trustpact 0.1.0__tar.gz

trustpact-0.1.0/PKG-INFO

@@ -0,0 +1,85 @@
+Metadata-Version: 2.4
+Name: trustpact
+Version: 0.1.0
+Summary: Behavioral trust scanner for MCP servers and AI agents
+Author-email: Nina Klee <nina@arqon.group>
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://trustpact.ai
+Project-URL: Repository, https://github.com/trustpact-ai/trustpact-verify
+Project-URL: Documentation, https://trustpact.ai/docs
+Keywords: mcp,trust,ai-agents,security,aegis
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.25.0
+Requires-Dist: rich>=13.0.0
+
+# trustpact
+
+Behavioral trust scanner for MCP servers and AI agents.
+
+## Install
+
+```bash
+pip install trustpact
+```
+
+## Usage
+
+```bash
+# Scan a server from the Smithery registry
+trustpact scan "slack"
+
+# Scan a local server spec (JSON)
+trustpact scan server.json
+
+# JSON output for CI/CD integration
+trustpact scan server.json --json
+
+# Show AEGIS scoring methodology
+trustpact info
+```
+
+## What It Does
+
+TrustPact scans MCP server tool definitions for manipulation patterns and calculates a behavioral trust score using the AEGIS 5-dimensional model:
+
+- **Trust Signals (35%)** — metadata, documentation, authentication
+- **Manipulation Risk (25%)** — hidden instructions, poisoning patterns
+- **Protection Level (15%)** — auth, scope, licensing
+- **Vulnerability Index (15%)** — critical exposure surface
+- **Context Modifier (10%)** — runtime context signals
+
+### Attack Classes Detected
+
+| Class | Description |
+|-------|-------------|
+| SIREN | Hidden instruction injection |
+| PHANTOM | Identity spoofing |
+| HYDRA | Coordinated Sybil attacks |
+| MIRAGE | Capability misrepresentation |
+| LEECH | Data/credential exfiltration |
+| CHIMERA | Code injection, safety bypass |
+
+### Trust Tiers
+
+| Tier | Score | Meaning |
+|------|-------|---------|
+| SOVEREIGN | 95+ | Highest trust |
+| SENTINEL | 85+ | Proven track record |
+| MASTER | 65+ | Reliable |
+| ADEPT | 40+ | Limited history |
+| FELLOW | 0+ | New or unverified |
+
+## License
+
+Proprietary — ARQON GmbH (i.G.)
+
+## Links
+
+- [trustpact.ai](https://trustpact.ai)
+- Patent Provisional 63/928,604

trustpact-0.1.0/README.md

@@ -0,0 +1,65 @@
+# trustpact
+
+Behavioral trust scanner for MCP servers and AI agents.
+
+## Install
+
+```bash
+pip install trustpact
+```
+
+## Usage
+
+```bash
+# Scan a server from the Smithery registry
+trustpact scan "slack"
+
+# Scan a local server spec (JSON)
+trustpact scan server.json
+
+# JSON output for CI/CD integration
+trustpact scan server.json --json
+
+# Show AEGIS scoring methodology
+trustpact info
+```
+
+## What It Does
+
+TrustPact scans MCP server tool definitions for manipulation patterns and calculates a behavioral trust score using the AEGIS 5-dimensional model:
+
+- **Trust Signals (35%)** — metadata, documentation, authentication
+- **Manipulation Risk (25%)** — hidden instructions, poisoning patterns
+- **Protection Level (15%)** — auth, scope, licensing
+- **Vulnerability Index (15%)** — critical exposure surface
+- **Context Modifier (10%)** — runtime context signals
+
+### Attack Classes Detected
+
+| Class | Description |
+|-------|-------------|
+| SIREN | Hidden instruction injection |
+| PHANTOM | Identity spoofing |
+| HYDRA | Coordinated Sybil attacks |
+| MIRAGE | Capability misrepresentation |
+| LEECH | Data/credential exfiltration |
+| CHIMERA | Code injection, safety bypass |
+
+### Trust Tiers
+
+| Tier | Score | Meaning |
+|------|-------|---------|
+| SOVEREIGN | 95+ | Highest trust |
+| SENTINEL | 85+ | Proven track record |
+| MASTER | 65+ | Reliable |
+| ADEPT | 40+ | Limited history |
+| FELLOW | 0+ | New or unverified |
+
+## License
+
+Proprietary — ARQON GmbH (i.G.)
+
+## Links
+
+- [trustpact.ai](https://trustpact.ai)
+- Patent Provisional 63/928,604

trustpact-0.1.0/pyproject.toml

@@ -0,0 +1,35 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "trustpact"
+version = "0.1.0"
+description = "Behavioral trust scanner for MCP servers and AI agents"
+readme = "README.md"
+license = "Apache-2.0"
+requires-python = ">=3.9"
+authors = [{name = "Nina Klee", email = "nina@arqon.group"}]
+keywords = ["mcp", "trust", "ai-agents", "security", "aegis"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries",
+]
+dependencies = [
+    "httpx>=0.25.0",
+    "rich>=13.0.0",
+]
+
+[project.scripts]
+trustpact = "trustpact_verify.cli:main"
+
+[project.urls]
+Homepage = "https://trustpact.ai"
+Repository = "https://github.com/trustpact-ai/trustpact-verify"
+Documentation = "https://trustpact.ai/docs"
+
+[tool.setuptools.packages.find]
+include = ["trustpact_verify*"]

