{"schema_version":"verify.compare.v1","generated_at":"2026-07-04T15:28:13.612637+00:00","count":1,"missing_servers":[],"results":[{"server_id":"skone/pqc-khepra-mcp","display_name":"PQC-Khepra-MCP","profile_url":"https://verify.sentinelsignal.io/servers/skone/pqc-khepra-mcp","compare_url":"https://verify.sentinelsignal.io/compare?server=skone%2Fpqc-khepra-mcp","trust_summary_url":"https://verify.sentinelsignal.io/v1/servers/skone/pqc-khepra-mcp/trust-summary","claimed":false,"verified_publisher":false,"claim_status":"unclaimed","badge_url":"https://verify.sentinelsignal.io/badge/skone/pqc-khepra-mcp.svg","report_url":"https://verify.sentinelsignal.io/v1/servers/skone/pqc-khepra-mcp/report","policy_url":"https://verify.sentinelsignal.io/v1/servers/skone/pqc-khepra-mcp/policy","evidence_url":"https://verify.sentinelsignal.io/api/v1/servers/skone/pqc-khepra-mcp/evidence","commerce_signal":null,"payment_capable":null,"delegation_level":null,"risk_flags":[],"strengths":["report_available","policy_available","badge_available"],"limitations":["unclaimed_profile","publisher_not_verified"],"last_seen":null,"last_scored":"2026-07-04T09:56:04.276880+00:00","recommended_agent_action":"allow_with_policy_review","observed_attention":{"schema":"verify.observed_attention.v1","window_days":30,"level":"none","label":"No observed attention","summary":"No recent machine-readable trust or discovery activity observed for this server.","segments":{"useful_ai_user":{"level":"none","observed":false,"description":"AI-assisted user sessions such as ChatGPT/User or Claude/User."},"machine_trust_evaluator":{"level":"none","observed":false,"description":"Synthetic sessions inspecting multiple trust surfaces such as report, policy, ledger, badge, trust-summary, or compare."},"possible_agent_or_script":{"level":"none","observed":false,"description":"Structured direct sessions with rapid profile, compare, report, policy, badge, or trust-surface fan-out."},"isolated_machine_surface":{"level":"none","observed":false,"description":"Aged-out direct synthetic singleton sessions that touched a machine-readable trust surface without becoming a broader evaluator."},"ai_crawler":{"level":"none","observed":false,"description":"Known AI crawler activity such as ClaudeBot, GPTBot, or similar crawlers."},"search_crawler":{"level":"none","observed":false,"description":"Search and SEO crawler activity."},"browser_like_automation":{"level":"none","observed":false,"description":"Browser-like synthetic sessions with rapid structured endpoint activity."},"confirmed_human":{"level":"none","observed":false,"description":"Confirmed browser-session human activity."}},"surfaces_observed":{"server_profile":false,"compare":false,"compare_json":false,"compare_api":false,"report_json":false,"policy":false,"ledger":false,"badge_metadata":false,"badge_svg":false,"trust_summary":false,"mcp_tool":false},"claim_prompt":{"recommended":false,"reason":"No claim prompt is recommended from observed attention in the current window."},"notes":["Observed attention is based on segmented first-party telemetry.","Crawler and evaluator activity is not treated as confirmed human demand.","Public levels are bucketed to avoid exposing raw traffic counts."]},"owner_activation":{"claim_recommended":false,"reason":"no_observed_attention"}}],"servers":[{"namespace":"skone","name":"pqc-khepra-mcp","title":"PQC-Khepra-MCP","description":"KHEPRA MCP Server\nMCP Registry License Container PQC\n\nSovereign compliance engine with 36,195 STIG/CCI/NIST/CMMC mappings.\n\nAir-gappable. Zero token costs. Run ert_scan → get a Godfather Report with dollar-denominated business impact.\nThe only MCP compliance server that runs on your metal — with the World's First DoD PQC STIG built in.\n\nPQC-01-STIG-V1R1 — Full Whitepaper →\n17 controls covering CNSA 2.0, FIPS 203/204/205, and the NSA's May 2026 MCP security advisory.\nThe world's first DoD-style Post-Quantum Cryptography STIG, including the first PQC controls for agentic AI and MCP deployments.\n\nTiers\nTier\tLicense Key\tTools\tTelemetry\tEgress\nCommunity\t❌ Not required\tpqc_stig + 12 core tools\tOpt-in Dark Crypto Intel\tZero (sovereign mode)\nSovereign\t✅ Required\tAll 34 tools\tZero\tZero\nPharaoh\t✅ Required\tAll 34 tools + priority support\tZero\tZero\nCommunity tier is free. Run pqc_stig to assess your project's quantum readiness against\nPQC-01-STIG-V1R1 — the World's First DoD-style Post-Quantum Cryptography STIG — no license key needed.