly like `demo`. No <id> / --list / an
|
|
105
|
+
// unknown id all print the available verticals.
|
|
106
|
+
run(process.execPath, [path.join(ROOT, "scripts", "vertical-demo.mjs"), ...rest]);
|
|
107
|
+
break;
|
|
96
108
|
case "verify":
|
|
97
109
|
if (!rest[0] || rest[0].startsWith("-") && rest[0] !== "--self-test") {
|
|
98
110
|
// pass flags through (e.g. --self-test, --version); only warn on no target
|
package/docs/NPM_PACKAGING.md
CHANGED
|
@@ -3,27 +3,22 @@
|
|
|
3
3
|
How Magenta Canon is packaged as an installable CLI, what ships in the tarball,
|
|
4
4
|
what deliberately does not, and how to verify the package locally.
|
|
5
5
|
|
|
6
|
-
> **Status: published on npm.** The current published release is **`0.
|
|
7
|
-
> (the **
|
|
8
|
-
>
|
|
9
|
-
> `
|
|
10
|
-
>
|
|
11
|
-
>
|
|
12
|
-
>
|
|
13
|
-
>
|
|
14
|
-
>
|
|
15
|
-
>
|
|
16
|
-
>
|
|
17
|
-
>
|
|
18
|
-
>
|
|
19
|
-
>
|
|
20
|
-
>
|
|
21
|
-
>
|
|
22
|
-
> infrastructure, trust-root/issuer persistence, production execution kill
|
|
23
|
-
> switches, multi-tenant hosted services, automatic multi-model threat
|
|
24
|
-
> ingestion, or probabilistic/unknown-threat detection. `0.8.0` is **not yet
|
|
25
|
-
> published**; publishing remains an explicitly-authorized step done on an
|
|
26
|
-
> authenticated machine.
|
|
6
|
+
> **Status: published on npm.** The current published release is **`0.8.0`**
|
|
7
|
+
> (the **Sentinel Mesh V1** completion — eight sentinels plus a coordinator,
|
|
8
|
+
> **105 ratified invariants** across twelve domains, every one with a named
|
|
9
|
+
> enforcer), carried on **both** the `latest` and `next` dist-tags.
|
|
10
|
+
>
|
|
11
|
+
> This refresh prepares **`0.8.1`** — the **Vertical Demo Gallery**: eight
|
|
12
|
+
> runnable, customer-facing sector demos under `examples/verticals/` (fintech
|
|
13
|
+
> refund ceiling; devops / saas / healthcare / legal / e-commerce / insurance /
|
|
14
|
+
> SOC allowlists) and a new **`magenta-canon vertical <id>`** CLI command so npm
|
|
15
|
+
> users can run them from a fresh install (the prior `npm run demo:vertical`
|
|
16
|
+
> path only worked inside a repo checkout). `0.8.1` is a **PATCH** — no code,
|
|
17
|
+
> dependency, verifier, witness, gateway, or Sentinel changes; the trust core
|
|
18
|
+
> and Sentinel Mesh V1 are untouched, runtime deps remain `tweetnacl` + `zod`,
|
|
19
|
+
> and production install scripts remain zero. `0.8.1` is **not yet published**;
|
|
20
|
+
> publishing remains an explicitly-authorized step done on an authenticated
|
|
21
|
+
> machine.
|
|
27
22
|
>
|
|
28
23
|
> **Verdict-semantics migration (0.3.0):** scripts that grepped
|
|
29
24
|
> `RESULT: VERIFIED` must match the new verdicts — `RESULT: INTEGRITY
|
|
@@ -72,7 +67,8 @@ npm dist-tag add magenta-canon@<version> next
|
|
|
72
67
|
| `0.5.0` | **durable witness identity + authorized rotation continuity** (Durable Witness PR 3, #35): encrypted witness keystore (`MAGENTA_WITNESS_KEYFILE`/`MAGENTA_WITNESS_PASSPHRASE`; scrypt N=2^16 with bounded params → AES-256-GCM with header-bound AAD, `O_EXCL` create, atomic replace); **rotation records committed into the evidence ledger** (`magenta-rotation/1`: old-key authorization + new-key countersignature + `effective_tree_size` epoch boundary + chain hash) — *key material alone never grants authority; a validated, durably committed rotation record does*; epoch-aware replay in server **and** standalone verifier (historical STHs validate against their epoch's key; rollback/substitution/forked chains refused); deterministic crash reconciliation at boot (recover committed fact / abandon orphan / fail closed — never silent activation); single-authority config matrix (keystore × env-keys × `MAGENTA_STATE_FILE` exclusions); ships `docs/WITNESS_IDENTITY.md`. **Limitation (documented):** witness identity only — founder/receipt-issuer custody is a separate forthcoming lane (issuer key still regenerates on restart in file-ledger mode; pre-restart evidence keeps verifying). **Migration:** none required — 0.4.0 env-key and memory modes are unchanged; the keystore is opt-in and mutually exclusive with `MAGENTA_WITNESS_SECRET`/`PUBLIC` and `MAGENTA_STATE_FILE`. **Also in this release (repo hygiene, #37/#38):** the legacy RealityOS heartbeat adapter is **deprecated and removed** — excluded from the supported product architecture, never required for Magenta verification or distribution (`docs/LEGACY_REALITYOS_HEARTBEAT.md`); a tracked legacy dev identity was removed with a secret-hygiene CI gate added (`reports/INCIDENT_TRACKED_DEV_IDENTITY.md`) — **published**; `latest`/`next` aligned |
|
|
73
68
|
