MCP server exposing Satsignal tamper-evident anchoring as agent-callable tools.
Project description
satsignal-mcp
MCP server exposing Satsignal tamper-evident anchoring as agent-callable tools.
Any MCP-compatible client (Claude Desktop, Claude Code, agent frameworks that speak MCP over stdio) can call Satsignal directly — no custom SDK required.
What it does
Each anchor call computes a sha256 of the input client-side and sends only
the hash to proof.satsignal.cloud. The file/text/JSON bytes never leave
the calling machine. The server records the hash on the BSV blockchain
and returns a proof the agent can save or pass on.
Tools
| Tool | Auth | What it does |
|---|---|---|
anchor_file |
yes | sha256 a local file, anchor the digest |
anchor_text |
yes | sha256 a UTF-8 string, anchor the digest |
anchor_json |
yes | canonicalize JSON (sorted keys, compact, UTF-8), sha256, anchor |
lookup_hash |
no | check if a sha256 is on-chain |
verify_file_against_bundle |
no | full verify — re-hash the original file, confirm it matches the bundle, chain-confirm via public block explorers. Detects file tampering. |
chain_confirm_bundle |
no | chain-confirm only — open a local .mbnt, extract sha+txid, confirm via lookup_hash. Fast, but does NOT detect file tampering. |
verify_bundle |
no | deprecated + fail-closed (v0.4) — returns deprecated_tool_blocked error directing to verify_file_against_bundle or chain_confirm_bundle. Removable in 0.5. |
anchor_* tools accept dry_run: true to preview the sha256 without
broadcasting. The Satsignal API itself does not honor dry_run —
the flag lives in this MCP layer and short-circuits before any network
call.
Folder selection
Each anchor_* tool accepts a folder property naming the workspace
folder the proof lands in (defaults to SATSIGNAL_FOLDER, then the
legacy SATSIGNAL_MATTER, then inbox). The request sent to the
Satsignal API uses the canonical folder_slug wire field.
Legacy compat: the old input name
matteris still accepted as a silent alias offolder. Sending both with different non-empty values is rejected (conflicting_alias, mirroring the server); equal values are accepted.
Configuration
| Env var | Required | Default |
|---|---|---|
SATSIGNAL_API_KEY |
for anchoring | — |
SATSIGNAL_API_BASE |
no | https://app.satsignal.cloud |
SATSIGNAL_FOLDER |
no | inbox |
SATSIGNAL_MATTER |
no | legacy alias of SATSIGNAL_FOLDER (still honored; SATSIGNAL_FOLDER wins if both set) |
Get an API key at https://app.satsignal.cloud. The customer API
(POST /api/v1/anchors, bundle download, dashboard) lives on
app.satsignal.cloud. proof.satsignal.cloud is the public verifier
surface and serves /lookup_hash in mirror-mode — chain_confirm_bundle
works against either host, but anchoring requires app.*. v0.1.0
shipped with the wrong default and silently 404'd every anchor call.
Install
Requires Python 3.10 or newer.
pip install satsignal-mcp
Inspecting tool schemas
The MCP tool schemas are built inline by _tool_definitions() in
src/satsignal_mcp/server.py — they are not exposed as a static
module-level binding. If you need a JSON dump (for static analysis,
IDE autocomplete config, or tooling that pre-validates calls), call
the function directly:
import json
from satsignal_mcp.server import _tool_definitions
tools = _tool_definitions()
print(json.dumps(
[{"name": t.name,
"description": t.description,
"inputSchema": t.inputSchema}
for t in tools],
indent=2,
))
_tool_definitions() returns list[mcp.types.Tool]; the leading
underscore reflects that the function is an implementation detail of
the server, not a stable export. If you build tooling against it,
pin to a specific satsignal-mcp version or run the MCP server and
read tools via the protocol's list_tools request — the latter is
the contract guaranteed to stay stable across releases.
Claude Desktop config
Add this to claude_desktop_config.json:
{
"mcpServers": {
"satsignal": {
"command": "satsignal-mcp",
"env": {
"SATSIGNAL_API_KEY": "sk_...",
"SATSIGNAL_FOLDER": "case-123"
}
}
}
}
Why the env block matters (host env-var binding)
MCP hosts (Claude Desktop, Claude Code, agent frameworks) typically
strip or rebind environment variables at server-launch time — so a
SATSIGNAL_API_KEY set in the operator's shell does NOT reliably
propagate into the MCP server process. Bind the key explicitly
inside the env block of the host's config (as shown above); do
not assume process-env inheritance.
If anchor calls return 401 unauthorized despite the key being
visible in your shell (echo $SATSIGNAL_API_KEY works), this is
almost certainly the cause — check the host's config block, not the
shell environment.
Verification model
Each anchor returns proof_id, txid, and proof_url — the
canonical vocabulary the Satsignal API itself now emits. The proof is
independent of Satsignal: anyone can fetch the bundle, verify the
on-chain transaction directly against BSV, and check the sha256
matches.