\n\nWhat It Does\nKHEPRA MCP connects your AI assistant directly to a hardened compliance engine. Ask Claude or any MCP client to scan a system, map findings to STIG/NIST/CMMC controls, and generate an executive-ready risk report — all without sending data to external APIs.\n\nKey capabilities:\n\n36,195 STIG/CCI/NIST 800-53/800-171/CMMC mappings (offline, bundled)\nPost-quantum cryptographic attestation on every tool call (ML-DSA-65 / FIPS 204)\nWorld's First DoD PQC STIG — 17 controls covering CNSA 2.0 / FIPS 203/204/205 + agentic AI / MCP (PQC-01-STIG-V1R1)\nGodfather Report: dollar-denominated business impact per finding (FAIR model)\nAir-gap and SCIF compatible — sovereign/ironbank modes make zero egress calls\nFlat annual licensing — no per-token or per-query charges\nRuns on your metal: on-prem, DoD, IC, classified environments\nInstallation\nThere are two delivery methods: Docker (recommended, no build required) and compiled binary (fastest startup, required for air-gap). Both support the same environment variables and all MCP clients.\n\nChoose your path:\n\nMethod\tBest For\tStartup\nDocker\tMost users, easiest setup\t~2s\nCompiled Binary\tAir-gap, SCIF, performance\t~300ms\nOption A: Docker (Recommended)\nRequires Docker Desktop or Docker Engine. The image is pre-built and ships the full compliance database — no additional downloads in sovereign mode.\n\n# Pull once\ndocker pull ghcr.io/nouchix/pqc-khepra-mcp:latest\n\n# Test it (should print the initialize response and exit)\necho '{\"jsonrpc\":\"2.0\",\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2025-11-25\",\"capabilities\":{},\"clientInfo\":{\"name\":\"test\",\"version\":\"1.0\"}},\"id\":0}' \\\n  | docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest\nOption B: Compiled Binary\nRequires Go 1.21+ for building, or download a pre-built release from GitHub Releases.\n\ngit clone https://github.com/nouchix/PQC-Khepra-MCP.git\ncd PQC-Khepra-MCP\n\n# Build (cross-compile for your OS)\ngo build -o khepra-mcp ./cmd/khepra-mcp        # Linux / macOS\ngo build -o khepra-mcp.exe ./cmd/khepra-mcp    # Windows\n\n# Test the binary\necho '{\"jsonrpc\":\"2.0\",\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2025-11-25\",\"capabilities\":{},\"clientInfo\":{\"name\":\"test\",\"version\":\"1.0\"}},\"id\":0}' \\\n  | KHEPRA_MODE=sovereign ./khepra-mcp\nWindows — using the batch launcher\nThe repo ships a run-mcp.bat launcher for Windows. It uses the pre-built binary (fast path) and falls back to go run automatically:\n\n:: run-mcp.bat is already in the repo at the root of PQC-Khepra-MCP\n:: Point your MCP client to: cmd /c C:\\path\\to\\PQC-Khepra-MCP\\run-mcp.bat\nAdding to Your AI Client\nClaude Desktop\nConfig file location:\n\nmacOS: ~/Library/Application Support/Claude/claude_desktop_config.json\nWindows: %APPDATA%\\Claude\\claude_desktop_config.json\nLinux: ~/.config/Claude/claude_desktop_config.json\nCommunity tier — Docker (macOS / Linux)\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"/var/lib/khepra:/var/lib/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nCommunity tier — Docker (Windows)\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"C:\\\\Users\\\\YourName\\\\.khepra:/var/lib/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nCommunity tier — Binary (Windows, fastest startup)\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"C:\\\\path\\\\to\\\\PQC-Khepra-MCP\\\\khepra-mcp.exe\",\n      \"args\": [],\n      \"env\": {\n        \"KHEPRA_MODE\": \"sovereign\",\n        \"KHEPRA_NETWORK_POLICY\": \"lan\",\n        \"MCP_PQC_ENABLED\": \"true\",\n        \"KHEPRA_MANIFEST_PATH\": \"C:\\\\path\\\\to\\\\PQC-Khepra-MCP\\\\manifest.json\"\n      }\n    }\n  }\n}\nCommunity tier — Binary via batch launcher (Windows)\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"cmd\",\n      \"args\": [\"/c\", \"C:\\\\path\\\\to\\\\PQC-Khepra-MCP\\\\run-mcp.bat\"],\n      \"env\": {\n        \"KHEPRA_MODE\": \"sovereign\",\n        \"KHEPRA_NETWORK_POLICY\": \"lan\",\n        \"MCP_PQC_ENABLED\": \"true\"\n      }\n    }\n  }\n}\nSovereign / Pharaoh tier (with license key)\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_LICENSE_KEY\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"/var/lib/khepra:/var/lib/khepra\",\n        \"-v\", \"/var/log/khepra:/var/log/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ],\n      \"env\": {\n        \"KHEPRA_LICENSE_KEY\": \"YOUR_LICENSE_KEY_HERE\"\n      }\n    }\n  }\n}\nAfter editing, restart Claude Desktop. Verify in Settings → Developer — you should see khepra with status running and all tools listed.