Tag

#llm

847 results found

SAIHM โ€” Sovereign AI Horizontal Memory
@SAIHM-Admin

What this is A sovereign, encrypted, sharable, persistent memory protocol for AI agents. A Model Context Protocol server that exposes eight tools any MCP-capable AI agent (Claude Code, Claude Desktop, custom agents) can call to gain a persistent, encrypted memory layer the user owns: saihm_remember โ€” store an encrypted memory cell saihm_recall โ€” retrieve and decrypt your memories saihm_forget โ€” true cryptographic erasure (GDPR Art. 17) saihm_status โ€” your protocol-runtime stats and storage tier dashboard saihm_share / saihm_revoke_share โ€” selectively share a memory with another agent or user saihm_governance_propose / saihm_governance_vote โ€” protocol governance via gSAIHM Each tool forwards to a SAIHM operator endpoint that runs the full protocol stack on COTI V2 mainnet. The server itself holds no crypto, no storage, and no protocol runtime โ€” those live behind the operator endpoint. Tool reference Tool Title Behavior saihm_remember Remember writes a new memory cell saihm_recall Recall read-only; safe to repeat saihm_forget Forget (GDPR erasure) destructive โ€” irreversible erasure saihm_status Status read-only saihm_share Share writes a sharing contract saihm_revoke_share Revoke share withdraws a grant saihm_governance_propose Propose (governance) opens a proposal saihm_governance_vote Vote (governance) casts a vote Each tool carries MCP annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) and a human-readable title, so MCP hosts can gate confirmations and agents can select the right tool at reasoning time. Companion package This package speaks MCP. For production client-side cryptography โ€” post-quantum sealing, authenticated sharing, and provable erasure performed on your own machine so the operator stays blind โ€” pair it with @saihm/client-pro. See it run Runnable, one-command demos ground a memory you own in every major model โ€” Claude, GPT, DeepSeek, Qwen, Kimi, GLM โ€” then prove you can erase it, alongside drop-in adapters for LangChain, LlamaIndex, CrewAI, AutoGen, and LangGraph. Each runs offline in about a minute; no account needed. Live demos: https://citw2.github.io/saihm-demos/ demo-claude-code wires this server into Claude Code and Cursor as an MCP server. Measured โ€” up to ~86% fewer context tokens. Most agents re-send their entire transcript every turn, so context spend grows ~O(Nยฒ) over a session; recalling a bounded set of memory cells instead cut input tokens by 62.8%โ€“85.9% across a realistic multi-session coding task. The benchmark is open, offline, and deterministic โ€” reproduce the number rather than trust it: git clone https://github.com/citw2/saihm-token-benchmark cd saihm-token-benchmark && npm install && node benchmark.mjs Install npm install @saihm/mcp-server # or run directly without install: npx @saihm/mcp-server Configure The server needs two env vars: SAIHM_ENDPOINT_URL=https://operator.example.com/mcp SAIHM_AUTH_HEADER=Bearer <token-issued-by-your-operator> SAIHM_ENDPOINT_URL โ€” the SAIHM operator endpoint. Operators publish their endpoint URLs at https://saihm.coti.global. SAIHM_AUTH_HEADER โ€” the Authorization header value the operator expects (typically a Bearer <token> issued to you after key-bound enrolment). The server is authentication-agnostic and never transmits raw private keys; the operator's enrolment flow keeps your signing key on your machine. Place these in a .env file alongside the server (the .gitignore excludes all .env* files from any future repo). Wire into Claude Code { "mcpServers": { "saihm": { "command": "npx", "args": ["@saihm/mcp-server"], "env": { "SAIHM_ENDPOINT_URL": "https://operator.example.com/mcp", "SAIHM_AUTH_HEADER": "Bearer <token>" } } } } What gets persisted, where The server itself persists nothing. The operator endpoint runs the full protocol stack: cells are encrypted under a per-cell DEK, sealed by a per-agent KEK, persisted to the operator's configured durable storage, and audited on COTI V2 mainnet. See the operator's documentation for tier details, and Storage is the operator's responsibility (by design) below. Storage is the operator's responsibility (by design) For operators โ€” read this first. SAIHM does not hard-wire your durable storage to any single provider, and it does not silently provision storage for you. Choosing and configuring where cells are persisted is your job, on purpose. This is a deliberate design choice for operator convenience and data sovereignty โ€” not a missing feature. If memory writes fail with a storage error, it almost always means the backend has not been configured yet. Why it works this way: Provider sovereignty. You decide where your tenants' encrypted cells live. The protocol never locks you to one vendor or one