The federation is not flat. MCPs are assigned to one of three concentric trust rings based on data sensitivity, required sovereignty level, and failure tolerance. A tool invocation can cascade across rings, but data flows inward only — Ring 2 cannot write to Ring 0.
Trust level: Maximum. These MCPs touch classified or operationally critical data. They run on UK-sovereign inference only (no external API calls). Ed25519 SIGILs are verified on every invocation. BFT council reviews all changes.
| # | MCP Server | Function | Inference |
|---|---|---|---|
| 1 | defoneos-sigil-mcp | SIGIL attestation chain — signs, verifies, and timestamps every custody event across the federation | UK-sovereign (local) |
| 2 | defoneos-bft-council-mcp | 33-agent BFT consensus — quorum voting, veto, emergency session, minutes | UK-sovereign (local) |
| 3 | defoneos-compliance-mcp | JSP 936 + EU AI Act Art-50 + OWASP LLM Top-10 automated compliance testing | UK-sovereign (local) |
| 4 | defoneos-red-team-mcp | 12-vector adversarial red-team harness — automated continuous + manual pre-deployment | UK-sovereign (local) |
| 5 | defoneos-seal-mcp | DEFONEOS-SEAL credential issuance — Ed25519-signed certification with BFT quorum proof | UK-sovereign (local) |
| 6 | defoneos-escrow-mcp | Sovereign data escrow — deposit, release (4-eyes), destruction receipts | UK-sovereign (local + HSM) |
| 7 | defoneos-audit-mcp | Append-only custody log — chains all SIGILs, BFT votes, and tool invocations | UK-sovereign (local) |
Trust level: High. These MCPs ingest defence-relevant data (OSINT, maritime, satellite, tactical). They may call external APIs but results are filtered through a SIGIL-verified proxy. AUKUS-compatible but not AUKUS-dependent.
| # | MCP Server | Function | Data Source |
|---|---|---|---|
| 8 | freetakserver-mcp | Tactical awareness (TAK) — C2 backbone, blue-force tracking | FreeTAKServer (self-hosted) |
| 9 | sentinel-hub-mcp | Satellite imagery — multi-spectral EO/IR, change detection | Sentinel Hub API |
| 10 | aisstream-maritime-mcp | Maritime AIS — vessel tracking, anomalous behaviour detection | AISStream.io |
| 11 | gdelt-news-mcp | Global OSINT — news events, conflict tracking, signal extraction | GDELT Project |
| 12 | rtsp-camera-mcp | IP camera feeds — RTSP stream ingestion, object detection (YOLOv8) | Self-hosted cameras |
| 13 | yolo-detection-mcp | Object detection — YOLOv8/v11 inference on images/video streams | Local (on-device) |
| 14 | openathena-mcp | Geospatial intelligence — coordinate triangulation from imagery | OpenAthena (self-hosted) |
| 15 | mava-swarm-mcp | Multi-agent swarm coordination — PX4/ArduPilot drone simulation | Mava (self-hosted) |
| 16 | cesium-globe-mcp | 3D Common Operating Picture — CesiumJS digital twin visualisation | Cesium ion (UK-cached) |
| 17 | mqtt-bridge-mcp | IoT sensor bridge — MQTT telemetry from field sensors | Self-hosted broker |
| 18 | openaq-air-mcp | Air quality monitoring — civil defence / CBRN detection baseline | OpenAQ API |
Trust level: Standard. These MCPs ingest public open-data. They provide context and enrichment but cannot write to Ring 0 or influence tactical decisions without BFT council review. Best-effort failover.