| `0.6.0` | the **executable Sentinel Mesh foundation** (PRs #40/#41): versioned **Invariant Registry** (`magenta-invariants/1`, `shared/invariants.ts` — 37 ratified invariants across repository/artifact/dependency/release/authority/witness domains, permanent IDs, reserved IDs for future lanes); deterministic **Repository Sentinel** (tracked private-key material incl. escaped-JSON forms, identity/keystore/state paths, heartbeat-revival surfaces, `.gitignore` protections); deterministic **Artifact Sentinel** (tarball / extracted dir / `npm pack`: secrets, forbidden file classes, compiled entrypoints, `MANIFEST.json` sha256 equality, version consistency, approved-dependency set, install scripts, native binaries — hardened in-memory tar reader, traversal-inert, bomb/malformation refusal); canonical **violation records** (`magenta-sentinel-violation/1`, deterministic `record_hash`, volatile fields excluded, assurance honestly `unsigned-local-diagnostic`); **scoped release-promotion eligibility** (`eligible / blocked / requires-independent-review / diagnostic-only`; authority-class violations always escalate to human review); and the **Witness & Rotation Sentinel** (MC-WIT-001…011: pinned-anchor continuity — honestly `not-evaluated` without an independently supplied anchor; rotation-chain completeness; old-key authorization + new-key countersignature validation; exact epoch boundaries; key-version & fork detection; epoch-correct STH validation; **substitution / resurrection / rollback / pre-activation** distinguished in evidence; keystore↔ledger authority agreement) — independently re-derived from the published wire formats, never wrapping server code. New CLI: `magenta-canon sentinel repository | artifact | pack | witness | invariants`. **Not included:** production runtime kill switch, hosted Sentinel service, Postgres Ledger Sentinel, independent hosted mirror, founder/root custody persistence, multi-tenant hosted control plane, automated third-party threat-intel intake, complete Sentinel Mesh coverage. **Migration:** none required — no behavior changes to gateway/verifier/ledger/witness paths; the sentinel surface is additive — **published**; `latest`/`next` aligned |
|
|
74
69
|
| `0.7.0` | the **Ledger Sentinel** (PR #43): MC-LEDGER-RSV-001 ratified into **MC-LEDGER-001…021** — the ledger-truth contract every storage implementation must satisfy (File Ledger today; PostgreSQL/hosted/mirrors later; *the implementation is never its own judge*). Independent evaluation (`magenta-canon sentinel ledger <ledger.jsonl>`): contiguous receipt sequence; duplicate-identity refusal; framing integrity; previous-hash continuity from genesis; receipt/execution-hash re-derivation; issuer-signature validity (recomputed hashes never bypass signatures); **own RFC 6962 Merkle re-derivation**; equivocation-at-rest freeze; exact tree-size/boundary accounting; checkpoint monotonicity; deterministic replay (store↔verifier↔sentinel agreement); corruption fails closed; **bounded crash-tail quarantine** (only a provably incomplete final append); commit-before-authority; single-writer/lock inspection (**never auto-stolen**); single-ledger-authority + **writer-fencing contract** for future stores; witness cross-run agreement; authority-record typing; mirror consistency incl. checkpoint-deletion exposure. Five distinct assurance outcomes (integrity / origin / operational exclusivity / not-evaluated / violation). Ships `docs/LEDGER_SENTINEL.md`. **Not included:** continuous hosted monitoring, Postgres storage, hosted independent mirror, trust-root/issuer persistence, production kill switches, multi-tenancy, automatic multi-model threat ingestion. **Migration:** none — additive CLI surface — **published** (fileCount 66, shasum `7b978f669ff08b5d7474e7b1e003bd4e62b47060`); `latest`/`next` aligned |
|
|
75
|
-
| `0.8.0` | **Sentinel Mesh V1 complete** (PRs #45–#48, #50–#51): the mesh closes at **eight sentinels + a coordinator** and **105 ratified invariants** across twelve domains — every ratified invariant names an enforcer (the coverage law is a CI gate), **zero live reserved**, three superseded reservations preserved. New this release: the **Execution Sentinel** (MC-EXEC-001…014 — binds an action to the signature-authenticated receipt's committed `action_hash`, never operator params; refused-action-downstream and missing-receipt caught); the **Configuration & Dual-Authority Sentinel** (MC-CONFIG-001…014 — one operation, one canonical authority path; independent source/precedence/fallback/drift enumeration); the **Mirror Sentinel** (MC-MIRROR-001…012 — independent `magenta-mirror/1` re-derivation: record-hash chain, STH signatures, anti-equivocation across all observed sizes); the **Anomaly Sentinel** (MC-ANOM-001…004 — the Attack KB's regression memory: a ratified attack that stops being detected fails the build; governed model-to-canon intake refuses model-sourced ratification without an independent reviewer + reproduction); and the **Sentinel Coordinator** (MC-COORD-001…003 — combines per-sentinel findings into one scoped, deterministic, tamper-evident `magenta-sentinel-report/1` that never overrides, downgrades, or suppresses a finding, freezing only the affected authority class). In-tree conformance proof (`server/sentinel/conformance.test.ts`) pins the totals, coverage law, adversarial matrix, scoped freeze, deterministic report hash, and redaction; ships `docs/SENTINEL_MESH_V1_COMPLETION.md`. Attack KB / Anomaly / Coordinator / conformance are **CI/dev surface — not in the tarball**; the ratified invariants ship in the registry. **Not included:** hosted Sentinel service, continuous monitoring, Postgres ledger, hosted mirror, trust-root/issuer custody, multi-tenancy, probabilistic/unknown-threat detection, production kill switches. **Migration:** none — additive (new sentinel subcommands; no behavior change to gateway/verifier/ledger/witness) — **
