What is the Model Context Protocol (MCP)?

MCP is an open specification for how AI agents discover and call tools, fetch resources, and invoke prompts hosted on external servers. An MCP server exposes a typed surface — tools, resources, prompts — that any compatible agent runtime can compose with at run time. The specification is published openly; servers are independently authored.

How does Knox compose with MCP?

Knox is content-addressed and runtime-neutral. Each MCP interaction — a tool call, a resource fetch, a prompt invocation — is a structured artifact with a canonical byte representation, which means it has a SHA-256 commitment. Knox sequence-numbers the commitment, hash-links it to the previous Knox event, and rolls anchors of the hour into a Merkle root that is published to the Bitcoin blockchain via OpenTimestamps. The MCP server itself does not need to be modified — the operator instruments their own emit path.

Does Knox replace MCP, or compete with it?

Neither. MCP is a tool-integration protocol; Knox is an evidence-permanence layer. They operate at different layers and answer different questions. MCP defines how an agent calls a tool; Knox produces a tamper-evident record that the call occurred, with what inputs, against what policy, and with what response — admissible years later by a third party who has never met the operator.

What event types does Knox publish for MCP interactions?

Six event types extend the Knox taxonomy into agent tool-use surfaces: agent_mcp_tool_call (typed tool invocation against an MCP server), agent_mcp_tool_response (typed result returned by the server), agent_mcp_resource_fetch (server-exposed resource retrieval), agent_mcp_prompt_invocation (server-hosted prompt template invoked with bound parameters), agent_mcp_server_attestation (server identity, version, and declared surface), and agent_mcp_policy_change (mid-stream change to the agent's allow-listed servers, tools, or parameter constraints). Each anchor carries a chain-of-command stamp identifying the agent, the policy under which it acted, and content-addressed pointers to the request and response artifacts.

Is the Knox Anchor MCP server itself available?

Yes. The Knox Anchor MCP server is live at bonissystems.com/api/knox/mcp — Streamable HTTP transport, JSON-RPC 2.0, no server-side session state, seven tools. Operators can compose with it from any MCP-capable agent runtime today. Documentation, tool catalog, and install snippets are at bonissystems.com/aam/mcp-server. The non-MCP HTTP path at bonissystems.com/api/knox/public-anchor remains available; the primitive is the same.

Is this defensive or offensive?

Defensive only. Bonis does not access third-party MCP servers, does not operate counter-agents, and does not undertake any active disruption of any external system. Knox is invitational: the operator of an MCP server who wants a tamper-evident record of every tool call instruments their own emit path. Lawful authority — courts, regulators, platform owners — decides what to do with the resulting evidence.

AAM · Model Context Protocol

Every tool call is a record. Anchor it like one.

MCP defines how an agent calls a tool. AAM produces the tamper-evident record of what happened when it did.

Content-addressedBitcoin-anchoredRuntime-neutral

The seam

An open spec for tool calls, met by an open chain for the record.

MCP is an open specification: any compatible agent runtime can call any MCP-conformant server, and any author can publish a server. The protocol unbundled tool integration from any single vendor’s framework, the same way HTTP unbundled the web.

That openness sharpens the audit question rather than softening it. An agent calls a tool exposed by a server authored by a third party, returning a result that may inform a downstream commitment, transaction, or filing. None of those layers, by themselves, leaves a record a counter-party can verify years later without trusting the agent vendor, the server author, or the operator.

AAM closes that seam without coupling to any single MCP implementation. The audit primitive is content-addressed: the SHA-256 of the request artifact, the SHA-256 of the response artifact, and the policy under which the agent invoked the call. Knox anchors each, sequence-links them to the agent’s stream, and aggregates the hourly Merkle root onto the Bitcoin blockchain.

Six MCP mutations, six anchors

Every interaction at the protocol surface becomes a Knox event.

The MCP surface is small, structured, and content-addressable. Each of the five primary interaction shapes maps to a Knox event type with a chain-of-command stamp and content-addressed pointers to the underlying artifacts.

agent_mcp_tool_call

An agent invokes a typed tool exposed by an MCP server. Knox anchors the SHA-256 of the request artifact, the chain-of-command stamp identifying the agent and the policy under which it acted, and the sequence number in the agent's tool-use stream.

agent_mcp_tool_response

The MCP server returns a typed result. Knox anchors the SHA-256 of the response artifact and links it to the originating tool-call anchor, so the request-response binding is reconstructible from the chain alone.

agent_mcp_resource_fetch

The agent fetches a resource exposed by the server — a document, a record, a streamed payload. Knox anchors the resource identifier, the SHA-256 of the returned content, and the timestamp at which the fetch resolved.

agent_mcp_prompt_invocation

The agent invokes a server-hosted prompt template with bound parameters. Knox anchors the SHA-256 of the prompt template at the moment of invocation and the SHA-256 of the bound-parameter set, so the prompt drift is observable across time, not only enforceable at the moment.

agent_mcp_server_attestation

The MCP server itself produces an attestation — server identity, version, declared tool surface, declared resource surface. Knox anchors the attestation artifact, so the server's claimed shape at the moment of interaction is recoverable independent of the server's later state.

agent_mcp_policy_change

The agent's tool-use policy — allow-listed servers, allow-listed tools, parameter constraints — is changed mid-stream. Knox anchors the policy-document commitment so policy drift is observable across time, not only enforceable at the moment.

