MCP Tools Reference
AEGIS MCP Server -- Model Context Protocol interface for agentic AI governance.
AEGIS MCP Server -- Model Context Protocol interface for agentic AI governance.
The AEGIS MCP server exposes governance gates as MCP tools that AI agents (Claude Code, Codex, custom agents) can call to evaluate proposals before taking action.
Hosted MCP Endpoint
AEGIS provides a hosted MCP endpoint on GCP Cloud Run. No local installation required — connect any MCP-compatible client directly.
| Environment | Endpoint |
|---|---|
| Production | https://aegis-mcp-980022636831.us-central1.run.app/mcp |
Authentication uses a Bearer token (same API key from the portal).
Claude Code (.mcp.json)
{
"mcpServers": {
"aegis": {
"type": "streamable-http",
"url": "https://aegis-mcp-980022636831.us-central1.run.app/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}Replace YOUR_API_KEY with your API key from the
portal.
Health Check
The /health route is public (no authentication required):
curl https://aegis-mcp-980022636831.us-central1.run.app/healthLocal MCP Server (stdio)
For local development or air-gapped environments, run the MCP server locally via stdio.
Claude Code Integration
pip install -e ".[mcp]"Add a .mcp.json to the project root (preferred — portable and version-controllable):
{
"mcpServers": {
"aegis": {
"type": "stdio",
"command": "aegis-mcp-server"
}
}
}Or add to your project's .claude/settings.json:
{
"mcpServers": {
"aegis-governance": {
"command": "aegis-mcp-server",
"args": []
}
}
}This exposes 7 tools to Claude Code: aegis_evaluate_proposal,
aegis_quick_risk_check, aegis_check_thresholds, aegis_get_scoring_guide,
aegis_crypto_status, aegis_list_decisions, and aegis_get_decision.
Starting the Server
The MCP server uses the official MCP Python SDK (FastMCP) and supports two transports:
aegis-mcp-server # stdio (default, for Claude Code)
aegis-mcp-server --transport streamable-http --port 8080 # HTTP (ECS/hosted)In production (ECS Fargate), the server runs with streamable-http behind an internal ALB, exposed publicly via API Gateway HTTP API with Unkey Bearer token authentication. A /health endpoint is available for container and load-balancer health checks.
Rate Limiting
The server includes a token bucket rate limiter (CoSAI MCP-T10 compliance).
- Default: 60 requests per minute
- Configurable via
AegisConfig.mcp_rate_limit - Set to 0 to disable
- Exceeding the limit returns an error in the tool response
Audit Logging
Every aegis_evaluate_proposal invocation is logged with:
- SHA-256 hash of parameters (first 16 hex chars, PII-safe)
- Decision status
- Latency in milliseconds
- Caller ID (from
agent_idargument)
Tools
aegis_evaluate_proposal
Full governance gate evaluation via pcw_decide(). Evaluates a proposal through
all six quantitative gates (Risk, Profit, Novelty, Complexity, Quality, Utility)
and returns a structured decision with per-gate details and rationale.
Required parameters:
| Parameter | Type | Description |
|---|---|---|
proposal_summary | string | Brief description of the proposed action |
estimated_impact | string | Impact level: low, medium, high, critical |
Optional parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
risk_score | number | 0.0 | Alias for risk_proposed (0.0-1.0) |
risk_proposed | number | 0.0 | Predicted risk after change (0.0-1.0) |
risk_baseline | number | 0.0 | Current risk level (0.0-1.0). Gate triggers when risk doubles vs baseline with 95% Bayesian confidence. |
profit_proposed | number | 0.0 | Expected profit/performance after change |
profit_baseline | number | 0.0 | Current profit/performance metric |
novelty_score | number | 0.5 | How unprecedented the proposal is (0.0-1.0). Gate passes when novelty >= ~0.74. Logistic inflection at 0.7. |
complexity_score | number | 0.5 | Normalized complexity where HIGHER = SIMPLER (0.0-1.0). Hard floor at 0.5: below this the proposal HALTs and CANNOT be overridden. |
quality_score | number | 0.7 | Overall proposal quality (0.0-1.0). Must be >= 0.7. |
quality_subscores | array[number] | [0.7, 0.7, 0.7] | Detailed quality subscores. None may be zero. |
agent_id | string | "unknown" | Identifier of the calling agent |
session_id | string | (auto UUID) | Session identifier for correlation |
phase | string | "plan" | Lifecycle phase: plan, commit, work |
shadow_mode | boolean | false | Shadow mode: gates evaluate but results are advisory only. Requires Professional tier or higher. |
telemetry_url | string | (none) | HTTPS URL for structured telemetry events |
drift_baseline_data | array[number] | (none) | 30+ historical observations for KL divergence drift detection |
requires_human_approval | boolean | false | Whether this proposal requires human approval |
time_sensitive | boolean | false | Whether this proposal is time-sensitive |
reversible | boolean | true | Whether this proposal is reversible |
metadata | object | {} | Additional key-value metadata |
change_type | string | "feature" | Type of change: feature, refactor, bugfix, config. Non-feature types skip novelty and profit gates. |
Utility auto-synthesis: If
utility_resultis not provided (the common case), the MCP server auto-synthesizes it fromprofit_baseline/profit_proposedusing symmetric PERT three-point estimation (±20% spread) with a profit delta epsilon clamp of 0.001. This matches CLI and REST API behaviour — all three surfaces produce identical utility gate results for the same inputs.