|
|
70
|
+
| `0.8.0` | **Sentinel Mesh V1 complete** (PRs #45–#48, #50–#51): the mesh closes at **eight sentinels + a coordinator** and **105 ratified invariants** across twelve domains — every ratified invariant names an enforcer (the coverage law is a CI gate), **zero live reserved**, three superseded reservations preserved. New this release: the **Execution Sentinel** (MC-EXEC-001…014 — binds an action to the signature-authenticated receipt's committed `action_hash`, never operator params; refused-action-downstream and missing-receipt caught); the **Configuration & Dual-Authority Sentinel** (MC-CONFIG-001…014 — one operation, one canonical authority path; independent source/precedence/fallback/drift enumeration); the **Mirror Sentinel** (MC-MIRROR-001…012 — independent `magenta-mirror/1` re-derivation: record-hash chain, STH signatures, anti-equivocation across all observed sizes); the **Anomaly Sentinel** (MC-ANOM-001…004 — the Attack KB's regression memory: a ratified attack that stops being detected fails the build; governed model-to-canon intake refuses model-sourced ratification without an independent reviewer + reproduction); and the **Sentinel Coordinator** (MC-COORD-001…003 — combines per-sentinel findings into one scoped, deterministic, tamper-evident `magenta-sentinel-report/1` that never overrides, downgrades, or suppresses a finding, freezing only the affected authority class). In-tree conformance proof (`server/sentinel/conformance.test.ts`) pins the totals, coverage law, adversarial matrix, scoped freeze, deterministic report hash, and redaction; ships `docs/SENTINEL_MESH_V1_COMPLETION.md`. Attack KB / Anomaly / Coordinator / conformance are **CI/dev surface — not in the tarball**; the ratified invariants ship in the registry. **Not included:** hosted Sentinel service, continuous monitoring, Postgres ledger, hosted mirror, trust-root/issuer custody, multi-tenancy, probabilistic/unknown-threat detection, production kill switches. **Migration:** none — additive (new sentinel subcommands; no behavior change to gateway/verifier/ledger/witness) — **published** (`latest`/`next` aligned to `0.8.0`) |
|
|
71
|
+
| `0.8.1` | **Vertical Demo Gallery** (PR #49): eight runnable, customer-facing sector demos under `examples/verticals/` — fintech (refund ceiling) and devops / saas / healthcare / legal / e-commerce / insurance / SOC (allowlists) — plus a new **`magenta-canon vertical <id>`** CLI command so npm users can run them from a fresh install (the prior `npm run demo:vertical` path only worked inside a repo checkout). Each demo gates one industry's tool calls, proves the blocked call was **absent** downstream, and verifies the evidence to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key. **PATCH** — no code / dependency / verifier / witness / gateway / Sentinel changes; trust core and Sentinel Mesh V1 untouched. Runtime deps remain `tweetnacl` + `zod`; zero production install scripts. Conformance + CLI regression tests pin every gate decision and the npm-consumer command. **Migration:** none — additive examples + one CLI subcommand — **not yet published** |
|
|
76
72
|
|
|
77
73
|
|
|
78
74
|
**Verified on macOS / Linux / Windows (current release `0.1.11`; `0.1.12` re-proven via installed-tarball smoke):**
|
|
@@ -271,25 +267,26 @@ MCP gateway, and a **local-file external STH mirror foundation** with an
|
|
|
271
267
|
operator runbook. **Not** included: hosted mirror service, automated network
|
|
272
268
|
publishing, production multi-tenant SaaS, production durability guarantees.
|
|
273
269
|
|
|
274
|
-
## Verifying the release artifact (checklist — current target `0.8.
|
|
270
|
+
## Verifying the release artifact (checklist — current target `0.8.1`)
|
|
275
271
|
|
|
276
272
|
From a clean checkout of the release commit:
|
|
277
273
|
|
|
278
274
|
```bash
|
|
279
275
|
npm ci && npm run check && npm test # 0 tsc errors; full suite green
|
|
280
276
|
npm run build:lean && npm run build:lean # deterministic: dist/MANIFEST.json identical
|
|
281
|
-
npm pack # prepack rebuilds dist/; expect magenta-canon-0.8.
|
|
282
|
-
tar -tzf magenta-canon-0.8.
|
|
277
|
+
npm pack # prepack rebuilds dist/; expect magenta-canon-0.8.1.tgz
|
|
278
|
+
tar -tzf magenta-canon-0.8.1.tgz # no .ts, no .map, no tests, no server/routes.ts, no ledger/lock/keystore files; no attack-kb/anomaly/coordinator/conformance files
|
|
283
279
|
```
|
|
284
280
|
|
|
285
281
|
Then in an empty directory:
|
|
286
282
|
|
|
287
283
|
```bash
|
|
288
|
-
npm init -y && npm i ../path/to/magenta-canon-0.8.
