1. The Accountability Gap in MCP
The Model Context Protocol defines a standard interface for AI models to discover, invoke, and interact with external tools and data sources. It solves the integration problem: any MCP-compliant model can use any MCP-compliant server.
However, MCP has no accountability primitives.
- No cryptographic proof that a tool was invoked, by which model, or at what time
- No audit trail linking tool inputs and outputs to a tamper-evident record
- No mechanism for clearing sensitive data after use
- No standard way for an auditor to verify what an AI agent did with a tool
- No policy evaluation at the tool boundary (rate limits, data classification, role-based access)
- No trust verification between agents sharing tools in multi-agent architectures
The EU AI Act requires automatic logging of AI system operations (Art. 12), human oversight of high-risk decisions (Art. 14), and risk management measures that are operational, not merely documented (Art. 9). When an AI model invokes a tool via MCP, none of these requirements are satisfied by the protocol itself.
The OWASP MCP Top 10 (2026) and NSA MCP security guidance formally recognize these risks. For detailed procedure-level mappings, see the OWASP MCP Top 10 Mapping and NSA MCP Security Mapping.
2. Architecture: Transport vs. Accountability
SWT3 operates alongside MCP, not inside it. The protocol does not modify MCP's tool discovery, invocation, or response handling. Instead, it wraps tool calls with a witnessing layer that produces anchors as a side effect of normal operation.
↓
SWT3 Anchor + Factor Matrix → Witness Ledger
Request Flow
- Tool Request. The MCP client sends a standard tool invocation request to the SWT3 MCP Server.
- Policy Evaluation. The server evaluates the request against
mcp_policyrules: tool allowlist/blocklist, velocity limits, chain depth, and custom rules. - Trust Verification. If
require_trust_levelis set, the calling agent's credentials are checked. In strict mode, untrusted agents are blocked. - Tool Execution. If policy allows, the tool executes normally. SWT3 does not modify tool behavior.
- Witness Anchor Minting. An AI-TOOL.1 anchor is minted with tool name, call ID, outcome, and cryptographic fingerprint.
- Ledger Transmission. The anchor is written to the local WAL and, if configured, transmitted to the compliance ledger.
- Response. The original tool result is returned unchanged. The governance layer is transparent.
When fail_secure is true (default), any failure in the witnessing pipeline blocks the tool call. When false, the call proceeds and the failure is logged for reconciliation.
3. Installation and Configuration
Or add it to your Claude Desktop or MCP client configuration:
{
"mcpServers": {
"swt3-witness": {
"command": "npx",
"args": ["-y", "@tenova/swt3-mcp"],
"env": {
"SWT3_ENDPOINT": "https://sovereign.tenova.io",
"SWT3_API_KEY": "axm_live_..."
}
}
}
}
Tool Policy Configuration
Create a .swt3.yaml file in your project root:
mcp_policy: witnessed_tools: ["write_*", "search_*", "execute_*"] exempt_tools: ["list_files", "get_time"] require_trust_level: 2 auto_witness: true block_on_failure: true max_velocity: "10/60s" max_chain_depth: 5 fail_secure: true
Policy options:
witnessed_tools-- Glob patterns for tools that must be witnessedexempt_tools-- Low-risk tools excluded from witnessing overheadmax_velocity-- Rate limiting (invocations per time window)max_chain_depth-- Maximum sequential dependent tool callstool_allowlist/tool_blocklist-- Explicit permit and deny listsfail_secure-- Block tool call if witnessing fails (default: true)rules-- Custom governance rules with match conditions and actions
Validate with: npx @tenova/swt3-mcp doctor
4. Standard Tool Definitions
An SWT3-compliant MCP server SHOULD expose these canonical tools:
| Tool Name | Purpose | Read-Only |
|---|---|---|
witness_inference | Mint a cryptographic SWT3 anchor for an AI inference | No |
verify_anchor | Verify the cryptographic integrity of an existing anchor | Yes |
list_procedures | List available UCT procedures with namespace filtering | Yes |
check_posture | Check current AI witness compliance posture | Yes |
Standard resource URIs:
| URI | Description |
|---|---|
swt3://registry/procedures | Full catalog of UCT procedures with factor schemas and framework mappings |
swt3://health | Service health status including database connectivity and version |
5. Tool Witnessing Pattern
SWT3 defines a pattern for witnessing any MCP tool call without modifying the tools themselves.
Python
from openai import OpenAI
from swt3_ai import witness
# Wrap your OpenAI client. All calls are now witnessed.
client = witness(OpenAI(), clearing_level=1)
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Summarize Q3 revenue"}]
)
TypeScript
import OpenAI from "openai";
import { witness } from "@tenova/swt3-ai";
const client = witness(new OpenAI(), { clearingLevel: 1 });
const response = await client.chat.completions.create({
model: "gpt-4o",
messages: [{ role: "user", content: "Summarize Q3 revenue" }],
});
What Gets Recorded
| Field | Source | Stored As |
|---|---|---|
| Tool name | MCP tool invocation | Procedure ID (e.g., AI-TOOL.1) |
| Tool arguments | MCP tool input | SHA-256 hash (raw arguments never stored) |
| Tool result | MCP tool output | SHA-256 hash (raw result never stored) |
| Timestamp | System clock | Millisecond Unix epoch |
| Agent identity | Configuration | agent_id field |
Privacy guarantee: Raw data never enters the witness system. Tool arguments and results are SHA-256 hashed at the point of observation. An auditor can verify a specific tool call produced a specific result (by re-hashing), but cannot reconstruct the data from the anchor alone.