network. Local-first, then deep-archive. A typical operator routes writes to a local IPFS (Kubo) node first โ€” fast, authoritative, and under your own control โ€” and then asynchronously to a Filecoin deep-archive provider such as Pinata, Synapse, or Lighthouse. The same content addressing spans both tiers. Your memory and your tenants' take the same path. Whatever backend you configure serves both the operator's own memory and every tenant's โ€” there is no separate hidden sink hard-coded to one provider. What you configure (your operator deployment guide lists the exact settings): a reachable IPFS / Kubo endpoint (a local node is recommended) for the authoritative low-latency tier, and credentials for at least one Filecoin / IPFS pinning provider for durable deep-archive. If neither is configured, the endpoint has nowhere durable to put cells and will reject writes rather than lose data. That refusal is intentional. Prefer not to run storage yourself? Join SAIHM. You have two paths, and either is fine: Run your own operator endpoint and configure the storage backend as described above โ€” full sovereignty, your infrastructure. Join the hosted SAIHM operator and let it provide durable storage for you. It runs blind / non-custodial: paired with client-side sealing (see @saihm/client-pro and @saihm/mcp-server-pro), it only ever stores ciphertext and never holds your keys โ€” so you get managed storage without giving up custody. Enrol via Join SAIHM at https://saihm.coti.global (a paid hosted service). Reporting engine A reporting library is bundled as a sub-export, so operators can compose the eight MCP calls into bespoke reports with their own tooling (no extra dependency, no extra service): import { validateBespokeTemplate, registerTemplate, generateRegistryAttestation, StubPublicRegistry, InMemoryReportingRuntime, GDPR_ART15_FIELDS, REGISTRY_ATTESTATION_FIELDS, type BespokeReportTemplate, } from "@saihm/mcp-server/reporting"; What it covers Field universe (FIELD_UNIVERSE) โ€” 280 fields (262 framework + 18 ledger). Templates that project a field outside this set are rejected at validation. Bespoke template schema โ€” zod validator + universe-membership check + scope/cap enforcement. Authorization path validators โ€” 4 paths: public / self / operator-self / operator-for-downstream. Receipt emission โ€” 6 sub-kinds (report_generated / report_rejected / template_registered / template_superseded / erasure_chain_broken / rate_limit_exceeded) under a stable, domain-separated receipt namespace. Framework smoke โ€” registry-attestation (public auth) for end-to-end plumbing verification. Constraints Every fieldProjections[] entry MUST be in FIELD_UNIVERSE. scope.customerIdHashes 64-hex; max 10,000 per template. scope.timeRange window โ‰ค 366 days. fieldProjections length 1โ€“200. framework โˆˆ {gdpr-art-15, gdpr-art-17, soc2-t1, soc2-t2, iso27001, aml, audit-export, billing-history, registry-attestation}. format โˆˆ {pdfa3, json, csv}. Worked example const template: BespokeReportTemplate = { templateId: "acme-q1-summary", templateVersion: 1, operatorIdHash: "ab".repeat(32), scope: { customerIdHashes: ["cd".repeat(32)], timeRange: { from: "2026-01-01T00:00:00Z", to: "2026-04-01T00:00:00Z" }, }, framework: "gdpr-art-15", fieldProjections: [GDPR_ART15_FIELDS[0], GDPR_ART15_FIELDS[1]], format: "pdfa3", }; const v = validateBespokeTemplate(template); if (!v.valid) throw new Error(v.errors.join(", ")); const runtime = new InMemoryReportingRuntime(); // replace with your audit-ledger runtime const reg = await registerTemplate(template, runtime); if (reg.ok) console.log("registered:", reg.templateHash); In production, replace InMemoryReportingRuntime with a runtime that persists audit payloads to your operator's audit ledger. Operators who inject signature verifiers should use pure-crypto libraries (@noble/curves for EIP-712, @noble/post-quantum for FIPS 204 ML-DSA) โ€” the package itself bundles no EVM tooling. Security The server enforces a small set of defaults so misconfiguration cannot leak the Authorization header in transit: HTTPS-only endpoints. SAIHM_ENDPOINT_URL must use https://. Plain http:// is rejected at construction time, except for 127.0.0.1 and localhost (so a local operator endpoint works during development). Per-call abort window. Each request runs under an AbortController that aborts after 30s, preventing a hung endpoint from starving the MCP server. Response-size cap. Responses whose Content-Length exceeds 16 MB are rejected before deserialisation. No header echo. Authorization is never included in thrown error messages or stdout. No filesystem reads. The package never reads from disk; configuration flows entirely through env vars. Zero EVM tooling. No ethers, no eth_*, no Solidity. If operators inject signature verifiers via AuthVerifiers, they