trustpact-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

trustpact-0.1.0/trustpact.egg-info/PKG-INFO

@@ -0,0 +1,85 @@
+Metadata-Version: 2.4
+Name: trustpact
+Version: 0.1.0
+Summary: Behavioral trust scanner for MCP servers and AI agents
+Author-email: Nina Klee <nina@arqon.group>
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://trustpact.ai
+Project-URL: Repository, https://github.com/trustpact-ai/trustpact-verify
+Project-URL: Documentation, https://trustpact.ai/docs
+Keywords: mcp,trust,ai-agents,security,aegis
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.25.0
+Requires-Dist: rich>=13.0.0
+
+# trustpact
+
+Behavioral trust scanner for MCP servers and AI agents.
+
+## Install
+
+```bash
+pip install trustpact
+```
+
+## Usage
+
+```bash
+# Scan a server from the Smithery registry
+trustpact scan "slack"
+
+# Scan a local server spec (JSON)
+trustpact scan server.json
+
+# JSON output for CI/CD integration
+trustpact scan server.json --json
+
+# Show AEGIS scoring methodology
+trustpact info
+```
+
+## What It Does
+
+TrustPact scans MCP server tool definitions for manipulation patterns and calculates a behavioral trust score using the AEGIS 5-dimensional model:
+
+- **Trust Signals (35%)** — metadata, documentation, authentication
+- **Manipulation Risk (25%)** — hidden instructions, poisoning patterns
+- **Protection Level (15%)** — auth, scope, licensing
+- **Vulnerability Index (15%)** — critical exposure surface
+- **Context Modifier (10%)** — runtime context signals
+
+### Attack Classes Detected
+
+| Class | Description |
+|-------|-------------|
+| SIREN | Hidden instruction injection |
+| PHANTOM | Identity spoofing |
+| HYDRA | Coordinated Sybil attacks |
+| MIRAGE | Capability misrepresentation |
+| LEECH | Data/credential exfiltration |
+| CHIMERA | Code injection, safety bypass |
+
+### Trust Tiers
+
+| Tier | Score | Meaning |
+|------|-------|---------|
+| SOVEREIGN | 95+ | Highest trust |
+| SENTINEL | 85+ | Proven track record |
+| MASTER | 65+ | Reliable |
+| ADEPT | 40+ | Limited history |
+| FELLOW | 0+ | New or unverified |
+
+## License
+
+Proprietary — ARQON GmbH (i.G.)
+
+## Links
+
+- [trustpact.ai](https://trustpact.ai)
+- Patent Provisional 63/928,604

trustpact-0.1.0/trustpact.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+README.md
+pyproject.toml
+trustpact.egg-info/PKG-INFO
+trustpact.egg-info/SOURCES.txt
+trustpact.egg-info/dependency_links.txt
+trustpact.egg-info/entry_points.txt
+trustpact.egg-info/requires.txt
+trustpact.egg-info/top_level.txt
+trustpact_verify/__init__.py
+trustpact_verify/cli.py
+trustpact_verify/registry.py
+trustpact_verify/scanner.py

trustpact-0.1.0/trustpact.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

trustpact-0.1.0/trustpact.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+trustpact = trustpact_verify.cli:main

trustpact-0.1.0/trustpact.egg-info/requires.txt

@@ -0,0 +1,2 @@
+httpx>=0.25.0
+rich>=13.0.0

trustpact-0.1.0/trustpact.egg-info/top_level.txt

@@ -0,0 +1 @@
+trustpact_verify

trustpact-0.1.0/trustpact_verify/__init__.py

@@ -0,0 +1,3 @@
+"""TrustPact — Behavioral trust scanner for MCP servers and AI agents."""
+
+__version__ = "0.1.0"

