Server data from the Official MCP Registry
Trust & human sign-off for AI agents: approval required before irreversible agent actions
Trust & human sign-off for AI agents: approval required before irreversible agent actions
This MCP server implements a trust and authorization protocol with extensive tooling for pre-action verification, receipts, and policy enforcement. The code is well-structured with appropriate permissions for its developer tools category, but contains moderate concerns: unauthenticated network calls for read operations, potential for sensitive data leakage in auto-receipt middleware, and missing input validation on several dangerous operations (policy evaluation, delegation creation). The server's core design is sound and aligns with its purpose, but implementation details require hardening. Package verification found 1 issue (1 critical, 0 high severity).
4 files analyzed · 11 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Unverified package source
We couldn't verify that the installable package matches the reviewed source code. Proceed with caution.
Set these up before or after installing:
Environment variable: EP_API_KEY
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-emiliaprotocol-mcp-server": {
"env": {
"EP_API_KEY": "your-ep-api-key-here"
},
"args": [
"-y",
"emilia-protocol"
],
"command": "npx"
}
}
}From the project's GitHub README.
EMILIA Gate is the commercial Consequence Firewall that prevents consequential machine actions on protected executor paths without verifiable authority. It sits at the executor or system-of-record boundary, refuses before mutation, consumes accepted authorization once, and leaves evidence another party can verify.
Start free by protecting one privileged MCP tool call. The first paid market is payer AI-assisted adverse medical-necessity determination, under one safety rule: no valid licensed-review evidence, no adverse determination. Missing evidence routes to lawful human review or a patient-protective fallback; it is not authority to withhold medically necessary care.
AI systems and repository reviewers: start with AI_CONTEXT.md. Current machine-readable evidence, provenance, assumptions, and exclusions are published at EMILIA-REPO-CONTEXT-v1. Archived or staged documents do not establish current implementation or IETF status.
EMILIA ships a security case that reviewers can execute. The current repository resolves 26 security claims over 121 hashed evidence files, verifies 10 obligations in one composed Tamarin Dolev-Yao model, and preserves 2 deliberately weakened variants that produce concrete replay and stale-registry attack traces. The live same-team conformance corpus contains 18 suites and 251 current vectors. Separately, an externally authored Rust verifier is pinned to the frozen 16-suite/164-vector bundle and a 359-case hostility campaign. The broader suite contains 6,610 automated tests across 342 files.
Each security claim names the enforcement path, positive and negative vectors, language coverage,
formal scope or explicit gap, assumptions, exclusions, and evidence hash. Start with the
human-readable evidence map, then inspect the
resolved security case or run npm run check:security-case.
For fifty years, software security answered one question: who is allowed in? Firewalls, OAuth, and passwords — all built to verify a human identity at the door.
That era is ending. The dominant users of software are no longer humans; they're autonomous AI agents. Agents don't just log in — they write code, call tools, and change reality on the fly. Every CISO knows a single bad prompt can make an agent wipe a production database or wire money to the wrong account. So they're blocking deployment — sitting on billions in AI budget they can't spend because their compliance teams can't answer one question:
Who approved that action?
The crisis of our generation isn't authentication. It's authorization at the moment of action: how do you prove that what an agent is about to do is exactly what a named human authorized — before it executes?
EMILIA is the seatbelt for the agentic era.
Decision logs are testimony. EMILIA produces receipts.
If an agent tries to move money, delete code, deploy production, change permissions, or mutate regulated state without a valid EMILIA receipt, the tool refuses to run — and if it runs, anyone can verify who authorized exactly what, offline, trusting no one.
