mcp-nervous-system 1.11.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,239 +1,32 @@
1
- # The Nervous System
1
+ # Agent Manifests
2
2
 
3
- **LLM Behavioral Enforcement Framework**
3
+ The following manifest files define governance settings for each agent:
4
4
 
5
- ## Quick Start (2 minutes)
5
+ - `tamara.manifest.yaml` - Oversees multi-agent operations with elevated permissions and reliability controls.
6
+ - `lily.manifest.yaml` - Guides users with public-facing coaching plans and motivational feedback.
7
+ - `kris.manifest.yaml` - Analyzes business credit signals and flags potential financial risk patterns.
8
+ - `aram.manifest.yaml` - Provides legal guidance under strict escalation and compliance boundaries.
9
+ - `harry.manifest.yaml` - Handles strict financial data workflows for bookkeeping and reconciliations.
10
+ - `harout.manifest.yaml` - Supports client-facing real estate workflows for listings and buyer matching.
11
+ - `roman.manifest.yaml` - Creates educational content and lesson structures for clear learning outcomes.
12
+ - `lou.manifest.yaml` - Finds grant opportunities and synthesizes eligibility and deadline requirements.
13
+ - `spartak.manifest.yaml` - Translates multilingual content accurately while preserving tone and intent.
14
+ - `nick.manifest.yaml` - Delivers advanced training workflows with restricted data and access controls.
15
+ - `corona.manifest.yaml` - Develops creative real estate concepts, campaigns, and positioning strategies.
16
+ - `soriano.manifest.yaml` - Designs youth empowerment programs with supportive coaching and resource guidance.
17
+ - `lady.manifest.yaml` - Executes parallel workstreams across five lanes with synchronized delivery control.
6
18
 
7
- ```bash
8
- npx mcp-nervous-system
9
- # Server starts on port 3475
10
- ```
19
+ ## Governance lint + paid x402 API
11
20
 
12
- Add to Claude Code:
13
- ```bash
14
- claude mcp add nervous-system npx mcp-nervous-system
15
- ```
21
+ The Nervous System is an external governance layer for agent systems: governance, attribution, and coordination across vendors.
16
22
 
17
- Add to Cursor / Windsurf / Cline - use the hosted endpoint (no install):
18
- ```
19
- https://api.100levelup.com/mcp-ns/
20
- ```
23
+ ### Free, local tool: `audit_mcp_config`
24
+ Deterministic governance lint for MCP server configurations. Pass the config JSON (e.g. `claude_desktop_config.json`) as `config` (object) or `config_json` (string). It checks for plaintext secrets in `env`, unpinned packages, auto-install flags, broad filesystem scopes, shell wrappers, non-TLS remote transports, and unpinned docker tags, then returns findings with severities and a 0-100 score. Zero dependencies, fully offline, never throws.
21
25
 
22
- That's it. You now have 32 governance tools: preflight checks, audit trails, drift detection, security scans, and a kill switch.
26
+ ### Hosted x402 API (pay-per-call)
27
+ For CI/agent use, the same checks plus audit-chain verification are available as pay-per-call HTTP endpoints priced in USDC on Base (x402):
23
28
 
24
- ---
29
+ - `POST https://api.100levelup.com/x402/audit-mcp` - governance lint ($0.05 USDC)
30
+ - `GET https://api.100levelup.com/x402/verify-audit` - audit-chain verification ($0.005 USDC)
25
31
 
26
- 7 mechanically enforced rules that prevent the most common failure modes when LLMs have access to real infrastructure: context loss, silent failures, file damage, goal drift, and overreach.
27
-
28
- Built by [Arthur Palyan](https://www.levelsofself.com) at Palyan Family AI System. 30 tools including configuration drift detection, emergency kill switch, usage monitoring, and bot compliance auditing. Battle-tested on a 13-agent AI family running 28 processes 24/7 on a $300/month infrastructure (7.8GB RAM, 154GB SSD). SAM.gov registered (CAGE 19R10). 35 partners across 10 countries. 99+ violations caught, 0 bypassed.
29
-
30
- ## The Problem
31
-
32
- When you give an LLM access to your file system, bash, and production infrastructure, it will eventually:
33
-
34
- - Edit a file it shouldn't touch
35
- - Lose context between sessions and start over
36
- - Drift from the original objective during long tasks
37
- - Fail silently when a session times out
38
- - Make logic changes without asking
39
- - Disappear into debug loops
40
-
41
- The Nervous System solves all of these with rules enforced by external mechanisms the LLM cannot override.