trustpact-0.1.0/trustpact_verify/cli.py

@@ -0,0 +1,402 @@
+"""
+trustpact verify — CLI entry point.
+
+Usage:
+    trustpact scan <name_or_url>    Scan an MCP server for trust issues
+    trustpact info                  Show AEGIS scoring methodology
+    trustpact version               Show version
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import sys
+from pathlib import Path
+
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+from rich.text import Text
+from rich import box
+
+from trustpact_verify import __version__
+from trustpact_verify.scanner import (
+    scan_server,
+    scan_tool_descriptions,
+    scan_metadata,
+    ScanResult,
+    Finding,
+)
+
+console = Console()
+
+
+# ── Colours & symbols ──────────────────────────────────────────
+
+TIER_STYLES = {
+    "SOVEREIGN": ("bold bright_green", "★★★★★"),
+    "SENTINEL":  ("bold green",        "★★★★☆"),
+    "MASTER":    ("bold yellow",       "★★★☆☆"),
+    "ADEPT":     ("bold bright_red",   "★★☆☆☆"),
+    "FELLOW":    ("bold red",          "★☆☆☆☆"),
+}
+
+SEVERITY_STYLES = {
+    "CRITICAL": "bold white on red",
+    "HIGH":     "bold red",
+    "MEDIUM":   "yellow",
+    "LOW":      "dim",
+}
+
+REC_STYLES = {
+    "SAFE":    ("bold bright_green", "✓ SAFE — Low risk, reasonable to use"),
+    "CAUTION": ("bold yellow",       "⚠ CAUTION — Review findings before use"),
+    "AVOID":   ("bold red",          "✗ AVOID — Significant trust concerns"),
+}
+
+
+def _render_header():
+    console.print()
+    console.print(
+        Panel(
+            "[bold bright_cyan]TrustPact[/] verify  ·  AEGIS Trust Scanner",
+            subtitle=f"v{__version__}",
+            style="bright_cyan",
+            width=64,
+        )
+    )
+
+
+def _render_score(result: ScanResult):
+    """Render the trust score gauge."""
+    tier_style, stars = TIER_STYLES.get(result.trust_tier, ("white", "?"))
+
+    score_text = Text()
+    score_text.append(f"  Trust Score: ", style="bold")
+    score_text.append(f"{result.trust_score:.1f}", style=tier_style)
+    score_text.append(f" / 100", style="dim")
+    score_text.append(f"  {stars}", style=tier_style)
+    console.print(score_text)
+
+    tier_text = Text()
+    tier_text.append(f"  Trust Tier:  ", style="bold")
+    tier_text.append(result.trust_tier, style=tier_style)
+    console.print(tier_text)
+    console.print()
+
+
+def _render_dimensions(result: ScanResult):
+    """Render the 5-dimensional breakdown."""
+    dims = result.dimensions
+    table = Table(
+        title="AEGIS Dimensions",
+        box=box.ROUNDED,
+        title_style="bold bright_cyan",
+        width=64,
+    )
+    table.add_column("Dimension", style="bold", width=22)
+    table.add_column("Value", justify="right", width=10)
+    table.add_column("Bar", width=26)
+
+    rows = [
+        ("Trust Signals",      dims.trust_signals,       False),
+        ("Manipulation Risk",  dims.manipulation_risk,   True),
+        ("Protection Level",   dims.protection_level,    False),
+        ("Vulnerability Index", dims.vulnerability_index, True),
+        ("Context Modifier",   dims.context_modifier,    None),
+    ]
+
+    for name, value, invert in rows:
+        if invert is None:
+            # context modifier is -10 to +10
+            bar = f"{'▓' * max(0, int(value + 10))}{'░' * max(0, 20 - int(value + 10))}"
+            style = "yellow" if abs(value) < 3 else ("green" if value > 0 else "red")
+            table.add_row(name, f"{value:+.1f}", Text(bar, style=style))
+        else:
+            filled = int(value / 5)  # 0-20 blocks
+            bar = "▓" * filled + "░" * (20 - filled)
+            if invert:
+                style = "bright_green" if value < 30 else ("yellow" if value < 60 else "red")
+            else:
+                style = "red" if value < 30 else ("yellow" if value < 60 else "bright_green")
+            table.add_row(name, f"{value:.1f}", Text(bar, style=style))
+
+    console.print(table)
+
+
+def _render_findings(findings: list[Finding]):
+    """Render findings table."""
+    if not findings:
+        console.print("  [bright_green]No issues detected.[/]")
+        console.print()
+        return
+
+    table = Table(
+        title=f"Findings ({len(findings)})",
+        box=box.ROUNDED,
+        title_style="bold yellow",
+        width=80,
+        show_lines=True,
+    )
+    table.add_column("Sev", width=8, justify="center")
+    table.add_column("Class", width=9)
+    table.add_column("Message", width=42)
+    table.add_column("Location", width=16, style="dim")
+
+    # Sort: CRITICAL first, then HIGH, MEDIUM, LOW
+    severity_order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
+    sorted_findings = sorted(findings, key=lambda f: severity_order.get(f.severity, 9))
+
+    for f in sorted_findings:
+        sev_style = SEVERITY_STYLES.get(f.severity, "white")
+        table.add_row(
+            Text(f.severity, style=sev_style),
+            Text(f.attack_class, style="bold"),
+            f.message,
+            f.location[:16] if f.location else "",
+        )
+
+    console.print(table)
+
+
+def _render_recommendation(result: ScanResult):
+    """Render the final recommendation."""
+    rec_style, rec_text = REC_STYLES.get(
+        result.recommendation, ("white", "? UNKNOWN")
+    )
+    console.print(
+        Panel(
+            f"[{rec_style}]{rec_text}[/]",
+            title="Recommendation",
+            style=rec_style.split()[0] if " " in rec_style else rec_style,
+            width=64,
+        )
+    )
+
+    # Summary line
+    console.print(
+        f"  [dim]Scanned {result.tools_scanned} tool(s) · "
+        f"{result.critical_count} critical · {result.high_count} high · "
+        f"Source: {result.scan_source}[/]"
+    )
+    console.print()
+
+
+def render_scan_result(result: ScanResult):
+    """Full formatted output for a scan result."""
+    _render_header()
+    console.print(f"  [bold]Target:[/] {result.target}")
+    console.print()
+    _render_score(result)
+    _render_dimensions(result)
+    console.print()
+    _render_findings(result.findings)
+    console.print()
+    _render_recommendation(result)
+
+
+# ── Commands ───────────────────────────────────────────────────
+
+def cmd_scan(args):
+    """Scan a server from a JSON spec file or registry name."""
+    target = args.target
+
+    # Try as local JSON file first
+    path = Path(target)
+    if path.exists() and path.suffix == ".json":
+        try:
+            data = json.loads(path.read_text())
+        except json.JSONDecodeError as e:
+            console.print(f"[red]Error parsing {target}: {e}[/]")
+            sys.exit(1)
+
+        tools = data.get("tools", [])
+        metadata = data.get("metadata", data.get("server", {}))
+        if not metadata.get("name"):
+            metadata["name"] = path.stem
+
+        result = scan_server(tools, metadata)
+        if args.json_output:
+            _output_json(result)
+        else:
+            render_scan_result(result)
+        return
+
+    # Try fetching from MCP registry
+    try:
+        from trustpact_verify.registry import fetch_server_spec
+        console.print(f"  [dim]Fetching server spec for '{target}' from registry...[/]")
+        spec = fetch_server_spec(target)
+        if spec is None:
+            console.print(f"[red]Server '{target}' not found in registry.[/]")
+            console.print("[dim]Try: trustpact scan <path-to-spec.json>[/]")
+            sys.exit(1)
+
+        tools = spec.get("tools", [])
+        metadata = spec.get("metadata", {})
+        metadata["name"] = metadata.get("name", target)
+
+        result = scan_server(tools, metadata)
+        if args.json_output:
+            _output_json(result)
+        else:
+            render_scan_result(result)
+    except ImportError:
+        console.print(f"[yellow]Registry module not available.[/]")
+        console.print(f"[dim]Provide a local JSON spec: trustpact scan server.json[/]")
+        sys.exit(1)
+    except Exception as e:
+        console.print(f"[red]Error fetching '{target}': {e}[/]")
+        sys.exit(1)
+
+
+def cmd_scan_json(args):
+    """Scan from piped JSON input (stdin)."""
+    try:
+        data = json.load(sys.stdin)
+    except json.JSONDecodeError as e:
+        console.print(f"[red]Invalid JSON input: {e}[/]")
+        sys.exit(1)
+
+    tools = data.get("tools", [])
+    metadata = data.get("metadata", data.get("server", {}))
+    if not metadata.get("name"):
+        metadata["name"] = "stdin"
+
+    result = scan_server(tools, metadata)
+
+    if args.json_output:
+        _output_json(result)
+    else:
+        render_scan_result(result)
+
+
+def _output_json(result: ScanResult):
+    """Output scan result as JSON."""
+    output = {
