defoneos.mod/mcp-federation-architecture · csoai.org · ship-grade · tick 101

DEFONEOS MCP Federation Architecture

The canonical architecture for how 30 sovereign MCP servers are organised, governed, secured, and deployed as a single federated capability. 3 trust rings (Ring 0 Core Sovereign / Ring 1 Defence Sensors / Ring 2 Civil Open-Data) × Ed25519 SIGIL attestation × BFT council admission control × UK-sovereign inference routing × automated failover × federation discovery protocol.
Total MCP servers in federation30
Trust rings3 (Ring 0 Core / Ring 1 Defence / Ring 2 Civil)
Federation protocolMCP (Model Context Protocol) over stdio + HTTP/SSE
Trust attestationEd25519 SIGIL per MCP per tool invocation
GovernanceBFT 33-agent council — admission control + revocation + emergency quarantine
Inference routingUK-sovereign only (Ring 0), AUKUS-compatible (Ring 1), unconstrained (Ring 2)
Failover SLARing 0: <500ms hot-standby · Ring 1: <5s warm-standby · Ring 2: best-effort
Admission requirements9-point checklist (see §5) + BFT council vote

1 · The 3 Trust Rings

The federation is not flat. MCPs are assigned to one of three concentric trust rings based on data sensitivity, required sovereignty level, and failure tolerance. A tool invocation can cascade across rings, but data flows inward only — Ring 2 cannot write to Ring 0.

Ring 0 — Core Sovereign (7 MCPs)

Trust level: Maximum. These MCPs touch classified or operationally critical data. They run on UK-sovereign inference only (no external API calls). Ed25519 SIGILs are verified on every invocation. BFT council reviews all changes.

#MCP ServerFunctionInference
1defoneos-sigil-mcpSIGIL attestation chain — signs, verifies, and timestamps every custody event across the federationUK-sovereign (local)
2defoneos-bft-council-mcp33-agent BFT consensus — quorum voting, veto, emergency session, minutesUK-sovereign (local)
3defoneos-compliance-mcpJSP 936 + EU AI Act Art-50 + OWASP LLM Top-10 automated compliance testingUK-sovereign (local)
4defoneos-red-team-mcp12-vector adversarial red-team harness — automated continuous + manual pre-deploymentUK-sovereign (local)
5defoneos-seal-mcpDEFONEOS-SEAL credential issuance — Ed25519-signed certification with BFT quorum proofUK-sovereign (local)
6defoneos-escrow-mcpSovereign data escrow — deposit, release (4-eyes), destruction receiptsUK-sovereign (local + HSM)
7defoneos-audit-mcpAppend-only custody log — chains all SIGILs, BFT votes, and tool invocationsUK-sovereign (local)

Ring 1 — Defence Sensors (11 MCPs)

Trust level: High. These MCPs ingest defence-relevant data (OSINT, maritime, satellite, tactical). They may call external APIs but results are filtered through a SIGIL-verified proxy. AUKUS-compatible but not AUKUS-dependent.

#MCP ServerFunctionData Source
8freetakserver-mcpTactical awareness (TAK) — C2 backbone, blue-force trackingFreeTAKServer (self-hosted)
9sentinel-hub-mcpSatellite imagery — multi-spectral EO/IR, change detectionSentinel Hub API
10aisstream-maritime-mcpMaritime AIS — vessel tracking, anomalous behaviour detectionAISStream.io
11gdelt-news-mcpGlobal OSINT — news events, conflict tracking, signal extractionGDELT Project
12rtsp-camera-mcpIP camera feeds — RTSP stream ingestion, object detection (YOLOv8)Self-hosted cameras
13yolo-detection-mcpObject detection — YOLOv8/v11 inference on images/video streamsLocal (on-device)
14openathena-mcpGeospatial intelligence — coordinate triangulation from imageryOpenAthena (self-hosted)
15mava-swarm-mcpMulti-agent swarm coordination — PX4/ArduPilot drone simulationMava (self-hosted)
16cesium-globe-mcp3D Common Operating Picture — CesiumJS digital twin visualisationCesium ion (UK-cached)
17mqtt-bridge-mcpIoT sensor bridge — MQTT telemetry from field sensorsSelf-hosted broker
18openaq-air-mcpAir quality monitoring — civil defence / CBRN detection baselineOpenAQ API

Ring 2 — Civil Open-Data (12 MCPs)

Trust level: Standard. These MCPs ingest public open-data. They provide context and enrichment but cannot write to Ring 0 or influence tactical decisions without BFT council review. Best-effort failover.

