@trigguard/mcp-server

Production-grade stdio MCP server for TrigGuard authority.

Transport only — all decisions flow through:

MCP tool → @trigguard/agent-sdk → POST /v1/execute

Decision model: PERMIT · DENY · SILENCE (no ESCALATE wire state)

Install (npm)

npm install -g @trigguard/mcp-server
export TRIGGUARD_API_KEY=tg_live_…

Full setup: MCP npm quickstart

Tools

| Tool | Purpose | |---|---| | authorize_action | Governed PERMIT / DENY / SILENCE | | verify_receipt | Lookup execution by id | | get_surface | Surface registry metadata via gateway (read-only) | | get_policy | Bundled policy metadata (read-only, no evaluation) |

Cursor / Claude configuration

Use the trigguard-mcp-server binary:

{
  "mcpServers": {
    "trigguard": {
      "command": "trigguard-mcp-server",
      "env": {
        "TRIGGUARD_GATEWAY_URL": "https://api.trigguardai.com",
        "TRIGGUARD_API_KEY": "${env:TRIGGUARD_API_KEY}"
      }
    }
  }
}

Environment

| Variable | Purpose | |---|---| | TRIGGUARD_GATEWAY_URL | Gateway base URL (default: https://api.trigguardai.com) | | TRIGGUARD_API_KEY | API key (tg_live_…) — required for authorize_action | | TRIGGUARD_MCP_ACTOR_ID | Actor id for authorize calls (default: trigguard-mcp-server) | | TRIGGUARD_SURFACE_REGISTRY_PATH | Optional local registry override (dev only) | | TRIGGUARD_POLICY_BUNDLE_PATH | Optional local policy metadata override (dev only) |

Credentials stay in the MCP server process — never in LLM context.

Monorepo development

npm run build -w @trigguard/mcp-server
TRIGGUARD_API_KEY=tg_live_… npm run start -w @trigguard/mcp-server