Merged
2 changes: 1 addition & 1 deletion .github/workflows/docs.yml
@@ -55,7 +55,7 @@ jobs:

if [ -d docs ]; then cp -r docs $BUILD/docs; fi

for fname in README.md CHANGELOG.md CONTRIBUTING.md GOVERNANCE.md ROADMAP.md LIMITATIONS.md CNAME; do
for fname in README.md CHANGELOG.md CONTRIBUTING.md GOVERNANCE.md ROADMAP.md LIMITATIONS.md CNAME robots.txt; do
if [ -f "$fname" ]; then cp "$fname" "$BUILD/$fname"; fi
done

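Review bot: the copy loop silently skips any listed file that is missing (`if [ -f "$fname" ]`), so if `robots.txt` is ever renamed or moved, the site would ship without a crawling policy and the workflow would still pass. Since `robots.txt` is now a required artifact rather than an optional one, copy it unconditionally (`cp robots.txt "$BUILD/robots.txt"`) or add a post-copy check such as `test -f "$BUILD/robots.txt"`, and keep the tolerant loop for the files that are genuinely optional.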
71 changes: 71 additions & 0 deletions README.md
@@ -26,6 +26,10 @@

> **Developer Preview** - launching at Confidential Computing Summit, June 23 2026. May have breaking changes before v1.0.

**cMCP (Confidential MCP Runtime) is an open-source gateway that enforces MCP tool-call policy inside a hardware Trusted Execution Environment (TEE).** Every tool call is intercepted, evaluated against a Cedar policy bundle, and enforced where the process it governs cannot reach it. Each session produces a signed, hardware-attested TRACE Claim that a verifier checks without trusting the operator.

> **TL;DR** - Point your agent at the cMCP Gateway. It evaluates every tool call against a Cedar policy inside a TEE, blocks or redacts what the policy denies, and emits a tamper-evident TRACE Claim as proof. Run `pip install cmcp-runtime` and start in software mode with no hardware required.

Your agent calls Snowflake, Salesforce, a dozen APIs. What stops it from leaking a customer's data on one of those calls? If a regulator asks, could you prove it didn't?

---
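Review bot: the TL;DR tells the reader to "start in software mode with no hardware required" but does not say how; the FAQ added later in this PR documents `CMCP_DEV_MODE=1` as the switch, so name it here too so the two entry points agree. Also, "enforced where the process it governs cannot reach it" is hard to parse on first read; the mkdocs.yml description in this same PR phrases it more clearly as "enforced by a policy engine the governed process cannot reach", and reusing that wording would keep the three copies of the pitch consistent.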
@@ -241,6 +245,73 @@ See [SECURITY.md](SECURITY.md) for vulnerability reporting and response SLAs. Se

---

## FAQ

### What is cMCP?

cMCP (Confidential MCP Runtime) is an open-source gateway that enforces MCP tool-call policy inside a hardware Trusted Execution Environment. It intercepts each tool call, evaluates it against a Cedar policy bundle, enforces the decision (allow, deny, or redact), and records the call in a hardware-sealed audit chain.

### How is cMCP different from software-only MCP governance?

Software-only governance runs the policy engine in the same OS an operator or a supply-chain CVE can reach, so it cannot prove the policy that ran was the approved one or that the decision was not flipped in memory. cMCP runs the policy engine inside a TEE and measures the Cedar bundle hash into the hardware attestation report before any code runs, so the control plane cannot be reached by the process it governs.

### Do I need special hardware to try it?

No. Set `CMCP_DEV_MODE=1` to use the software-only TEE provider and run the full quickstart without a hardware TEE. Hardware providers (TPM, AMD SEV-SNP, Intel TDX, OPAQUE) are used in production.

### What is a TRACE Claim?

A TRACE Claim (a `GatewayClaim`) is a signed, hardware-attested artifact produced per session. It records which tools ran, which policy decided each call, the Cedar bundle hash, and the audit chain, and it is signed with an Ed25519 key that never leaves the TEE. A verifier checks it with the `cmcp_verify` library without trusting the operator.

### Which TEE providers are supported?

TPM 2.0 / vTPM, AMD SEV-SNP, and Intel TDX, with NVIDIA GPU confidential computing planned for v0.2 and OPAQUE Confidential Runtime available as explicit opt-in. Auto-detection order is SEV-SNP, then TDX, then TPM, then software.

### What license is cMCP under?

MIT.

<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "FAQPage",
"mainEntity": [
{
"@type": "Question",
"name": "What is cMCP?",
"acceptedAnswer": { "@type": "Answer", "text": "cMCP (Confidential MCP Runtime) is an open-source gateway that enforces MCP tool-call policy inside a hardware Trusted Execution Environment. It intercepts each tool call, evaluates it against a Cedar policy bundle, enforces the decision (allow, deny, or redact), and records the call in a hardware-sealed audit chain." }
},
{
"@type": "Question",
"name": "How is cMCP different from software-only MCP governance?",
"acceptedAnswer": { "@type": "Answer", "text": "Software-only governance runs the policy engine in the same OS an operator or a supply-chain CVE can reach, so it cannot prove the policy that ran was the approved one. cMCP runs the policy engine inside a TEE and measures the Cedar bundle hash into the hardware attestation report before any code runs, so the control plane cannot be reached by the process it governs." }
},
{
"@type": "Question",
"name": "Do I need special hardware to try cMCP?",
"acceptedAnswer": { "@type": "Answer", "text": "No. Set CMCP_DEV_MODE=1 to use the software-only TEE provider and run the full quickstart without a hardware TEE. Hardware providers (TPM, AMD SEV-SNP, Intel TDX, OPAQUE) are used in production." }
},
{
"@type": "Question",
"name": "What is a TRACE Claim?",
"acceptedAnswer": { "@type": "Answer", "text": "A TRACE Claim (a GatewayClaim) is a signed, hardware-attested artifact produced per session. It records which tools ran, which policy decided each call, the Cedar bundle hash, and the audit chain, and it is signed with an Ed25519 key that never leaves the TEE. A verifier checks it with the cmcp_verify library without trusting the operator." }
},
{
"@type": "Question",
"name": "Which TEE providers does cMCP support?",
"acceptedAnswer": { "@type": "Answer", "text": "TPM 2.0 / vTPM, AMD SEV-SNP, and Intel TDX, with NVIDIA GPU confidential computing planned for v0.2 and OPAQUE Confidential Runtime available as explicit opt-in. Auto-detection order is SEV-SNP, then TDX, then TPM, then software." }
},
{
"@type": "Question",
"name": "What license is cMCP under?",
"acceptedAnswer": { "@type": "Answer", "text": "MIT." }
}
]
}
</script>

---

## Contributing

[CONTRIBUTING.md](CONTRIBUTING.md) · [GOVERNANCE.md](GOVERNANCE.md) · [Discussions](https://github.com/agentrust-io/cmcp/discussions)
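Review bot: the FAQ prose and the FAQPage JSON-LD in this hunk have already drifted: the "How is cMCP different" answer in prose includes "or that the decision was not flipped in memory", which the JSON-LD text lacks, and two question names differ ("Do I need special hardware to try it?" vs "... to try cMCP?", "Which TEE providers are supported?" vs "Which TEE providers does cMCP support?"). Either generate the JSON-LD from the prose or align the strings now, since answer engines will otherwise see two versions of the same claim. Two further points: GitHub's README renderer strips `<script>` tags, so this block only takes effect on the mkdocs-built site, which is worth a comment above it; and the "Which TEE providers" answer states that auto-detection falls through to "software" last, so the FAQ should say whether that fallback is reachable in production without `CMCP_DEV_MODE=1` and whether a claim produced by the software provider is distinguishable by the verifier, because a host that silently lands on the software provider would otherwise emit claims that are signed but not hardware-attested.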
Binary file added docs/assets/og.png
4 changes: 4 additions & 0 deletions docs/concepts.md
@@ -1,3 +1,7 @@
---
description: How cMCP works. The four design ideas behind hardware-attested MCP tool-call governance: tamper-evident audit, TRACE Claims as evidence, TEE-measured Cedar policy, and operator-independent verification.
---

# How cMCP Works

This page explains the four core design ideas behind cMCP. The [quickstart](quickstart.md) shows you how to run it; this page explains why it works.
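Review bot: the `description:` value in this front matter is a plain YAML scalar that contains ": " (after "governance"), which YAML does not allow inside a plain scalar; a YAML parser rejects it with "mapping values are not allowed here", so the front matter fails to parse and the page falls back to `config.site_description` (or renders the `---` block as text, depending on how the error is handled). Quote the string or use a folded block scalar, as the `markdown_description: >-` entry in mkdocs.yml in this same PR already does, e.g. `description: >-` followed by the indented text. The quickstart.md front matter in this PR happens not to contain a colon-space, so only this file is affected.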
6 changes: 5 additions & 1 deletion docs/quickstart.md
@@ -1,4 +1,8 @@
# Quickstart - cMCP Runtime
---
description: cMCP quickstart. From zero to your first signed TRACE Claim in under 30 minutes using CMCP_DEV_MODE=1, no hardware TEE required. Install, write a Cedar policy and tool catalog, run the gateway, and verify the claim.
---

# Quickstart - cMCP Runtime

From zero to first TRACE Claim in under 30 minutes. Uses `CMCP_DEV_MODE=1` so no hardware TEE is required.

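Review bot: the description promises "your first signed TRACE Claim" under `CMCP_DEV_MODE=1`, but the README FAQ in this PR says the software-only TEE provider is for trying the quickstart and that hardware providers are what production uses. Worth one clause here stating that the claim produced in dev mode is signed but not hardware-attested, so readers do not mistake quickstart output for production evidence.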
30 changes: 30 additions & 0 deletions mkdocs.yml
@@ -27,6 +27,7 @@ exclude_docs: |

theme:
name: material
custom_dir: overrides
logo: docs/assets/icon.svg
favicon: docs/assets/icon.svg
palette:
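Review bot: `custom_dir: overrides` is resolved relative to mkdocs.yml, and the paths elsewhere in this config (`logo: docs/assets/icon.svg`, the `README.md` and `docs/...` entries in the llmstxt sections) suggest `docs_dir` is the repository root. If so, add `overrides/` to the `exclude_docs` block just above this hunk, otherwise `overrides/main.html` is also copied into the built site as a static file at `/overrides/main.html`.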
@@ -64,6 +65,35 @@ theme:

plugins:
- search
- llmstxt:
full_output: llms-full.txt
markdown_description: >-
cMCP (Confidential MCP Runtime) is an open-source gateway that enforces
MCP tool-call policy inside a hardware Trusted Execution Environment
(TEE). Every tool call is intercepted, evaluated against a Cedar policy
bundle, and enforced by a policy engine the governed process cannot
reach. The Cedar bundle hash is measured into the hardware attestation
report before any code runs, and each session produces a signed,
hardware-attested TRACE Claim that a verifier checks without trusting the
operator. Supports TPM, AMD SEV-SNP, Intel TDX, and OPAQUE providers,
with enforcing, advisory, and silent modes.
sections:
Getting started:
- README.md
- docs/quickstart.md
- docs/concepts.md
- docs/configuration.md
Specification:
- docs/SPEC.md
- docs/spec/cedar-policy.md
- docs/spec/attestation.md
- docs/spec/threat-model.md
- docs/spec/verification-library.md
Tutorials:
- docs/tutorials/connecting-agent-frameworks.md
- docs/tutorials/cedar-policy-walkthrough.md
- docs/tutorials/verifying-a-trace-claim.md
- docs/tutorials/tee-attestation.md
- minify:
minify_html: true
- mkdocstrings:
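Review bot: `markdown_description` is the third hand-written copy of the product pitch in this PR (README intro, README JSON-LD, and here), and it is already the only one that mentions "enforcing, advisory, and silent modes"; keep one source for this text, or at least make sure the three agree before they diverge further. Separately, the `sections` list references `docs/configuration.md`, `docs/SPEC.md`, the `docs/spec/` and `docs/tutorials/` pages, none of which are touched in this PR; confirm each path exists under `docs_dir` so that `llms.txt` and `llms-full.txt` do not silently omit sections.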
67 changes: 67 additions & 0 deletions overrides/main.html
@@ -0,0 +1,67 @@
{% extends "base.html" %}

{#
SEO and AEO head additions:
- Open Graph and Twitter card meta for link previews and answer engines.
- JSON-LD structured data (SoftwareApplication, Organization, WebSite) so
search and answer engines can model what cMCP is.
Canonical and description tags are emitted by Material when site_url is set,
so they are not repeated here.
#}
{% block extrahead %}
{{ super() }}
{% set page_desc = page.meta.description if page and page.meta and page.meta.description else config.site_description %}
{% set page_url = page.canonical_url if page and page.canonical_url else config.site_url %}

<meta property="og:type" content="website">
<meta property="og:site_name" content="{{ config.site_name }}">
<meta property="og:title" content="{% if page and page.title and not page.is_homepage %}{{ page.title }} - {{ config.site_name }}{% else %}{{ config.site_name }}: Confidential MCP Runtime{% endif %}">
<meta property="og:description" content="{{ page_desc }}">
<meta property="og:url" content="{{ page_url }}">
<meta property="og:image" content="https://cmcp.agentrust-io.com/docs/assets/og.png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:image:alt" content="cMCP: an AgenTrust open standard">

<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="{% if page and page.title and not page.is_homepage %}{{ page.title }} - {{ config.site_name }}{% else %}{{ config.site_name }}: Confidential MCP Runtime{% endif %}">
<meta name="twitter:description" content="{{ page_desc }}">
<meta name="twitter:image" content="https://cmcp.agentrust-io.com/docs/assets/og.png">

<script type="application/ld+json">
{
"@context": "https://schema.org",
"@graph": [
{
"@type": "SoftwareApplication",
"name": "cMCP (Confidential MCP Runtime)",
"applicationCategory": "DeveloperApplication",
"operatingSystem": "Linux",
"description": "Hardware-attested policy enforcement for MCP tool calls. cMCP intercepts every tool call, evaluates it against a Cedar policy bundle inside a Trusted Execution Environment, and produces a signed TRACE Claim that a verifier checks without trusting the operator.",
"url": "{{ config.site_url }}",
"softwareHelp": "{{ config.site_url }}",
"license": "https://opensource.org/licenses/MIT",
"offers": { "@type": "Offer", "price": "0", "priceCurrency": "USD" },
"author": { "@type": "Organization", "name": "AgenTrust", "url": "https://agentrust-io.com" },
"codeRepository": "{{ config.repo_url }}"
},
{
"@type": "Organization",
"name": "AgenTrust",
"url": "https://agentrust-io.com",
"sameAs": [
"https://github.com/agentrust-io",
"https://cmcp.agentrust-io.com",
"https://manifest.agentrust-io.com",
"https://trace.agentrust-io.com"
]
},
{
"@type": "WebSite",
"name": "{{ config.site_name }}",
"url": "{{ config.site_url }}"
}
]
}
</script>
{% endblock %}
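Review bot: the JSON-LD block interpolates `{{ config.site_name }}`, `{{ config.site_url }}`, and `{{ config.repo_url }}` directly inside JSON string literals without JSON escaping, and `content="{{ page_desc }}"` does the same inside an HTML attribute; a double quote or backslash in the site name or a page description would produce invalid JSON (breaking the whole `@graph`) or a truncated attribute. Jinja2's built-in `tojson` filter emits a correctly quoted, HTML-safe JSON string, so `"name": {{ config.site_name | tojson }}` (no surrounding quotes) is the safe form, and `{{ page_desc | e }}` for the attributes. Also, `og:image` and `twitter:image` hardcode `https://cmcp.agentrust-io.com/docs/assets/og.png` while every other URL in this template is derived from `config.site_url`; deriving the image URL the same way keeps staging or forked deployments from advertising the production image.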
1 change: 1 addition & 0 deletions requirements-docs.txt
@@ -1,6 +1,7 @@
mkdocs>=1.6.1
mkdocs-material>=9.7.6
mkdocs-minify-plugin>=0.8
mkdocs-llmstxt>=0.5,<1.0
pymdown-extensions>=10.21.3
mkdocstrings[python]>=1.0.4
griffe>=2.1.0
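Review bot: every entry in this file is a lower bound only, and the new `mkdocs-llmstxt>=0.5,<1.0` line is the first with an upper bound; since the docs workflow installs these at build time and the resulting HTML (including the JSON-LD and meta tags added in this PR) is published under the project's domain, a compromised or breaking release of any of them lands on the site unreviewed. Consider a fully pinned lock file with hashes (`pip install --require-hashes`) for the docs build, with a bot to bump versions deliberately, rather than relying on the latest release at each run.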
35 changes: 35 additions & 0 deletions robots.txt
@@ -0,0 +1,35 @@
# cMCP documentation - crawling policy
# Search and answer engines, including AI crawlers, are welcome.

User-agent: *
Allow: /

# AI and answer-engine crawlers (explicitly welcomed)
User-agent: GPTBot
Allow: /

User-agent: OAI-SearchBot
Allow: /

User-agent: ChatGPT-User
Allow: /

User-agent: ClaudeBot
Allow: /

User-agent: anthropic-ai
Allow: /

User-agent: Claude-Web
Allow: /

User-agent: PerplexityBot
Allow: /

User-agent: Google-Extended
Allow: /

User-agent: CCBot
Allow: /

Sitemap: https://cmcp.agentrust-io.com/sitemap.xml
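Review bot: the per-crawler groups (`GPTBot`, `ClaudeBot`, `PerplexityBot`, ...) are redundant today, because `User-agent: *` with `Allow: /` already permits everything; but note that a crawler which matches a specific group uses only that group and ignores the `*` group, so if a `Disallow` is ever added to the `*` group (say, for a staging path or the llms-full.txt dump), these named crawlers would not inherit it. Either keep the named groups and remember to mirror restrictions into each, or drop them and let the `*` group carry the policy; a comment stating that intent would help. The `Sitemap:` URL is hardcoded to the production domain, matching the hardcoded `og:image` URL in `overrides/main.html`, so both need to change together if the site is ever served elsewhere.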