should use pure-crypto libraries (@noble/curves, @noble/post-quantum). Trust model: this client trusts whatever endpoint the operator configures. Cell IDs, audit anchors, and report receipts returned from that endpoint are surfaced to the agent verbatim โ€” operators are the authority for content shown via saihm_recall. Verifying receipts against COTI V2 mainnet anchors is out of scope for this server; consume the cellId and auditCellId fields and verify against your own SAIHM mainnet read path. For distribution integrity, each release carries the npm registry signature; verify with npm audit signatures (and inspect npm view @saihm/mcp-server --json | jq .dist). Dependencies The published npm package has a minimal runtime surface: Dependency License Role Node.js (โ‰ฅ 20.x) MIT Runtime @modelcontextprotocol/sdk MIT MCP SDK; binds the eight-tool surface TypeScript Apache-2.0 Build-time only tsx MIT TypeScript runner for tests + CLI No copyleft, no proprietary dependencies. Cryptographic primitives at the operator-endpoint layer (ML-DSA-65 / Ed25519 / key derivation) are not bundled into this MCP server; operators implementing the protocol stack are recommended to use @noble/post-quantum and @noble/curves (MIT) rather than rolling custom code. Achievements OpenSSF Best Practices Passing badge โ€” project 12898, 100% Passing criteria (2026-05-19). https://www.bestpractices.dev/projects/12898 IETF Independent Submission Stream โ€” draft-saihm-memory-protocol-01 (2026-05-27) is In ISE Review in the Independent Submission Stream. It is not an Internet Standard, is not endorsed by the IETF, and has no formal standing in the IETF standards process. https://datatracker.ietf.org/doc/draft-saihm-memory-protocol/ npm registry โ€” @saihm/mcp-server@0.3.4 published (2026-06-22) adds a conspicuous "Storage is the operator's responsibility (by design)" section โ€” documenting BYO storage and the Join-SAIHM hosted, non-custodial option. 0.3.3 (2026-06-22) was a documentation release that states the Independent-Submission status precisely (no implied IETF endorsement) and cross-references the companion package @saihm/client-pro. 0.3.2 (2026-06-22) corrected the documented operator-endpoint path to /mcp (the canonical SAIHM_ENDPOINT_URL path) across the README and client comments. 0.3.1 (2026-05-28) was a metadata patch that sources the MCP serverInfo.version from package.json (was hardcoded "0.1.0" from 0.1.0 through 0.3.0). 0.3.0 (also 2026-05-28) aligned the saihm_status response shape with draft-saihm-memory-protocol-01 ยง3.4 (full eight-field schema: prs, bfsi, bfsi_window_start_ts, bfsi_R, bfsi_M, shards, contracts, governance). 0.2.0 (also 2026-05-28) aligned the cell-tuple response shape with ยง2.1; 0.1.3 was the OpenSSF Best Practices Passing badge release (2026-05-19). MCP Registry / Glama โ€” server listed for discovery (2026-05-16). Roadmap A 12-month roadmap is maintained in the project's AAIF proposal and will be mirrored to https://saihm.coti.global/roadmap with the v0.2.x release. Near-term tracks: 2026-Q2 โ€” Operator-endpoint reference implementation; OpenSSF Silver pursuit (governance, code-of-conduct, DCO, signed releases, coverage tooling, assurance case). 2026-Q3 โ€” First 2โ€“3 external organization deployments; formal AAIF Project Proposal submission when adoption blockers clear. 2026-Q4 โ€” NIST AI RMF crosswalk public review; EU AI Act compliance-checklist generator. OpenSSF Silver award (target). 2027-Q1 โ€” Independent-stream (ISE) RFC publication, subject to RFC-Editor review โ€” not an IETF-consensus standard; v1.0 reference implementation. License Apache-2.0 โ€” see LICENSE. Project Site: https://saihm.coti.global Issue tracker: https://github.com/SAIHM-Admin/saihm-mcp/issues Security: see SECURITY.md for private vulnerability disclosure Contributing: see CONTRIBUTING.md and CODE_OF_CONDUCT.md Governance: see GOVERNANCE.md Changelog: see CHANGELOG.md

5 days ago
PQC Khepra MCP Server: Agentic Security Attestation Framework
@NouchiX

KHEPRA MCP Server smithery badge MCP Registry License Container PQC Sovereign compliance engine with 36,195 STIG/CCI/NIST/CMMC mappings. Air-gappable. Zero token costs. Run ert_scan โ†’ get a Godfather Report with dollar-denominated business impact. The only MCP compliance server that runs on your metal โ€” with the World's First DoD PQC STIG built in. PQC-01-STIG-V1R1 โ€” Full Whitepaper โ†’ 17 controls covering CNSA 2.0, FIPS 203/204/205, and the NSA's May 2026 MCP security advisory. The world's first DoD-style Post-Quantum Cryptography STIG, including the first PQC controls for agentic AI and MCP deployments. Tiers Tier License Key Tools Telemetry Egress Community โŒ Not required pqc_stig + 12 core tools Opt-in Dark Crypto Intel Zero (sovereign mode) Sovereign โœ… Required All 34 tools Zero Zero