That is the whole protocol. The developer wedge is one wrapper around an irreversible MCP tool. See it cold, fully offline, no key, no account — each demo runs the entire loop (refused → named human signs the exact action → tool runs → forged receipt rejected):
node examples/mcp/payment-server.mjs # release_payment — refuses without a receipt
node examples/mcp/github-admin.mjs # delete_repo — refuses without a receipt
node examples/mcp/prod-deploy.mjs # deploy_production — refuses without a receipt
Wrap your own tool dispatcher in production — see examples/mcp/ and /mcp:
import { withMcpGuard } from '@emilia-protocol/mcp-guard';
const guarded = withMcpGuard(handleTool, {
annotations: { release_payment: { irreversible: true, action: 'payment.release' } },
}); // missing receipt → refused, never a silent pass
# Issue a receipt offline — no API key, no backend needed
npx @emilia-protocol/issue demo
# Add EMILIA to Claude / Cursor / Cline
npx -y @emilia-protocol/mcp-server
Try a real Face ID signoff → Approve an $82,000 wire with your own passkey. See what VERIFIED looks like. Forge the receipt. See it fail.
Verify any receipt in your browser — paste it in, nothing is uploaded.

Run it yourself:
node examples/crash-test.mjs— fully offline, no API key.
[ INTENT ] [ DECISION ] [ CEREMONY ] [ RECEIPT ]
Agent calls a Policy-bound, hash- Named human signs Signed, offline-
tool via MCP → pinned: allow / → the EXACT action → verifiable proof.
allow-with-signoff / on their own Tamper it:
deny (+observe device (passkey). fails by design.
mode: zero change What they saw =
to production) what they signed.
Act I — Interception (MCP-native). No rewrites. EMILIA hooks the tool call at the Model Context Protocol boundary — the moment an agent tries to delete a file or move capital, the action is caught mid-air.
Act II — Decision (policy-bound, deterministic). The action is checked against a hash-pinned policy: allow, allow-with-signoff, or deny. Plus an observe mode that changes nothing in production and reports what would have been held. Deterministic, auditable — not a black-box risk score.
Act III — The ceremony (device-bound human signoff). When policy requires a human, EMILIA runs a WebAuthn / passkey signoff bound to the exact action — Face ID / Touch ID on the operator's own device. This narrows the "what you saw is what you signed" gap (via the experimental display-attestation profile); it does not eliminate it. No autonomous loop can skip the ceremony.
Act IV — The receipt (the evidence). The result is a signed authorization receipt that anyone can verify offline, with open-source code, no backend, no vendor trust. Tamper it and verification fails by construction. Optionally anchor it for public timestamping — the core needs no blockchain.
You want agents that actually do things — but you're paralyzed by runaway loops, API over-spend, and accidental data destruction. EMILIA gives you a plug-and-play MCP server + a thin SDK wrapper. Apply a policy hash, and irreversible tool calls gain a cryptographically hardened, NIST-AI-RMF-mapped approval-and-evidence layer — without building approval workflows or audit infrastructure from scratch.
# langchain-emilia — wrap any LangChain tool with an EP gate
from langchain_emilia import EmiliaGateClient
gate = EmiliaGateClient(base_url="https://www.emiliaprotocol.ai", api_key="...")
safe_tool = gate.wrap(your_destructive_tool)
pip install langchain-emilia # PyPI
npm install @emilia-protocol/verify # npm
Your agent can't outrun its leash.
Every platform shift mints a new security primitive: the web got SSL, the cloud got Okta / IAM, the agent economy needs action-level trust. Enterprises are sitting on AI budgets that compliance won't let them spend — EMILIA is the key that unlocks them, by turning unpredictable agents into audit-ready infrastructure that maps primitive-by-primitive to NIST AI RMF, EU AI Act, and SOC 2 CC6/7 controls.
The managed layer (GovGuard / FinGuard) extends the open standard with sector-specific policy packs, observe-mode pilots, and audit-ready evidence packages — with no procurement required to start.