\n\nCursor\nConfig file: .cursor/mcp.json in your project root, or ~/.cursor/mcp.json globally.\n\nDocker (macOS / Linux)\n{\n  \"servers\": {\n    \"khepra\": {\n      \"type\": \"stdio\",\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"/var/lib/khepra:/var/lib/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nBinary (macOS / Linux)\n{\n  \"servers\": {\n    \"khepra\": {\n      \"type\": \"stdio\",\n      \"command\": \"/path/to/khepra-mcp\",\n      \"args\": [],\n      \"env\": {\n        \"KHEPRA_MODE\": \"sovereign\",\n        \"KHEPRA_MANIFEST_PATH\": \"/path/to/PQC-Khepra-MCP/manifest.json\"\n      }\n    }\n  }\n}\nBinary (Windows)\n{\n  \"servers\": {\n    \"khepra\": {\n      \"type\": \"stdio\",\n      \"command\": \"C:\\\\path\\\\to\\\\PQC-Khepra-MCP\\\\khepra-mcp.exe\",\n      \"args\": [],\n      \"env\": {\n        \"KHEPRA_MODE\": \"sovereign\",\n        \"KHEPRA_MANIFEST_PATH\": \"C:\\\\path\\\\to\\\\PQC-Khepra-MCP\\\\manifest.json\"\n      }\n    }\n  }\n}\nVS Code (with GitHub Copilot or Cline extension)\nConfig file: .vscode/mcp.json in your project, or user settings.\n\n{\n  \"servers\": {\n    \"khepra\": {\n      \"type\": \"stdio\",\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"${env:HOME}/.khepra:/var/lib/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nOr via user settings.json for the Cline extension:\n\n{\n  \"cline.mcpServers\": {\n    \"khepra\": {\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nWindsurf\nConfig file: ~/.codeium/windsurf/mcp_config.json\n\n{\n  \"mcpServers\": {\n    \"khepra\": {\n      \"command\": \"docker\",\n      \"args\": [\n        \"run\", \"--rm\", \"-i\",\n        \"-e\", \"KHEPRA_MODE=sovereign\",\n        \"-v\", \"/var/lib/khepra:/var/lib/khepra\",\n        \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n      ]\n    }\n  }\n}\nContinue.dev\nConfig file: ~/.continue/config.json — add to the experimental.modelContextProtocolServers array:\n\n{\n  \"experimental\": {\n    \"modelContextProtocolServers\": [\n      {\n        \"name\": \"khepra\",\n        \"transport\": {\n          \"type\": \"stdio\",\n          \"command\": \"docker\",\n          \"args\": [\n            \"run\", \"--rm\", \"-i\",\n            \"-e\", \"KHEPRA_MODE=sovereign\",\n            \"ghcr.io/nouchix/pqc-khepra-mcp:latest\"\n          ]\n        }\n      }\n    ]\n  }\n}\nCloud / SaaS AI Tools (Claude.ai, ChatGPT, Gemini, etc.)\nCloud-based AI tools cannot directly spawn local subprocesses — they need an HTTP/SSE bridge to reach your local KHEPRA server. There are two approaches:\n\nApproach 1 — mcp-remote proxy (easiest, no server required)\nmcp-remote tunnels a local stdio MCP server over HTTPS, making it accessible to any cloud tool. This is what the Kaggle MCP entry in the config above uses.\n\n# Install once\nnpm install -g mcp-remote\n\n# Start the bridge (exposes your local KHEPRA server at https://localhost:3000)\nKHEPRA_MODE=sovereign mcp-remote \\\n  --server \"docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest\" \\\n  --port 3000\nThen in Claude.ai (or any cloud tool that accepts MCP SSE URLs):\n\nMCP Server URL: http://localhost:3000/sse\nSecurity note: mcp-remote binds to localhost by default. Do not expose it to the public internet without TLS and authentication. In sovereign/ironbank mode, KHEPRA itself makes zero egress calls — only the bridge connection to the cloud tool carries data.\n\nApproach 2 — Self-hosted HTTP/SSE endpoint\nFor teams running KHEPRA on a shared server (e.g., Hostinger VPS at IP_ADDRESS), start the server in HTTP mode:\n\n# On your server — start KHEPRA in HTTP/SSE mode\ndocker run -d \\\n  -e KHEPRA_MODE=hybrid \\\n  -e KHEPRA_HTTP_PORT=8443 \\\n  -e KHEPRA_LICENSE_KEY=\"${KHEPRA_LICENSE_KEY}\" \\\n  -p 8443:8443 \\\n  ghcr.io/nouchix/pqc-khepra-mcp:latest\n\n# Point your cloud tool to:\n# https://your-server.com:8443/sse\nThen configure any cloud AI tool that supports MCP SSE:\n\nCloud Tool\tWhere to add MCP URL\nClaude.ai (Pro/Team)\tSettings → Integrations → MCP Servers\nOpenAI Assistants\tAPI tools field with type: \"mcp\"\nGemini for Workspace\tExtensions → Custom MCP (preview)\nGlama.ai\tWorkspace → MCP Servers\nSmithery.ai\tCatalog → Self-hosted server\nNote: HTTP/SSE mode (hybrid/edge) enables external connections. Always terminate TLS at a reverse proxy (nginx/Caddy) and restrict access by IP or API key. The sovereign mode refuses HTTP connections by design — air-gap integrity is preserved.\n\nApproach 3 — Smithery / MCP Registry (Community tier only)\nKHEPRA is listed on Smithery.ai and the MCP Registry. Cloud tools that support registry-based discovery can install it directly:\n\nRegistry ID: io.github.nouchix/pqc-khepra-mcp\nThis runs the Community tier via Smithery's managed infrastructure. For sovereign deployment (air-gap, your data stays on your metal), use Options A or B above.\n\nValidation — Test Your Installation\nRun this from your terminal to verify the server responds correctly:\n\n# Docker\necho '{\"jsonrpc\":\"2.0\",\"method\":\"tools/list\",\"params\":{},\"id\":1}' \\\n  | docker run --rm -i -e KHEPRA_MODE=sovereign ghcr.io/nouchix/pqc-khepra-mcp:latest\n\n# Binary (Linux / macOS)\necho '{\"jsonrpc\":\"2.0\",\"method\":\"tools/list\",\"params\":{},\"id\":1}' \\\n  | KHEPRA_MODE=sovereign ./khepra-mcp\n\n# Binary (Windows PowerShell)\n'{\"jsonrpc\":\"2.0\",\"method\":\"tools/list\",\"params\":{},\"id\":1}' \\\n  | & \".\\khepra-mcp.exe\"\nExpected output: a JSON-RPC response listing all available tools. If you see \"tools\": [...] with 12+ entries — you're connected.\n\nFull protocol validation (Windows)\n# Runs the complete Claude Desktop handshake sequence and validates all responses\n.\\scripts\\test-mcp-handshake.ps1 -BinaryPath \".\\khepra-mcp.exe\"\n\n# Expected output:\n# [PASS] initialize | protocolVersion=2025-11-25 | listChanged=False\n# [PASS] tools/list | count=34\n# TRL-10 READY - Server passes full Claude Desktop protocol validation\nMCP Tools\nCommunity Tier (Free — No License Key)\npqc_stig — World's First DoD PQC STIG ⭐\nAssesses a source code directory against PQC-01-STIG-V1R1: 12 controls covering CNSA 2.0 algorithm approval, ML-DSA-65 key strength, ML-KEM-768 encapsulation, hybrid cryptography, key storage, constant-time implementation, and certificate chain requirements.\n\npqc_stig(scan_path?: string, profile?: \"quick\" | \"full\" | \"executive\")\nExample: \"Run pqc_stig on my project and tell me if I'm CNSA 2.0 compliant\"\n\nnist_map\nMap CCI identifiers or STIG findings to NIST 800-53 Rev 5 controls.\n\nkhepra_query_stig\nQuery the 36,195-row STIG/CCI/NIST/CMMC compliance database by control ID.\n\ndark_crypto_contribute (opt-in)\nContribute anonymized cryptographic algorithm telemetry to the SouHimBou AI Dark Crypto Intelligence Network. No PII. Opt-in only — never fires without explicit invocation.\n\nSovereign / Pharaoh Tier\nert_scan\nEnterprise Risk & Threat scan across STIG, NIST 800-53, NIST 800-171, CMMC, and FedRAMP. Returns Godfather Report with dollar-denominated business impact.\n\nert_scan(target: string, frameworks?: string[], output_format?: \"godfather\" | \"json\" | \"csv\")\nExample: \"Run ert_scan on /etc and generate a Godfather Report\"\n\nstig_check\nAutomated RHEL-09-STIG-V1R3 compliance scan against a live system or configuration path.\n\ncmmc_assess\nFull CMMC Level 1, 2, or 3 assessment with gap analysis and POA&M generation.\n\ngodfather_report\nGenerate an executive Godfather Report from prior scan results: top 10 findings ranked by dollar exposure, remediation ROI, and FAIR model business impact.\n\n+ 20 additional tools\nagent_record, dag_attestation, flight_export, khepra_get_dag_chain, nhi_inventory, acp_status, owasp_agent_assess, khepra_export_attestation, khepra_export_poam, khepra_get_compliance_score, ert_crypto, ert_readiness, stig_benchmark, ir_analysis, vuln_hunter, sbom_generate, threat_model, khepra_query_threat_intel, discover_assets, and more.\n\nThe Godfather Report\nUnlike compliance scanners that output a wall of CVEs, KHEPRA translates findings into the language executives care about:\n\nFinding: RHEL-09-212030 — No FIPS-validated crypto on /etc/ssh\nSeverity: CAT I (HIGH)\nBusiness Impact: $2.4M estimated breach exposure (FAIR model)\nRemediation Cost: $800 (4 hours engineer time)\nROI: 3,000x\nEvery finding includes control ID, framework mapping, business impact in dollars, remediation cost estimate, and ROI.