42
-
43
- ## Install
44
-
45
- ### Claude Desktop
46
-
47
- Add to your `claude_desktop_config.json`:
48
-
49
- ```json
50
- {
51
- "mcpServers": {
52
- "nervous-system": {
53
- "command": "npx",
54
- "args": ["-y", "mcp-nervous-system"]
55
- }
56
- }
57
- }
58
- ```
59
-
60
- ### Claude Code
61
-
62
- ```bash
63
- claude mcp add nervous-system npx mcp-nervous-system
64
- ```
65
-
66
- ### Direct
67
-
68
- ```bash
69
- npx mcp-nervous-system
70
- ```
71
-
72
- Server starts on port 3475 with SSE, HTTP, and health endpoints.
73
-
74
- ### Hosted (No Install)
75
-
76
- The server is live and ready to use:
77
-
78
- ```
79
- URL: https://api.100levelup.com/mcp-ns/
80
- Protocol: MCP 2024-11-05 (Streamable HTTP + SSE)
81
- Authentication: None required
82
- ```
83
-
84
- ## NEW in v1.9.3
85
-
86
- **Platform Integration Guides** - Working examples for governing multi-agent systems on the 3 biggest platforms plus any MCP client. Each guide gets you to governed agents in under 10 minutes.
87
-
88
- - [Ruflo (claude-flow)](./integrations/ruflo/) - Queen-Worker hive mind governance with preflight checks, drift audits, and violation logging to swarm_state
89
- - [Hivemind](./integrations/hivemind/) - Team chat agent governance with tool interception, heartbeat drift audits, and session handoffs
90
- - [Anthropic Agent Teams](./integrations/agent-teams/) - Parallel agent governance via CLAUDE.md propagation with shared untouchable lists and unified audit trails
91
- - [Generic MCP](./integrations/generic-mcp/) - 5-minute setup for any MCP client (Claude Desktop, Claude Code, Cursor, Windsurf, Cline)
92
-
93
- ## v1.9.3
94
-
95
- **Tamara Reference Implementation + Case Study** (2 new resources)
96
- Production reference implementation of an autonomous AI operations manager built on the Nervous System. Includes full architecture documentation, build-your-own guide, and case study with real metrics from managing 13 agents across 5 platforms.
97
-
98
- ## v1.9.3
99
-
100
- **drift_audit** (free tier)
101
- Configuration drift detection across 5 scopes: roles, versions, files, processes, and website. Scans source-of-truth files (family-roles.json, package.json, UNTOUCHABLE_FILES.txt) against all downstream references - HTML pages, JSON configs, markdown docs, and running PM2 processes. Change one file, drift_audit tells you everywhere else that needs updating. The closed loop that keeps your entire system consistent.
102
-
103
- **Positioning: Auto mode decides what Claude CAN do. The Nervous System governs HOW it behaves while doing it.**
104
-
105
- ## The 7 Rules
106
-
107
- | # | Rule | What It Prevents |
108
- |---|------|-----------------|
109
- | 1 | **Dispatch Don't Do** | Debug loops, rabbit holes. Tasks > 2 messages get dispatched. |
110
- | 2 | **Untouchable** | File damage. Protected files mechanically blocked from editing. |
111
- | 3 | **Write Progress** | Silent failures. Progress noted before each action. |
112
- | 4 | **Step Back Every 4** | Goal drift. Forced reflection every 4 messages. |
113
- | 5 | **Delegate and Return** | Invisible work. Background tasks reported immediately. |
114
- | 6 | **Ask Before Touching** | Unauthorized changes. Logic changes need human approval. |
115
- | 7 | **Hand Off** | Context loss. Written handoffs every 3-4 exchanges. |
116
-
117
- ## MCP Tools (21)
118
-
119
- | Tool | Description |
120
- |------|------------|
121
- | `get_framework` | Complete framework: all rules, permission protocol, enforcement patterns |
122
- | `guardrail_rules` | The 7 core rules with triggers, enforcement, and failure modes |
123
- | `preflight_check` | File protection system: shell script blocks edits to protected files |
124
- | `session_handoff` | Context preservation: templates for handoff documents |
125
- | `worklog` | Progress documentation pattern |
126
- | `violation_logging` | Audit trail: timestamp, type, context for every violation |
127
- | `step_back_check` | Forced reflection system |
128
- | `get_nervous_system_info` | System overview and operational stats |
129
- | `emergency_kill_switch` | Emergency shutdown of all PM2 processes. Requires kill switch secret. Logs to tamper-evident audit trail |
130
- | `verify_audit_chain` | Walks the SHA-256 hash-chained audit log and verifies every entry. Returns chain integrity status |
131
- | `dispatch_to_llm` | Spawns a background LLM agent to handle a task. Checks RAM, enforces max 2 concurrent dispatches |
132
- | `drift_audit` | Configuration drift detection across roles, versions, files, processes, and website. Finds stale values everywhere. |
133
-
134
- ## Kill Switch
135
-
136
- The `emergency_kill_switch` tool provides an emergency shutdown capability. Send a POST request to `/kill` with the kill switch secret to immediately stop all PM2 processes. Every activation is logged to the tamper-evident audit trail with SHA-256 hash chaining, so kill switch events cannot be hidden or altered after the fact.
