MCPSERV.CLUB
co-browser

Attestable MCP Server


Secure, remotely attestable MCP server using SGX and RA‑TLS

17 stars
Updated Sep 13, 2025

About

An MCP server that runs inside an Intel SGX enclave and provides remote attestation to clients via RA‑TLS, ensuring the server code is trusted and verifiable. It supports optional client attestation as well.

Capabilities

  • Resources: access data sources
  • Tools: execute functions
  • Prompts: pre-built templates
  • Sampling: AI model interactions

Attestable MCP Server in Action

The Attestable MCP Server tackles a core trust issue in modern AI workflows: ensuring that an assistant’s backend is running the exact, verified code it claims to be. By embedding attestation from a trusted execution environment (TEE) into the TLS handshake, the server lets any MCP client verify its provenance and integrity before exchanging sensitive prompts or data. This kind of remote attestation matters whenever AI assistants handle confidential information, must satisfy regulatory requirements, or need to demonstrate compliance to third‑party auditors.

At its heart, the server uses Intel SGX to generate a quote that captures the enclave’s measurement and cryptographic identity. The quote is embedded in an X.509 certificate extension under the TCG DICE “tagged evidence” OID, and that certificate is presented during the TLS handshake. The client can then verify that the hash of the enclave’s public key, the SGX report fields, and the entire Intel certificate chain match what is expected from the code built on GitHub Actions. Because the same attestation values can be reproduced locally, either in an emulated or a secure hardware environment, the server provides a transparent, reproducible audit trail that developers can inspect independently.
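As an added illustration of the client-side checks described above (this is not the project's own code), the following Python policy check takes the SGX quote extracted from the RA‑TLS certificate and verifies that it binds the certificate's public key and matches the expected build. It assumes the Intel SGX DCAP quote v3 field layout and the usual RA‑TLS binding rule (report_data carries the SHA‑256 of the certificate's public key); the POLICY measurements and PUBKEY_DER are placeholders, and the quote signature and Intel certificate chain are assumed to have been verified already by a DCAP quote-verification library.

```python
import hashlib

# Field offsets in an Intel SGX DCAP quote v3: a 48-byte header followed by the
# 384-byte enclave report body. Assumption: this is the quote format the server
# embeds in its RA-TLS certificate extension.
HDR = 48
OFF_MRENCLAVE, OFF_MRSIGNER = HDR + 64, HDR + 128
OFF_ISV_PROD_ID, OFF_ISV_SVN, OFF_REPORT_DATA = HDR + 256, HDR + 258, HDR + 320
QUOTE_MIN_LEN = HDR + 384


def check_quote(quote: bytes, pubkey_der: bytes, policy: dict) -> list:
    """Return policy failures (empty list means accept).
    Assumes the quote signature and Intel PCK certificate chain were already
    verified by a DCAP quote-verification library; this is the binding/policy step."""
    if len(quote) < QUOTE_MIN_LEN:
        return ["quote shorter than header + report body"]
    failures = []
    # RA-TLS binding: report_data = SHA-256(certificate public key DER) || 32 zero
    # bytes, so a valid quote cannot be reused under a different TLS key.
    expected_rd = hashlib.sha256(pubkey_der).digest() + bytes(32)
    if quote[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] != expected_rd:
        failures.append("report_data does not bind the TLS public key")
    if quote[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] != policy["mrenclave"]:
        failures.append("MRENCLAVE differs from the reproduced build measurement")
    if quote[OFF_MRSIGNER:OFF_MRSIGNER + 32] != policy["mrsigner"]:
        failures.append("MRSIGNER mismatch")
    if int.from_bytes(quote[OFF_ISV_PROD_ID:OFF_ISV_PROD_ID + 2], "little") != policy["isv_prod_id"]:
        failures.append("ISV_PROD_ID mismatch")
    if int.from_bytes(quote[OFF_ISV_SVN:OFF_ISV_SVN + 2], "little") < policy["min_isv_svn"]:
        failures.append("ISV_SVN below the policy minimum")
    return failures


def make_quote(mrenclave: bytes, mrsigner: bytes, prod_id: int, svn: int, report_data: bytes) -> bytes:
    """Constructed, unsigned sample quote (zeroed header) for exercising check_quote."""
    q = bytearray(QUOTE_MIN_LEN)
    q[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    q[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    q[OFF_ISV_PROD_ID:OFF_ISV_PROD_ID + 2] = prod_id.to_bytes(2, "little")
    q[OFF_ISV_SVN:OFF_ISV_SVN + 2] = svn.to_bytes(2, "little")
    q[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = report_data
    return bytes(q)


# Placeholder policy values; the real ones come from the reproducible CI build.
POLICY = {"mrenclave": b"\x11" * 32, "mrsigner": b"\x22" * 32, "isv_prod_id": 1, "min_isv_svn": 3}
PUBKEY_DER = b"constructed SubjectPublicKeyInfo bytes"  # stands in for the cert's public key
GOOD_RD = hashlib.sha256(PUBKEY_DER).digest() + bytes(32)
```

A client that downgrades on any non-empty failure list (for example, by refusing the TLS connection) rejects quotes that were produced by a different enclave build, re-used under another key, or taken from an enclave with an outdated security version.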

Key capabilities of the Attestable MCP Server include:

  • Remote attestation for clients: Clients can request and validate the server’s enclave identity before any data exchange, ensuring they are interacting with a trusted instance.
  • Optional client attestation: The server can also verify the integrity of connected clients, enabling bidirectional trust.
  • GitHub‑CI driven signing: A self‑hosted GitHub Actions runner builds the Docker image inside an SGX enclave, signs it with a reproducible key, and pushes the signed artifact to GitHub Packages. This pipeline guarantees that the deployed server matches the source code history.
  • Support for JWK attestation: Future plans include validating JSON Web Key claims, broadening the server’s compatibility with modern authentication flows.

Real‑world scenarios that benefit from this solution include regulated industries (finance, healthcare) where AI assistants must process protected health information or trade secrets; enterprises that enforce zero‑trust policies for internal tooling; and research labs that need to prove the integrity of their experimental AI models before sharing results. Because the server integrates with existing MCP clients, developers can add a robust layer of security without redesigning their application logic.

In summary, the Attestable MCP Server provides a cryptographically sound, reproducible mechanism for AI assistants to prove their code integrity. It bridges the gap between secure enclaves and high‑level AI protocols, enabling developers to build trustworthy, auditable AI systems that meet the stringent demands of modern data governance.