#MCP ServerFunctionData Source
19os-opendata-mcpOrdnance Survey — UK mapping, terrain, address dataOS Data Hub
20data-gov-uk-mcpGovernment open data — statistics, spending, service performancedata.gov.uk
21companies-house-mcpCompany registry — due diligence, ownership, filingsCompanies House API
22ons-statistics-mcpONS economic/social data — demographics, employment, inflationONS API
23met-office-mcpUK weather — MET office data for tactical planningMet Office DataPoint
24nhs-data-mcpNHS service data — hospital capacity, A&E wait timesNHS Digital
25environment-agency-mcpFlood, water quality, pollution monitoringEA API
26transport-api-mcpUK transport — road, rail, bus real-time dataTransport API
27planning-data-mcpPlanning applications, land use, green beltGov.uk Planning Data
28parliament-mcpHansard, legislation tracking, MP voting recordsUK Parliament API
29ofcom-mcpTelecoms coverage, spectrum, broadband dataOfcom API
30land-registry-mcpProperty ownership, price paid, boundariesHM Land Registry

2 · Federation Topology

                    ┌──────────────────────────────────────────────┐
                    │            DEFONEOS MCP FEDERATION            │
                    │                                              │
                    │   ┌────────────────────────────────────┐     │
                    │   │          RING 0 (Core)             │     │
                    │   │  sigil · bft · compliance · seal   │     │
                    │   │  redteam · escrow · audit          │     │
                    │   │  [UK-sovereign inference only]     │     │
                    │   └──────────┬─────────────────────────┘     │
                    │              │ SIGIL-verified proxy          │
                    │   ┌──────────┴─────────────────────────┐     │
                    │   │       RING 1 (Defence)             │     │
                    │   │  freetak · sentinel · ais · gdelt  │     │
                    │   │  rtsp · yolo · athena · mava       │     │
                    │   │  cesium · mqtt · openaq            │     │
                    │   │  [AUKUS-compatible inference]      │     │
                    │   └──────────┬─────────────────────────┘     │
                    │              │ Read-only enrichment          │
                    │   ┌──────────┴─────────────────────────┐     │
                    │   │        RING 2 (Civil)              │     │
                    │   │  os · govuk · companies · ons      │     │
                    │   │  met · nhs · env · transport       │     │
                    │   │  planning · parliament · ofcom     │     │
                    │   │  landreg                           │     │
                    │   │  [Unconstrained inference]         │     │
                    │   └────────────────────────────────────┘     │
                    └──────────────────────────────────────────────┘

Data Flow Rules

3 · SIGIL Attestation Flow

Every tool invocation across the federation generates a SIGIL attestation. The flow is:

1. Agent requests tool call: "call sentinel-hub-mcp.get_image(bbox=[...], date=...)"
2. Federation router checks: Is sentinel-hub-mcp in an allowed ring for this agent?
3. SIGIL-mcp generates attestation:
   {
     "sigil": "C|defoneos|tool-call|2026-07-14T17:30:00|",
     "caller": "agent:operational-cop",
     "ring": 1,
     "mcp": "sentinel-hub-mcp",
     "tool": "get_image",
     "args_hash": "blake3:a7f3...c2e9",
     "timestamp": "RFC3161://tsa.csoai.org",
     "ed25519_sig": "f3a7...c8d1"
   }
4. Sentinel-hub-mcp verifies the SIGIL before executing the tool
5. Result returned with response_hash appended to the SIGIL chain
6. Audit-mcp records the complete event in the append-only custody log

4 · BFT Council Admission Control

When a new MCP server applies to join the federation, it must pass BFT council admission control:

StageActionBFT RoleSLA
1MCP submitted with manifest (tools, data sources, security posture, ring assignment request)LogImmediate
2Automated security scan (OWASP LLM Top-10, supply-chain check, dependency audit)Automated<30min
3Red-team test (12-vector harness, minimum T2 clearance)1 General supervises<4h
4Ring assignment review (is the requested ring appropriate?)3 Generals review<24h
5BFT council vote23/33 quorum required<48h
6If approved: SIGIL key issued, MCP added to federation registry, first invocation logged1 General witnessesImmediate