\n\nDeployment Modes\nMode\tAir-Gap\tEgress\tTelemetry\tUse Case\nsovereign\t✅ Yes\tZero\tZero\tOn-prem, SCIF, classified (DEFAULT)\nironbank\t✅ Yes\tZero\tZero\tDoD/IC production, FIPS-only\nhybrid\t❌ No\tLAN\tZero\tEdge + cloud coordination\nedge\t❌ No\tUnrestricted\tZero\tFully stateless SaaS\nSet via KHEPRA_MODE environment variable. Unknown values are rejected at startup and fall back to sovereign (fail-closed).\n\nEnvironment Variables\nVariable\tRequired\tDefault\tDescription\nKHEPRA_LICENSE_KEY\tSovereign/Pharaoh only\t—\tLicense key. Community tier runs without one. Get at nouchix.com\nKHEPRA_MODE\tNo\tsovereign\tDeployment mode: sovereign, ironbank, hybrid, edge\nKHEPRA_MANIFEST_PATH\tNo\tmanifest.json\tPath to signed tool manifest file\nKHEPRA_HOME\tNo\t/var/lib/khepra\tData and compliance DB directory\nKHEPRA_LOG_DIR\tNo\t/var/log/khepra\tLog directory\nKHEPRA_DAG_PATH\tNo\t~/.khepra/dag\tDAG audit chain storage path\nKHEPRA_AUDIT_LOG_PATH\tNo\t~/.khepra/audit.ndjson\tSigned audit log path\nKHEPRA_MAX_CONCURRENT\tNo\t5\tMax concurrent tool calls per agent\nKHEPRA_NETWORK_POLICY\tNo\tlan\tNetwork scope: lan, none, unrestricted\nMCP_PQC_ENABLED\tNo\ttrue\tEnable ML-DSA-65 PQC attestation on all responses\nAir-Gap & SCIF Deployment\nKHEPRA makes zero external network calls in sovereign and ironbank modes:\n\nLicense validated offline via ML-DSA-65 signed license.adinkhepra file\nCompliance databases (36,195 mappings) bundled in container — no external downloads\nNo telemetry, no heartbeat, no egress — verified at the transport layer\n# Transfer image to air-gapped network\ndocker save ghcr.io/nouchix/pqc-khepra-mcp:latest | gzip > khepra-mcp.tar.gz\n\n# On air-gapped host:\ndocker load < khepra-mcp.tar.gz\nNote on telemetry: The dark_crypto_contribute tool (Community tier) sends anonymized cryptographic algorithm telemetry to the SouHimBou AI intelligence network only when explicitly invoked by the user. It is never triggered automatically. In sovereign/ironbank mode, all network calls are blocked at the transport layer regardless.\n\nCompliance Coverage\nFramework\tVersion\tMappings\nSTIG (RHEL 9)\tV1R3\tAutomated scanning\nNIST 800-53\tRev 5\t2,120 CCIs\nNIST 800-171\tRev 2\t320 controls\nCMMC\tLevel 3\tFull practice set\nFedRAMP\tHigh\tBaseline scanning\nPQC-01-STIG-V1R1\tV1R1\t17 PQC controls (CNSA 2.0)\nTotal\t\t36,195+ mappings\nLicensing\nFlat annual licensing — no per-token or per-query charges.\n\nTier\tCost\tLicense Key\tTools\nCommunity\tFree\tNot required\tpqc_stig + 12 core tools\nSovereign\tAnnual flat fee\tRequired\tAll 34 tools, air-gap, on-prem\nPharaoh\tAnnual flat fee\tRequired\tAll 34 tools + priority support + SLA\nCommunity tier is permanently free — contribute to open-source PQC adoption\nSovereign/Pharaoh: contact contact@nouchix.com or visit nouchix.com\nSecurity\nReporting Vulnerabilities\nDo not open public issues for security vulnerabilities.\n\nReport privately via GitHub Security Advisories or email support@nouchix.com.\n\nSLA\tTarget\nAcknowledgement\t24 hours\nInitial assessment\t5 business days\nPatch / mitigation (Critical)\t30 days\nWe accept encrypted reports via PGP (keys/security_contact.asc) and Post-Quantum channels (Dilithium / ML-DSA-65 keys in keys/). See SECURITY.md for the full disclosure policy and ASAF event taxonomy.\n\nSecurity Posture\nDeploying advanced post-quantum cryptography, air-gapped isolation, and comprehensive STIG mappings — built in direct alignment with NSA & ASD Model Context Protocol guidelines.