Compatibility note (0.6.0, vocabulary sunset): this server sends the canonical request key (
folder_slug) and reports canonical result keys (proof_id/folder_slug/proof_url); the legacybundle_id/matter_slug/receipt_urlkeys are gone from tool output. Legacy inputs (matter,SATSIGNAL_MATTER) remain accepted as silent aliases. When talking to an older / self-hosted Satsignal server that still emits the legacy response keys, this server reads them as a fallback and re-emits them under the canonical names — but anchoring against a server too old to acceptfolder_slugrequires satsignal-mcp ≤ 0.5.x.
This server exposes two verify tools with different trust assumptions — pick the one that matches what you have on hand:
verify_file_against_bundle(file_path, bundle_path)— full verify. Re-hashes the original file, confirms it matches the bundle's claimed sha (crypto check, detects tampering), then chain-confirms via public block explorers (WoC + Bitails) that the on-chaindoc_hashmatches the bundle. This is the recommended path when you have the original file. Backed bysatsignal-cli'sverify_file(pinned as a runtime dep so a clean install gets full verify out of the box).chain_confirm_bundle(bundle_path)— fast chain-confirm only. Opens the bundle, extracts its claimedsha + txid, and confirms via Satsignal's/lookup_hashindex that the sha was anchored at that txid. Does NOT open the original file, so a tampered original is not detected — the bundle stays self-consistent. Use this when the original file isn't available, or as a cheap pre-check.
verify_bundle in v0.3 silently aliased chain_confirm_bundle,
preserving v0.2's false-PASS class on tampered originals (a host that
strips tool descriptions wouldn't see the deprecation warning). In v0.4
the alias fail-closes — every call returns a deprecated_tool_blocked
structured error directing the caller at the right tool. The tool
remains listed so callers pinned by name get the redirect rather than
unknown_tool. Full removal lands in 0.5.
Security notes
- The
label,filename, andfolder(sent on the wire as the canonicalfolder_slug) fields you pass are written into the proof and rendered on the public verifier page. They are also attacker-controllable from any agent calling this server — downstream code that reads these fields should treat them as untrusted text (HTML-escape, never embed in LLM context without an isolation boundary). - The API key is sent as
Authorization: Bearer …over HTTPS and is never logged or returned in tool output.
License
MIT.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file satsignal_mcp-0.6.0.tar.gz.
File metadata
- Download URL: satsignal_mcp-0.6.0.tar.gz
- Upload date:
- Size: 36.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4f3f9571c64c463a855f1ff470502c39ebb0283ab9dcdfc0f1eca0fd9e1ceb94
|
|
| MD5 |
dc012310f67001c1ca5788845c8b2d53
|
|
| BLAKE2b-256 |
b90b934fd8a6eeae5a4737fce2be9bcb3f1c2bfbea423424c767f3d9fcee3e30
|
Provenance
The following attestation bundles were made for satsignal_mcp-0.6.0.tar.gz:
Publisher:
publish.yml on Steleet/satsignal-mcp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
satsignal_mcp-0.6.0.tar.gz -
Subject digest:
4f3f9571c64c463a855f1ff470502c39ebb0283ab9dcdfc0f1eca0fd9e1ceb94 - Sigstore transparency entry: 1774788496
- Sigstore integration time:
-
Permalink:
Steleet/satsignal-mcp@b9be60cc24c1164f0450d11a7fca3be5ff652522 -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/Steleet
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b9be60cc24c1164f0450d11a7fca3be5ff652522 -
Trigger Event:
release
-
Statement type:
File details
Details for the file satsignal_mcp-0.6.0-py3-none-any.whl.
File metadata
- Download URL: satsignal_mcp-0.6.0-py3-none-any.whl
- Upload date:
- Size: 21.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
466068544e1c12f57370d8de5d0b9ab1048481c611a484b0a7abfcceab754b19
|
|
| MD5 |
7a12a28a09a4a352628ccc69113a266a
|
|
| BLAKE2b-256 |
64d611a6e38aca7b38689411afb967f214217d9b2003ad129bf766ccd86c92e6
|
Provenance
The following attestation bundles were made for satsignal_mcp-0.6.0-py3-none-any.whl:
Publisher:
publish.yml on Steleet/satsignal-mcp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
satsignal_mcp-0.6.0-py3-none-any.whl -
Subject digest:
466068544e1c12f57370d8de5d0b9ab1048481c611a484b0a7abfcceab754b19 - Sigstore transparency entry: 1774788695
- Sigstore integration time:
-
Permalink:
Steleet/satsignal-mcp@b9be60cc24c1164f0450d11a7fca3be5ff652522 -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/Steleet
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b9be60cc24c1164f0450d11a7fca3be5ff652522 -
Trigger Event:
release
-
Statement type: