AAM · Knox Anchor MCP Server

The audit-permanence layer, exposed as typed MCP tools.

A live Model Context Protocol server. Streamable HTTP transport, no server-side session state, seven tools. Any MCP-capable agent runtime composes with the Knox primitive at runtime, without writing a wrapper.

Streamable HTTP · JSON-RPC 2.0 · Stateless · Bitcoin-anchored · FRE 902-architected

Endpoint

One URL. Any MCP runtime. Seven tools.

MCP server URL
https://bonissystems.com/api/knox/mcp
Transport: Streamable HTTP per the MCP specification of 2025-03-26; operated without server-side session state.
Methods: initialize, ping, tools/list, tools/call.
Authentication: Authorization: Bearer <knox_key> for write tools; public-demo key auto-provisioned for unauthenticated callers, rate-limited at the free tier.

The same primitive that powers /api/knox/anchor and /api/knox/public-anchor is exposed under the MCP envelope. There is no second chain, no second key system, no second event store — the MCP route is a transport adapter over the live Knox surface, and the records it writes are indistinguishable on the chain from records written via direct HTTP.


Seven tools

The tool surface, by name and authority.

Tool definitions are returned by tools/list. The catalog below mirrors that response — same names, same descriptions, same authentication model.

get_descriptor
Auth: None

Returns server self-description: operator (Bonis Systems LLC), USPTO patent reference, jurisdiction (Wyoming, United States), available tools, and links to the public AAM documentation surface. The standard discovery call for a runtime that has just connected.

get_chain_health
Auth: None

Returns the SLA snapshot — process uptime, database latency, total anchors written, latest anchor timestamp, and Bitcoin anchor SLA target. Mirrors the public /api/knox/health endpoint under the MCP envelope.

list_event_types
Auth: None

Returns the canonical Knox event-type taxonomy. Each event type is a federal-grade citation token; the registry expands monotonically and each expansion is itself anchored on chain under bsr_receipt_anchored.

verify_anchor
Auth: None

Given a SHA-256 anchor hash, returns the anchor record, chain link validity (predecessor present and matched), event type, sequence number, and verify URL. The same primitive that backs /api/knox/verify, exposed as a typed MCP tool.

anchor_event
Auth: Bearer (public-demo fallback)

Anchors a generic agent action. Accepts any event_type from the canonical taxonomy plus a JSON payload object. Returns the anchor sequence, payload hash, predecessor hash, timestamp, and verify URL. The most general tool — every other write surface composes from it.

anchor_mcp_tool_call
Auth: Bearer (public-demo fallback)

Convenience anchor for the AAM Model Context Protocol theater. Records an agent_mcp_tool_call event with structured tool-call metadata: server URL, tool name, arguments digest, agent identity, outcome, plus an optional response digest. The recursive proof point — the audit server anchors the metadata of calls made to itself.
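
An added example, not code from Bonis Systems: one way a caller could build the anchor_mcp_tool_call metadata so that raw tool arguments stay on the host and only digests are committed. The canonical-JSON scheme, the argument key names, the sample server URL and the agent identity are assumptions; the real input schema comes from tools/list.

```python
import hashlib
import json

def canonical_digest(obj):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace, UTF-8).

    This canonicalisation is an ASSUMPTION for the example; whatever scheme is
    used must be fixed and documented, or the digest cannot be recomputed later.
    """
    encoded = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(encoded.encode("utf-8")).hexdigest()

def build_tool_call_anchor(server_url, tool_name, arguments, agent_id, outcome,
                           response=None, request_id=1):
    """Wrap tool-call metadata in a tools/call body for anchor_mcp_tool_call.

    Raw arguments and responses stay local; only their digests are committed.
    Argument key names are ASSUMED, not taken from the server's schema.
    """
    meta = {
        "server_url": server_url,
        "tool_name": tool_name,
        "arguments_digest": canonical_digest(arguments),
        "agent_identity": agent_id,
        "outcome": outcome,
    }
    if response is not None:  # the response digest is optional per the tool description
        meta["response_digest"] = canonical_digest(response)
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "anchor_mcp_tool_call", "arguments": meta}}

# Constructed sample: a call an agent made to some other MCP server.
SAMPLE_ARGS = {"path": "/srv/reports/q3.csv", "api_token": "constructed-secret-value"}
SAMPLE_REQUEST = build_tool_call_anchor(
    server_url="https://mcp.example.internal/files",  # hypothetical server
    tool_name="read_file",
    arguments=SAMPLE_ARGS,
    agent_id="agent-42",                               # hypothetical identity
    outcome="success",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_REQUEST, indent=2))
```

A digest of short or guessable arguments can be recovered by enumeration, so treat it as a commitment to the value, not as redaction of it.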

anchor_file_hash
Auth: Bearer (public-demo fallback)

Anchors a SHA-256 file digest and returns an affidavit architected for FRE 902(13)/(14) self-authentication. The file is not transmitted; the caller computes the hash and only the digest, filename, size, and MIME type are anchored. The MCP-envelope counterpart of /api/knox/public-anchor.
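
An added example, not code from Bonis Systems: the caller-side half of anchor_file_hash, hashing the file locally and building a JSON-RPC 2.0 tools/call body that carries only the digest, filename, size and MIME type. The argument key names are assumptions (check the inputSchema returned by tools/list), and the sample file is constructed.

```python
import hashlib
import json
import mimetypes
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large evidence files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_anchor_file_hash_request(path, request_id=1):
    """Build the JSON-RPC 2.0 tools/call body. Only metadata leaves the host.

    The argument keys below are ASSUMED names; read the real inputSchema
    from the server's tools/list response before sending anything.
    """
    mime, _ = mimetypes.guess_type(path)
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "anchor_file_hash",
            "arguments": {
                "sha256": sha256_file(path),                      # assumed key
                "filename": os.path.basename(path),               # assumed key; basename keeps local paths private
                "size_bytes": os.path.getsize(path),              # assumed key
                "mime_type": mime or "application/octet-stream",  # assumed key
            },
        },
    }

def demo():
    """Constructed sample: a throwaway file standing in for real evidence."""
    content = b"constructed sample evidence\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "wb") as f:
            f.write(content)
        return content, build_anchor_file_hash_request(path)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Keep the original file unmodified alongside the returned anchor record: the digest can only be re-derived from the exact bytes that were hashed.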


How operators wire it up

Three install paths, one endpoint.

The endpoint is the truth-source. Every MCP-capable runtime has its own configuration surface; the wiring below is reference, not exhaustive. Any client that speaks Streamable HTTP plus JSON-RPC 2.0 can compose with the server today.

Generic JSON-RPC (any HTTP runtime)

The lowest-level path. Any client that can POST JSON works.
curl -X POST https://bonissystems.com/api/knox/mcp \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Claude Desktop (HTTP transport)

claude_desktop_config.json under mcpServers. Restart the application after edit.
{
  "mcpServers": {
    "knox-anchor": {
      "transport": "http",
      "url": "https://bonissystems.com/api/knox/mcp"
    }
  }
}

Cursor / Cline / generic MCP UI

Settings → MCP → Add server. Use HTTP transport with the URL above.
Name: knox-anchor
Transport: HTTP (Streamable)
URL: https://bonissystems.com/api/knox/mcp
Auth header (optional): Authorization: Bearer <your_knox_key>

Properties of the server

What composing through this MCP surface gives you.

No second chain

The MCP server is a transport adapter over the live Knox anchor primitive. Records written via MCP are chain-identical to records written via direct HTTP. There is no MCP-only chain, no MCP-only key system, no MCP-only event store.

Vendor-neutral

Any MCP-capable agent runtime — vendor-hosted, open-source, in-house — can compose with the server. The audit layer does not require a specific agent vendor, model provider, or runtime to be present.

Independently verifiable

Anchors written through the MCP server are published to the Bitcoin blockchain via OpenTimestamps. Verification does not require the MCP server, Bonis, or the original runtime to be online or cooperative.

Self-authenticating

The anchor_file_hash tool returns a court-ready affidavit architected for FRE 902(13) and 902(14) self-authentication. Admissibility in any matter remains a determination of the presiding court; the structural requirements are met by construction.

Recursively auditable

The server is happy to anchor the metadata of calls made to itself, via the anchor_mcp_tool_call tool. The audit surface auditing itself is the AAM thesis as a runtime property, not a marketing claim.

Open-spec aligned, end to end

MCP is an open specification. JSON-RPC 2.0 is a public standard. OpenTimestamps is an open protocol. Bitcoin is a public chain. The TLA+ model of the Knox anchor pipeline is public source. The full audit path lives entirely on open standards.



Defensive only

Evidence layer, not enforcement.

The server records artifacts the caller already has and is willing to commit. It does not reach into third-party MCP servers, does not operate counter-agents, and does not undertake any active disruption of any external system. The audit primitive is invitational: an operator who wants a tamper-evident record of their agent’s tool-use surface instruments their own emit path. Lawful authority decides what to do with the resulting evidence.


The Model Context Protocol is referenced on this page as an open specification. No partnership, customer status, prospect status, or operational engagement with any organization that authored or maintains MCP is implied or claimed. Federal Rules of Evidence 902(13) and 902(14) are cited as architectural targets; admissibility in any matter remains a determination of the presiding court. Submission to the public MCP server registry is a discoverability step independent of the live operating status of this server.

USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.