Response fields:
| Field | Type | Description |
|---|---|---|
status | string | Decision: proceed, pause, halt, escalate |
confidence | number | Minimum confidence across all gates |
gates_passed | number | Count of passing gates |
gates_failed | number | Count of failing gates |
failing_gates | array[string] | Names of failed gates |
rationale | string | Human-readable decision rationale |
next_steps | array[string] | Recommended next actions |
constraints | array[string] | Active constraints |
decision_id | string | Unique decision UUID |
timestamp | string | ISO 8601 UTC timestamp |
override_eligible | boolean | Whether override is possible |
override_requires | array[string] | Roles needed for override |
gates | object | Per-gate detail (value, threshold, confidence, message) |
aegis_quick_risk_check
Quick risk threshold check (risk_score < threshold).
Warning: This is a simplified check without Bayesian evaluation. For
governance decisions, use aegis_evaluate_proposal instead.
Required parameters:
| Parameter | Type | Description |
|---|---|---|
action_description | string | Brief description of the action to risk-check |
risk_score | number | Estimated risk score (0.0-1.0) |
Optional parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
threshold | number | 0.5 | Risk threshold. Score below this is considered safe. |
agent_id | string | "unknown" | Identifier of the calling agent |
Response fields:
| Field | Type | Description |
|---|---|---|
safe | boolean | true if risk is below threshold |
risk_score | number | The evaluated risk score |
threshold | number | The threshold used |
aegis_check_thresholds
Introspect all six gate thresholds and current configuration. Call this before submitting proposals to understand gate behavior and parameter values.
Parameters: None required.
Response fields:
| Field | Type | Description |
|---|---|---|
gates | array | Array of 6 gate definitions with name, type, threshold, description |
config | object | Full AegisConfig as dict |
aegis_get_scoring_guide
Get domain-specific parameter derivation guidance. Returns formulas, range guides, common mistakes, and worked examples showing how to map domain metrics to AEGIS parameters.
Recommended workflow:
aegis_check_thresholds— understand gate configurationaegis_get_scoring_guide(domain)— get derivation formulas for your domainaegis_evaluate_proposal(...)— submit with derived values
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | No | Domain for tailored guidance. One of: trading, cicd, moderation, agents, generic. Defaults to generic if omitted or unrecognized. |
Response fields:
| Field | Type | Description |
|---|---|---|
domain | string | The domain returned |
domain_description | string | Brief description of the domain context |
parameters | object | Per-parameter guidance with description, derivation, formula, example, and range_guide |
common_mistakes | array[string] | Domain-specific pitfalls (e.g., complexity inversion, novelty pass direction) |
worked_example | object | Complete scenario with input JSON and expected_gates results |
Available domains:
| Domain | Use Case | Key Metric |
|---|---|---|
trading | Algorithmic trading, portfolio changes | VaR / position limit |
cicd | CI/CD pipelines, deployments | Error rate, rollback rate |
moderation | Content moderation, safety filters | False positive rate |
agents | Autonomous AI agents | Task failure rate |
generic | Any domain (default) | General-purpose guidance |
aegis_crypto_status
Check availability of all AEGIS cryptographic providers (signatures, encryption, key management). Returns which providers are installed and active.
Parameters: None.
Response fields:
| Field | Type | Description |
|---|---|---|
signatures.hybrid | boolean | Ed25519 + ML-DSA-44 hybrid available |
signatures.bip322 | boolean | BIP-322 Schnorr available |
signatures.ed25519 | boolean | Ed25519 (deprecated) available |
encryption.hybrid_kem | boolean | X25519 + ML-KEM-768 + AES-256-GCM available |
post_quantum.ml_dsa | boolean | ML-DSA-44 signatures available |
post_quantum.ml_kem | boolean | ML-KEM-768 encryption available |
key_management.aws_kms | boolean | AWS KMS envelope encryption available |
key_management.hsm_pkcs11 | boolean | PKCS#11 HSM key wrapping available |
schema_signing.available | boolean | AMTSS schema signer package installed |
default_provider | string | Active signature provider: bip322-simple, ed25519, or none |
kek_provider | string | Best available KEK provider: kms, hsm, or environment |
documentation_url | string | Link to crypto documentation |
aegis_list_decisions
List governance decisions for the current customer. Returns recent decisions with status, confidence, proposal summary, and gate results.
Parameters:
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
month | string | No | Current month | YYYY-MM filter for decision history |
limit | integer | No | 50 | Maximum decisions to return (max 200) |
customer_id | string | No | From env var | Override customer ID |
Response fields:
| Field | Type | Description |
|---|---|---|
decisions | array | Array of decision summaries |
decisions[].decision_id | string | Unique decision UUID |
decisions[].status | string | Decision outcome: proceed, pause, halt, escalate |
decisions[].confidence | number | Minimum confidence across all gates |
decisions[].proposal_summary | string | Brief description of the proposal |
decisions[].timestamp | string | ISO 8601 UTC timestamp |
decisions[].gates_passed | integer | Count of passing gates |
decisions[].gates_failed | integer | Count of failing gates |
total | integer | Total decisions matching the filter |
month | string | The YYYY-MM filter applied |
aegis_get_decision
Get a specific governance decision by ID. Returns the full decision record including input context, all gate results, rationale, next steps, and audit hash.
Parameters:
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
decision_id | string | Yes | -- | UUID of the decision to retrieve |
month | string | No | Current month | YYYY-MM of the decision (improves lookup performance) |
customer_id | string | No | From env var | Override customer ID |
Response fields:
| Field | Type | Description |
|---|---|---|
decision_id | string | Unique decision UUID |
status | string | Decision outcome: proceed, pause, halt, escalate |
confidence | number | Minimum confidence across all gates |
proposal_summary | string | Brief description of the proposal |
estimated_impact | string | Impact level: low, medium, high, critical |
timestamp | string | ISO 8601 UTC timestamp |
rationale | string | Human-readable decision rationale |
next_steps | array[string] | Recommended next actions |
gates | object | Per-gate evaluation details (value, threshold, confidence, message) |
constraints | array[string] | Active constraints |
override_eligible | boolean | Whether override is possible |
override_requires | array[string] | Roles needed for override |
audit_hash | string | SHA-256 hash of the decision record for tamper detection |
input_context | object | Original input parameters submitted with the proposal |
Integration with MCP Clients
Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"aegis-governance": {
"command": "aegis-mcp-server",
"args": []
}
}
}Custom MCP Clients
Connect via stdio using the MCP Python SDK:
from mcp import ClientSession
from mcp.client.stdio import StdioServerParameters, stdio_client
params = StdioServerParameters(command="aegis-mcp-server", args=[])
async with stdio_client(params) as (read, write):
async with ClientSession(read, write) as session:
await session.initialize()
result = await session.call_tool(
"aegis_evaluate_proposal",
arguments={
"proposal_summary": "Add caching layer",
"estimated_impact": "medium",
"risk_score": 0.2,
"complexity_score": 0.7,
},
)Security
SSRF Protection
Telemetry URLs provided via telemetry_url are validated with a
resolve-then-validate approach:
- DNS resolution is performed first to catch DNS rebinding
- Private, loopback, link-local, reserved, and CGNAT addresses are blocked
- Only
https://schemes are accepted in production
Input Validation
- All numeric parameters reject
NaN,Inf, and-Inf - Boolean parameters reject non-boolean types (prevents Python truthiness confusion)
estimated_impactis validated as a string enum- The
validate_float()helper preserves legitimate falsy values like0and0.0