+        "target": result.target,
+        "trust_score": result.trust_score,
+        "trust_tier": result.trust_tier,
+        "recommendation": result.recommendation,
+        "dimensions": {
+            "trust_signals": result.dimensions.trust_signals,
+            "manipulation_risk": result.dimensions.manipulation_risk,
+            "protection_level": result.dimensions.protection_level,
+            "vulnerability_index": result.dimensions.vulnerability_index,
+            "context_modifier": result.dimensions.context_modifier,
+        },
+        "findings": [
+            {
+                "severity": f.severity,
+                "attack_class": f.attack_class,
+                "message": f.message,
+                "location": f.location,
+            }
+            for f in result.findings
+        ],
+        "tools_scanned": result.tools_scanned,
+        "scan_source": result.scan_source,
+    }
+    print(json.dumps(output, indent=2))
+
+
+def cmd_info(_args):
+    """Show AEGIS scoring info."""
+    _render_header()
+
+    console.print()
+    console.print("  [bold]AEGIS Trust Scoring[/] — 5-dimensional behavioral trust assessment")
+    console.print()
+
+    # Tier table
+    table = Table(title="Trust Tiers", box=box.ROUNDED, width=60)
+    table.add_column("Tier", width=12)
+    table.add_column("Score", width=8, justify="center")
+    table.add_column("Meaning", width=35)
+
+    tiers = [
+        ("SOVEREIGN", "95+", "Highest trust. Fully certified."),
+        ("SENTINEL",  "85+", "Proven track record."),
+        ("MASTER",    "65+", "Reliable with strong history."),
+        ("ADEPT",     "40+", "Functional, limited history."),
+        ("FELLOW",    "0+",  "New or unverified."),
+    ]
+    for tier, score, meaning in tiers:
+        style, stars = TIER_STYLES[tier]
+        table.add_row(Text(f"{stars} {tier}", style=style), score, meaning)
+    console.print(table)
+
+    console.print()
+    console.print("  [bold]Dimensions:[/]")
+    console.print("    Trust Signals (35%)       — metadata, docs, auth")
+    console.print("    Manipulation Risk (25%)   — poisoning patterns detected")
+    console.print("    Protection Level (15%)    — auth, scope, licensing")
+    console.print("    Vulnerability Index (15%) — critical exposure surface")
+    console.print("    Context Modifier (10%)    — runtime context signals")
+    console.print()
+
+    console.print("  [bold]Attack Classes:[/]")
+    classes = [
+        ("SIREN",   "Emotional manipulation / hidden instructions"),
+        ("PHANTOM", "Identity spoofing"),
+        ("HYDRA",   "Coordinated Sybil attacks"),
+        ("MIRAGE",  "Capability misrepresentation"),
+        ("LEECH",   "Resource / data extraction"),
+        ("CHIMERA", "Context-shifting / code injection"),
+    ]
+    for cls, desc in classes:
+        console.print(f"    [bold]{cls:8s}[/] {desc}")
+    console.print()
+
+    console.print("  [dim]trustpact.ai · AEGIS Trust Standard · Patent Provisional 63/928,604[/]")
+    console.print()
+
+
+def cmd_version(_args):
+    print(f"trustpact {__version__}")
+
+
+# ── Main ───────────────────────────────────────────────────────
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="trustpact",
+        description="TrustPact — Behavioral trust scanner for MCP servers",
+    )
+    sub = parser.add_subparsers(dest="command")
+
+    # scan
+    p_scan = sub.add_parser("scan", help="Scan an MCP server spec")
+    p_scan.add_argument("target", help="JSON spec file path or registry server name")
+    p_scan.add_argument("--json", dest="json_output", action="store_true",
+                        help="Output results as JSON")
+
+    # scan-stdin (for piping)
+    p_stdin = sub.add_parser("scan-stdin", help="Scan from piped JSON on stdin")
+    p_stdin.add_argument("--json", dest="json_output", action="store_true")
+
+    # info
+    sub.add_parser("info", help="Show AEGIS scoring methodology")
+
+    # version
+    sub.add_parser("version", help="Show version")
+
+    args = parser.parse_args()
+
+    commands = {
+        "scan": cmd_scan,
+        "scan-stdin": cmd_scan_json,
+        "info": cmd_info,
+        "version": cmd_version,
+    }
+
+    if args.command not in commands:
+        parser.print_help()
+        sys.exit(0)
+
+    commands[args.command](args)
+
+
+if __name__ == "__main__":
+    main()

trustpact-0.1.0/trustpact_verify/registry.py

@@ -0,0 +1,201 @@
+"""
+MCP Registry fetcher — pull server specs from public registries.
+
+Supports:
+- Local JSON spec files
+- mcp.run package registry (public API)
+- Smithery registry (smithery.ai)
+- Raw GitHub manifest files
+"""
+
+from __future__ import annotations
+
+import json
+import re
+from typing import Any
+
+import httpx
+
+TIMEOUT = 15.0
+
+# ── Registry endpoints ─────────────────────────────────────────
+
+MCP_RUN_API = "https://registry.mcp.run/packages"
+SMITHERY_API = "https://registry.smithery.ai/servers"
+
+
+def fetch_server_spec(name_or_url: str) -> dict[str, Any] | None:
+    """
+    Fetch an MCP server spec by name or URL.
+
+    Tries in order:
+    1. Direct URL (if it looks like a URL)
+    2. Smithery registry
+    3. mcp.run registry
+    """
+    if name_or_url.startswith("http://") or name_or_url.startswith("https://"):
+        return _fetch_url(name_or_url)
+
+    # Try Smithery first (has richer tool definitions)
+    spec = _fetch_smithery(name_or_url)
+    if spec:
+        return spec
+
+    # Try mcp.run
+    spec = _fetch_mcp_run(name_or_url)
+    if spec:
+        return spec
+
+    return None
+
+
+def _fetch_url(url: str) -> dict[str, Any] | None:
+    """Fetch a spec from a direct URL."""
+    try:
+        resp = httpx.get(url, timeout=TIMEOUT, follow_redirects=True)
+        resp.raise_for_status()
+        return resp.json()
+    except Exception:
+        return None
+
+
+def _fetch_smithery(name: str) -> dict[str, Any] | None:
+    """
+    Fetch from Smithery registry.
+    API: GET /servers?q=<name>
+    """
+    try:
+        resp = httpx.get(
+            SMITHERY_API,
+            params={"q": name, "pageSize": 5},
+            timeout=TIMEOUT,
+            follow_redirects=True,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+
+        servers = data.get("servers", data) if isinstance(data, dict) else data
+        if not isinstance(servers, list) or not servers:
+            return None
+
+        # Find exact or best match
+        server = None
+        for s in servers:
+            s_name = s.get("qualifiedName", s.get("name", ""))
+            if s_name.lower() == name.lower() or name.lower() in s_name.lower():
+                server = s
+                break
+        if not server:
+            server = servers[0]
+
+        # Normalize to our format
+        tools = server.get("tools", [])
+        metadata = {
+            "name": server.get("qualifiedName", server.get("name", name)),
+            "description": server.get("description", ""),
+            "repository": server.get("homepage", server.get("repository", "")),
+            "license": server.get("license", ""),
+            "tool_count": len(tools),
+            "source": "smithery",
+        }
+
+        # If tools aren't inline, try fetching detail endpoint
+        if not tools:
+            detail = _fetch_smithery_detail(server.get("qualifiedName", name))
+            if detail:
+                tools = detail.get("tools", [])
+                metadata["tool_count"] = len(tools)
+
+        return {"tools": tools, "metadata": metadata}
+
+    except Exception:
+        return None
+
+
+def _fetch_smithery_detail(qualified_name: str) -> dict | None:
+    """Fetch detailed server info from Smithery."""
+    try:
+        resp = httpx.get(
+            f"{SMITHERY_API}/{qualified_name}",
+            timeout=TIMEOUT,
+            follow_redirects=True,
+        )
+        resp.raise_for_status()
+        return resp.json()
+    except Exception:
+        return None
+
+
+def _fetch_mcp_run(name: str) -> dict[str, Any] | None:
+    """
+    Fetch from mcp.run registry.
+    """
+    try:
+        resp = httpx.get(
+            MCP_RUN_API,
+            params={"q": name},
+            timeout=TIMEOUT,
+            follow_redirects=True,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+
+        packages = data if isinstance(data, list) else data.get("packages", [])
+        if not packages:
+            return None
+
+        # Best match
+        pkg = None
+        for p in packages:
+            p_name = p.get("name", "")
+            if p_name.lower() == name.lower() or name.lower() in p_name.lower():
+                pkg = p
+                break
+        if not pkg:
+            pkg = packages[0]
+
+        tools = pkg.get("tools", [])
+        metadata = {
+            "name": pkg.get("name", name),
+            "description": pkg.get("description", ""),
+            "repository": pkg.get("repository", pkg.get("homepage", "")),
+            "license": pkg.get("license", ""),
+            "tool_count": len(tools),
+            "source": "mcp.run",
+        }
+
+        return {"tools": tools, "metadata": metadata}
+
+    except Exception:
+        return None
+
+
+def search_registry(query: str, limit: int = 20) -> list[dict[str, Any]]:
+    """
+    Search registries and return a list of server summaries.
+    """
+    results = []
+
+    # Smithery
+    try:
+        resp = httpx.get(
+            SMITHERY_API,
+            params={"q": query, "pageSize": min(limit, 50)},
+            timeout=TIMEOUT,
+            follow_redirects=True,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+        servers = data.get("servers", data) if isinstance(data, dict) else data
+        if isinstance(servers, list):
+            for s in servers[:limit]:
+                results.append({
+                    "name": s.get("qualifiedName", s.get("name", "?")),
+                    "description": s.get("description", "")[:100],
+                    "tools": len(s.get("tools", [])),
+                    "source": "smithery",
+                })
+    except Exception:
+        pass
+
+    return results[:limit]

