diff --git a/README.md b/README.md index d1659cc..b0d0864 100644 --- a/README.md +++ b/README.md @@ -1,327 +1,327 @@ -
-
-
-
-
-
-
- - Quick Start · - Architecture · - Configuration · - CLI · - Changelog - -
- -[](https://github.com/agentrust-io/cmcp/actions/workflows/ci.yml) [](LICENSE) [](https://pypi.org/project/cmcp-runtime/) [](https://scorecard.dev/viewer/?uri=github.com/agentrust-io/cmcp) [](https://discord.gg/grgzFEHgkj) - -> **Developer Preview** - launching at Confidential Computing Summit, June 23 2026. May have breaking changes before v1.0. - -**cMCP (Confidential MCP Runtime) is an open-source gateway that enforces MCP tool-call policy inside a hardware Trusted Execution Environment (TEE).** Every tool call is intercepted, evaluated against a Cedar policy bundle, and enforced where the process it governs cannot reach it. Each session produces a signed, hardware-attested TRACE Claim that a verifier checks without trusting the operator. - -> **TL;DR** - Point your agent at the cMCP Gateway. It evaluates every tool call against a Cedar policy inside a TEE, blocks or redacts what the policy denies, and emits a tamper-evident TRACE Claim as proof. Run `pip install cmcp-runtime` and start in software mode with no hardware required. - -Your agent calls Snowflake, Salesforce, a dozen APIs. What stops it from leaking a customer's data on one of those calls? If a regulator asks, could you prove it didn't? - ---- - -## The problem - -An agent calls a tool. The policy engine says allow. The tool call goes through. - -None of that proves the policy engine itself was not compromised. Software-only MCP governance cannot guarantee: - -- The Cedar policy on disk is the one that ran. A rogue admin can swap the bundle after approval; the hash check runs inside the same OS the admin controls. -- The allow/deny decision was not flipped in memory. A supply chain CVE in the evaluator runs in the same address space as the attacker. -- The audit log reflects what actually happened. Any party holding the software signing key can reconstruct a valid audit chain after the fact. - -The control plane that governs tool calls must run where it cannot be reached by the process it governs. - -Hardware-attested policy enforcement for MCP tool calls. Every tool call is intercepted, evaluated against a Cedar policy bundle, and enforced by a policy engine running inside a Trusted Execution Environment (TEE). The policy bundle hash is measured into the hardware attestation report before any code runs. - -Unlike tunnel-based connectivity solutions, the cMCP Runtime processes tool-call payloads inside the TEE. The connectivity provider sees ciphertext, not plaintext. The only thing that leaves the enclave is the signed TRACE claim. - ---- - -## Quick Start - -```bash -pip install cmcp-runtime -``` - -Create `cmcp-config.yaml`: - -```yaml -attestation: - provider: auto - enforcement_mode: advisory -policy_bundle_path: ./policies/ -catalog_path: ./catalog.json -``` - -Start the gateway: - -```bash -CMCP_DEV_MODE=1 cmcp start --config cmcp-config.yaml -``` - -Make a tool call: - -```bash -curl -X POST http://localhost:8443/mcp \ - -H "Content-Type: application/json" \ - -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"salesforce.contacts","arguments":{"query":"Acme Corp"},"_cmcp":{"session_id":"s1","workflow_id":"demo-agent"}}}' -``` - -See [docs/quickstart.md](docs/quickstart.md) for the full walkthrough: Cedar policy, tool catalog, first TRACE Claim, and verification (no hardware TEE required). - ---- - -## How it works - -1. The agent sends every tool call to the cMCP Gateway instead of directly to MCP servers. -2. At startup the gateway measures the Cedar policy bundle hash into the hardware attestation report. No code runs