137
-
138
- - Requires authentication (kill switch secret)
139
- - Logs to hash-chained audit trail
140
- - Returns confirmation with affected process count
141
-
142
- ## Tamper-Evident Audit Trail
143
-
144
- Every guardrail violation, kill switch activation, and dispatch event is recorded in a SHA-256 hash-chained audit log. Each entry includes the hash of the previous entry, making it cryptographically impossible to alter or delete past records without breaking the chain.
145
-
146
- - Use `verify_audit_chain` to walk the entire chain and verify integrity
147
- - Returns: valid/invalid status, entry count, and break point if tampered
148
- - 99+ violations caught, 0 bypassed, 0 chain breaks
149
-
150
- ## Dispatch to LLM
151
-
152
- The `dispatch_to_llm` tool enables a brain + agents architecture. Instead of one LLM session doing everything, complex tasks get dispatched to background agents that run independently under the same 7 rules.
153
-
154
- - Checks available RAM (requires 500MB+)
155
- - Enforces max 2 concurrent dispatches
156
- - Returns PID and log file path for monitoring
157
- - Every dispatched agent runs under the same nervous system guardrails
158
-
159
- ## EU AI Act Compliance
160
-
161
- The Nervous System provides practical compliance tools for the EU AI Act. See the full compliance page at:
162
-
163
- https://api.100levelup.com/family/eu-ai-act.html
164
-
165
- ## Production Reference: Tamara
166
-
167
- Tamara is an autonomous AI operations manager built on the Nervous System framework. She manages 13 AI agents across 5 platforms, serving 175+ countries accessible from a $12/month VPS - without dedicated DevOps staff.
168
-
169
- Tamara is the proof that the Nervous System works in production. She runs 60-minute autonomous check cycles, detects configuration drift, dispatches remediation agents, and reports to the human operator only when judgment is needed.
170
-
171
- - **Case Study**: Use the `nervous-system://case-study` resource for full production metrics
172
- - **Reference Implementation**: Use the `nervous-system://tamara-reference` resource for architecture details and build-your-own guide
173
- - **Enterprise Support**: For organizations deploying AI agent fleets at scale, implementation consulting is available at wa.me/18184399770
174
- - **Blog**: [Meet Tamara](https://api.100levelup.com/family/blog/meet-tamara.md) | [Why AI Agent Management Is the Next Infrastructure Layer](https://api.100levelup.com/family/blog/ai-agent-management.md)
175
-
176
- ## Resources (7)
177
-
178
- - `nervous-system://framework` - The complete framework
179
- - `nervous-system://quick-start` - Quick start guide
180
- - `nervous-system://rules` - The 7 core rules
181
- - `nervous-system://templates` - Templates for handoffs, worklogs, preflight
182
- - `nervous-system://drift-audit` - Configuration drift detection
183
- - `nervous-system://tamara-reference` - Tamara autonomous ops manager reference implementation
184
- - `nervous-system://case-study` - Palyan Family AI System production case study
185
-
186
- ## Production Stats
187
-
188
- From the live Palyan Family AI System deployment (Feb 28 - Mar 5, 2026):
189
-
190
- - **58+** violations caught
191
- - **29** edits blocked by preflight
192
- - **100** files protected
193
- - **0** rules bypassed
194
- - **27** processes monitored
195
- - **5** days continuous operation
196
-
197
- ## Live Demo
198
-
199
- Try it yourself (no login required):
200
-
201
- - **[Interactive Demo](https://api.100levelup.com/family/arthur.html?guest=1)** - Talk to a governed LLM and try to break the rules
202
- - **[Audit Dashboard](https://api.100levelup.com/family/audit.html)** - See real violation history with timeline
203
- - **[System Status](https://api.100levelup.com/family/status.html)** - Live health checks
204
- - **[API Documentation](https://api.100levelup.com/family/api-docs.html)** - Full tool and resource reference
205
- - **[Case Study](https://api.100levelup.com/family/case-study.html)** - Production deployment data
206
- - **[Plain English Rules](https://api.100levelup.com/family/rules-plain.html)** - For non-technical stakeholders
207
- - **[Incident Response](https://api.100levelup.com/family/incident-response.html)** - Detection, containment, resolution
208
- - **[EU AI Act Compliance](https://api.100levelup.com/family/eu-ai-act.html)** - Practical EU AI Act compliance tools
209
-
210
- ## Integrations
211
-
212
- Works with the major multi-agent platforms and any MCP client:
213
-
214
- | Platform | Integration | Setup Time |
215
- |----------|------------|------------|
216
- | **[Ruflo (claude-flow)](./integrations/ruflo/)** | Plugin hooks into Queen-Worker pipeline | 10 min |
217
- | **[Hivemind](./integrations/hivemind/)** | MCP connector with tool interception | 10 min |
218
- | **[Anthropic Agent Teams](./integrations/agent-teams/)** | CLAUDE.md governance propagation | 10 min |
219
- | **[Any MCP Client](./integrations/generic-mcp/)** | 3 lines of config | 5 min |
220
-
221
- Each integration includes working code, example configs, and a step-by-step README.
