@forge-os/aegis-mcp-registry

MCP Dispatch Registry — govern your agent tool surface with autonomy-aware security and policy enforcement. Real-time tenant isolation via Supabase JWT claims.

3-line integration

import { ToolRegistry, MCPSecurityValidator } from '@forge-os/aegis-mcp-registry';
const registry = new ToolRegistry();
registry.registerProvider(githubProvider);  // 15+ tools auto-classified green/yellow/red

Real endpoints

• Signer EF: https://iqsemiksnpckjxbacoqd.supabase.co/functions/v1/aegis-signer
• Auth: x-forge-key header (configured in Supabase Edge Function Secrets)
• Tenant isolation: JWT tenant_id claim → extractTenantIdFromJWT()

Architecture

ToolRegistry         ← in-memory registry, generic dispatch (11-tool pattern)
MCPSecurityValidator ← prompt injection scanner, allowlist, Policy Card enforcement
ToolMetadata         ← autonomy-enriched metadata (bucket, data_class, reversibility, cost)
TenantStubs          ← multi-tenant connector validation (global/tenant_only/tenant_preferred)
TenantReal           ← real JWT tenant extraction + connector wiring (Sprint 9 LIVE)

Connectors

| Package | Framework | Integration Pattern | README | |---------|-----------|--------------------|--------| | connector-langgraph | LangGraph | BaseCallbackHandler (Python + TS) | README | | connector-crewai | CrewAI | Middleware pattern | README | | connector-openai-agents | OpenAI Agents SDK | AgentHooks | README | | connector-anthropic-sdk | Anthropic Claude SDK | PreToolUse/PostToolUse | README | | connector-webhook | Generic HTTP | Webhook gateway + curl | README |

Benchmark (MCP dispatch reduction)

• 130 individual tools: 4.74% of 200K context window
• 11 dispatch tools: 0.22% of 200K context window
• Reduction ratio: 64.3x vs per-endpoint approach
• Full report: BENCHMARK_REPORT_CC3.md

Real tenant wire

import { extractTenantIdFromJWT, wireTenantToConnectors } from '@forge-os/aegis-mcp-registry';

// Extract tenant from JWT
const tenantId = extractTenantIdFromJWT(supabaseJwt);

// Wire across all connectors
const { allowedConnectors } = wireTenantToConnectors(supabaseJwt, registrations, results);
console.log(`Allowed connectors for tenant ${tenantId}:`, allowedConnectors);

License

Apache 2.0 — viral OSS per ArtefactForge NORTH_STAR.