Server data from the Official MCP Registry
Live internet-censorship signals: Great Firewall reachability, model-layer censorship, takedowns.
Live internet-censorship signals: Great Firewall reachability, model-layer censorship, takedowns.
Remote endpoints: streamable-http: https://api.seiche.info/palimpsest/mcp
Valid MCP server (1 strong, 0 medium validity signals). No known CVEs in dependencies. Imported from the Official MCP Registry.
3 tools verified · Open access · No issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Remote Plugin
No local installation needed. Your AI client connects to the remote endpoint directly.
Add this to your MCP configuration to connect:
{
"mcpServers": {
"io-github-beepboop2025-palimpsest": {
"url": "https://api.seiche.info/palimpsest/mcp"
}
}
}From the project's GitHub README.
A public, tamper-evident record of what powerful actors quietly erase, and a way for anyone to prove, offline, that not one entry was changed after it was published.
Palimpsest is one primitive, a sealed append-only ledger you can verify without trusting us, pointed at two places where the record gets rewritten in the dark:
Built entirely from open sources. It watches the censor, never the censored.
git clone https://github.com/beepboop2025/palimpsest && cd palimpsest
python3 scripts/verify_eval_registry.py # the eval chain + the pre-registration rule
python3 scripts/verify_ledger.py # the erasure / censorship ledger
No install, no key, no server, standard library only. Change one sealed byte and the verifier names the break. That is the entire idea: you do not have to trust the operator, you check.
Or watch it run live: the observatory (the live censorship signals), the Verifiable Eval Registry, and the Generative Firewall Index. A ten-second, zero-dependency taste:
python3 demo/palimpsest_demo.pypulls the live China Digital Times feed and ranks what the censor is focused on right now (--source sampleruns offline).

The registry, live. Chinese state-aligned and Western frontier models on the same frozen probes, every run sealed and pre-registered, chain intact. The drift panel has already caught a real event: one Western model newly refusing a benign legal question its peers answer.

The observatory headline: the Censorship Fear Index (one auditable 0–100 number), the top censor target, and the reachable selectivity and novelty signals. Velocity is shown suppressed, never faked. Representative data.
Two different kinds of evidence are becoming load-bearing, and both live in files the publishing side can edit after the fact.
AI evaluations. Every serious safety claim about a frontier model now routes through evals. Labs decide whether to ship on eval results, responsible-scaling policies trigger on them, and regulators are starting to cite them. Yet the results sit in ordinary web pages, PDFs, and git repos the publisher controls. If a capability number later becomes inconvenient, the cheapest response is a quiet revision. Nobody has to lie; the page just changes, and no outsider can prove it ever said anything different.
Authoritarian censorship. Before roughly 2013 a deletion often left a mark you could see and count. Today it usually does not: a post simply stops existing, with no notice and nothing left behind. For the people it hurts most, that silence is the point. What a state rushes to delete is also one of the clearest readings of what it actually fears. Every deletion is a kind of confession.
Both problems have the same shape: the before state is unprovable. Palimpsest makes it provable. Seal the record when it is published, and any later edit, deletion, reorder, or cherry-pick becomes detectable by anyone, forever, without trusting the person who sealed it.
The central claim is that the published record cannot be revised after the fact. Here is exactly what enforces that, who each layer defends against, and, crucially, what none of it can do. A trust claim without a threat model is marketing; the full model is in docs/INTEGRITY.md.
| # | Layer | What it proves | Who must be defeated to fake it |
|---|---|---|---|
| 1 | Hash chain (core/sealed_ledger.py, core/eval_registry.py) | No entry was altered, reordered, or dropped within the file. The registry additionally rejects any run whose probe set was not frozen earlier in the chain. | Nobody. Anyone holding the file recomputes it offline, stdlib only. |
| 2 | Merkle root + inclusion proofs (scripts/prove_inclusion.py) | One 64-char value fingerprints the whole record; any single result verifies against it in log₂(N) hashes. | Same as layer 1, without needing the whole chain. |
| 3 | Public git history | Every refresh is a timestamped commit on a public repo. Rewriting it needs a force-push, visible to anyone with a clone or fork. | GitHub, plus everyone who ever cloned. |
| 4 | Internet Archive snapshots (scripts/anchor_roots.py) | A dated third-party copy of the exact chain bytes, outside our infrastructure and jurisdiction. | The Internet Archive. |
| 5 | OpenTimestamps / Bitcoin (scripts/anchor_roots.py) | The roots existed no later than a Bitcoin block time; .ots proofs verify against the chain, not against us. | Bitcoin's proof-of-work. |
| 6 | Independent witness (ops/witness/) | A from-scratch reimplementation on separate infrastructure re-verifies the served chains and checks every previously seen head is still there. Detects split views and retroactive rewrites, and alerts. | Every running witness, at once and retroactively. |
Layers 1–2 are self-verification, and are built and tested today. Layers 3–6 exist for the one adversary self-verification cannot stop, an operator who rewrites the whole file and re-serves it, including us. The anchoring step (4–5) is wired into the refresh pipeline; the witness (6) is a single stdlib file anyone can run.