| # | MCP Server | Function | Data Source |
|---|---|---|---|
| 19 | os-opendata-mcp | Ordnance Survey — UK mapping, terrain, address data | OS Data Hub |
| 20 | data-gov-uk-mcp | Government open data — statistics, spending, service performance | data.gov.uk |
| 21 | companies-house-mcp | Company registry — due diligence, ownership, filings | Companies House API |
| 22 | ons-statistics-mcp | ONS economic/social data — demographics, employment, inflation | ONS API |
| 23 | met-office-mcp | UK weather — MET office data for tactical planning | Met Office DataPoint |
| 24 | nhs-data-mcp | NHS service data — hospital capacity, A&E wait times | NHS Digital |
| 25 | environment-agency-mcp | Flood, water quality, pollution monitoring | EA API |
| 26 | transport-api-mcp | UK transport — road, rail, bus real-time data | Transport API |
| 27 | planning-data-mcp | Planning applications, land use, green belt | Gov.uk Planning Data |
| 28 | parliament-mcp | Hansard, legislation tracking, MP voting records | UK Parliament API |
| 29 | ofcom-mcp | Telecoms coverage, spectrum, broadband data | Ofcom API |
| 30 | land-registry-mcp | Property ownership, price paid, boundaries | HM Land Registry |
┌──────────────────────────────────────────────┐
│ DEFONEOS MCP FEDERATION │
│ │
│ ┌────────────────────────────────────┐ │
│ │ RING 0 (Core) │ │
│ │ sigil · bft · compliance · seal │ │
│ │ redteam · escrow · audit │ │
│ │ [UK-sovereign inference only] │ │
│ └──────────┬─────────────────────────┘ │
│ │ SIGIL-verified proxy │
│ ┌──────────┴─────────────────────────┐ │
│ │ RING 1 (Defence) │ │
│ │ freetak · sentinel · ais · gdelt │ │
│ │ rtsp · yolo · athena · mava │ │
│ │ cesium · mqtt · openaq │ │
│ │ [AUKUS-compatible inference] │ │
│ └──────────┬─────────────────────────┘ │
│ │ Read-only enrichment │
│ ┌──────────┴─────────────────────────┐ │
│ │ RING 2 (Civil) │ │
│ │ os · govuk · companies · ons │ │
│ │ met · nhs · env · transport │ │
│ │ planning · parliament · ofcom │ │
│ │ landreg │ │
│ │ [Unconstrained inference] │ │
│ └────────────────────────────────────┘ │
└──────────────────────────────────────────────┘
Every tool invocation across the federation generates a SIGIL attestation. The flow is:
1. Agent requests tool call: "call sentinel-hub-mcp.get_image(bbox=[...], date=...)"
2. Federation router checks: Is sentinel-hub-mcp in an allowed ring for this agent?
3. SIGIL-mcp generates attestation:
{
"sigil": "C|defoneos|tool-call|2026-07-14T17:30:00|",
"caller": "agent:operational-cop",
"ring": 1,
"mcp": "sentinel-hub-mcp",
"tool": "get_image",
"args_hash": "blake3:a7f3...c2e9",
"timestamp": "RFC3161://tsa.csoai.org",
"ed25519_sig": "f3a7...c8d1"
}
4. Sentinel-hub-mcp verifies the SIGIL before executing the tool
5. Result returned with response_hash appended to the SIGIL chain
6. Audit-mcp records the complete event in the append-only custody log
When a new MCP server applies to join the federation, it must pass BFT council admission control:
| Stage | Action | BFT Role | SLA |
|---|---|---|---|
| 1 | MCP submitted with manifest (tools, data sources, security posture, ring assignment request) | Log | Immediate |
| 2 | Automated security scan (OWASP LLM Top-10, supply-chain check, dependency audit) | Automated | <30min |
| 3 | Red-team test (12-vector harness, minimum T2 clearance) | 1 General supervises | <4h |
| 4 | Ring assignment review (is the requested ring appropriate?) | 3 Generals review | <24h |
| 5 | BFT council vote | 23/33 quorum required | <48h |
| 6 | If approved: SIGIL key issued, MCP added to federation registry, first invocation logged | 1 General witnesses | Immediate |
| # | Requirement | Evidence |
|---|---|---|
