The MCP trust boundary in the Phionyx runtime — descriptor signing, signed evidence envelopes, and a tamper-evident audit chain over third-party MCP tool calls.
phionyx-mcp-server sits between an MCP-capable host (Claude Desktop, Cursor, Zed,
VS Code, JetBrains) and any third-party MCP server it talks to, producing
tamper-evident evidence at every trust-boundary crossing. It closes a security gap
the MCP specification
(2025-11-25) explicitly
defers to implementors:
"MCP itself cannot enforce these security principles at the protocol level; implementors SHOULD..."
The threat surface is aligned with arXiv:2512.06556 (Jamshidi et al., Securing the Model Context Protocol) — tool poisoning, shadowing, rug pulls.
Phionyx ships three distinct things, each on its own version line — don't cross-attribute them:
- Engine —
phionyx-core: the deterministic governance runtime (46-block canonical pipeline, kill switch, HITL queue, ethics/safety gates, signed audit chain).pip install phionyx-core. - Gate —
phionyx-pipeline-mcp: an agent self-claim gate that verifies "I fixed / I tested / this changed" against the repository's actual diff. - Format — AI Runtime Evidence Protocol (AIREP): an experimental, vendor-neutral open format for an AI decision receipt — one signed, hash-chained, offline-checkable record per runtime decision, readable by anyone and tied to no vendor. AIREP is a proposed format, not a ratified standard. Phionyx's Reasoned Governance Envelope (RGE) is AIREP's reference producer (the first system that emits AIREP records; it matures by conforming).
This package is the outward MCP trust boundary — it produces signed, hash-chained evidence over third-party MCP tool calls. The envelopes it emits are RGE records (a Phionyx profile of AIREP). It interoperates with the gate through a shared session trace, so both governance surfaces share one view.
v0.2.0. Five of eight capabilities are fully implemented; three are explicit
stubs that return structured not_implemented markers (callers can detect server
maturity). The two load-bearing capabilities — descriptor verification and
tool-call audit — are live. Envelopes follow RGE v0.2 (Reasoned Governance
Envelope), the Phionyx profile of AIREP.
| # | Capability | Status |
|---|---|---|
| 1 | Tool descriptor hash | ✅ implemented |
| 2 | Descriptor change detection | ✅ implemented |
| 3 | Tool permission scope | 🟡 envelope field populated; policy logic stub |
| 4 | Tool call I/O hash | ✅ implemented |
| 5 | User approval state | 🟡 envelope field populated; UX surface stub |
| 6 | Runtime anomaly record | 🟡 records to the audit side-log; drift scoring stub |
| 7 | Signed evidence envelope | ✅ implemented (RGE v0.2) |
| 8 | Chain verification command | ✅ implemented (phionyx-mcp verify-chain) |
pip install phionyx-mcp-server
phionyx-mcp --helpAdd to your MCP-capable host (Claude Desktop example):
{
"mcpServers": {
"phionyx-governance": { "command": "phionyx-mcp-server" }
}
}The host then sees four production MCP tools:
verify_tool_descriptor(descriptor, baseline_hash)— hash and compare against an approved baseline (full descriptor, includingprotocolVersion).record_tool_call(turn_index, user_text, producer, …, trace_id=None)— emit a signed RGE v0.2 envelope.trace_idis optional; resolved fromPHIONYX_TRACE_IDor~/.phionyx/active_trace.verify_chain_integrity(trace_id=None)— walk the chain, refuse mixed schemas.query_audit_history(trace_id=None, limit=50)— replay envelopes for review.
Plus three stub tools returning structured not_implemented markers.
When installed alongside phionyx-pipeline-mcp, the two servers share a single
trace_id per session, so one session's evidence spans both governance surfaces:
PHIONYX_TRACE_IDenv var → highest precedence.PHIONYX_ACTIVE_TRACE_FILE(default~/.phionyx/active_trace) → file fallback.- The first caller generates a UUID-derived trace and persists it.
phionyx-mcp head --trace trace-abc123 # current chain head
phionyx-mcp verify-chain --trace trace-abc123 # walk + verify the chain
phionyx-mcp show --trace trace-abc123 --turn 7 # show one envelopeThe CLI exits 0 on a valid chain, 1 on tamper/break, 2 on invocation error.
Envelopes are written under $PHIONYX_MCP_AUDIT_ROOT (default ~/.phionyx/mcp_audit/):
<root>/<trace_id>/chain.jsonl (append-only index)
<root>/<trace_id>/<turn:06d>.json (full canonical-JSON envelope)
Swap the persistence layer by passing an alternative EnvelopeStore-protocol
implementation (S3, DynamoDB, …).
Envelopes conform to RGE v0.2 (Reasoned Governance Envelope), the Phionyx
profile of the AI Runtime Evidence Protocol (AIREP). The signature
covers all envelope content except the self-referential
mcp_tool_audit.signed_envelope_ref. The schema, RFC, and worked examples ship in
this repository.
pip install -e .
pytest -qThe suite pins descriptor-hash semantics (full descriptor including
protocolVersion), RGE v0.2 schema conformance (jsonschema Draft 2020-12), and
hash-chain integrity (tamper, reorder, and mixed-schema detection).
- Engine — phionyx-core on PyPI
- Gate — phionyx-pipeline-mcp
- Evidence format — AI Runtime Evidence Protocol (AIREP)
- Runtime narrative — phionyx.ai
AGPL-3.0-or-later.