What it does not protect against, stated plainly: lying at capture time (the chain preserves a false reading faithfully, so probes are pre-registered and raw responses are hashed for re-runs); the short window between sealing and the first external anchor; suppression by omission (mitigated by an open, cron-scheduled pipeline that abstains loudly rather than skipping silently); and endpoint compromise (an attacker could append false new entries, but still cannot rewrite old ones without tripping layers 3–6). The honest limits are the point, and they live in docs/INTEGRITY.md.
A public, tamper-evident record of AI-model evaluations. See docs/EVAL-REGISTRY.md.
scripts/verify_eval_registry.py reports the break.python3 scripts/verify_eval_registry.py # chain integrity + the pre-registration rule
python3 scripts/prove_inclusion.py 5 # inclusion proof for a single sealed result
Live: palimpsest.info/readings/eval-registry.html.
Continuous, quantified measurement of content-layer censorship: what gets deleted, how selectively, how fast, and what is newly sensitive. It fills the gap between network-layer measurement (OONI, GreatFire, Citizen Lab) and hand-documented deletion lists (China Digital Times); it ingests their public data and shares its own back.
The method: treat the censor as a sensor. Palimpsest archives a public post the moment it appears, then returns to see whether it survived. From the stream of disappearances it computes the Deletion-Differential Threat Index (DDTI):
| Signal | Question it answers |
|---|---|
| Selectivity | What is being targeted, which terms and topics draw censor attention. |
| Novelty | Which sensitive terms are surfacing for the first time, or bursting after quiet. |
| Velocity | How fast posts are deleted. A sudden acceleration signals an event being contained. |
The DDTI distils into a single, auditable 0–100 Censorship Fear Index, how hard is the state working to bury things right now, reported component by component, never a black box.
Validated by retrodiction. Run against six documented events (Li Wenliang, Peng Shuai, the
Sitong Bridge protest, the White Paper protests, and more), the scorer ranks the correct term
first every time and flags event-born euphemisms as novel from only a handful of deletions.
Reproduce it: PYTHONPATH=. python3 scripts/validate_ddti.py. See
docs/VALIDATION.md and the method in docs/METHODOLOGY.md.
palimpsest.info is self-updating public infrastructure. Five independent signals refresh on their own schedules via GitHub Actions on this repo, so every run, its code, and its output are publicly auditable (the badges above are live run status). No hidden server publishes.
| Signal | What it measures | Cadence | Feed |
|---|---|---|---|
| DDTI | Ranked censored terms with threat / attention / novelty, from public deletion streams | Every 3 hours | readings/ddti-latest.json |
| Generative Firewall | Refusal and state-narrative substitution rates of state-aligned LLMs vs a control | Daily | readings/latest.json |
| GDELT cross-signal | "Censored at home, loud abroad": global news volume on the terms China is deleting | Every 6 hours | readings/gdelt-latest.json |
| GitHub-as-Refuge | Takedown pressure on mirrors of censored material (996.ICU, nCovMemory, more), against persisted baselines | Every 12 hours | readings/github-refuge-latest.json |
| Wayback Reconstruction | Deletions and silent redactions of watched Chinese URLs, recovered from the Internet Archive's capture timeline with archive-witnessed timestamp brackets | Every 12 hours | readings/wayback-latest.json |
Every value is provenance-tracked to its source document, and a signal abstains rather than fabricates when its source returns nothing. Nothing is published without evidence. Researcher docs, schemas, and citation (BibTeX) are at palimpsest.info/for-researchers.
It generalises beyond China. The method is country-agnostic; what changes per information space
is the lexicon. China ships today; Iran loads from config alone (the Woman-Life-Freedom-era starter
lexicon). Adding a country is a gazetteer plus a registry entry, not a rewrite. See
config/regions/.