| 1 | Tool manifest — Complete list of tools, args, return types, and side effects | JSON manifest with OpenAPI-compatible schema |
| 2 | Data source declaration — Every external API, database, or file system accessed | Source list with URLs, auth method, data classification |
| 3 | Security posture — Encryption, authn/authz, input validation, output sanitisation | Security checklist + automated scan results |
| 4 | Supply-chain audit — All dependencies listed and checked against known-CVE databases | Dependency tree + pip-audit / npm-audit output |
| 5 | Ring assignment justification — Why the MCP belongs in the requested ring | 1-page justification memo |
| 6 | Red-team clearance — Passes minimum T2 adversarial testing | Red-team report with 0 unresolved T3+ findings |
| 7 | Failover plan — What happens if this MCP goes down? Does the federation degrade gracefully? | Failover plan + tested in staging |
| 8 | Documentation — README, examples, integration guide | Markdown docs + working examples |
| 9 | Open-source licence — MIT, Apache 2.0, or sovereign-equivalent | LICENSE file + SPDX identifier |
| Ring | Inference Provider | External API Calls | Data Leaves UK? | Fallback |
|---|---|---|---|---|
| Ring 0 | UK-sovereign local inference (M4 MacBook mesh / on-prem rack) | NEVER | NEVER | Refuse request + log + BFT alert |
| Ring 1 | UK-sovereign primary; AUKUS-compatible API if explicitly authorised | Allowed to approved APIs (SIGIL-verified) | NEVER (UK-only data residency) | Degrade to Ring 0 inference |
| Ring 2 | Any inference provider (including commercial API) | Unrestricted (public data only) | Allowed (public data) | Best-effort retry |
The federation is designed to degrade gracefully. If Ring 2 MCPs fail, the COP loses civil context but retains tactical picture. If Ring 1 MCPs fail, the COP loses live sensor feeds but retains governance and audit (Ring 0). If Ring 0 fails, the federation halts — no tool calls execute until Ring 0 recovers, because no SIGILs can be issued.
| Failure Scenario | Ring 0 | Ring 1 | Ring 2 | Federation Behaviour |
|---|---|---|---|---|
| Single Ring 2 MCP fails | ✅ | ✅ | ⚠️ Degraded | Continue — missing enrichment data logged |
| Single Ring 1 MCP fails | ✅ | ⚠️ Degraded | ✅ | Continue — failover to warm-standby within 5s |
| Ring 0 SIGIL-mcp fails | ❌ HALT | ❌ Blocked | ❌ Blocked | Federation halts. All agents enter read-only mode. BFT emergency session triggered. |
| Ring 0 BFT-council-mcp fails | ⚠️ Read-only | ⚠️ Read-only | ✅ | No new admissions/revocations possible. Existing operations continue with cached SIGIL keys (24h window). |
| Network partition (UK ↔ external) | ✅ | ⚠️ Ring 1 external feeds lost | ❌ External APIs unreachable | Ring 0+1 internal operations continue. External feeds show stale data with timestamp warnings. |
New agents joining the DEFONEOS ecosystem discover the federation via a signed manifest:
GET /.well-known/defoneos-federation-manifest.json
{
"federation": "DEFONEOS",
"version": "1.0",
"rings": {
"ring0": {
"mcps": ["sigil", "bft-council", "compliance", "seal", "redteam", "escrow", "audit"],
"endpoint": "mcp://sovereign.csoai.org/ring0",
"auth": "ed25519-challenge",
"inference": "uk-sovereign-only"
},
"ring1": {
"mcps": ["freetakserver", "sentinel-hub", "aisstream", ...],
"endpoint": "mcp://sovereign.csoai.org/ring1",
"auth": "ed25519-challenge",
"inference": "aukus-compatible"
},
"ring2": {
"mcps": ["os-opendata", "data-gov-uk", "companies-house", ...],
"endpoint": "mcp://sovereign.csoai.org/ring2",
"auth": "ed25519-challenge",
"inference": "unrestricted"
}
},
"bft_council": {
"seats": 33,
"quorum": 25,
"minutes_url": "https://www.csoai.org/bft-minutes"
},
"sigil_chain_root": "blake3:0000...root",
"manifest_signature": "ed25519:csoai-federation...sig"
}