Five questions that arrive afterward

The questions are predictable. The records should be too.

Once an agent is calling tools through MCP servers in production, the same five questions arrive repeatedly. Knox primitives produce records architected to answer each one without re-trusting the server author, the agent vendor, or the operator.

Did the agent actually call this tool, with these parameters?

Counter-party / regulator / internal audit

The tool-call anchor and its bound chain-of-command stamp identify the exact agent, the exact policy, and the exact SHA-256 of the request artifact. The Bitcoin anchor pins the moment in time.

Is the response we have today the response that came back then?

Operator / counsel / successor

The response anchor commits the SHA-256 of the returned artifact at the moment of the call. A silent rewrite of the response is detectable against that commitment.

Was the tool call within policy at the moment of execution?

Compliance / regulator

The policy commitment in effect at call time is anchored alongside the call itself. Subsequent policy changes do not retroactively rewrite what the agent was permitted to do at the moment of action.

What did the server claim it was, when the agent talked to it?

Counter-party / forensic counsel

The server-attestation anchor commits the server identity, version, and declared surface at the moment of interaction. Server drift across time is observable, not assumed.

Can we reconstruct the full call chain if the server is gone?

Successor operator / acquirer / court

Every Knox anchor is content-addressed and Bitcoin-anchored. The reconstruction does not require the original MCP server, the original agent runtime, or the original vendor to remain online or cooperative.

Properties of the layer

What composing above MCP gives you.

Server-neutral

Any MCP server, authored by anyone, can be paired with Knox by instrumenting an emit path on the operator’s side. The server itself does not need to know about Knox, consent to Knox, or be modified for Knox.

Runtime-neutral

Any agent runtime that speaks MCP — vendor-hosted, open-source, in-house — can produce Knox-anchorable records of its tool calls. The audit layer is one HTTP call away from any runtime that can already speak MCP.

Independently verifiable

Anchors are published to the Bitcoin blockchain via OpenTimestamps. Verification does not require Bonis, the MCP server, or the agent runtime to be online, in business, or cooperative.

Post-quantum resilient

MCP-class commitments may carry post-quantum signatures via Knox Agent #11 Layer 4 — ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205). The audit chain remains verifiable under threat models that assume future quantum-capable adversaries.

Self-authenticating

Every anchor resolves to a court-ready affidavit architected for FRE 902(13) and 902(14) self-authentication. Admissibility in any given matter remains a determination of the presiding court; the structural requirements are met by construction.

Open-spec aligned, end to end

MCP is an open specification. OpenTimestamps is an open protocol. Bitcoin is a public chain. The TLA+ specification of the Knox anchor pipeline is public source. The full audit path lives entirely on open standards.

How operators wire it up

One HTTP call per tool interaction.

Two paths, one primitive. An MCP-capable runtime can compose with the Knox Anchor MCP server at /api/knox/mcpusing the typed tool surface; any HTTP runtime can call the public anchor endpoint directly. Records written either way land on the same chain.

Direct anchor (today, any runtime)

POST bonissystems.com/api/knox/public-anchor

Auto-seeds a public-demo key on first call. Accepts a SHA-256 commitment over the request, response, or any structured MCP artifact. Returns the chain-of-command stamp, the sequence number, and the verify URL.

Knox Anchor MCP server (live)

bonissystems.com/api/knox/mcp

The Knox primitive exposed as typed MCP tools — Streamable HTTP, JSON-RPC 2.0, no server-side session state, seven tools. Live and callable from any MCP-capable runtime. Tool catalog and install snippets at /aam/mcp-server.

Public health check

bonissystems.com/api/knox/health

Operational status of the anchor pipeline.

Knox agents roster

bonissystems.com/agents

Each Knox agent published with its charter, bureau, and event-taxonomy entry.

Court-ready evidence kit

bonissystems.com/legal-kit

Verifier source, sample affidavit, FRE 902 reference card.

AAM positioning page

bonissystems.com/aam

The category, the architecture, and the lanes.

Defensive only

Evidence layer, not enforcement.

Bonis does not access third-party MCP servers, does not operate counter-agents, and does not undertake active disruption of any external system. Knox is invitational: the operator of an MCP-using agent who wants a tamper- evident record of every tool call instruments their own emit path. Bonis produces the audit primitive; lawful authority — courts, regulators, platform owners — decides what to do with the resulting evidence.

The Model Context Protocol is referenced on this page as an open specification, the same way AITH (arXiv:2604.07695) and the IETF Agent Name Service draft are referenced elsewhere on /aam. No partnership, customer status, prospect status, or operational engagement with any organization that authored or maintains MCP is implied or claimed. Federal Rules of Evidence 902(13) and 902(14) are cited as architectural targets; admissibility in any matter remains a determination of the presiding court.

USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.