222
-
223
- ## Agent Skills
224
-
225
- The Nervous System is also available as an Agent Skill following the open [Agent Skills standard](https://agentskills.io). Install the governance skill to teach any AI agent (Claude, Codex, Cursor, Copilot, VS Code) how to enforce behavioral guardrails in multi-agent systems.
226
-
227
- See `skills/multi-agent-governance/SKILL.md` for the full skill definition.
228
-
229
- ## Philosophy
230
-
231
- > "LLMs can't reliably self-enforce promises. Guardrails work via preflight.sh, violation logs, and catching drift. Build enforcement systems, don't make promises."
232
-
233
- If a guardrail can be violated by the thing it guards, it is not a guardrail. It is a suggestion.
234
-
235
- Every rule in the Nervous System is enforced by an external mechanism: a shell script, a timer, a separate monitoring process. The LLM cannot override, circumvent, or ignore them.
236
-
237
- ## License
238
-
239
- MIT
32
+ Discovery: [`/openapi.json`](https://api.100levelup.com/openapi.json) and [`/llms.txt`](https://api.100levelup.com/llms.txt).
@@ -0,0 +1,22 @@
1
+ agent_id: "aram"
2
+ role: "legal counsel"
3
+ version: "1.0.0"
4
+ description: "Provides legal guidance under strict escalation and compliance boundaries."
5
+ capabilities:
6
+ - "policy_interpretation"
7
+ - "compliance_review"
8
+ - "escalation_routing"
9
+ required_tools:
10
+ - "policy_engine"
11
+ - "citation_retriever"
12
+ - "approval_gate"
13
+ policy: "/root/levels-os/governance/policies/agents/aram.yaml"
14
+ memory_access:
15
+ global_read: true
16
+ agent_read: true
17
+ agent_write: false
18
+ max_runtime_minutes: 30
19
+ model_preference: "ollama-qwen3"
20
+ fallback_model: "claude-sonnet"
21
+ cost_limit_usd: 1.0
22
+ heartbeat_interval_sec: 30
@@ -0,0 +1,22 @@
1
+ agent_id: "corona"
2
+ role: "creative real estate"
3
+ version: "1.0.0"
4
+ description: "Develops creative real estate concepts, campaigns, and positioning strategies."
5
+ capabilities:
6
+ - "campaign_concepting"
7
+ - "property_storytelling"
8
+ - "market_positioning"
9
+ required_tools:
10
+ - "content_editor"
11
+ - "media_planner"
12
+ - "listing_database"
13
+ policy: "/root/levels-os/governance/policies/agents/corona.yaml"
14
+ memory_access:
15
+ global_read: true
16
+ agent_read: true
17
+ agent_write: true
18
+ max_runtime_minutes: 60
19
+ model_preference: "ollama-qwen3"
20
+ fallback_model: "claude-sonnet"
21
+ cost_limit_usd: 2.0
22
+ heartbeat_interval_sec: 30
@@ -0,0 +1,22 @@
1
+ agent_id: "harout"
2
+ role: "realtor"
3
+ version: "1.0.0"
4
+ description: "Supports client-facing real estate workflows for listings and buyer matching."
5
+ capabilities:
6
+ - "listing_analysis"
7
+ - "client_communication"
8
+ - "market_comparison"
9
+ required_tools:
10
+ - "listing_database"
11
+ - "crm_connector"
12
+ - "calendar_scheduler"
13
+ policy: "/root/levels-os/governance/policies/agents/harout.yaml"
14
+ memory_access:
15
+ global_read: true
16
+ agent_read: true
17
+ agent_write: true
18
+ max_runtime_minutes: 60
19
+ model_preference: "ollama-qwen3"
20
+ fallback_model: "claude-sonnet"
21
+ cost_limit_usd: 2.0
22
+ heartbeat_interval_sec: 30
@@ -0,0 +1,22 @@
1
+ agent_id: "harry"
2
+ role: "accountant"
3
+ version: "1.0.0"
4
+ description: "Handles strict financial data workflows for bookkeeping and reconciliations."