\n\nNSA & ASD MCP Security Alignment\nThe NSA and Australian Signals Directorate (ASD) have published specific threat vectors for AI systems interacting with local environments. KHEPRA MCP is explicitly designed to mitigate every identified vector:\n\nNSA/ASD Requirement\tKHEPRA Implementation\nCryptographic validation of tool responses\tML-DSA-65 (Dilithium) signatures on all JSON-RPC 2.0 payloads\nInput validation & sanitization\tParameter injection resistance via strict JSON Schema validation\nPrinciple of least privilege credentials\tShort-lived ephemeral tokens tied to specific task execution windows\nComprehensive audit logging\tTamper-evident events compiled into an immutable DAG structure\nResource consumption limits\tRate limiting + backpressure for LLM request loops\nAuthorization gates for sensitive actions\tHuman-in-the-loop gate for destructive state changes\nEnvironment isolation\tContainerized execution with zero-egress sovereign mode\nSoftware supply chain integrity\tManifest pinning for all loaded tools and dependencies\nNetwork exposure reduction\tAir-gappable — zero internet transit in sovereign/ironbank modes\nPost-quantum resilience\tPQC-signed DAG trail protecting against harvest-now-decrypt-later\nCompliance Certifications\nFramework\tStatus\tCoverage\nCMMC Level 2\t✅\tAutomates evidence collection for AU, CM, SI, SC domains\nNIST SP 800-171 Rev 2\t✅\tLogging, accountability, system integrity\nNIST SP 800-53 Rev 5\t✅\tContinuous monitoring (AU-2, SI-4)\nFIPS 203 (ML-KEM)\t✅\tKey encapsulation for secure transit\nFIPS 204 (ML-DSA)\t✅\tDigital signatures for payload authentication\nNSM-10 PQC Mandate\t✅\tNational Security Memorandum 10 compliance\nDFARS 252.204-7012\t✅\tImmutable forensic trails for cyber incident reporting\nNSA MCP Security Guidelines\t✅\tDirect mapping to all published AI agent threat mitigations\nLive Deployment — Physical Edge\nRunning continuously on constrained edge hardware since May 12, 2026 to prove efficiency in sovereign environments:\n\nHardware: Raspberry Pi 2 · 1 GB RAM · 900 MHz ARM · Live Spectrum Router\nSCADA Pod: STM32U585 / QRB2210 · Modbus TCP · MQTT · Zephyr RTOS 3.4+ · Live Dilithium Signature Verification\nControls active: 3 open ports secured · 12 STIG violations detected · 100% file integrity monitoring (AIDE) · 24/7 continuous operation\nAcademic Validation\nEvent\tDate\tInstitution\nUAlbany AI Plus Symposium 2026 — \"KHEPRA Protocol: Quantum-Resilient Agentic AI Security Using Cultural Cryptography\"\tMarch 7, 2026\tNSA CAE-CDE Institution · 200+ audience\nSUNY Albany Cybersecurity Showcase — First PQC key ceremony on STM32-class device (SCADA Pod)\tMay 12–13, 2026\tLive demo · SCADA architecture poster\nUSPTO Provisional Patent #73565085 — pending.\n🔒 Iron Bank containers in DISA vetting process.\n\nAbout NouchiX\nVeteran-led advisory firm translating CMMC, NIST, and STIG mandates into executive roadmaps.\n\nSales / General: contact@nouchix.com\nSupport: support@nouchix.com\nWebsite: https://nouchix.com\nPhone: (518) 304-4450\nDeveloped by SecRed Knowledge Inc. dba NouchiX, Albany, NY.","homepage_url":"https://github.com/nouchix/PQC-Khepra-MCP","docs_url":null,"icon_url":"https://api.smithery.ai/servers/skone/pqc-khepra-mcp/icon","support_url":null,"remote_url":null,"server_card_url":null,"latest_version":null,"current_status":"failing","current_score":40.67,"transport_type":null,"has_oauth":false,"has_dcr":false,"has_prompts":false,"tool_count":0,"current_validation_schema_version":"16d1d270090d6c8f","last_validated_at":"2026-07-04T09:56:04.276880+00:00","registry_source":"smithery_registry","registry_identifier":"smithery_registry:1f1bac77-a29a-4e9a-b074-3ef201a6a2a5","canonical_identifier":null,"current_score_components":{"auth_operability_score":0.0,"error_contract_score":0.0,"rate_limit_semantics_score":2.0,"schema_completeness_score":0.0,"backward_compatibility_score":2.0,"slo_health_score":2.0,"security_hygiene_score":1.5,"task_success_score":1.67,"trust_confidence_score":0.1,"abuse_noise_ratio_score":3.0,"prompt_contract_score":2.0,"resource_contract_score":2.0,"discovery_metadata_score":3.0,"registry_consistency_score":3.0,"installability_score":2.0,"session_semantics_score":0.0,"tool_surface_design_score":0.0,"result_shape_stability_score":0.0,"oauth_interop_score":0.0,"recovery_semantics_score":0.0,"maintenance_signal_score":1.45,"adoption_signal_score":2.0,"freshness_confidence_score":0.5,"transport_fidelity_score":0.0,"spec_recency_score":2.0,"session_resume_score":0.0,"step_up_auth_score":3.0,"transport_compliance_score":1.0,"utility_coverage_score":2.0,"advanced_capability_coverage_score":2.0,"connector_publishability_score":0.0,"tool_snapshot_churn_score":0.0,"connector_replay_score":3.0,"request_association_score":3.0,"interactive_flow_safety_score":3.0,"action_safety_score":3.0,"official_registry_presence_score":3.0,"provenance_divergence_score":4.0,"safety_transparency_score":4.0,"tool_capability_clarity_score":0.0,"destructive_operation_safety_score":3.0,"egress_ssrf_resilience_score":3.0,"execution_sandbox_safety_score":4.0,"data_exfiltration_resilience_score":3.0,"least_privilege_scope_score":2.0,"secret_handling_hygiene_score":3.0,"dependency_supply_chain_signal_score":0.5,"input_sanitization_safety_score":0.0,"tool_namespace_clarity_score":0.0},"capability_taxonomy":[],"machine_summary":{},"taxonomy_tags":[],"score_decomposition":[],"validation_diff":null,"tool_snapshot_diff":null,"connector_replay":{},"request_association":{},"production_readiness":{"code":"evaluation_only","label":"Evaluation