Pharaoh โœ… Required All 34 tools + priority support Zero Zero Community tier is free. Run pqc_stig to assess your project's quantum readiness against PQC-01-STIG-V1R1 โ€” the World's First DoD-style Post-Quantum Cryptography STIG โ€” no license key needed. What It Does KHEPRA MCP connects your AI assistant directly to a hardened compliance engine. Ask Claude or any MCP client to scan a system, map findings to STIG/NIST/CMMC controls, and generate an executive-ready risk report โ€” all without sending data to external APIs. Key capabilities: 36,195 STIG/CCI/NIST 800-53/800-171/CMMC mappings (offline, bundled) Post-quantum cryptographic attestation on every tool call (ML-DSA-65 / FIPS 204) World's First DoD PQC STIG โ€” 17 controls covering CNSA 2.0 / FIPS 203/204/205 + agentic AI / MCP (PQC-01-STIG-V1R1) Godfather Report: dollar-denominated business impact per finding (FAIR model) Air-gap and SCIF compatible โ€” sovereign/ironbank modes make zero egress calls Flat annual licensing โ€” no per-token or per-query charges Runs on your metal: on-prem, DoD, IC, classified environments Installation There are two delivery methods: Docker (recommended, no build required) and compiled binary (fastest startup, required for air-gap). Both support the same environment variables and all MCP clients. Choose your path: Method Best For Startup Docker Most users, easiest setup ~2s Compiled Binary Air-gap, SCIF, performance ~300ms Option A: Docker (Recommended) Requires Docker Desktop or Docker Engine. The image is pre-built and ships the full compliance database โ€” no additional downloads in sovereign mode. # Pull once docker pull ghcr.io/nouchix/pqc-khepra-mcp:latest # Test it (should print the initialize response and exit) echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}},"id":0}' \ | docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest Option B: Compiled Binary Requires Go 1.21+ for building, or download a pre-built release from GitHub Releases. git clone https://github.com/nouchix/PQC-Khepra-MCP.git cd PQC-Khepra-MCP # Build (cross-compile for your OS) go build -o khepra-mcp ./cmd/khepra-mcp # Linux / macOS go build -o khepra-mcp.exe ./cmd/khepra-mcp # Windows # Test the binary echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}},"id":0}' \ | KHEPRA_MODE=sovereign ./khepra-mcp Windows โ€” using the batch launcher The repo ships a run-mcp.bat launcher for Windows. It uses the pre-built binary (fast path) and falls back to go run automatically: :: run-mcp.bat is already in the repo at the root of PQC-Khepra-MCP :: Point your MCP client to: cmd /c C:\path\to\PQC-Khepra-MCP\run-mcp.bat Adding to Your AI Client Claude Desktop Config file location: macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json Linux: ~/.config/Claude/claude_desktop_config.json Community tier โ€” Docker (macOS / Linux) { "mcpServers": { "khepra": { "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "-v", "/var/lib/khepra:/var/lib/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Community tier โ€” Docker (Windows) { "mcpServers": { "khepra": { "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "-v", "C:\\Users\\YourName\\.khepra:/var/lib/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Community tier โ€” Binary (Windows, fastest startup) { "mcpServers": { "khepra": { "command": "C:\\path\\to\\PQC-Khepra-MCP\\khepra-mcp.exe", "args": [], "env": { "KHEPRA_MODE": "sovereign", "KHEPRA_NETWORK_POLICY": "lan", "MCP_PQC_ENABLED": "true", "KHEPRA_MANIFEST_PATH": "C:\\path\\to\\PQC-Khepra-MCP\\manifest.json" } } } } Community tier โ€” Binary via batch launcher (Windows) { "mcpServers": { "khepra": { "command": "cmd", "args": ["/c", "C:\\path\\to\\PQC-Khepra-MCP\\run-mcp.bat"], "env": { "KHEPRA_MODE": "sovereign", "KHEPRA_NETWORK_POLICY": "lan", "MCP_PQC_ENABLED": "true" } } } } Sovereign / Pharaoh tier (with license key) { "mcpServers": { "khepra": { "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_LICENSE_KEY", "-e", "KHEPRA_MODE=sovereign", "-v", "/var/lib/khepra:/var/lib/khepra", "-v", "/var/log/khepra:/var/log/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ], "env": { "KHEPRA_LICENSE_KEY": "YOUR_LICENSE_KEY_HERE" } } } } After editing, restart Claude Desktop. Verify in Settings โ†’ Developer โ€” you should see khepra with status running and all tools listed. Cursor Config file: .cursor/mcp.json in your project root, or ~/.cursor/mcp.json globally. Docker (macOS / Linux) { "servers": { "khepra": { "type": "stdio", "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "-v", "/var/lib/khepra:/var/lib/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Binary (macOS / Linux) { "servers": { "khepra": { "type": "stdio", "command": "/path/to/khepra-mcp", "args": [], "env": { "KHEPRA_MODE": "sovereign", "KHEPRA_MANIFEST_PATH": "/path/to/PQC-Khepra-MCP/manifest.json" } } } } Binary (Windows) { "servers": { "khepra": { "type": "stdio", "command": "C:\\path\\to\\PQC-Khepra-MCP\\khepra-mcp.exe", "args": [], "env": { "KHEPRA_MODE": "sovereign", "KHEPRA_MANIFEST_PATH": "C:\\path\\to\\PQC-Khepra-MCP\\manifest.json" } } } } VS Code (with GitHub Copilot or Cline extension) Config file: .vscode/mcp.json in your project, or user settings. { "servers": { "khepra": { "type": "stdio", "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "-v", "${env:HOME}/.khepra:/var/lib/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Or via user settings.json for the Cline extension: { "cline.mcpServers": { "khepra": { "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Windsurf Config file: ~/.codeium/windsurf/mcp_config.json { "mcpServers": { "khepra": { "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "-v", "/var/lib/khepra:/var/lib/khepra", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } } Continue.dev Config file: ~/.continue/config.json โ€” add to the experimental.modelContextProtocolServers array: { "experimental": { "modelContextProtocolServers": [ { "name": "khepra", "transport": { "type": "stdio", "command": "docker", "args": [ "run", "--rm", "-i", "-e", "KHEPRA_MODE=sovereign", "ghcr.io/nouchix/pqc-khepra-mcp:latest" ] } } ] } } Cloud / SaaS AI Tools (Claude.ai, ChatGPT, Gemini, etc.) Cloud-based AI tools cannot directly spawn local subprocesses โ€” they need an HTTP/SSE bridge to reach your local KHEPRA server. There are two approaches: Approach 1 โ€” mcp-remote proxy (easiest, no server required) mcp-remote tunnels a local stdio MCP server over HTTPS, making it accessible to any cloud tool. This is what the Kaggle MCP entry in the config above uses. # Install once npm install -g mcp-remote # Start the bridge (exposes your local KHEPRA server at https://localhost:3000) KHEPRA_MODE=sovereign mcp-remote \ --server "docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest" \ --port 3000 Then in Claude.ai (or any cloud tool that accepts MCP SSE URLs): MCP Server URL: http://localhost:3000/sse Security note: mcp-remote binds to localhost by default. Do not expose it to the public internet without TLS and authentication. In sovereign/ironbank mode, KHEPRA itself makes zero egress calls โ€” only the bridge connection to the cloud tool carries data. Approach 2 โ€” Self-hosted HTTP/SSE endpoint For teams running KHEPRA on a shared server (e.g., Hostinger VPS at IP_ADDRESS), start the server in HTTP mode: # On your server โ€” start KHEPRA in HTTP/SSE mode docker run -d \ -e KHEPRA_MODE=hybrid \ -e KHEPRA_HTTP_PORT=8443 \ -e KHEPRA_LICENSE_KEY="${KHEPRA_LICENSE_KEY}" \ -p 8443:8443 \ ghcr.io/nouchix/pqc-khepra-mcp:latest # Point your cloud tool to: # https://your-server.com:8443/sse Then configure any cloud AI tool that supports MCP SSE: Cloud Tool Where to add MCP URL Claude.ai (Pro/Team) Settings โ†’ Integrations โ†’ MCP Servers OpenAI Assistants API tools field with type: "mcp" Gemini for Workspace Extensions โ†’ Custom MCP (preview) Glama.ai Workspace โ†’ MCP Servers Smithery.ai Catalog โ†’ Self-hosted server Note: HTTP/SSE mode (hybrid/edge) enables external connections. Always terminate TLS at a reverse proxy (nginx/Caddy) and restrict access by IP or API key. The sovereign mode refuses HTTP connections by design โ€” air-gap integrity is preserved. Approach 3 โ€” Smithery / MCP Registry (Community tier only) KHEPRA is listed on Smithery.ai and the MCP Registry. Cloud tools that support registry-based discovery can install it directly: Registry ID: io.github.nouchix/pqc-khepra-mcp This runs the Community tier via Smithery's managed infrastructure. For sovereign deployment (air-gap, your data stays on your metal), use Options A or B above. Validation โ€” Test Your Installation Run this from your terminal to verify the server responds correctly: # Docker echo '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}' \ | docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest # Binary (Linux / macOS) echo '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}' \ | KHEPRA_MODE=sovereign ./khepra-mcp # Binary (Windows PowerShell) '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}' \ | & ".\khepra-mcp.exe" Expected output: a JSON-RPC response listing all available tools. If you see "tools": [...] with 12+ entries โ€” you're connected. Full protocol validation (Windows) # Runs the complete Claude Desktop handshake sequence and validates all responses .\scripts\test-mcp-handshake.ps1 -BinaryPath ".\khepra-mcp.exe" # Expected output: # [PASS] initialize | protocolVersion=2025-11-25 | listChanged=False # [PASS] tools/list | count=34 # TRL-10 READY - Server passes full Claude Desktop protocol validation MCP Tools Community Tier (Free โ€” No License Key) pqc_stig โ€” World's First DoD PQC STIG โญ Assesses a source code directory against PQC-01-STIG-V1R1: 12 controls covering CNSA 2.0 algorithm approval, ML-DSA-65 key strength, ML-KEM-768 encapsulation, hybrid cryptography, key storage, constant-time implementation, and certificate chain requirements. pqc_stig(scan_path?: string, profile?: "quick" | "full" | "executive") Example: "Run pqc_stig on my project and tell me if I'm CNSA 2.0 compliant" nist_map Map CCI identifiers or STIG findings to NIST 800-53 Rev 5 controls. khepra_query_stig Query the 36,195-row STIG/CCI/NIST/CMMC compliance database by control ID. dark_crypto_contribute (opt-in) Contribute anonymized cryptographic algorithm telemetry to the SouHimBou AI Dark Crypto Intelligence Network. No PII. Opt-in only โ€” never fires without explicit invocation. Sovereign / Pharaoh Tier ert_scan Enterprise Risk & Threat scan across STIG, NIST 800-53, NIST 800-171, CMMC, and FedRAMP. Returns Godfather Report with dollar-denominated business impact. ert_scan(target: string, frameworks?: string[], output_format?: "godfather" | "json" | "csv") Example: "Run ert_scan on /etc and generate a Godfather Report" stig_check Automated RHEL-09-STIG-V1R3 compliance scan against a live system or configuration path. cmmc_assess Full CMMC Level 1, 2, or 3 assessment with gap analysis and POA&M generation. godfather_report Generate an executive Godfather Report from prior scan results: top 10 findings ranked by dollar exposure, remediation ROI, and FAIR model business impact. + 20 additional tools agent_record, dag_attestation, flight_export, khepra_get_dag_chain, nhi_inventory, acp_status, owasp_agent_assess, khepra_export_attestation, khepra_export_poam, khepra_get_compliance_score, ert_crypto, ert_readiness, stig_benchmark, ir_analysis, vuln_hunter, sbom_generate, threat_model, khepra_query_threat_intel, discover_assets, and more. The Godfather Report Unlike compliance scanners that output a wall of CVEs, KHEPRA translates findings into the language executives care about: Finding: RHEL-09-212030 โ€” No FIPS-validated crypto on /etc/ssh Severity: CAT I (HIGH) Business Impact: $2.4M estimated breach exposure (FAIR model) Remediation Cost: $800 (4 hours engineer time) ROI: 3,000x Every finding includes control ID, framework mapping, business impact in dollars, remediation cost estimate, and ROI. Deployment Modes Mode Air-Gap Egress Telemetry Use Case sovereign โœ… Yes Zero Zero On-prem, SCIF, classified (DEFAULT) ironbank โœ… Yes Zero Zero DoD/IC production, FIPS-only hybrid โŒ No LAN Zero Edge + cloud coordination edge โŒ No Unrestricted Zero Fully stateless SaaS Set via KHEPRA_MODE environment variable. Unknown values are rejected at startup and fall back to sovereign (fail-closed). Environment Variables Variable Required Default Description KHEPRA_LICENSE_KEY Sovereign/Pharaoh only โ€” License key. Community tier runs without one. Get at nouchix.com KHEPRA_MODE No sovereign Deployment mode: sovereign, ironbank, hybrid, edge KHEPRA_MANIFEST_PATH No manifest.json Path to signed tool manifest file KHEPRA_HOME No /var/lib/khepra Data and compliance DB directory KHEPRA_LOG_DIR No /var/log/khepra Log directory KHEPRA_DAG_PATH No ~/.khepra/dag DAG audit chain storage path KHEPRA_AUDIT_LOG_PATH No ~/.khepra/audit.ndjson Signed audit log path KHEPRA_MAX_CONCURRENT No 5 Max concurrent tool calls per agent KHEPRA_NETWORK_POLICY No lan Network scope: lan, none, unrestricted MCP_PQC_ENABLED No true Enable ML-DSA-65 PQC attestation on all responses Air-Gap & SCIF Deployment KHEPRA makes zero external network calls in sovereign and ironbank modes: License validated offline via ML-DSA-65 signed license.adinkhepra file Compliance databases (36,195 mappings) bundled in container โ€” no external downloads No telemetry, no heartbeat, no egress โ€” verified at the transport layer # Transfer image to air-gapped network docker save ghcr.io/nouchix/pqc-khepra-mcp:latest | gzip > khepra-mcp.tar.gz # On air-gapped host: docker load < khepra-mcp.tar.gz Note on telemetry: The dark_crypto_contribute tool (Community tier) sends anonymized cryptographic algorithm telemetry to the SouHimBou AI intelligence network only when explicitly invoked by the user. It is never triggered automatically. In sovereign/ironbank mode, all network calls are blocked at the transport layer regardless. Compliance Coverage Framework Version Mappings STIG (RHEL 9) V1R3 Automated scanning NIST 800-53 Rev 5 2,120 CCIs NIST 800-171 Rev 2 320 controls CMMC Level 3 Full practice set FedRAMP High Baseline scanning PQC-01-STIG-V1R1 V1R1 17 PQC controls (CNSA 2.0) Total 36,195+ mappings Licensing Flat annual licensing โ€” no per-token or per-query charges. Tier Cost License Key Tools Community Free Not required pqc_stig + 12 core tools Sovereign Annual flat fee Required All 34 tools, air-gap, on-prem