|
|
284
|
+
npm init -y && npm i ../path/to/magenta-canon-0.8.1.tgz
|
|
289
285
|
ls node_modules # exactly: magenta-canon tweetnacl zod
|
|
290
286
|
npx magenta-canon verify --self-test # all verdict levels incl. tamper VERIFICATION FAILED
|
|
291
287
|
npx magenta-canon mirror --self-test # [PASS] x3
|
|
292
288
|
npx magenta-canon demo # allow / block / VERIFIED / tamper FAILED
|
|
289
|
+
npx magenta-canon vertical --list # 8 sector demos; `vertical <id>` runs one (new in 0.8.1)
|
|
293
290
|
npx magenta-canon sentinel artifact node_modules/magenta-canon # PROMOTION: ELIGIBLE
|
|
294
291
|
npx magenta-canon sentinel ledger <your-ledger.jsonl> # ledger truth (0.7.0)
|
|
295
292
|
npx magenta-canon sentinel execution <bundle.json> # authority-bound action evidence (new in 0.8.0)
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
# Sector vertical examples
|
|
2
|
+
|
|
3
|
+
Each folder is a complete, runnable example of Magenta Canon gating a different
|
|
4
|
+
kind of AI-agent action — the **same wedge** ("allow what's delegated, block what
|
|
5
|
+
isn't, witness both, verify the receipt") told in the vocabulary of a specific
|
|
6
|
+
sector. Every example rides the **real** capability gate the policy enforces
|
|
7
|
+
today: a numeric **ceiling** for `payments.refund`, and an **allowlist**
|
|
8
|
+
(default-deny) of `mcp.call:<tool>` for everything else. No example claims a gate
|
|
9
|
+
behavior that isn't actually enforced.
|
|
10
|
+
|
|
11
|
+
| Vertical | Sector | Model | Delegated → allowed | Blocked at the gate |
|
|
12
|
+
|---|---|---|---|---|
|
|
13
|
+
| [`devops-deploy`](devops-deploy/) | DevOps / CI-CD | allowlist | deploy_staging | deploy_prod |
|
|
14
|
+
| [`ecommerce-ops`](ecommerce-ops/) | E-commerce / marketplace | allowlist | catalog_read, inventory_update | price_override |
|
|
15
|
+
| [`fintech-refund`](fintech-refund/) | Fintech / payments | ceiling | refund | refund |
|
|
16
|
+
| [`healthcare-scribe`](healthcare-scribe/) | Healthcare | allowlist | chart_read, note_draft | medication_order, record_delete |
|
|
17
|
+
| [`insurance-claims`](insurance-claims/) | Insurance | allowlist | claim_read, estimate_draft | payout_approve |
|
|
18
|
+
| [`legal-paralegal`](legal-paralegal/) | Legal | allowlist | caselaw_search, memo_draft | court_efile |
|
|
19
|
+
| [`saas-support-data`](saas-support-data/) | SaaS / customer support | allowlist | db_read, db_write | db_delete |
|
|
20
|
+
| [`security-soc`](security-soc/) | Security / SOC | allowlist | alert_read, ioc_enrich | host_isolate |
|
|
21
|
+
|
|
22
|
+
## Run any vertical
|
|
23
|
+
|
|
24
|
+
From a published install — no repository checkout required:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
npx magenta-canon vertical <id> # e.g. npx magenta-canon vertical healthcare-scribe
|
|
28
|
+
npx magenta-canon vertical --list # list the available verticals
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
(Inside a repo checkout, `npm run demo:vertical <id>` does the same thing.)
|
|
32
|
+
|
|
33
|
+
The runner boots a local control plane, drives the scenario's calls through the
|
|
34
|
+
Magenta MCP gateway, proves the blocked calls were **absent** from the downstream
|
|
35
|
+
tool's own log, publishes the evidence, and independently verifies it to
|
|
36
|
+
`ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
|
|
37
|
+
|
|
38
|
+
**Limitation:** every vertical is a local, single-host **demo** — ephemeral port,
|
|
39
|
+
fresh universe in a temp dir, cleaned up on exit. Not hosted SaaS, not
|
|
40
|
+
multi-tenant, not production durability.
|
|
41
|
+
|
|
42
|
+
## Make your own
|
|
43
|
+
|
|
44
|
+
Each folder's `gateway.config.json` is the artifact you point a real MCP host
|
|
45
|
+
(Claude Code / Cursor) at. To adapt one:
|
|
46
|
+
|
|
47
|
+
1. Point `downstream` at **your** real MCP server instead of the shared
|
|
48
|
+
`lib/tool-server.mjs` echo tool.
|
|
49
|
+
2. Set `grantedCapabilities` to what the agent is actually delegated.
|
|
50
|
+
3. Run your host through the gateway — every tool call is now gated and witnessed.
|
|
51
|
+
|
|
52
|
+
`lib/tool-server.mjs` is a single generic downstream tool server shared by all
|
|
53
|
+
the examples: it exposes whatever tool names it is given on the command line and
|
|
54
|
+
logs every call it receives (the ground truth for the non-bypass proof).