6. Integration Levels
Level 1: Passive (Log-Only)
Anchors are minted as a side effect of normal tool invocation. Tool execution is not affected.
Use case: Observability. "We can prove what happened."
Level 2: Active (Anchor-Gated)
Anchors are minted before tool execution. If the anchor cannot be minted, the tool call is blocked.
Use case: Compliance enforcement. "No tool call proceeds without a witness record."
Level 3: Sovereign (Clearing-Enforced)
Anchors are minted and clearing is enforced. After the anchor is sealed, raw tool inputs and outputs are purged.
Use case: Data sovereignty. "We can prove what happened, and the raw data no longer exists."
7. Governance Procedures
| Procedure | Name | MCP Governance Function |
|---|---|---|
AI-TOOL.1 | Tool Invocation | Records every tool call with name, call ID, parameters, and outcome |
AI-ACC.1 | Access Control | Records access decisions at the tool boundary |
AI-CHAIN.1 | Chain Handoff | Records handoff of execution context between agents |
AI-CHAIN.2 | Chain Trust Credential | Records trust credential presented during chain handoff |
AI-TRUST.1 | Agent Trust Verification | Records outcome of trust level verification for tool access |
AI-TRUST.2 | Trust Handshake | Records bidirectional credential exchange between agents |
AI-ID.1 | Agent Identity | Records the identity assertion of the calling agent |
AI-GRD.1/2 | Input/Output Guardrails | Records guardrail evaluation of tool parameters and results |
AI-GRD.3 | Policy Version Binding | Records the active policy version at evaluation time |
For the complete procedure registry (80 procedures across 41+ namespaces), see the UCT Registry.
8. Regulatory Mapping
| Regulation | Requirement | How SWT3 + MCP Satisfies It |
|---|---|---|
| EU AI Act Art. 12(1) | Automatic logging throughout lifecycle | Every MCP tool call produces a timestamped, tamper-evident anchor |
| EU AI Act Art. 14 | Human oversight measures operational | AI-HITL.1 witnesses human review events at the tool boundary |
| EU AI Act Art. 9(4)(a) | Risk management measures active | AI-GRD.1 witnesses guardrail state at inference time |
| NIST AI RMF MEASURE 2.6 | AI system outputs are traceable | SHA-256 hashes of inputs/outputs sealed into the anchor |
| NIST AI RMF MANAGE 4.1 | Risk controls monitored continuously | Continuous witnessing produces unbroken chain of anchors |
| GDPR Art. 5(1)(c) | Data minimization | Clearing Protocol destroys raw data after anchoring |
| HIPAA 164.312(b) | Audit controls for information systems | SWT3 anchors serve as tamper-evident audit records |
9. Clearing in MCP Context
MCP tool calls frequently involve sensitive data. The SWT3 Clearing Protocol ensures that this data does not persist in the witness system after the tool call completes.
| MCP Tool Type | Recommended Level | Rationale |
|---|---|---|
| Public API queries | Level 0 or 1 | Data is not sensitive; forensic value outweighs risk |
| Database queries with PII | Level 2 | Query results may contain user data; only anchor persists |
| File system operations | Level 1 | File paths retained; file contents cleared |
| Authentication/credential tools | Level 3 | Credentials must not persist in any system |
| Healthcare/clinical tools | Level 2 or 3 | PHI must not persist outside the clinical system |
10. Trust Mesh
Before executing a tool on behalf of an agent, the SWT3 MCP server can verify the agent's trust level against the mesh configuration. Three modes:
- Strict -- Untrusted agents are blocked. Tool calls from agents not in
trusted_agentsare rejected. - Permissive -- Untrusted agents allowed but flagged with reduced trust level in the anchor.
- Monitor -- All agents allowed. Trust status recorded but no blocking. Useful during initial deployment.
Multi-Agent Chains
Each agent in a multi-agent system is assigned a unique agent_id. When Agent A delegates work to Agent B via MCP, both agents produce anchors. The chain is reconstructable from the anchor sequence with millisecond ordering.
11. Conformance
An MCP server claiming SWT3 compliance MUST satisfy:
Minimum Requirements (all levels)
- Expose
witness_inferenceandverify_anchortools using canonical names - Expose
swt3://registry/proceduresresource - Compute fingerprints using the SWT3 canonical formula
- Never transmit raw prompt or response text to the witness endpoint
Level 2 (Active) Additional
- Block tool execution if anchor minting fails
- Include
agent_idin all anchors when configured - Support HMAC-SHA256 payload signing when a
signing_keyis provided
Level 3 (Sovereign) Additional
- Implement clearing at Level 1 or higher as default
- Ensure clearing irreversibility per the SWT3 Clearing Protocol
- Support per-tool clearing level configuration
Interoperability: An anchor minted by any SWT3-compliant MCP server MUST be verifiable by any SWT3-compliant verifier, regardless of language, hosting provider, or MCP version.