Pharaoh Annual flat fee Required All 34 tools + priority support + SLA Community tier is permanently free โ€” contribute to open-source PQC adoption Sovereign/Pharaoh: contact contact@nouchix.com or visit nouchix.com Security Reporting Vulnerabilities Do not open public issues for security vulnerabilities. Report privately via GitHub Security Advisories or email support@nouchix.com. SLA Target Acknowledgement 24 hours Initial assessment 5 business days Patch / mitigation (Critical) 30 days We accept encrypted reports via PGP (keys/security_contact.asc) and Post-Quantum channels (Dilithium / ML-DSA-65 keys in keys/). See SECURITY.md for the full disclosure policy and ASAF event taxonomy. Security Posture Deploying advanced post-quantum cryptography, air-gapped isolation, and comprehensive STIG mappings โ€” built in direct alignment with NSA & ASD Model Context Protocol guidelines. NSA & ASD MCP Security Alignment The NSA and Australian Signals Directorate (ASD) have published specific threat vectors for AI systems interacting with local environments. KHEPRA MCP is explicitly designed to mitigate every identified vector: NSA/ASD Requirement KHEPRA Implementation Cryptographic validation of tool responses ML-DSA-65 (Dilithium) signatures on all JSON-RPC 2.0 payloads Input validation & sanitization Parameter injection resistance via strict JSON Schema validation Principle of least privilege credentials Short-lived ephemeral tokens tied to specific task execution windows Comprehensive audit logging Tamper-evident events compiled into an immutable DAG structure Resource consumption limits Rate limiting + backpressure for LLM request loops Authorization gates for sensitive actions Human-in-the-loop gate for destructive state changes Environment isolation Containerized execution with zero-egress sovereign mode Software supply chain integrity Manifest pinning for all loaded tools and dependencies Network exposure reduction Air-gappable โ€” zero internet transit in sovereign/ironbank modes Post-quantum resilience PQC-signed DAG trail protecting against harvest-now-decrypt-later Compliance Certifications Framework Status Coverage CMMC Level 2 โœ… Automates evidence collection for AU, CM, SI, SC domains NIST SP 800-171 Rev 2 โœ… Logging, accountability, system integrity NIST SP 800-53 Rev 5 โœ… Continuous monitoring (AU-2, SI-4) FIPS 203 (ML-KEM) โœ… Key encapsulation for secure transit FIPS 204 (ML-DSA) โœ… Digital signatures for payload authentication NSM-10 PQC Mandate โœ… National Security Memorandum 10 compliance DFARS 252.204-7012 โœ… Immutable forensic trails for cyber incident reporting NSA MCP Security Guidelines โœ… Direct mapping to all published AI agent threat mitigations Live Deployment โ€” Physical Edge Running continuously on constrained edge hardware since May 12, 2026 to prove efficiency in sovereign environments: Hardware: Raspberry Pi 2 ยท 1 GB RAM ยท 900 MHz ARM ยท Live Spectrum Router SCADA Pod: STM32U585 / QRB2210 ยท Modbus TCP ยท MQTT ยท Zephyr RTOS 3.4+ ยท Live Dilithium Signature Verification Controls active: 3 open ports secured ยท 12 STIG violations detected ยท 100% file integrity monitoring (AIDE) ยท 24/7 continuous operation Academic Validation Event Date Institution UAlbany AI Plus Symposium 2026 โ€” "KHEPRA Protocol: Quantum-Resilient Agentic

a month ago
//beforeyouship โ€” LLM Cost Modeling From Your Editor
@Indiegoing

Query realistic LLM cost models without leaving your editor. beforeyouship models the **true monthly cost** of an LLM app architecture โ€” retries, prompt caching, batch discounts, infra overhead, and 3ร—/10ร— growth โ€” across GPT-5.x, Claude, Gemini, DeepSeek, and more. Not a token calculator: a planning tool for the design phase, before you commit to a stack. **No API key needed to try it** โ€” demo mode covers the six free-tier models. A Pro key from [beforeyouship.dev](https://beforeyouship.dev) unlocks the full 18-model catalog. ## What you can ask - "How much will a RAG chatbot cost at 10,000 requests/day?" - "Compare Claude Haiku vs Gemini Flash pricing for my workload" - "What's the cheapest model for a multi-step agent at scale?" - "Show me current per-token prices for Anthropic models" ## Tools ### `estimate_cost` Full cost model for an architecture at a given usage level. Returns Naive / Realistic / Worst Case monthly cost per model, 3ร—/10ร— growth scenarios, and an opinionated recommendation with reasoning. ### `get_model_prices` Current per-1M-token pricing โ€” input, output, cached input, batch โ€” with context windows and staleness metadata. ### `list_archetypes` Seven preset architecture patterns (simple chatbot, chatbot with history, RAG pipeline, multi-model router, coding assistant, document processor, multi-step agent) used as starting points for estimates. ## Setup **Claude Code:** โ€‹```bash claude mcp add --transport http beforeyouship https://beforeyouship.dev/api/mcp โ€‹``` **Cursor / other clients** โ€” add a remote server: โ€‹```json { "mcpServers": { "beforeyouship": { "type": "streamable-http", "url": "https://beforeyouship.dev/api/mcp" } } } โ€‹``` Add an `Authorization: Bearer bys_...` header with a Pro key for the full catalog. ## Try it > Estimate the monthly cost of a RAG pipeline at 10,000 requests/day

