@atestia/tier4-mcp-server

v0.2.0

Published

Reference MCP server for the Tier-4 v1.2 open specification. The universal evidence layer for regulated AI. Captures vendor model attestation (SR 26-2 + OCC 2013-29), risk data lineage (BCBS 239 + CCAR + HMDA), fair-lending explainability (ECOA Reg B adve

Downloads

80

Readme

Tier-4 MCP Server

The universal evidence layer for regulated AI.

npm version · License: MPL-2.0 · Spec: v1.2 · Tests: 74 passing · Node: >=20 · MCP: 2024-11-05 · OpenLineage compatible

Specification · Working Group Charter · Index Methodology · Conformance Registry


What is this?

@atestia/tier4-mcp-server is an Anthropic Model Context Protocol (MCP) server that captures regulator-grade evidence of every vendor model invocation, every risk data lineage event, and every agent reasoning chain — at runtime, in production, from any AI agent.

It implements the open Tier-4 v1.2 specification (CC-BY-4.0) governed by the Tier-4 Compliance Working Group, a Delaware 501(c)(6) industry association.

Banks today. Capital markets, insurance, healthcare next.

npm install @atestia/tier4-mcp-server

Why it exists

Every Tier-1 US bank now invokes external vendor LLMs in production: JPMorgan LLM Suite (~250K seats), Goldman GS AI Assistant (46.5K seats), Wells Fargo + Google Agentspace (215K seats), Citi Arc, Bank of America CashPro AI, Morgan Stanley AI at MS, Capital One agent systems, US Bank.

When the next examination cycle begins, examiners will ask: "Show me the vendor model invocation log for this decision, six months ago."

Banks today have no answer. Their agent platforms record nothing of that granularity.

Tier-4 fills the gap.

| Regulation | What it requires | What Tier-4 captures |
|---|---|---|
| BCBS 239 (Basel, binding) | Risk data aggregation lineage | tier4.lineage.bcbs239 |
| ECOA Reg B (statute, binding) | Explainability of credit denials | tier4.lineage.regb + tier4.reasoning.capture + tier4.packet.regb-notice |
| SR 26-2 (Fed supervisory) | Vendor model governance | tier4.credit.evaluate + tier4.packet.sr-26-2 |
| OCC 2013-29 (long-standing) | Vendor questionnaire | tier4.packet.occ-2013-29 |
| EU AI Act Annex III (Aug 2026) | High-risk AI transparency | tier4.reasoning.capture |
| NAIC AI Bulletin (insurance) | AI underwriting explainability | (Q1 2027) |
| FDA AI/ML SaMD (healthcare) | Medical AI conformity | (Q2 2027) |


60-second quickstart

# 1. Install
npm install -g @atestia/tier4-mcp-server

# 2. Configure your AI agent (Claude Desktop / Cursor / Bedrock AgentCore / LangChain)
# Claude Desktop config:
cat ~/.config/claude_desktop/claude_desktop_config.json
{
  "mcpServers": {
    "tier4": {
      "command": "tier4-mcp-server",
      "env": {
        "TIER4_TENANT_ID": "your-bank-mrm-tenant"
      }
    }
  }
}

Your agent now has 10 tools available for capturing regulatory evidence at runtime. Every vendor model invocation is persisted to a Tier-4-conformant lineage trail. Every credit decision can be made into a Reg B Adverse Action Notice on demand. Every BCBS 239 reporting flow has a captured lineage event.


Architecture

flowchart TB
    Agent[AI Agent / Bedrock / Claude Desktop / LangChain]
    Agent -->|MCP stdio| Server[Tier-4 MCP Server]

    Server --> Lineage[Lineage Store<br/>SQLite WAL]
    Server --> Reasoning[Reasoning Capture]
    Server --> Packets[Packet Generators]

    Packets --> OCC[OCC 2013-29]
    Packets --> SR[SR 26-2]
    Packets --> BCBS[BCBS 239]
    Packets --> RegB[ECOA Reg B Notice]

    Lineage --> OLAdapter[OpenLineage Adapter]
    OLAdapter --> Marquez[Marquez]
    OLAdapter --> Snowflake[Snowflake]
    OLAdapter --> Databricks[Databricks Unity]

    style Server fill:#7c3aed,color:#fff
    style Lineage fill:#0891b2,color:#fff
    style Reasoning fill:#0891b2,color:#fff
    style Packets fill:#0891b2,color:#fff

See ARCHITECTURE.md for the full system architecture, threat model, storage model, and pluggable interfaces.


The 10 MCP tools

Lineage capture

  • tier4.credit.evaluate — Record a vendor-model invocation for a credit decision
  • tier4.lineage.bcbs239 — Capture a BCBS 239 risk data lineage event
  • tier4.lineage.regb — Capture an ECOA Reg B adverse action lineage event
  • tier4.lineage.fetch — Fetch the full lineage trail by lineage_id

Reasoning capture

  • tier4.reasoning.capture — Capture an agent reasoning chain (the THINKING flow)

Packet generators

  • tier4.packet.occ-2013-29 — OCC 2013-29 vendor questionnaire (47 fields, 7 sections)
  • tier4.packet.sr-26-2 — SR 26-2 vendor attestation pack (5 artifacts)
  • tier4.packet.bcbs-239 — BCBS 239 risk-data aggregation reference
  • tier4.packet.regb-notice — ECOA Reg B Adverse Action Notice (customer-facing + 25-month compliance record)

Ecosystem bridge

  • tier4.openlineage.export — Export a Tier-4 lineage record as an OpenLineage RunEvent

Example: capture a reasoning chain

{
  "agentId": "citi-credit-agent-002",
  "invocationId": "inv-reason-001",
  "agentDirective": "Evaluate SMB credit application #APP-12345",
  "steps": [
    {"stepType": "observation", "description": "Reviewed business profile", "timestamp": "2026-06-01T10:00:00Z"},
    {"stepType": "tool_call", "description": "Called Experian", "toolName": "experian.credit_check", "vendorModelId": "experian-v3.2", "timestamp": "2026-06-01T10:00:01Z"},
    {"stepType": "tool_result", "description": "Score 580", "outputs": {"score": 580}, "timestamp": "2026-06-01T10:00:02Z"},
    {"stepType": "decision", "description": "Below threshold; recommend denial", "timestamp": "2026-06-01T10:00:03Z"}
  ],
  "finalDecision": "Recommend denial",
  "confidence": 0.85,
  "humanInLoop": true,
  "humanReviewer": "loan-officer-123",
  "humanReviewOutcome": "approved",
  "startedAt": "2026-06-01T10:00:00Z",
  "completedAt": "2026-06-01T10:00:03Z"
}

The returned reasoning record can be linked to a lineage record, attached to a Reg B Adverse Action Notice, exported to OpenLineage, or retrieved for examiner review years later.
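
An added example, not part of the project's README or code: a client-side pre-flight check for the reasoning-chain payload above, followed by the JSON-RPC 2.0 tools/call request an MCP client would send for it. The function names and the validation rules (ordered timestamps, tool_call steps naming their tool and vendor model, a named reviewer when humanInLoop is true) are assumptions inferred from the sample, not requirements quoted from the Tier-4 specification.

```javascript
// Added example (not project code): pre-flight checks for a reasoning-chain payload.
// The rules are assumptions inferred from the README sample, not the Tier-4 spec.
const ts = (s) => Date.parse(s); // NaN when the timestamp cannot be parsed

function checkReasoningChain(p) {
  const problems = [];
  for (const k of ["agentId", "invocationId", "steps", "startedAt", "completedAt"]) {
    if (p[k] === undefined) problems.push(`missing ${k}`);
  }
  const start = ts(p.startedAt), end = ts(p.completedAt);
  if (Number.isNaN(start) || Number.isNaN(end) || start > end) {
    problems.push("startedAt/completedAt invalid or reversed");
  }
  let prev = start;
  (p.steps || []).forEach((s, i) => {
    // Assumed rule: a tool call must say which tool and which vendor model ran.
    if (s.stepType === "tool_call" && !(s.toolName && s.vendorModelId)) {
      problems.push(`step ${i}: tool_call without toolName/vendorModelId`);
    }
    const t = ts(s.timestamp);
    if (Number.isNaN(t)) { problems.push(`step ${i}: bad timestamp`); return; }
    if (t < prev) problems.push(`step ${i}: timestamp goes backwards`);
    if (t > end) problems.push(`step ${i}: after completedAt`);
    prev = t;
  });
  if (typeof p.confidence === "number" && (p.confidence < 0 || p.confidence > 1)) {
    problems.push("confidence outside [0,1]");
  }
  if (p.humanInLoop && !p.humanReviewer) problems.push("humanInLoop without humanReviewer");
  return problems;
}

// Wrap a checked payload in the JSON-RPC 2.0 request MCP uses for tool calls.
function toToolsCall(id, payload) {
  const problems = checkReasoningChain(payload);
  if (problems.length) throw new Error("refusing to send: " + problems.join("; "));
  return { jsonrpc: "2.0", id, method: "tools/call",
           params: { name: "tier4.reasoning.capture", arguments: payload } };
}

// Constructed sample, trimmed from the README's example payload.
const sample = {
  agentId: "citi-credit-agent-002", invocationId: "inv-reason-001",
  steps: [
    { stepType: "tool_call", toolName: "experian.credit_check",
      vendorModelId: "experian-v3.2", timestamp: "2026-06-01T10:00:01Z" },
    { stepType: "decision", timestamp: "2026-06-01T10:00:03Z" },
  ],
  confidence: 0.85, humanInLoop: true, humanReviewer: "loan-officer-123",
  startedAt: "2026-06-01T10:00:00Z", completedAt: "2026-06-01T10:00:03Z",
};
```

Serialized with JSON.stringify and a trailing newline, the object returned by toToolsCall is one message on the server's stdio transport.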


Examples

Working integration examples in examples/:


Testing

npm test

Runs all three test suites: 22 + 18 + 34 = 74 assertions, 0 failures.

The test suites verify:

  • Persistence: Real SQLite write/read/close/reopen survival
  • Wire protocol: MCP initialize handshake, tools/list, tools/call round-trips
  • Schema conformance: All 10 tools return Tier-4 v1.2-conformant JSON
  • Packet generation: OCC 2013-29, SR 26-2, BCBS 239, Reg B Adverse Action produce valid packet structures
  • OpenLineage adapter: Tier-4 → OpenLineage event format round-trip
  • Reasoning capture: Multi-step chains with human-in-loop tracking and lineage linking

Conformance

This implementation declares conformance with Tier-4 v1.2 at the Implementer level per the Conformance Test Suite (CTS).

To claim higher conformance levels (Conformant, Certified), submit your implementation results to the Tier-4 Conformant Implementations Registry.


Specification

Read the full Tier-4 v1.2 specification: docs/SPEC.md or tier4.org/spec/v1.2.

Spec is licensed under CC-BY-4.0; this reference implementation is licensed under MPL-2.0.


Working Group

The Tier-4 Compliance Working Group is a Delaware 501(c)(6) industry association that develops, maintains, and promotes the Tier-4 specification. Atestia is the founding sponsor; Atestia holds a permanent non-voting Steering Committee seat.

Membership tiers:

  • Class I — Charter Member (founding 10): $25K/yr (waived first 12mo) — Steering Committee seat, 3× spec vote, named in spec preamble
  • Class II — General Member: $25K/yr — 1× spec vote, 30-day embargo preview
  • Class III — Implementer Member: $0 — registry listing

Apply at tier4.org/charter.


Commercial enterprise tier

For production banking deployments with examiner-defensible 7-year retention, customer-held KMS keys, MRM analyst UI, indemnification, and 24-7 support, see atestia.ai/platform.

For self-serve developer / vendor / audit-firm / insurance-carrier subscriptions, see atestia.ai/pro.


Contributing

We welcome contributions. See CONTRIBUTING.md.

The fastest path to becoming a Tier-4 Implementer Member of the Working Group is to ship a Conformant implementation and submit it to the registry.


Security

Found a vulnerability? See SECURITY.md for responsible disclosure.


License

  • Code: MPL-2.0
  • Specification: CC-BY-4.0
  • Trademarks: "Tier-4" and "Tier-4-Conformant" are trademarks of Atestia Inc., licensed to the Tier-4 Compliance Working Group.


Built by Atestia and the Tier-4 Compliance Working Group.