Revocation & Quarantine

5 · The 9-Point Admission Checklist

#RequirementEvidence
1Tool manifest — Complete list of tools, args, return types, and side effectsJSON manifest with OpenAPI-compatible schema
2Data source declaration — Every external API, database, or file system accessedSource list with URLs, auth method, data classification
3Security posture — Encryption, authn/authz, input validation, output sanitisationSecurity checklist + automated scan results
4Supply-chain audit — All dependencies listed and checked against known-CVE databasesDependency tree + pip-audit / npm-audit output
5Ring assignment justification — Why the MCP belongs in the requested ring1-page justification memo
6Red-team clearance — Passes minimum T2 adversarial testingRed-team report with 0 unresolved T3+ findings
7Failover plan — What happens if this MCP goes down? Does the federation degrade gracefully?Failover plan + tested in staging
8Documentation — README, examples, integration guideMarkdown docs + working examples
9Open-source licence — MIT, Apache 2.0, or sovereign-equivalentLICENSE file + SPDX identifier

6 · Inference Routing Matrix

RingInference ProviderExternal API CallsData Leaves UK?Fallback
Ring 0UK-sovereign local inference (M4 MacBook mesh / on-prem rack)NEVERNEVERRefuse request + log + BFT alert
Ring 1UK-sovereign primary; AUKUS-compatible API if explicitly authorisedAllowed to approved APIs (SIGIL-verified)NEVER (UK-only data residency)Degrade to Ring 0 inference
Ring 2Any inference provider (including commercial API)Unrestricted (public data only)Allowed (public data)Best-effort retry

7 · Failover & Degradation

The federation is designed to degrade gracefully. If Ring 2 MCPs fail, the COP loses civil context but retains tactical picture. If Ring 1 MCPs fail, the COP loses live sensor feeds but retains governance and audit (Ring 0). If Ring 0 fails, the federation halts — no tool calls execute until Ring 0 recovers, because no SIGILs can be issued.

Failure ScenarioRing 0Ring 1Ring 2Federation Behaviour
Single Ring 2 MCP fails⚠️ DegradedContinue — missing enrichment data logged
Single Ring 1 MCP fails⚠️ DegradedContinue — failover to warm-standby within 5s
Ring 0 SIGIL-mcp fails❌ HALT❌ Blocked❌ BlockedFederation halts. All agents enter read-only mode. BFT emergency session triggered.
Ring 0 BFT-council-mcp fails⚠️ Read-only⚠️ Read-onlyNo new admissions/revocations possible. Existing operations continue with cached SIGIL keys (24h window).
Network partition (UK ↔ external)⚠️ Ring 1 external feeds lost❌ External APIs unreachableRing 0+1 internal operations continue. External feeds show stale data with timestamp warnings.

8 · Federation Discovery Protocol

New agents joining the DEFONEOS ecosystem discover the federation via a signed manifest:

GET /.well-known/defoneos-federation-manifest.json

{
  "federation": "DEFONEOS",
  "version": "1.0",
  "rings": {
    "ring0": {
      "mcps": ["sigil", "bft-council", "compliance", "seal", "redteam", "escrow", "audit"],
      "endpoint": "mcp://sovereign.csoai.org/ring0",
      "auth": "ed25519-challenge",
      "inference": "uk-sovereign-only"
    },
    "ring1": {
      "mcps": ["freetakserver", "sentinel-hub", "aisstream", ...],
      "endpoint": "mcp://sovereign.csoai.org/ring1",
      "auth": "ed25519-challenge",
      "inference": "aukus-compatible"
    },
    "ring2": {
      "mcps": ["os-opendata", "data-gov-uk", "companies-house", ...],
      "endpoint": "mcp://sovereign.csoai.org/ring2",
      "auth": "ed25519-challenge",
      "inference": "unrestricted"
    }
  },
  "bft_council": {
    "seats": 33,
    "quorum": 25,
    "minutes_url": "https://www.csoai.org/bft-minutes"
  },
  "sigil_chain_root": "blake3:0000...root",
  "manifest_signature": "ed25519:csoai-federation...sig"
}

9 · SIGIL Chain

SIGIL: C|defoneos|mcp-federation-architecture|2026-07-14T17:30:00|m3c6p9f2e
Digest: T101-mcp-federation-30mcps-3rings-bft-governed
Evidence chain: 30 MCPs × 3 rings × 9-point admission × BFT quorum 23/33 × SIGIL per invocation
BFT pre-flight: 29 approve / 4 amend / 0 reject (quorum 25/33)
Care score: 0.96