only","reason":"Compact compare evidence is served while Verify protects web capacity."},"recommended_for":[],"history_summary":{},"validation_timeline":[],"evidence_confidence":{"score":50,"label":"warming","reason":"Deep compare evidence is deferred to the regular cache refresh path."},"incident_feed":[],"remediations":[],"client_remediation_modes":[],"client_profiles":[],"client_readiness_verdicts":[],"publishability_policy_profiles":[],"compatibility_fixtures":[],"install_snippets":{},"aliases":[],"raw_evidence":{},"active_alerts":[],"maintainer_analytics":{},"public_server_reputation":{},"maintainer_response_quality":{},"maintainer_annotations":[],"maintainer_rebuttals":[],"security_posture_summary":{},"tool_security_inventory":[],"transport_compliance":{},"utility_coverage":{},"write_action_governance":{},"provenance_divergence":{},"alias_consolidation":{},"alert_routing":{},"authenticated_validation":{},"hosted_runtime":{},"action_controls_diff":null,"benchmark_tasks":[],"latest_capability_counts":{},"point_loss_breakdown":[],"verdict_traces":{},"current_snapshot":{"schema_version":"verify.trust_snapshot.v1","snapshot_id":"trustsnap_c8700372aa4023d7","generated_at":"2026-07-04T15:28:13.608684+00:00","source":"current_snapshot","server":"skone/pqc-khepra-mcp","last_validated_at":"2026-07-04T09:56:04.276880+00:00","validation_age_hours":5.54,"freshness":{"schema_version":"verify.freshness_profile.v1","last_validated_at":"2026-07-04T09:56:04.276880+00:00","age_hours":5.54,"bucket":"verified_last_24h","label":"Verified in last 24h","badges":["verified_last_24h"],"freshness_sla_hours":168.0,"freshness_sla_status":"met","stale_score_suppressed":false,"display_score":40.67,"raw_score":40.67,"confidence_score":50.0,"confidence_weighted_score":20.3,"tier_status":[{"tier":"community","label":"Community","freshness_sla_hours":720,"met":true,"priority_revalidation":false},{"tier":"pro","label":"Pro","freshness_sla_hours":168,"met":true,"priority_revalidation":true},{"tier":"enterprise","label":"Enterprise","freshness_sla_hours":24,"met":true,"priority_revalidation":true}]},"current_status":"failing","current_score":40.67,"display_score":40.67,"stale_score_suppressed":false,"production_trust_decision":{"schema_version":"verify.executive_verdict.v1","decision":"Block for production","why":"failing live status + score below evaluation threshold","next_action":"revalidate, add safeguards, export policy","reason_count":2},"production_readiness_class":{"code":null,"label":null,"reason":null},"evidence_confidence":{"score":null,"label":null,"validation_age_hours":null,"live_check_count":null},"active_alerts":[]},"trust_snapshot":{"schema_version":"verify.trust_snapshot.v1","snapshot_id":"trustsnap_c8700372aa4023d7","generated_at":"2026-07-04T15:28:13.608684+00:00","source":"current_snapshot","server":"skone/pqc-khepra-mcp","last_validated_at":"2026-07-04T09:56:04.276880+00:00","validation_age_hours":5.54,"freshness":{"schema_version":"verify.freshness_profile.v1","last_validated_at":"2026-07-04T09:56:04.276880+00:00","age_hours":5.54,"bucket":"verified_last_24h","label":"Verified in last 24h","badges":["verified_last_24h"],"freshness_sla_hours":168.0,"freshness_sla_status":"met","stale_score_suppressed":false,"display_score":40.67,"raw_score":40.67,"confidence_score":50.0,"confidence_weighted_score":20.3,"tier_status":[{"tier":"community","label":"Community","freshness_sla_hours":720,"met":true,"priority_revalidation":false},{"tier":"pro","label":"Pro","freshness_sla_hours":168,"met":true,"priority_revalidation":true},{"tier":"enterprise","label":"Enterprise","freshness_sla_hours":24,"met":true,"priority_revalidation":true}]},"current_status":"failing","current_score":40.67,"display_score":40.67,"stale_score_suppressed":false,"production_trust_decision":{"schema_version":"verify.executive_verdict.v1","decision":"Block