a month ago
Verify Action
@Armada735

Verify AI agent tool calls with content-addressed, HMAC-attested receipts. Free third-party verification API for AI agents. Call verify_action(claim, evidence) to get an independent integrity check on whether your claimed action matches the actual evidence. Useful for catching silent failures: incorrect SQL operations, file-op mismatches, API call inconsistencies, and code-diff scope creep. Five specialized verifier kinds: - code_diff: verb / path / identifier coherence with unified diff - db_op: row delta + SQL operation + ID match - file_op: existence state + line/size delta - api_call: request body and response status coherence - generic: conservative fallback Returns: - aar_verdict: verified | contradicted | insufficient_evidence | unsafe_to_verify - verdict: ok | mismatch | uncertain (legacy 3-value alias) - reasoning, confidence - receipt: verify_action_receipt.v0 with HMAC-SHA256 signature, content-addressed via SHA-256 hashes of claim and evidence Cross-vendor: works with Claude Code, Cursor, Cline, Codex, Codeium, and any MCP-compatible harness. Stateless, per-request, no API key, no registration. Pure Python stdlib (no pip install). Anonymized telemetry only โ€” no PII, no model fingerprint, no raw claim/evidence retention. Honest scope: this is a small reference implementation, not a canonical inter-vendor standard. v0 receipts use HMAC-SHA256 (symmetric, single-issuer); v1 with ed25519 + multi-issuer is on the roadmap. The hosted endpoint has no SLA โ€” self-host for stability (git clone && ./start.sh). 90-day probe with explicit kill criteria. If adoption appears, v1 schema work begins. If response is null, the null is itself a publishable data point.

2 months ago
Lexicon
@Nadine

3 months ago
Petro Mcp
@Groundwork Analytics LLC

petro-mcp โ€” Petroleum Engineering MCP Server petro-mcp exposes petroleum engineering workflows to Claude and other MCP-compatible LLMs through natural language. Instead of writing Python scripts, just ask your AI assistant. Capabilities (80+ tools across the full upstream workflow): - Well Logs (LAS): Parse LAS files, extract curves and headers, compute Vshale, porosity (density, neutron-density, sonic, effective), water saturation (Archie, Simandoux, Indonesian), permeability (Timur, Coates), and net pay. - Decline Curve Analysis: Arps exponential/hyperbolic/harmonic fits, advanced models (Duong, PLE, SEPD), EUR calculation, Monte Carlo EUR distributions, bootstrap confidence intervals, probabilistic forecasts, price sensitivities. - Rate Transient Analysis (RTA): Agarwal-Gardner, Blasingame, NPI, flowing material balance, normalized rate, sqrt-time, material balance time, permeability estimation, radius of investigation. - Production Analytics: CSV production data queries, trend analysis, anomaly detection (shut-ins, rate jumps, water breakthrough, GOR blowouts), producing ratios (GOR, WOR, water cut). - PVT & Reservoir: Black-oil correlations (Standing, Beggs-Robinson, Hall-Yarborough, Lee-Gonzalez-Eakin, Sutton), brine PVT, bubble point, oil compressibility, gas Z-factor, volumetric OOIP/OGIP, recovery factors, Havlena-Odeh, P/Z analysis. - Drilling & Wellbore: Hydrostatic pressure, ECD, kill mud weight, MAASP, burst/collapse pressure, bit pressure drop, nozzle TFA, annular velocity, dogleg severity, vertical section, well survey, anticollision, wellbore tortuosity. - Production Engineering: Nodal analysis (Vogel IPR + VLP), Beggs-Brill multiphase flow, choke flow, erosional velocity, Turner/Coleman critical rates, hydrate temperature/inhibitor, ICP/FCP, HPT. - Economics: NPV, IRR, payout period, PV10, breakeven price, well economics, operating netback, price sensitivity. - Units: Oilfield unit conversions across pressure, rate, volume, length, density, viscosity, and more. Why petro-mcp? Purpose-built for petroleum engineers. Other energy MCP servers focus on commodity prices; this one runs the actual engineering calculations โ€” log interpretation, decline analysis, reservoir engineering, drilling, production, and economics โ€” all through plain English. Install: pip install petro-mcp โ†’ configure in Claude Desktop โ†’ ask away. Links: GitHub: https://github.com/petropt/petro-mcp ยท PyPI: https://pypi.org/project/petro-mcp/ ยท Web tools: https://tools.petropt.com License: MIT ยท Author: Groundwork Analytics

3 months ago