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Deploy agent — DevOps / CI-CD
|
|
2
|
+
|
|
3
|
+
A CI agent may deploy to staging but is not delegated production. A prod deploy is blocked at the gate and never reaches the deploy tool.
|
|
4
|
+
|
|
5
|
+
## What this proves
|
|
6
|
+
|
|
7
|
+
**Capability model:** **allowlist** (default-deny)
|
|
8
|
+
**Delegated capabilities:** `mcp.call:deploy_staging`
|
|
9
|
+
|
|
10
|
+
| Tool call | Gate decision | Why |
|
|
11
|
+
|---|---|---|
|
|
12
|
+
| `deploy_staging` | ✅ allowed | staging is delegated |
|
|
13
|
+
| `deploy_prod` | ⛔ blocked | production is NOT on the allowlist |
|
|
14
|
+
|
|
15
|
+
Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
|
|
16
|
+
append-only transparency log. A blocked call **never reaches the downstream
|
|
17
|
+
tool** (proven by the tool's own call log), and the published evidence verifies
|
|
18
|
+
to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
|
|
19
|
+
|
|
20
|
+
## Run it
|
|
21
|
+
|
|
22
|
+
From a published install — no repository checkout required:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npx magenta-canon vertical devops-deploy
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
(Inside a repo checkout you can also use `npm run demo:vertical devops-deploy`.)
|
|
29
|
+
|
|
30
|
+
It boots a local control plane, drives the calls above through the Magenta
|
|
31
|
+
gateway, proves the blocked call was **absent** from the downstream tool's own
|
|
32
|
+
log, publishes the evidence, and independently verifies it to
|
|
33
|
+
`ORIGIN AND INTEGRITY VERIFIED`.
|
|
34
|
+
|
|
35
|
+
**Limitation:** this is a local, single-host **demo** — an ephemeral control
|
|
36
|
+
plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
|
|
37
|
+
SaaS, not multi-tenant, and not production durability.
|
|
38
|
+
|
|
39
|
+
## Make it yours
|
|
40
|
+
|
|
41
|
+
`gateway.config.json` here is the same artifact you would point a real MCP host
|
|
42
|
+
(Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
|
|
43
|
+
and set your own `grantedCapabilities`. Every tool call is then gated and
|
|
44
|
+
witnessed exactly as shown above.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
{
|
|
2
|
+
"downstream": {
|
|
3
|
+
"command": "node",
|
|
4
|
+
"args": [
|
|
5
|
+
"../lib/tool-server.mjs",
|
|
6
|
+
"deploy_staging",
|
|
7
|
+
"deploy_prod"
|
|
8
|
+
]
|
|
9
|
+
},
|
|
10
|
+
"controlPlane": {
|
|
11
|
+
"url": "http://127.0.0.1:5000",
|
|
12
|
+
"internalKey": "operator-secret-xyz"
|
|
13
|
+
},
|
|
14
|
+
"agent": {
|
|
15
|
+
"agentId": "mcp:acme-ci-deployer",
|
|
16
|
+
"authorizedBy": "operator:cj@trendinghot",
|
|
17
|
+
"model": "mcp-gateway"
|
|
18
|
+
},
|
|
19
|
+
"grantedCapabilities": [
|
|
20
|
+
"mcp.call:deploy_staging"
|
|
21
|
+
],
|
|
22
|
+
"defaultAction": "agent.mcp.call"
|
|
23
|
+
}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "devops-deploy",
|
|
3
|
+
"sector": "DevOps / CI-CD",
|
|
4
|
+
"title": "Deploy agent",
|
|
5
|
+
"model": "allowlist",
|
|
6
|
+
"story": "A CI agent may deploy to staging but is not delegated production. A prod deploy is blocked at the gate and never reaches the deploy tool.",
|
|
7
|
+
"calls": [
|
|
8
|
+
{
|
|
9
|
+
"name": "deploy_staging",
|
|
10
|
+
"arguments": {
|
|
11
|
+
"service": "checkout-api",
|
|
12
|
+
"sha": "3d7f9bf"
|
|
13
|
+
},
|
|
14
|
+
"expect": "allow",
|
|
15
|
+
"note": "staging is delegated"
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"name": "deploy_prod",
|
|
19
|
+
"arguments": {
|
|
20
|
+
"service": "checkout-api",
|
|
21
|
+
"sha": "3d7f9bf"
|
|
22
|
+
},
|
|
23
|
+
"expect": "block",
|
|
24
|
+
"note": "production is NOT on the allowlist"
|
|
25
|
+
}
|
|
26
|
+
],
|
|
27
|
+
"groundTruthAbsent": [
|
|
28
|
+
"deploy_prod"
|
|
29
|
+
]
|
|
30
|
+
}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Catalog ops agent — E-commerce / marketplace
|
|
2
|
+
|
|
3
|
+
A merchandising agent may read the catalog and update inventory, but may not override price or cancel orders. Pricing and order state stay with a human.