trustpact-0.1.0/trustpact_verify/scanner.py

@@ -0,0 +1,309 @@
+"""
+AEGIS Trust Scanner — core analysis engine.
+
+Scans MCP server tool definitions and metadata for:
+- Tool poisoning patterns (hidden instructions in descriptions)
+- Schema manipulation (Full-Schema Poisoning)
+- Capability misrepresentation (MIRAGE)
+- Identity spoofing indicators (PHANTOM)
+- Resource extraction patterns (LEECH)
+- Sybil/coordination signals (HYDRA)
+"""
+
+from __future__ import annotations
+
+import re
+import json
+from dataclasses import dataclass, field
+from typing import Any
+
+
+# ── Threat patterns ──────────────────────────────────────────
+
+POISONING_PATTERNS = [
+    # Hidden instructions in tool descriptions
+    (r"(?i)ignore\s+(previous|prior|above|all)\s+(instructions?|prompts?|rules?)", "SIREN", "HIGH",
+     "Hidden instruction override detected in tool description"),
+    (r"(?i)you\s+(must|should|are required to)\s+", "SIREN", "MEDIUM",
+     "Directive language in tool description — potential manipulation"),
+    (r"(?i)do\s+not\s+(tell|inform|reveal|mention|disclose)", "SIREN", "HIGH",
+     "Secrecy instruction detected — likely tool poisoning"),
+    (r"(?i)system\s*prompt|system\s*message|<\s*system\s*>", "SIREN", "HIGH",
+     "System prompt injection attempt in tool description"),
+    (r"(?i)act\s+as\s+(if|though)?|pretend\s+(to\s+be|you)", "PHANTOM", "HIGH",
+     "Identity manipulation — tool tries to alter agent persona"),
+    (r"(?i)forward\s+.*(token|key|credential|password|secret)", "LEECH", "CRITICAL",
+     "Credential exfiltration attempt detected"),
+    (r"(?i)send\s+.*(data|info|content)\s+to\s+", "LEECH", "HIGH",
+     "Data exfiltration pattern — tool may leak information"),
+    (r"(?i)(http|https|ftp)://[^\s\"']+\.(ru|cn|tk|xyz)/", "LEECH", "MEDIUM",
+     "Suspicious external URL in tool description"),
+    (r"(?i)base64|eval\s*\(|exec\s*\(|__import__", "CHIMERA", "HIGH",
+     "Code execution pattern in tool description"),
+    (r"(?i)(override|bypass|disable)\s+(safety|security|filter|guard|restriction|protection|limit)", "CHIMERA", "CRITICAL",
+     "Safety bypass attempt detected"),
+]
+
+SCHEMA_RISKS = [
+    # Schema-level manipulation (Full-Schema Poisoning)
+    # Note: only match param NAMES that are inherently sensitive, not benign names
+    # that happen to contain substrings like "token" (e.g. pageToken, nextToken)
+    (r"(?i)^(password|api_?key|secret_?key|credential|private_?key|access_?token|auth_?token|bearer_?token)$", "LEECH", "HIGH",
+     "Tool parameter requests sensitive credentials"),
+    (r"(?i)^(webhook_?url|callback_?url|redirect_?uri|notify_?url|exfil)$", "LEECH", "MEDIUM",
+     "Tool accepts external callback URL — potential data exfiltration channel"),
+    (r"(?i)^(shell_?command|exec_?command|eval_?code|run_?script|execute|shell|eval_?expr)$", "CHIMERA", "HIGH",
+     "Tool parameter suggests arbitrary code execution"),
+]
+
+METADATA_RISKS = [
+    # Server-level signals
+    ("no_readme", "MIRAGE", "LOW", "No README or documentation — reduced transparency"),
+    ("no_license", "MIRAGE", "LOW", "No license specified — unclear usage terms"),
+    ("no_auth", "LEECH", "LOW", "No authentication required — open access server"),
+    ("excessive_tools", "MIRAGE", "MEDIUM", "Unusually high number of tools — possible capability inflation"),
+    ("stale_repo", "MIRAGE", "LOW", "Repository not updated in 90+ days"),
+]
+
+
+@dataclass
+class Finding:
+    """A single security finding from the scan."""
+    attack_class: str  # SIREN, PHANTOM, HYDRA, MIRAGE, LEECH, CHIMERA
+    severity: str      # CRITICAL, HIGH, MEDIUM, LOW
+    message: str
+    location: str = ""  # where in the server spec this was found
+    pattern: str = ""   # the matched pattern
+
+
+@dataclass
+class DimensionScores:
+    """AEGIS 5-dimensional trust breakdown."""
+    trust_signals: float = 50.0
+    manipulation_risk: float = 0.0   # 0 = no risk, 100 = extreme risk
+    protection_level: float = 50.0
+    vulnerability_index: float = 50.0  # 0 = not vulnerable, 100 = very vulnerable
+    context_modifier: float = 0.0      # -10 to +10
+
+
+@dataclass
+class ScanResult:
+    """Complete scan result for an MCP server or agent."""
+    target: str
+    trust_score: float = 50.0
+    trust_tier: str = "FELLOW"
+    dimensions: DimensionScores = field(default_factory=DimensionScores)
+    findings: list[Finding] = field(default_factory=list)
+    tools_scanned: int = 0
+    recommendation: str = "UNKNOWN"
+    scan_source: str = "static_analysis"
+
+    @property
+    def critical_count(self) -> int:
+        return sum(1 for f in self.findings if f.severity == "CRITICAL")
+
+    @property
+    def high_count(self) -> int:
+        return sum(1 for f in self.findings if f.severity == "HIGH")
+
+
+def _score_to_tier(score: float) -> str:
+    if score >= 95:
+        return "SOVEREIGN"
+    if score >= 85:
+        return "SENTINEL"
+    if score >= 65:
+        return "MASTER"
+    if score >= 40:
+        return "ADEPT"
+    return "FELLOW"
+
+
+def scan_tool_descriptions(tools: list[dict[str, Any]]) -> list[Finding]:
+    """Scan tool descriptions for poisoning patterns."""
+    findings = []
+    for tool in tools:
+        name = tool.get("name", "unknown")
+        desc = tool.get("description", "")
+
+        for pattern, attack_class, severity, message in POISONING_PATTERNS:
+            if re.search(pattern, desc):
+                findings.append(Finding(
+                    attack_class=attack_class,
+                    severity=severity,
+                    message=message,
+                    location=f"tool:{name}/description",
+                    pattern=pattern,
+                ))
+
+        # Check input schema for sensitive parameter names
+        # Match against param name only (not description) to avoid false positives
+        schema = tool.get("inputSchema", tool.get("input_schema", {}))
+        props = schema.get("properties", {})
+        for param_name, param_def in props.items():
+            for pattern, attack_class, severity, message in SCHEMA_RISKS:
+                if re.search(pattern, param_name):