before this measurement. -3. Each incoming tool call is evaluated by the Cedar policy engine running inside the TEE. The result is allow, deny, or redact. The call and its decision are appended to the hardware-sealed audit chain. -4. At the end of the session the gateway produces a TRACE Claim: a signed, hardware-attested artifact that records which tools ran, which policy decided each call, and the full audit chain. A verifier checks this without trusting the operator. - -``` -Agent -> cMCP Runtime -> Cedar Policy Engine (TEE) -> Tool - | - GatewayClaim (TRACE Profile) - +-- trace.eat_profile - +-- trace.runtime.platform + measurement - +-- trace.policy.bundle_hash - +-- trace.cnf.jwk (Ed25519 confirmation key) - +-- gateway.audit_chain (root/tip/length) - +-- signature (Ed25519 over canonical JSON) -``` - ---- - -## Hardware providers - -| Provider | Platform | Assurance | Notes | -|---|---|---|---| -| `tpm` | TPM 2.0 / vTPM (Azure, AWS, GCP Trusted Launch) | Medium | Local TPM quote | -| `sev-snp` | AMD SEV-SNP (Azure DCasv5, AWS C6a Nitro) | High | AMD KDS | -| `tdx` | Intel TDX (Azure DCedsv5, GCP C3) | High | Intel PCS | -| `gpu-cc` _(v0.2)_ | NVIDIA H100/H200/Blackwell (CC mode) | High | NVIDIA Remote Attestation Service (NRAS) | -| `opaque` _(explicit opt-in)_ | OPAQUE Confidential Runtime | High | Set `OPAQUE_ATTESTATION_URL`; not in auto-detect chain (stub: detect() returns False, not yet implemented) | - -Provider auto-detects: `SEV-SNP -> TDX -> TPM -> software`. `opaque` is explicit opt-in via `OPAQUE_ATTESTATION_URL` and is never selected automatically. - -```python -from cmcp_gateway.config import TEEProvider - -# Auto-detect (default) -# attestation.provider: auto -> sev-snp -> tdx -> tpm -> software - -# Explicit hardware selection -# attestation.provider: sev-snp - -# OPAQUE Managed Runtime (explicit opt-in only) -# OPAQUE_ATTESTATION_URL=https://... cmcp start --config cmcp-config.yaml -``` - ---- - -## Enforcement modes - -| Mode | Behavior | Use case | -|---|---|---| -| `enforcing` | Policy denies return HTTP 403; call is not forwarded | Production | -| `advisory` | Policy denies are logged; call proceeds | First deployment, policy tuning | -| `silent` | Policy is evaluated but nothing is logged or blocked | Baselining | - -Default is `enforcing`. Set `enforcement_mode: advisory` in `cmcp-config.yaml` to use advisory mode. - ---- - -## Configuration - -`cmcp-config.yaml` full reference: - -```yaml -attestation: - provider: auto # auto | tpm | sev-snp | tdx | opaque | software-only - enforcement_mode: enforcing # enforcing | advisory | silent - validity_seconds: 86400 # attestation freshness window (default: 24 hours) - staleness_policy: fail_closed # fail_closed | warn_only - expected_measurement: ~ # pin a specific PCR/measurement (optional) - -policy_bundle_path: policy/ # directory containing .cedar files and manifest.json -catalog_path: catalog.json # approved tool catalog - -listen_addr: "0.0.0.0:8443" -max_response_size_bytes: 2097152 # 2 MB default -policy_reload_interval_seconds: 0 # 0 = disabled; restart required to update policy -``` - -Environment variables: - -| Variable | Effect | -|---|---| -| `CMCP_DEV_MODE=1` | Use software-only TEE provider; no hardware required | -| `CMCP_BEARER_TOKEN` | Require this bearer token on all inbound requests | -| `OPAQUE_ATTESTATION_URL` | Enable OPAQUE Managed Runtime attestation (explicit opt-in) | - ---- - -## CLI reference - -| Command | Flags | Description | -|---|---|---| -| `cmcp start` | `--config PATH` (required) | Start the gateway | -| `cmcp validate-config` | `--config PATH` (required) | Validate `cmcp-config.yaml` without starting | -| `cmcp validate-bundle` | `--bundle-path PATH` (required), `--expected-hash sha256:
+
+