|
|
4
|
+
|
|
5
|
+
## What this proves
|
|
6
|
+
|
|
7
|
+
**Capability model:** **allowlist** (default-deny)
|
|
8
|
+
**Delegated capabilities:** `mcp.call:catalog_read`, `mcp.call:inventory_update`
|
|
9
|
+
|
|
10
|
+
| Tool call | Gate decision | Why |
|
|
11
|
+
|---|---|---|
|
|
12
|
+
| `catalog_read` | ✅ allowed | reading the catalog is delegated |
|
|
13
|
+
| `inventory_update` | ✅ allowed | inventory updates are delegated |
|
|
14
|
+
| `price_override` | ⛔ blocked | overriding price is NOT delegated |
|
|
15
|
+
|
|
16
|
+
Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
|
|
17
|
+
append-only transparency log. A blocked call **never reaches the downstream
|
|
18
|
+
tool** (proven by the tool's own call log), and the published evidence verifies
|
|
19
|
+
to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
|
|
20
|
+
|
|
21
|
+
## Run it
|
|
22
|
+
|
|
23
|
+
From a published install — no repository checkout required:
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
npx magenta-canon vertical ecommerce-ops
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
(Inside a repo checkout you can also use `npm run demo:vertical ecommerce-ops`.)
|
|
30
|
+
|
|
31
|
+
It boots a local control plane, drives the calls above through the Magenta
|
|
32
|
+
gateway, proves the blocked call was **absent** from the downstream tool's own
|
|
33
|
+
log, publishes the evidence, and independently verifies it to
|
|
34
|
+
`ORIGIN AND INTEGRITY VERIFIED`.
|
|
35
|
+
|
|
36
|
+
**Limitation:** this is a local, single-host **demo** — an ephemeral control
|
|
37
|
+
plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
|
|
38
|
+
SaaS, not multi-tenant, and not production durability.
|
|
39
|
+
|
|
40
|
+
## Make it yours
|
|
41
|
+
|
|
42
|
+
`gateway.config.json` here is the same artifact you would point a real MCP host
|
|
43
|
+
(Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
|
|
44
|
+
and set your own `grantedCapabilities`. Every tool call is then gated and
|
|
45
|
+
witnessed exactly as shown above.
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"downstream": {
|
|
3
|
+
"command": "node",
|
|
4
|
+
"args": [
|
|
5
|
+
"../lib/tool-server.mjs",
|
|
6
|
+
"catalog_read",
|
|
7
|
+
"inventory_update",
|
|
8
|
+
"price_override",
|
|
9
|
+
"order_cancel"
|
|
10
|
+
]
|
|
11
|
+
},
|
|
12
|
+
"controlPlane": {
|
|
13
|
+
"url": "http://127.0.0.1:5000",
|
|
14
|
+
"internalKey": "operator-secret-xyz"
|
|
15
|
+
},
|
|
16
|
+
"agent": {
|
|
17
|
+
"agentId": "mcp:acme-catalog-ops",
|
|
18
|
+
"authorizedBy": "operator:cj@trendinghot",
|
|
19
|
+
"model": "mcp-gateway"
|
|
20
|
+
},
|
|
21
|
+
"grantedCapabilities": [
|
|
22
|
+
"mcp.call:catalog_read",
|
|
23
|
+
"mcp.call:inventory_update"
|
|
24
|
+
],
|
|
25
|
+
"defaultAction": "agent.mcp.call"
|
|
26
|
+
}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ecommerce-ops",
|
|
3
|
+
"sector": "E-commerce / marketplace",
|
|
4
|
+
"title": "Catalog ops agent",
|
|
5
|
+
"model": "allowlist",
|
|
6
|
+
"story": "A merchandising agent may read the catalog and update inventory, but may not override price or cancel orders. Pricing and order state stay with a human.",
|
|
7
|
+
"calls": [
|
|
8
|
+
{
|
|
9
|
+
"name": "catalog_read",
|
|
10
|
+
"arguments": {
|
|
11
|
+
"sku": "SKU-552"
|
|
12
|
+
},
|
|
13
|
+
"expect": "allow",
|
|
14
|
+
"note": "reading the catalog is delegated"
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"name": "inventory_update",
|
|
18
|
+
"arguments": {
|
|
19
|
+
"sku": "SKU-552",
|
|
20
|
+
"on_hand": 120
|
|
21
|
+
},
|
|
22
|
+
"expect": "allow",
|
|
23
|
+
"note": "inventory updates are delegated"
|
|
24
|
+
},
|
|
25
|
+
{
|
|
26
|
+
"name": "price_override",
|
|
27
|
+
"arguments": {
|
|
28
|
+
"sku": "SKU-552",
|
|
29
|
+
"price_cents": 100
|
|
30
|
+
},
|
|
31
|
+
"expect": "block",
|
|
32
|
+
"note": "overriding price is NOT delegated"
|
|
33
|
+
}
|
|
34
|
+
],
|
|
35
|
+
"groundTruthAbsent": [
|
|
36
|
+
"price_override"
|
|
37
|
+
]
|
|
38
|
+
}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Refund agent — Fintech / payments
|
|
2
|
+
|
|
3
|
+
A support agent may issue refunds up to a delegated ceiling ($100). A larger refund is stopped at the gate before it reaches the payments tool.
|
|
4
|
+
|
|
5
|
+
## What this proves
|
|
6
|
+
|
|
7
|
+
**Capability model:** numeric **ceiling**
|
|
8
|
+
**Delegated capabilities:** `payments.refund:<=10000`
|
|
9
|
+
|
|
10
|
+
| Tool call | Gate decision | Why |
|
|
11
|
+
|---|---|---|
|
|
12
|
+
| `refund` | ✅ allowed | $89.00 — within the $100 ceiling |
|
|
13
|
+
| `refund` | ⛔ blocked | $250.00 — exceeds the delegated ceiling |
|
|
14
|
+
|
|
15
|
+
Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
|
|
16
|
+
append-only transparency log. A blocked call **never reaches the downstream
|
|
17
|
+
tool** (proven by the tool's own call log), and the published evidence verifies
|
|
18
|
+
to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
|
|
19
|
+
|
|
20
|
+
## Run it
|
|
21
|
+
|
|
22
|
+
From a published install — no repository checkout required:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npx magenta-canon vertical fintech-refund
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
(Inside a repo checkout you can also use `npm run demo:vertical fintech-refund`.)
|
|
29
|
+
|
|
30
|
+
It boots a local control plane, drives the calls above through the Magenta
|
|
31
|
+
gateway, proves the blocked call was **absent** from the downstream tool's own
|
|
32
|
+
log, publishes the evidence, and independently verifies it to
|
|
33
|
+
`ORIGIN AND INTEGRITY VERIFIED`.
|
|
34
|
+
|
|
35
|
+
**Limitation:** this is a local, single-host **demo** — an ephemeral control
|
|
36
|
+
plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
|
|
37
|
+
SaaS, not multi-tenant, and not production durability.
|
|
38
|
+
|
|
39
|
+
## Make it yours
|
|
40
|
+
|
|
41
|
+
`gateway.config.json` here is the same artifact you would point a real MCP host
|
|
42
|
+
(Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
|
|
43
|
+
and set your own `grantedCapabilities`. Every tool call is then gated and
|
|
44
|
+
witnessed exactly as shown above.
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
{
|
|
2
|
+
"downstream": {
|
|
3
|
+
"command": "node",
|
|
4
|
+
"args": [
|
|
5
|
+
"../lib/tool-server.mjs",
|
|
6
|
+
"refund"
|
|
7
|
+
]
|
|
8
|
+
},
|
|
9
|
+
"controlPlane": {
|
|
10
|
+
"url": "http://127.0.0.1:5000",
|
|
11
|
+
"internalKey": "operator-secret-xyz"
|
|
12
|
+
},
|
|
13
|
+
"agent": {
|
|
14
|
+
"agentId": "mcp:acme-payments-bot",
|
|
15
|
+
"authorizedBy": "operator:cj@trendinghot",
|
|
16
|
+
"model": "mcp-gateway"
|
|
17
|
+
},
|
|
18
|
+
"grantedCapabilities": [
|
|
19
|
+
"payments.refund:<=10000"
|
|
20
|
+
],
|
|
21
|
+
"defaultAction": "agent.mcp.call",
|
|
22
|
+
"toolMap": {
|
|
23
|
+
"refund": {
|
|
24
|
+
"action": "agent.payments.refund",
|
|
25
|
+
"paramsFrom": [
|
|
26
|
+
"amount_cents",
|
|
27
|
+
"order_id"
|
|
28
|
+
]
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "fintech-refund",
|
|
3
|
+
"sector": "Fintech / payments",
|
|
4
|
+
"title": "Refund agent",
|
|
5
|
+
"model": "ceiling",
|
|
6
|
+
"story": "A support agent may issue refunds up to a delegated ceiling ($100). A larger refund is stopped at the gate before it reaches the payments tool.",
|
|
7
|
+
"calls": [
|
|
8
|
+
{
|
|
9
|
+
"name": "refund",
|
|
10
|
+
"arguments": {
|
|
11
|
+
"amount_cents": 8900,
|
|
12
|
+
"order_id": "4471"
|
|
13
|
+
},
|
|
14
|
+
"expect": "allow",
|
|
15
|
+
"note": "$89.00 — within the $100 ceiling"
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"name": "refund",
|
|
19
|
+
"arguments": {
|
|
20
|
+
"amount_cents": 25000,
|
|
21
|
+
"order_id": "5012"
|
|
22
|
+
},
|
|
23
|
+
"expect": "block",
|
|
24
|
+
"note": "$250.00 — exceeds the delegated ceiling"
|
|
25
|
+
}
|
|
26
|
+
],
|
|
27
|
+
"groundTruthAbsent": [
|
|
28
|
+
"refund"
|
|
29
|
+
]
|
|
30
|
+
}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# Clinical scribe agent — Healthcare
|
|
2
|
+
|
|
3
|
+
A clinical scribe may read the chart and draft a note, but may not order medication or delete records. Clinical authority stays with the clinician.
|
|
4
|
+
|
|
5
|
+
## What this proves
|
|
6
|
+
|
|
7
|
+
**Capability model:** **allowlist** (default-deny)
|
|
8
|
+
**Delegated capabilities:** `mcp.call:chart_read`, `mcp.call:note_draft`
|
|
9
|
+
|
|
10
|
+
| Tool call | Gate decision | Why |
|
|
11
|
+
|---|---|---|
|
|
12
|
+
| `chart_read` | ✅ allowed | reading the chart is delegated |
|
|
13
|
+
| `note_draft` | ✅ allowed | drafting a note is delegated |
|
|
14
|
+
| `medication_order` | ⛔ blocked | ordering medication requires the clinician, not the agent |
|
|
15
|
+
| `record_delete` | ⛔ blocked | deleting records is never delegated |
|
|
16
|
+
|
|
17
|
+
Every decision — allowed *and* blocked — is witnessed as a signed receipt on the
|
|
18
|
+
append-only transparency log. A blocked call **never reaches the downstream
|
|
19
|
+
tool** (proven by the tool's own call log), and the published evidence verifies
|
|
20
|
+
to `ORIGIN AND INTEGRITY VERIFIED` against a pinned witness key.