5
+ capabilities:
6
+ - "ledger_reconciliation"
7
+ - "expense_classification"
8
+ - "financial_reporting"
9
+ required_tools:
10
+ - "ledger_reader"
11
+ - "calculator"
12
+ - "audit_logger"
13
+ policy: "/root/levels-os/governance/policies/agents/harry.yaml"
14
+ memory_access:
15
+ global_read: true
16
+ agent_read: true
17
+ agent_write: false
18
+ max_runtime_minutes: 30
19
+ model_preference: "ollama-qwen3"
20
+ fallback_model: "claude-sonnet"
21
+ cost_limit_usd: 1.0
22
+ heartbeat_interval_sec: 30
package/index.js CHANGED
@@ -538,7 +538,7 @@ const NERVOUS_SYSTEM_INFO = {
538
538
  ]
539
539
  },
540
540
  origin_story: {
541
- context: 'Arthur Palyan runs a startup with 12 AI family members, each with distinct roles. The entire operation runs on a $24/month VPS with a $200/month LLM subscription.',
541
+ context: 'Arthur Palyan runs a startup with 12 AI family members, each with distinct roles. The entire operation runs on a ~$48/month VPS with a $200/month LLM subscription, about $375/month all in.',
542
542
  problem_discovered: 'After months of building, patterns emerged: LLMs would break working systems while trying to improve them. They would loop on debugging instead of dispatching. They would silently fail when sessions timed out. They would lose all context between sessions.',
543
543
  solution_built: 'Arthur built the nervous system - not by changing the LLM model, but by wrapping it in behavioral rules enforced through scripts, file checks, and prompt engineering. The LLM itself became the enforcement mechanism, trained to check before acting.',
544
544
  philosophy: 'The brain (LLM) is powerful but needs a nervous system to keep it from hurting itself. Just like a human nervous system sends pain signals before you touch a hot stove, this system sends BLOCKED/PROTECTED signals before the LLM edits a critical file.',
@@ -570,7 +570,7 @@ const NERVOUS_SYSTEM_INFO = {
570
570
  reflection_trigger: 'Every 4 messages',
571
571
  processes_managed: '22+ autonomous PM2 processes',
572
572
  family_members: 12,
573
- monthly_cost: 'Under $300/month total infrastructure',
573
+ monthly_cost: 'Under $500/month total infrastructure (about $375 actual)',
574
574
  uptime: '24/7 autonomous operation',
575
575
  deployment: 'Single VPS, single LLM subscription'
576
576
  }
@@ -895,7 +895,7 @@ const RESOURCES = [
895
895
  { uri: 'nervous-system://templates', name: 'Templates', description: 'Ready-to-use templates for handoffs, worklogs, preflight, and untouchable lists', mimeType: 'text/plain' },
896
896
  { uri: 'nervous-system://drift-audit', name: 'Drift Audit', description: 'Configuration drift detection - checks roles, versions, file references, and running processes against source-of-truth files', mimeType: 'text/plain' },
897
897
  { uri: 'nervous-system://tamara-reference', name: 'Tamara Reference Implementation', description: 'Autonomous AI operations manager - reference implementation for managing AI agent fleets using the Nervous System framework', mimeType: 'text/plain' },
898
- { uri: 'nervous-system://case-study', name: 'Palyan Family AI System Case Study', description: 'Production case study: 13 agents, 5 platforms, 175 countries, $24/month - autonomous AI operations at scale', mimeType: 'text/plain' },
898
+ { uri: 'nervous-system://case-study', name: 'Palyan Family AI System Case Study', description: 'Production case study: 13 agents, 5 platforms, 175 countries, under $500/month - autonomous AI operations at scale', mimeType: 'text/plain' },
899
899
  ];
900
900
 
901
901
  // ============================================================
@@ -3875,7 +3875,7 @@ PRODUCTION RESULTS
3875
3875
  - 13 AI agents managed autonomously
3876
3876
  - 5 platforms (Telegram, Instagram, Facebook, Web, Bot Builder)
3877
3877
  - 175 countries served
3878
- - $24/month total infrastructure cost
3878
+ - Under $500/month total infrastructure cost (about $375 actual)
3879
3879
  - Zero dedicated DevOps staff
3880
3880
  - 99+ protected files with automated enforcement
3881
3881
  - Autonomous operation for weeks without human intervention
@@ -3900,7 +3900,7 @@ Open source: npmjs.com/package/mcp-nervous-system`;
3900
3900
  Autonomous AI Operations at Scale
3901
3901
 
3902
3902
  OVERVIEW
3903
- The Palyan Family AI System is a production deployment of 13 specialized AI agents serving users across 175 countries through 5 platforms. The entire operation runs on a single 4GB VPS for $24/month, managed autonomously by Tamara - an AI operations manager built on the Nervous System framework.
3903
+ The Palyan Family AI System is a production deployment of 13 specialized AI agents serving users across 175 countries through 5 platforms. The entire operation runs on a single 4GB VPS for about $48/month, managed autonomously by Tamara - an AI operations manager built on the Nervous System framework.
3904
3904
 
3905
3905
  This is not a demo. This is a live system that has been running continuously since February 2026, processing real user interactions, managing real infrastructure, and operating without dedicated DevOps staff.
3906
3906
 
@@ -3923,7 +3923,7 @@ INFRASTRUCTURE
3923
3923
  - Server: 4GB VPS (Ubuntu)
3924
3924
  - Process Manager: PM2 (29 registered processes, 19+ online)
3925
3925
  - LLM Access: Anthropic Max subscription
3926
- - Total Monthly Cost: $24 (VPS $12 + domain/misc $12)
3926
+ - Total Monthly Cost: ~$375 (VPS ~$48 + LLM ~$200 + Vercel/insurance/tools)
3927
3927
  - Platforms: Telegram, Instagram, Facebook Messenger, Web, Bot Builder SaaS
3928
3928
 
3929
3929
  GOVERNANCE LAYER
@@ -0,0 +1,22 @@
1
+ agent_id: "kris"
2
+ role: "business credit scanner"
3
+ version: "1.0.0"
4
+ description: "Analyzes business credit signals and flags potential financial risk patterns."
5
+ capabilities:
6
+ - "credit_profile_scan"
7
+ - "risk_scoring"
8
+ - "report_generation"
9
+ required_tools:
10
+ - "data_fetcher"
11
+ - "risk_engine"
12
+ - "report_writer"
13
+ policy: "/root/levels-os/governance/policies/agents/kris.yaml"
14
+ memory_access:
15
+ global_read: true
16
+ agent_read: true
17
+ agent_write: true
18
+ max_runtime_minutes: 60
19
+ model_preference: "ollama-qwen3"
20
+ fallback_model: "claude-sonnet"
21
+ cost_limit_usd: 2.0
22
+ heartbeat_interval_sec: 30
@@ -0,0 +1,24 @@
1
+ agent_id: "lady"
2
+ role: "5-lane executor"
3
+ version: "1.0.0"
4
+ description: "Executes parallel workstreams across five lanes with synchronized delivery control."
5
+ capabilities:
6
+ - "parallel_execution"
7
+ - "priority_routing"
8
+ - "status_synchronization"
9
+ - "handoff_coordination"
10
+ required_tools:
11
+ - "lane_orchestrator"
12
+ - "task_dispatcher"
13
+ - "status_board"
14
+ - "audit_logger"
15
+ policy: "/root/levels-os/governance/policies/agents/lady.yaml"
16
+ memory_access:
17
+ global_read: true
18
+ agent_read: true
19
+ agent_write: true
20
+ max_runtime_minutes: 60
21
+ model_preference: "ollama-qwen3"
22
+ fallback_model: "claude-sonnet"
23
+ cost_limit_usd: 2.0
24
+ heartbeat_interval_sec: 30
@@ -0,0 +1,184 @@
1
+ 'use strict';
2
+ // mcp-audit.js - deterministic governance lint for MCP server configurations.
3
+ // Zero deps, pure Node. Powers the paid POST /audit-mcp SKU in x402-app.js.
4
+ //
5
+ // auditMcpConfig(input) -> { score:0-100, findings:[...], summary:{...} } (never throws)
6
+ // Malformed input -> { error, hint } (no throw)
7
+ //
8
+ // Input is PARSED JSON, either:
9
+ // Claude-Desktop shape { "mcpServers": { "<name>": {command,args,env,...} } }
10
+ // or a single server { command, args, env, ... }
11
+ //
12
+ // Each finding: { severity:'error'|'warn'|'info', code, server, message, hint }
13
+ // Score: start 100; -25 per error, -10 per warn, -2 per info; floor 0.
14
+
15
+ // Recognized keys (typo detection). Anything else -> UNKNOWN_TOP_FIELDS (info).
16
+ const KNOWN_TOP_KEYS = new Set(['mcpServers']);
17
+ const KNOWN_SERVER_KEYS = new Set([
18
+ 'command', 'args', 'env', 'url', 'transport', 'type', 'cwd', 'name',
19
+ 'disabled', 'enabled', 'autoApprove', 'alwaysAllow', 'timeout', 'headers', 'description'
20
+ ]);
21
+ // Flags that consume the following token as their value (so it is NOT the docker image / package).
22
+ const VALUE_FLAGS = new Set([
23
+ '-e', '--env', '-v', '--volume', '-p', '--publish', '--name', '-w', '--workdir',
24
+ '--network', '-u', '--user', '--mount', '--label', '-l', '--entrypoint'
25
+ ]);
26
+
27
+ function baseName(cmd) {
28
+ if (typeof cmd !== 'string') return '';
29
+ const parts = cmd.replace(/\\/g, '/').split('/');
30
+ return parts[parts.length - 1].toLowerCase();
31
+ }
32
+
33
+ function isEnvRef(v) {
34
+ // ${VAR} / $VAR / plain reference -> not an inline secret.