EMILIA is an open standard, not a product moat. The core is Apache-2.0 and tracked as an IETF Internet-Draft.
| IETF Internet-Drafts | Posted: authorization-receipts · quorum · authorization-evidence-chain · evidence-record. |
| Cross-language verifiers | JavaScript · Python · Go — all three proven to agree on adversarial conformance vectors, every push (npm run conformance). A consistency check across one team's ports, not clean-room independent implementations. Separately, an externally authored from-spec Rust implementation (source public) passes the pinned 16-suite/164-vector bundle and the pinned 359-case hostility campaign under an evaluator-controlled rebuild from an immutable source tree. Its checked-in construction evidence remains implementer-signed, not third-party-attested (signed statement); strict clean-room acceptance waits for the corrected third-party-attested manifest and independently pinned attestor key. |
| Formal verification | 26 TLA+ safety properties (0 errors) · 35 Alloy facts, 22 assertions · a composed symbolic Dolev-Yao model covering challenge, CAID, two approvals, issuer and authority pins, registry view, revocation, consumption, and execution. Ten strict Tamarin lemmas verify; deliberately removing consumption or exact registry-view binding produces replay and stale/equivocating-view traces (formal/tamarin/). |
| MCP registries | Official MCP registry · Glama (Grade A, Official badge) · Smithery |
| License | Apache-2.0 |
Three same-team reference ports (JS / Python / Go) agree across all 18 suites and 251 vectors. Separately, an externally authored Rust implementation rebuilt from a pinned public source tree passes the pinned 16-suite/164-vector clean-room bundle and a 359-case hostility campaign, re-run in its own CI lane on every change. The newer AEC acceptance and four-outcome resolution suites are not attributed to Rust. That is external interoperability evidence, not strict clean-room construction acceptance; the aggregate CI case records the strict acceptance count as zero pending independent attestation. See CONFORMANCE.md, or verify a receipt yourself at emiliaprotocol.ai/verify.
Eye observes. Handshake verifies. Signoff owns. Commit seals.
| Layer | What it does |
|---|---|
| EP Eye | Observes and classifies agent behavior (OBSERVE → SHADOW → ENFORCE) |
| EP Handshake | Cryptographic consent ceremony with 7-property binding |
| EP Signoff | Named human ownership — WebAuthn / passkey Class A, device-bound; multi-party quorum (M-of-N / ordered — the two-person rule) for the highest-stakes actions |
| EP Commit | Atomic, immutable action close with Merkle-chained receipts |
| Metric | Value |
|---|---|
| Automated test cases | 6,610 across 342 files; all platform-applicable cases must pass |
| TLA+ safety properties | 26 verified (T1–T26), 0 errors — see PROOF_STATUS.md |
| Alloy relational assertions | 35 facts + 22 assertions across two models — verified in CI |
| Red-team cases cataloged | 85 — RED_TEAM_CASES.md |
| Release security status | Repository security checks pass; live Strix retest and deployment validation remain open |
| Conformance (7/7) | node conformance/ep-conformance-test.js https://www.emiliaprotocol.ai |
| Cross-language conformance | 251 vectors · 18 suites: receipts · device signoffs · four-outcome resolution · multi-party quorum · revocation · time-attestation · trust-receipt (x2 profiles) · provenance · evidence-record · canonicalization · boundary · AEC acceptance · currency · initiator-attestation · consumption-proof · witness · timestamp-proof (RFC 3161). JS / Python / Go verifiers agree (node conformance/run.mjs). The external Rust baseline remains 164 vectors / 16 suites. See CONFORMANCE.md. |
| Handshake create p95 | 575ms at 50 VUs — PERFORMANCE_PROOF.md |
EP standardizes three interoperable objects that any conforming implementation can produce and verify:
| Object | What it is |
|---|---|
| Trust Receipt | A portable, signed record of an authorization event — what happened |
| Trust Profile | A standardized summary of observable trust state — what is known |
| Trust Decision | A policy-evaluated result with reasons and appeal path — what to do now |
EP Extensions (Handshake, Signoff, Commit, Delegation) add stronger enforcement where systems must constrain execution. The product layers (GovGuard / FinGuard) are built on top — not the protocol itself.
90-second demo · Quickstart · Agent walkthrough · IETF Draft · Discord
EP is authorization at the moment of action, not an identity system, not a wallet, not a reputation score.
See CONFORMANCE.md · SECURITY.md · THREAT_MODEL.md · GOVERNANCE.md · Neutrality Covenant
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.