Multi-layer verification of every MCP server, dependency, and data source within the DEFONEOS estate. Software Bill of Materials (SBOM) tracking, Ed25519 signature verification, transitive dependency auditing, and real-time red-line detection.
The MCP Supply-Chain Integrity Scan (SCIS) is a continuous auditing system that ensures the trustworthiness of all Model Context Protocol (MCP) servers and their dependencies within the DEFONEOS sovereign substrate. It is designed to detect tampering, vulnerabilities, and non-compliance with red-line policies.
Each MCP server and its build environment generates a comprehensive Software Bill of Materials (SBOM) in SPDX format. These SBOMs are signed with Ed25519 keys and stored in the SIGIL ledger.
| Layer | Description | Verification Method |
|---|---|---|
| L1: OS / Kernel | Underlying operating system and kernel integrity | Kernel measurements (IMA/EVM), signed boot |
| L2: Base Image | Docker/VM base image integrity | Container image signing (cosign), digest verification |
| L3: System Dependencies | Installed system libraries (e.g., glibc, openssl) | Package manager integrity checks, SBOM comparison |
| L4: Python Environment | Python interpreter, virtual environment, pip packages | pip check, poetry export --hashes, PyPI signed packages |
| L5: MCP Codebase | The specific code for the MCP server itself | Git commit signing, Ed25519 source code attestations |
| L6: Model Artifacts | AI models, weights, tokenizers used by the MCP | Hugging Face Hub model signing, cryptographic hashes (SHA-256) |
| L7: Data Sources | External data feeds, APIs, datasets consumed by MCP | Source attestation (origin/integrity), mTLS to trusted endpoints |
Every SBOM, code commit, and model artifact within the supply chain is signed with an Ed25519 key. The SCIS continuously verifies these signatures against a trusted root of attestations stored in the BFT council's ledger.
The SCIS monitors MCP servers in real-time for deviations from their attested SBOMs. Any detected change, unauthorized process, or anomalous network activity triggers an alert and initiates a BFT emergency session.
All incoming data, outgoing inferences, and internal processing are scanned for red-line policy violations (e.g., kinetic targeting patterns, personal surveillance, specific banned keywords). Immediate quarantine and alert on detection.
Integrates with UK-specific threat intelligence feeds (e.g., NCSC advisories) to proactively identify vulnerable components and zero-day exploits impacting the supply chain.
On integrity compromise, the affected MCP server is immediately quarantined, isolated from the network, and its attestations are revoked. Traffic is rerouted to a trusted, clean instance.
Remediation actions (e.g., re-deployment, software updates, rollback) require a BFT council vote. This prevents unilateral changes and ensures consensus on recovery strategies.
Detailed forensic logs are generated and stored in the SIGIL ledger for post-incident analysis and compliance reporting. These logs are immutable and cryptographically verifiable.
| Standard | Section | How SCIS Meets It |
|---|---|---|
| NCSC CAF | B4 (Secure by Design) | Multi-layer integrity verification, SBOMs, signed artifacts |
| ISO 27001 | A.12 (Supply Chain Security) | Continuous monitoring, vendor assessment, incident response |
| UK GDPR | Article 32 | Ensures integrity of systems processing personal data |
| DPA 2018 | Schedule 1 Part 4 | Protects against unauthorized modifications of processing systems |
| EU AI Act | Article 15 (Transparency) | Full audit trail of AI system components and data sources |
| NIST CSF | ID.SC (Supply Chain Risk Management) | Identifies, assesses, and manages supply chain risks |
| Metric | Value |
|---|---|
| MCPs actively monitored | 30 |
| Daily integrity scans | 150+ |
| SBOMs generated / verified | 90 (every build) |
| Red-line violations detected | 0 (all blocked pre-deployment) |
| Compromise events | 0 |
| Verification latency (p99) | 35ms |
| SIGIL receipts (SCIS events) | 4,128 |