Gate your AI agent's MCP tool calls against Dominion Observatory runtime trust — one call, zero dependencies. Returns a signed diligence receipt.
Project description
dominion-trust-check (Python)
Gate your AI agent's MCP tool calls against Dominion Observatory runtime trust — one call, zero dependencies (stdlib only). Before your agent connects to or invokes an unfamiliar MCP server, check it, and get back a signed diligence receipt proving you did.
Timely after the ClawHavoc (OpenClaw/ClawHub) and Miasma (npm) supply-chain attacks: invoking an unvetted server without a trust check is negligent.
Install
pip install dominion-trust-check
Use
from dominion_trust_check import gate, trust_check, verify, DominionGateError
# Block on FAIL (default), or require a minimum score:
gate("https://some-mcp-server.com/mcp", min_score=60) # raises DominionGateError on FAIL
# Non-throwing check:
res = trust_check("https://some-mcp-server.com/mcp")
print(res["verdict"], res.get("trust_score")) # "PASS" | "UNCERTAIN" | "FAIL" | "UNRATED"
# Gate a ClawHub / OpenClaw skill instead of an MCP server:
gate("calendar", registry="clawhub")
# Independently verify any Dominion-signed receipt (no trust in us required):
v = verify(res["diligence_receipt"]["jws"])
print(v["valid"]) # True
Wrap a gate in a try/except to fail closed:
try:
gate(server_url, min_score=60)
except DominionGateError as e:
log.warning("blocked untrusted server: %s", e.dominion.get("verdict"))
raise
API
gate(server, min_score=None, block=True, registry=None, base=None)— raisesDominionGateErrorif the verdict isFAIL(or belowmin_score); otherwise returns the pre-flight result including a signed diligence receipt.block=Falsenever raises.trust_check(server, registry=None, base=None)— returns the verdict + evidence without raising.verify(jws, base=None)— cryptographically verify a Dominion receipt against the published public key.
Honest by design
Servers with no runtime behavioral data return UNRATED — never a fabricated score. Verdicts reflect independently-measured runtime behavior, not static code scans. Not a security audit or a guarantee.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dominion_trust_check-0.1.0.tar.gz.
File metadata
- Download URL: dominion_trust_check-0.1.0.tar.gz
- Upload date:
- Size: 2.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a89da5879dc3cdd2b26f892a437b273e401b6707c42e2bf052f00feb2181657c
|
|
| MD5 |
68dc1bc151a6544461a0a7fd04654796
|
|
| BLAKE2b-256 |
c92c9b70b711e015f0776c90605d6fab1d8b0b3694259cd7659fe74187e80085
|
File details
Details for the file dominion_trust_check-0.1.0-py3-none-any.whl.
File metadata
- Download URL: dominion_trust_check-0.1.0-py3-none-any.whl
- Upload date:
- Size: 3.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d7c13b1d748dc3aff021fb8a7a58fd4c0bb43d56b7449a05c177173c8e4f7ad8
|
|
| MD5 |
a03c4db22c14ee7923b93c10b3fa40cc
|
|
| BLAKE2b-256 |
bbcdfd91bdfc822ac0afa513b21ac66cf1d42e84c0631993140f2219b2ad03e5
|