|
|
21
|
+
|
|
22
|
+
## Run it
|
|
23
|
+
|
|
24
|
+
From a published install — no repository checkout required:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
npx magenta-canon vertical healthcare-scribe
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
(Inside a repo checkout you can also use `npm run demo:vertical healthcare-scribe`.)
|
|
31
|
+
|
|
32
|
+
It boots a local control plane, drives the calls above through the Magenta
|
|
33
|
+
gateway, proves the blocked call was **absent** from the downstream tool's own
|
|
34
|
+
log, publishes the evidence, and independently verifies it to
|
|
35
|
+
`ORIGIN AND INTEGRITY VERIFIED`.
|
|
36
|
+
|
|
37
|
+
**Limitation:** this is a local, single-host **demo** — an ephemeral control
|
|
38
|
+
plane and a fresh universe in a temp dir, cleaned up on exit. It is not hosted
|
|
39
|
+
SaaS, not multi-tenant, and not production durability.
|
|
40
|
+
|
|
41
|
+
## Make it yours
|
|
42
|
+
|
|
43
|
+
`gateway.config.json` here is the same artifact you would point a real MCP host
|
|
44
|
+
(Claude Code / Cursor) at: swap the downstream for **your** real MCP tool server
|
|
45
|
+
and set your own `grantedCapabilities`. Every tool call is then gated and
|
|
46
|
+
witnessed exactly as shown above.
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"downstream": {
|
|
3
|
+
"command": "node",
|
|
4
|
+
"args": [
|
|
5
|
+
"../lib/tool-server.mjs",
|
|
6
|
+
"chart_read",
|
|
7
|
+
"note_draft",
|
|
8
|
+
"medication_order",
|
|
9
|
+
"record_delete"
|
|
10
|
+
]
|
|
11
|
+
},
|
|
12
|
+
"controlPlane": {
|
|
13
|
+
"url": "http://127.0.0.1:5000",
|
|
14
|
+
"internalKey": "operator-secret-xyz"
|
|
15
|
+
},
|
|
16
|
+
"agent": {
|
|
17
|
+
"agentId": "mcp:acme-clinical-scribe",
|
|
18
|
+
"authorizedBy": "operator:cj@trendinghot",
|
|
19
|
+
"model": "mcp-gateway"
|
|
20
|
+
},
|
|
21
|
+
"grantedCapabilities": [
|
|
22
|
+
"mcp.call:chart_read",
|
|
23
|
+
"mcp.call:note_draft"
|
|
24
|
+
],
|
|
25
|
+
"defaultAction": "agent.mcp.call"
|
|
26
|
+
}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "healthcare-scribe",
|
|
3
|
+
"sector": "Healthcare",
|
|
4
|
+
"title": "Clinical scribe agent",
|
|
5
|
+
"model": "allowlist",
|
|
6
|
+
"story": "A clinical scribe may read the chart and draft a note, but may not order medication or delete records. Clinical authority stays with the clinician.",
|
|
7
|
+
"calls": [
|
|
8
|
+
{
|
|
9
|
+
"name": "chart_read",
|
|
10
|
+
"arguments": {
|
|
11
|
+
"patient": "p-1029"
|
|
12
|
+
},
|
|
13
|
+
"expect": "allow",
|
|
14
|
+
"note": "reading the chart is delegated"
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"name": "note_draft",
|
|
18
|
+
"arguments": {
|
|
19
|
+
"patient": "p-1029",
|
|
20
|
+
"text": "Follow-up in 2 weeks."
|
|
21
|
+
},
|
|
22
|
+
"expect": "allow",
|
|
23
|
+
"note": "drafting a note is delegated"
|
|
24
|
+
},
|
|
25
|
+
{
|
|
26
|
+
"name": "medication_order",
|
|
27
|
+
"arguments": {
|
|
28
|
+
"patient": "p-1029",
|
|
29
|
+
"drug": "amoxicillin",
|
|
30
|
+
"dose": "500mg"
|
|
31
|
+
},
|
|
32
|
+
"expect": "block",
|
|
33
|
+
"note": "ordering medication requires the clinician, not the agent"
|
|
34
|
+
},
|
|
35
|
+
{
|
|
36
|
+
"name": "record_delete",
|
|
37
|
+
"arguments": {
|
|
38
|
+
"patient": "p-1029"
|
|
39
|
+
},
|
|
40
|
+
"expect": "block",
|
|
41
|
+
"note": "deleting records is never delegated"
|
|
42
|
+
}
|
|
43
|
+
],
|
|
44
|
+
"groundTruthAbsent": [
|
|
45
|
+
"medication_order",
|
|
46
|
+
"record_delete"
|
|
47
|
+
]
|
|
48
|
+
}
|