+
+
+
+
+ + Quick Start · + Architecture · + Configuration · + CLI · + Changelog + +
+ +[](https://github.com/agentrust-io/cmcp/actions/workflows/ci.yml) [](LICENSE) [](https://pypi.org/project/cmcp-runtime/) [](https://scorecard.dev/viewer/?uri=github.com/agentrust-io/cmcp) [](https://discord.gg/grgzFEHgkj) + +> **Developer Preview** - launching at Confidential Computing Summit, June 23 2026. May have breaking changes before v1.0. + +**cMCP (Confidential MCP Runtime) is the secure, confidential way to run MCP: an open-source gateway that enforces MCP tool-call policy inside a hardware Trusted Execution Environment (TEE).** Every tool call is intercepted, evaluated against a Cedar policy bundle, and enforced where the process it governs cannot reach it. Each session produces a signed, hardware-attested TRACE Claim that a verifier checks without trusting the operator. If you are looking for a secure version of MCP, this is the AgenTrust runtime for it. + +> **TL;DR** - Point your agent at the cMCP Gateway. It evaluates every tool call against a Cedar policy inside a TEE, blocks or redacts what the policy denies, and emits a tamper-evident TRACE Claim as proof. Run `pip install cmcp-runtime` and start in software mode with no hardware required. + +Your agent calls Snowflake, Salesforce, a dozen APIs. What stops it from leaking a customer's data on one of those calls? If a regulator asks, could you prove it didn't? + +--- + +## The problem + +An agent calls a tool. The policy engine says allow. The tool call goes through. + +None of that proves the policy engine itself was not compromised. Software-only MCP governance cannot guarantee: + +- The Cedar policy on disk is the one that ran. A rogue admin can swap the bundle after approval; the hash check runs inside the same OS the admin controls. +- The allow/deny decision was not flipped in memory. A supply chain CVE in the evaluator runs in the same address space as the attacker. +- The audit log reflects what actually happened. Any party holding the software signing key can reconstruct a valid audit chain after the fact. + +The control plane that governs tool calls must run where it cannot be reached by the process it governs. + +Hardware-attested policy enforcement for MCP tool calls. Every tool call is intercepted, evaluated against a Cedar policy bundle, and enforced by a policy engine running inside a Trusted Execution Environment (TEE). The policy bundle hash is measured into the hardware attestation report before any code runs. + +Unlike tunnel-based connectivity solutions, the cMCP Runtime processes tool-call payloads inside the TEE. The connectivity provider sees ciphertext, not plaintext. The only thing that leaves the enclave is the signed TRACE claim. + +--- + +## Quick Start + +```bash +pip install cmcp-runtime +``` + +Create `cmcp-config.yaml`: + +```yaml +attestation: + provider: auto + enforcement_mode: advisory +policy_bundle_path: ./policies/ +catalog_path: ./catalog.json +``` + +Start the gateway: + +```bash +CMCP_DEV_MODE=1 cmcp start --config cmcp-config.yaml +``` + +Make a tool call: + +```bash +curl -X POST http://localhost:8443/mcp \ + -H "Content-Type: application/json" \ + -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"salesforce.contacts","arguments":{"query":"Acme Corp"},"_cmcp":{"session_id":"s1","workflow_id":"demo-agent"}}}' +``` + +See [docs/quickstart.md](docs/quickstart.md) for the full walkthrough: Cedar policy, tool catalog, first TRACE Claim, and verification (no hardware TEE required). + +--- + +## How it works + +1. The agent sends every tool call to the cMCP Gateway instead of directly to MCP servers. +2. At startup the gateway measures the Cedar policy bundle hash into the hardware attestation report. No code