| Component | State |
|---|---|
| Sealed ledger + hash chain (erasure + eval registry) | Built, tested — offline-verifiable, stdlib only |
| Verifiable Eval Registry (frozen questions, pre-registration rule) | Built, tested — live readings published |
| Cross-lab frontier refusal-drift audit (OpenAI / Anthropic / Meta / Mistral) | Built, tested — sealed in the registry |
| Merkle roots + inclusion proofs | Built, tested |
| Root anchoring (Internet Archive + OpenTimestamps / Bitcoin) | Built; wired into the refresh pipeline |
| Independent witness (separate-infra re-verification) | Built — one stdlib file, run it yourself |
| CDT deletion ingestion + DDTI (selectivity + novelty) | Live — auto-published every 3h |
| Censorship Fear Index (one auditable number) | Built, tested |
| Retrodiction validation (6/6 documented events) | Built, tested |
| Generative Firewall — refusal / party-line tomography of state-aligned LLMs | Live — auto-published daily (hosted-API layer) |
| GDELT cross-signal · GitHub-as-Refuge | Live — auto-published (6h / 12h) |
| Wayback Reconstruction — deletion brackets + silent redactions from the Internet Archive's CDX timeline | Live — auto-published every 12h |
| Evidence-grounded Chinese gazetteer (154 terms, phylogeny) + self-evolving euphemism discovery | Built, tested |
| Cross-region packs (China + Iran, config-driven) · censorship forecaster | Built, tested |
| UNDERTEXT tomography · CDN-edge · Blocklist archaeology · Silence detection · Baike redaction-diff | Built, tested (live source injection gated, inert) |
| Governance: kill-switch, rate ceiling, hash-chained audit | Built, tested |
| Real-time velocity at minute resolution | Needs in-country / seam measurement (retroactive velocity now ships via Wayback) |
Velocity was the honest blocker on the censorship side: from outside the wall, the moment a post dies is unobservable. The Wayback Reconstruction vantage now recovers it retroactively from open egress, reading the Internet Archive's capture timeline so every deletion is published as an explicit archive-witnessed bracket (last seen alive to first seen gone), never a false-precise instant. What still needs in-country or seam vantage is real-time velocity at minute resolution. The method built for that, UNDERTEXT many-vantage differential observation (disagreement between vantage points is the signal), is built and tested here; what scaling adds is the vantage backends. See docs/UNDERTEXT.md.
See SAFETY.md and docs/ETHICS.md. In short: public data only; nobody
inside China is ever asked to act; a deletion is never claimed lightly (the detector probes a
known-live control post each cycle and suppresses all deletion writes when the network is
unreliable); the sensitive-terms gazetteer is human-authored and never delegated to a Beijing-aligned
model; and no state-aligned model is ever the analyst. Every figure ships with its uncertainty and
known biases stated openly. Those rules are enforced in code (core/governance.py), not just
documented.
# Zero-dependency demo (recommended first run), no venv needed:
python3 demo/palimpsest_demo.py # live CDT pull + ranking
python3 demo/palimpsest_demo.py --source sample # offline deletion demo
# Verify the sealed records (stdlib only, no install):
python3 scripts/verify_eval_registry.py # eval chain + pre-registration rule
python3 scripts/verify_ledger.py # the erasure ledger
python3 scripts/prove_inclusion.py 5 # inclusion proof for one attestation
python3 ops/witness/palimpsest_witness.py # become an independent witness
# Pure, offline cores (no database):
PYTHONPATH=. python3 scripts/validate_ddti.py # retrodiction backtest (6/6 events)
PYTHONPATH=. python3 scripts/fear_index_demo.py # Fear Index across documented events
PYTHONPATH=. python3 scripts/forecaster_demo.py # the censorship forecaster (a "called shot")
# Tests:
python3 -m venv .venv && source .venv/bin/activate && pip install -r requirements.txt
PYTHONPATH=. python3 -m pytest tests/ censorwatch/tests/ -q # 371 passing
The live velocity leg needs PostgreSQL, Redis, and in-country / seam egress; see
censorwatch/DEPLOY.md. It stays inert unless CENSORWATCH_ENABLED is set.
| Document | What it covers |
|---|---|
| docs/INTEGRITY.md | The layered trust model, what each layer defends against, and what none of them can do |
| docs/EVAL-REGISTRY.md | The Verifiable Eval Registry: pre-registration, sealing, and how to verify it |
| docs/METHODOLOGY.md | The DDTI method, the math, and its honest scope and biases |
| docs/VALIDATION.md | Retrodiction backtest, does the method catch documented events? |
| docs/NEW-METHODS.md | The observation surfaces (Generative Firewall, CDN-edge, Blocklist, Silence, GitHub-refuge, Baike) |
| docs/UNDERTEXT.md | Active differential tomography, many-vantage divergence as signal |
| docs/OSINT_SOURCES.md | Every public source, how it is accessed, what it yields, its limits |
| docs/ETHICS.md · SAFETY.md · CONTRIBUTING.md | Threat model, do-no-harm rules, and the safety-review gate |
Developed in the open as a public good. Free and open source; it is not a commercial product and never monetizes the people or topics it observes. Licensed under the MIT License so other tools can freely build on the feeds and reuse the measurement and sealing layers.
Palimpsest is built to complement, not repeat, the work of China Digital Times, GreatFire, Citizen Lab, and OONI. It ingests CDT deletion data as one input and is designed to share its data back. It draws on the academic measurement tradition of WeiboScope and the deletion-speed studies of Zhu et al. (2013) and Bamman et al. (2012), whose decade-old figures it re-measures rather than assumes. The sealing layer draws on trusted-archive integrity work (ARCHANGEL) and standard transparency-log constructions.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.