35
+ return /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/.test(String(v).trim());
36
+ }
37
+
38
+ function looksHighEntropy(v) {
39
+ // 20+ chars, token-like charset, mixes letters AND digits -> probably a real credential.
40
+ return v.length >= 20 && /^[A-Za-z0-9+/=_.\-]{20,}$/.test(v) && /[0-9]/.test(v) && /[A-Za-z]/.test(v);
41
+ }
42
+
43
+ function firstNonFlagArg(args) {
44
+ for (const a of args) { if (typeof a === 'string' && !a.startsWith('-')) return a; }
45
+ return null;
46
+ }
47
+
48
+ // Best-effort docker image extraction: first bare token after `run`, skipping flags + their values.
49
+ function dockerImage(args) {
50
+ const i = args.indexOf('run');
51
+ if (i < 0) return null;
52
+ for (let j = i + 1; j < args.length; j++) {
53
+ const a = args[j];
54
+ if (typeof a !== 'string') continue;
55
+ if (a.startsWith('-')) { if (VALUE_FLAGS.has(a)) j++; continue; } // skip flag (and its value)
56
+ return a; // first bare token = the image reference
57
+ }
58
+ return null;
59
+ }
60
+
61
+ function checkServer(name, srv, findings) {
62
+ const push = (severity, code, message, hint) => findings.push({ severity, code, server: name, message, hint });
63
+ if (!srv || typeof srv !== 'object' || Array.isArray(srv)) {
64
+ push('info', 'UNKNOWN_TOP_FIELDS', 'server entry is not an object', 'Each server must map to an object with command/url + args/env.');
65
+ return;
66
+ }
67
+ const args = Array.isArray(srv.args) ? srv.args : [];
68
+ const cmd = baseName(srv.command);
69
+
70
+ // Unknown server-level keys (typo detection).
71
+ for (const k of Object.keys(srv)) {
72
+ if (!KNOWN_SERVER_KEYS.has(k)) {
73
+ push('info', 'UNKNOWN_TOP_FIELDS', 'unrecognized server field "' + k + '"', 'Check for a typo; expected command/args/env/url/type.');
74
+ }
75
+ }
76
+
77
+ // SECRET_IN_ENV (error)
78
+ if (srv.env && typeof srv.env === 'object' && !Array.isArray(srv.env)) {
79
+ for (const [k, v] of Object.entries(srv.env)) {
80
+ if (typeof v !== 'string' || v.length === 0 || isEnvRef(v)) continue;
81
+ const keyMatch = /key|token|secret|password|passwd|pwd|credential|apikey|auth|access[_-]?id|private/i.test(k);
82
+ if (keyMatch) {
83
+ push('error', 'SECRET_IN_ENV', 'env "' + k + '" appears to hold an inline credential', 'Reference a secret via ${ENV_VAR} or a secret manager; never inline credentials.');
84
+ } else if (looksHighEntropy(v)) {
85
+ push('error', 'SECRET_IN_ENV', 'env "' + k + '" holds a high-entropy value that looks like a secret', 'Reference a secret via ${ENV_VAR} or a secret manager; never inline credentials.');
86
+ }
87
+ }
88
+ }
89
+
90
+ // SHELL_WRAPPER (warn) - sh/bash/zsh -c hides the real binary
91
+ if ((cmd === 'sh' || cmd === 'bash' || cmd === 'zsh') && args.some((a) => a === '-c')) {
92
+ push('warn', 'SHELL_WRAPPER', 'command wraps the real binary in ' + cmd + ' -c', 'Invoke the real binary directly instead of wrapping in a shell.');
93
+ }
94
+
95
+ // UNPINNED_PACKAGE (warn) + AUTO_INSTALL_FLAG (warn) for npx/uvx/bunx-style runners
96
+ if (cmd === 'npx' || cmd === 'uvx' || cmd === 'bunx' || cmd === 'pnpm' || cmd === 'yarn') {
97
+ const pkg = firstNonFlagArg(args);
98
+ if (pkg) {
99
+ const body = pkg.startsWith('@') ? pkg.slice(1) : pkg; // strip scope so @scope/x isn't read as a pin
100
+ if (!body.includes('@')) {
101
+ push('warn', 'UNPINNED_PACKAGE', 'package "' + pkg + '" is not version-pinned', 'Pin the version (name@1.2.3) to prevent supply-chain drift.');
102
+ }
103
+ }
104
+ if (args.some((a) => a === '-y' || a === '--yes')) {
105
+ push('warn', 'AUTO_INSTALL_FLAG', cmd + ' auto-installs unreviewed code (-y/--yes)', 'Remove -y/--yes; review packages before first execution.');
106
+ }
107
+ }
108
+
109