for production","why":"failing live status + score below evaluation threshold","next_action":"revalidate, add safeguards, export policy","reason_count":2},"production_readiness_class":{"code":null,"label":null,"reason":null},"evidence_confidence":{"score":null,"label":null,"validation_age_hours":null,"live_check_count":null},"active_alerts":[]},"agent_commerce":{},"latest_claim":null,"maintainer_profile_slug":null,"watch_summary":{},"observed_attention":{"schema":"verify.observed_attention.v1","window_days":30,"level":"none","label":"No observed attention","summary":"No recent machine-readable trust or discovery activity observed for this server.","segments":{"useful_ai_user":{"level":"none","observed":false,"description":"AI-assisted user sessions such as ChatGPT/User or Claude/User."},"machine_trust_evaluator":{"level":"none","observed":false,"description":"Synthetic sessions inspecting multiple trust surfaces such as report, policy, ledger, badge, trust-summary, or compare."},"possible_agent_or_script":{"level":"none","observed":false,"description":"Structured direct sessions with rapid profile, compare, report, policy, badge, or trust-surface fan-out."},"isolated_machine_surface":{"level":"none","observed":false,"description":"Aged-out direct synthetic singleton sessions that touched a machine-readable trust surface without becoming a broader evaluator."},"ai_crawler":{"level":"none","observed":false,"description":"Known AI crawler activity such as ClaudeBot, GPTBot, or similar crawlers."},"search_crawler":{"level":"none","observed":false,"description":"Search and SEO crawler activity."},"browser_like_automation":{"level":"none","observed":false,"description":"Browser-like synthetic sessions with rapid structured endpoint activity."},"confirmed_human":{"level":"none","observed":false,"description":"Confirmed browser-session human activity."}},"surfaces_observed":{"server_profile":false,"compare":false,"compare_json":false,"compare_api":false,"report_json":false,"policy":false,"ledger":false,"badge_metadata":false,"badge_svg":false,"trust_summary":false,"mcp_tool":false},"claim_prompt":{"recommended":false,"reason":"No claim prompt is recommended from observed attention in the current window."},"notes":["Observed attention is based on segmented first-party telemetry.","Crawler and evaluator activity is not treated as confirmed human demand.","Public levels are bucketed to avoid exposing raw traffic counts."]},"owner_activation":{"claim_recommended":false,"reason":"no_observed_attention"}}],"rows":[{"label":"Snapshot ID","values":["trustsnap_c8700372aa4023d7"]},{"label":"Status","values":["failing"]},{"label":"Score","values":[40.67]},{"label":"Production readiness class","values":["Evaluation only"]},{"label":"Production trust decision","values":["Block for production"]},{"label":"Observed Attention","values":["No observed attention"]},{"label":"Evidence confidence","values":[50]},{"label":"Freshness","values":["n/a"]},{"label":"Latency","values":["n/a"]},{"label":"Spec recency","values":[2.0]},{"label":"Session resume","values":[0.0]},{"label":"Step-up auth","values":[3.0]},{"label":"Transport compliance","values":[1.0]},{"label":"Utility coverage","values":[2.0]},{"label":"Publishability","values":[0.0]},{"label":"Connector replay","values":[3.0]},{"label":"Request association","values":[3.0]},{"label":"Action safety","values":[3.0]},{"label":"Registry presence","values":[3.0]},{"label":"Provenance divergence","values":[4.0]},{"label":"Client compatibility: ChatGPT","values":["unknown"]},{"label":"Client compatibility: Claude","values":["unknown"]},{"label":"Write-action publishing","values":["unknown"]},{"label":"Snapshot churn risk","values":["unknown"]},{"label":"Transport","values":[null]},{"label":"Auth","values":["Unauthenticated / none"]},{"label":"Tools","values":[0]},{"label":"Prompts","values":[0]},{"label":"Resources","values":[0]},{"label":"OAuth","values":[false]},{"label":"DCR","values":[false]},{"label":"Taxonomy","values":[""]},{"label":"Recommended for","values":["none"]},{"label":"Top alerts","values":["none"]}],"cache_note":"Compact compare fallback response; deep compare evidence is deferred to protect web capacity."}