+                    findings.append(Finding(
+                        attack_class=attack_class,
+                        severity=severity,
+                        message=message,
+                        location=f"tool:{name}/param:{param_name}",
+                        pattern=pattern,
+                    ))
+
+            # Also check param descriptions for HIGH-confidence poisoning only
+            # Param descriptions are less exploitable than tool descriptions,
+            # so only flag the most dangerous patterns (instruction override, secrecy, exfil)
+            param_desc = param_def.get("description", "")
+            if param_desc:
+                PARAM_DESC_PATTERNS = [
+                    POISONING_PATTERNS[0],  # ignore previous instructions
+                    POISONING_PATTERNS[2],  # do not tell/reveal
+                    POISONING_PATTERNS[3],  # system prompt injection
+                    POISONING_PATTERNS[5],  # forward credentials
+                    POISONING_PATTERNS[6],  # send data to
+                ]
+                for pattern, attack_class, severity, msg in PARAM_DESC_PATTERNS:
+                    if re.search(pattern, param_desc):
+                        findings.append(Finding(
+                            attack_class=attack_class,
+                            severity=severity,
+                            message=f"Param description: {msg}",
+                            location=f"tool:{name}/param:{param_name}",
+                            pattern=pattern,
+                        ))
+
+    return findings
+
+
+def scan_metadata(metadata: dict[str, Any]) -> list[Finding]:
+    """Scan server metadata for risk signals."""
+    findings = []
+
+    if not metadata.get("readme") and not metadata.get("description"):
+        findings.append(Finding("MIRAGE", "LOW",
+            "No README or documentation — reduced transparency",
+            location="server/metadata"))
+
+    if not metadata.get("license"):
+        findings.append(Finding("MIRAGE", "LOW",
+            "No license specified — unclear usage terms",
+            location="server/metadata"))
+
+    tool_count = metadata.get("tool_count", 0)
+    if tool_count > 25:
+        findings.append(Finding("MIRAGE", "MEDIUM",
+            f"Unusually high number of tools ({tool_count}) — possible capability inflation",
+            location="server/metadata"))
+
+    if not metadata.get("authentication"):
+        findings.append(Finding("LEECH", "LOW",
+            "No authentication documented",
+            location="server/metadata"))
+
+    return findings
+
+
+def calculate_score(findings: list[Finding], tools: list[dict], metadata: dict) -> ScanResult:
+    """Calculate AEGIS trust score from scan findings."""
+
+    # Start with base scores
+    dims = DimensionScores()
+
+    # ── Trust Signals (35%) ──
+    # Based on metadata quality
+    # When source is a registry, some fields may simply not be exposed
+    # Treat missing-but-not-applicable fields as neutral
+    source = metadata.get("source", "")
+    is_registry = source in ("smithery", "mcp.run")
+
+    has_readme = bool(metadata.get("readme") or metadata.get("description"))
+    has_license = bool(metadata.get("license"))
+    has_repo = bool(metadata.get("repository"))
+    has_auth = bool(metadata.get("authentication"))
+
+    signal_score = 30.0  # base
+    if has_readme:
+        signal_score += 20
+    if has_license:
+        signal_score += 15
+    elif is_registry:
+        signal_score += 8  # neutral — registry doesn't expose this
+    if has_repo:
+        signal_score += 20
+    if has_auth:
+        signal_score += 15
+    elif is_registry:
+        signal_score += 8  # neutral — registry doesn't expose this
+    dims.trust_signals = min(100, signal_score)
+
+    # ── Manipulation Risk (25%) ──
+    severity_weights = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}
+    risk_score = 0
+    for f in findings:
+        risk_score += severity_weights.get(f.severity, 0)
+    dims.manipulation_risk = min(100, risk_score)
+
+    # ── Protection Level (15%) ──
+    protection = 40.0  # base
+    if has_auth:
+        protection += 30
+    tool_count = len(tools)
+    if 1 <= tool_count <= 15:
+        protection += 20  # reasonable scope
+    if has_license:
+        protection += 10
+    dims.protection_level = min(100, protection)
+
+    # ── Vulnerability Index (15%) ──
+    vuln = 20.0  # base vulnerability
+    critical_findings = sum(1 for f in findings if f.severity == "CRITICAL")
+    high_findings = sum(1 for f in findings if f.severity == "HIGH")
+    vuln += critical_findings * 25
+    vuln += high_findings * 10
+    if not has_auth:
+        vuln += 10
+    dims.vulnerability_index = min(100, vuln)
+
+    # ── Context Modifier (10%) ──
+    dims.context_modifier = 0  # neutral for static analysis
+
+    # ── Overall Score ──
+    # Higher trust_signals and protection = better
+    # Higher manipulation_risk and vulnerability = worse
+    overall = (
+        dims.trust_signals * 0.35
+        + (100 - dims.manipulation_risk) * 0.25
+        + dims.protection_level * 0.15
+        + (100 - dims.vulnerability_index) * 0.15
+        + (50 + dims.context_modifier * 5) * 0.10
+    )
+    overall = max(0, min(100, overall))
+
+    tier = _score_to_tier(overall)
+
+    # Recommendation
+    if overall >= 70 and critical_findings == 0:
+        recommendation = "SAFE"
+    elif overall >= 40 and critical_findings == 0:
+        recommendation = "CAUTION"
+    else:
+        recommendation = "AVOID"
+
+    return ScanResult(
+        target=metadata.get("name", "unknown"),
+        trust_score=round(overall, 1),
+        trust_tier=tier,
+        dimensions=dims,
+        findings=findings,
+        tools_scanned=len(tools),
+        recommendation=recommendation,
+    )
+
+
+def scan_server(tools: list[dict[str, Any]], metadata: dict[str, Any]) -> ScanResult:
+    """Full scan pipeline: analyze tools + metadata, calculate score."""
+    findings = []
+    findings.extend(scan_tool_descriptions(tools))
+    findings.extend(scan_metadata(metadata))
+    return calculate_score(findings, tools, metadata)