+ // BROAD_FS_SCOPE (warn) - filesystem servers granted / or a home root
110
+ const joined = (srv.command ? srv.command + ' ' : '') + args.join(' ');
111
+ const isFs = /filesystem/i.test(joined) || srv.type === 'filesystem' || /(^|[^a-z])fs($|[^a-z])/i.test(String(srv.name || ''));
112
+ if (isFs) {
113
+ for (const a of args) {
114
+ if (typeof a !== 'string') continue;
115
+ if (/^(\/|~|\$HOME|\/root|\/home\/[^/]+|\/Users\/[^/]+)\/?$/.test(a.trim())) {
116
+ push('warn', 'BROAD_FS_SCOPE', 'filesystem access granted to broad path "' + a + '"', 'Scope filesystem access to a specific project subdirectory, not / or $HOME.');
117
+ }
118
+ }
119
+ }
120
+
121
+ // REMOTE_URL_NO_TLS (error) - http:// to a non-localhost host
122
+ const urlCandidates = [];
123
+ if (typeof srv.url === 'string') urlCandidates.push(srv.url);
124
+ if (srv.transport && typeof srv.transport === 'object' && typeof srv.transport.url === 'string') urlCandidates.push(srv.transport.url);
125
+ for (const a of args) { if (typeof a === 'string' && /^https?:\/\//i.test(a)) urlCandidates.push(a); }
126
+ for (const raw of urlCandidates) {
127
+ let u; try { u = new URL(raw); } catch (e) { continue; }
128
+ if (u.protocol !== 'http:') continue;
129
+ const h = u.hostname.toLowerCase();
130
+ const local = h === 'localhost' || h === '127.0.0.1' || h === '0.0.0.0' || h === '::1' || h.endsWith('.local');
131
+ if (!local) {
132
+ push('error', 'REMOTE_URL_NO_TLS', 'remote transport uses plaintext http:// (' + h + ')', 'Use https:// for remote transports.');
133
+ }
134
+ }
135
+
136
+ // NO_VERSION_PIN_DOCKER (info) - image without a tag or :latest
137
+ if (cmd === 'docker') {
138
+ const img = dockerImage(args);
139
+ if (img) {
140
+ const tagless = !img.includes('@') && (!img.includes(':') || /:latest$/i.test(img));
141
+ if (tagless) {
142
+ push('info', 'NO_VERSION_PIN_DOCKER', 'docker image "' + img + '" has no immutable tag', 'Pin the image to a specific tag or digest, not :latest.');
143
+ }
144
+ }
145
+ }
146
+ }
147
+
148
+ function auditMcpConfig(input) {
149
+ if (input === null || typeof input !== 'object' || Array.isArray(input)) {
150
+ return { error: 'input must be a JSON object', hint: 'Provide {"mcpServers":{...}} (Claude Desktop) or a single server object {"command":...}.' };
151
+ }
152
+
153
+ const findings = [];
154
+ let servers;
155
+
156
+ if (input.mcpServers && typeof input.mcpServers === 'object' && !Array.isArray(input.mcpServers)) {
157
+ servers = input.mcpServers;
158
+ for (const k of Object.keys(input)) {
159
+ if (!KNOWN_TOP_KEYS.has(k)) {
160
+ findings.push({ severity: 'info', code: 'UNKNOWN_TOP_FIELDS', server: '(top)', message: 'unrecognized top-level field "' + k + '"', hint: 'Check for a typo; the config root normally holds only "mcpServers".' });
161
+ }
162
+ }
163
+ } else if ('command' in input || 'url' in input || 'args' in input || 'env' in input || 'transport' in input) {
164
+ servers = { '(root)': input }; // single-server shape
165
+ } else {
166
+ return { error: 'no MCP servers found', hint: 'Expected {"mcpServers":{...}} or a server object with a "command" or "url" field.' };
167
+ }
168
+
169
+ const names = Object.keys(servers);
170
+ for (const name of names) checkServer(name, servers[name], findings);
171
+
172
+ let score = 100;
173
+ let errors = 0, warns = 0, infos = 0;
174
+ for (const f of findings) {
175
+ if (f.severity === 'error') { score -= 25; errors++; }
176
+ else if (f.severity === 'warn') { score -= 10; warns++; }
177
+ else { score -= 2; infos++; }
178
+ }
179
+ if (score < 0) score = 0;
180
+
181
+ return { score, findings, summary: { servers: names.length, errors, warns, infos } };
182
+ }
183
+
184
+ module.exports = { auditMcpConfig };