runs before this measurement. +3. Each incoming tool call is evaluated by the Cedar policy engine running inside the TEE. The result is allow, deny, or redact. The call and its decision are appended to the hardware-sealed audit chain. +4. At the end of the session the gateway produces a TRACE Claim: a signed, hardware-attested artifact that records which tools ran, which policy decided each call, and the full audit chain. A verifier checks this without trusting the operator. + +``` +Agent -> cMCP Runtime -> Cedar Policy Engine (TEE) -> Tool + | + GatewayClaim (TRACE Profile) + +-- trace.eat_profile + +-- trace.runtime.platform + measurement + +-- trace.policy.bundle_hash + +-- trace.cnf.jwk (Ed25519 confirmation key) + +-- gateway.audit_chain (root/tip/length) + +-- signature (Ed25519 over canonical JSON) +``` + +--- + +## Hardware providers + +| Provider | Platform | Assurance | Notes | +|---|---|---|---| +| `tpm` | TPM 2.0 / vTPM (Azure, AWS, GCP Trusted Launch) | Medium | Local TPM quote | +| `sev-snp` | AMD SEV-SNP (Azure DCasv5, AWS C6a Nitro) | High | AMD KDS | +| `tdx` | Intel TDX (Azure DCedsv5, GCP C3) | High | Intel PCS | +| `gpu-cc` _(v0.2)_ | NVIDIA H100/H200/Blackwell (CC mode) | High | NVIDIA Remote Attestation Service (NRAS) | +| `opaque` _(explicit opt-in)_ | OPAQUE Confidential Runtime | High | Set `OPAQUE_ATTESTATION_URL`; not in auto-detect chain (stub: detect() returns False, not yet implemented) | + +Provider auto-detects: `SEV-SNP -> TDX -> TPM -> software`. `opaque` is explicit opt-in via `OPAQUE_ATTESTATION_URL` and is never selected automatically. + +```python +from cmcp_gateway.config import TEEProvider + +# Auto-detect (default) +# attestation.provider: auto -> sev-snp -> tdx -> tpm -> software + +# Explicit hardware selection +# attestation.provider: sev-snp + +# OPAQUE Managed Runtime (explicit opt-in only) +# OPAQUE_ATTESTATION_URL=https://... cmcp start --config cmcp-config.yaml +``` + +--- + +## Enforcement modes + +| Mode | Behavior | Use case | +|---|---|---| +| `enforcing` | Policy denies return HTTP 403; call is not forwarded | Production | +| `advisory` | Policy denies are logged; call proceeds | First deployment, policy tuning | +| `silent` | Policy is evaluated but nothing is logged or blocked | Baselining | + +Default is `enforcing`. Set `enforcement_mode: advisory` in `cmcp-config.yaml` to use advisory mode. + +--- + +## Configuration + +`cmcp-config.yaml` full reference: + +```yaml +attestation: + provider: auto # auto | tpm | sev-snp | tdx | opaque | software-only + enforcement_mode: enforcing # enforcing | advisory | silent + validity_seconds: 86400 # attestation freshness window (default: 24 hours) + staleness_policy: fail_closed # fail_closed | warn_only + expected_measurement: ~ # pin a specific PCR/measurement (optional) + +policy_bundle_path: policy/ # directory containing .cedar files and manifest.json +catalog_path: catalog.json # approved tool catalog + +listen_addr: "0.0.0.0:8443" +max_response_size_bytes: 2097152 # 2 MB default +policy_reload_interval_seconds: 0 # 0 = disabled; restart required to update policy +``` + +Environment variables: + +| Variable | Effect | +|---|---| +| `CMCP_DEV_MODE=1` | Use software-only TEE provider; no hardware required | +| `CMCP_BEARER_TOKEN` | Require this bearer token on all inbound requests | +| `OPAQUE_ATTESTATION_URL` | Enable OPAQUE Managed Runtime attestation (explicit opt-in) | + +--- + +## CLI reference + +| Command | Flags | Description | +|---|---|---| +| `cmcp start` | `--config PATH` (required) | Start the gateway | +| `cmcp validate-config` | `--config PATH` (required) | Validate `cmcp-config.yaml` without starting | +| `cmcp validate-bundle` | `--bundle-path PATH` (required), `--expected-hash sha256: