MCP server
Status: fixture-rehearsed; production admission explicitly blocked. Source:
mcp/— manifest atmcp/gestalt-mcp.manifest.json.
The Gestalt MCP server exposes a curated set of inspection, simulation, and proposal tools to LLM-driven agents and assistants via the Model Context Protocol. It is designed so that an LLM can safely propose serious actions against Gestalt without ever directly admitting one.
Run the server
Section titled “Run the server”node mcp/server.mjsWire it into your MCP host (Claude Desktop, an agent runtime, etc.) by adding it to your MCP config in the form your host expects.
Tool classes
Section titled “Tool classes”The manifest groups tools by class — what kind of crossing the tool can perform.
read_only_inspect inspect / verify shape of a receipt or atomsimulate run a fixture scan; no admissionprecheck_intent construct an intent envelope and ask Gravity whether it would admit (no commit)request_pending_review open a pending action awaiting higher signingcommit_with_standing submit a standing-bound intent (gated)proof_disclosure request scoped disclosureproduction_admission activate a real authority package (BLOCKED)| Tool | Class | Permission | Schema |
|---|---|---|---|
gestalt.inspect_receipt | read_only_inspect | allow | schemas/inspect-receipt.schema.json |
gestalt.verify_receipt | read_only_inspect | allow | schemas/verify-receipt.schema.json |
gestalt.scan_serious_action | simulate | allow_fixture | schemas/scan-serious-action.schema.json |
gestalt.authority.resolve_context | precheck_intent | allow | schemas/authority-resolve-context.schema.json |
gestalt.intent.precheck | precheck_intent | allow | schemas/intent-precheck.schema.json |
gestalt.intent.request_pending_review | request_pending_review | allow | schemas/request-pending-review.schema.json |
gestalt.intent.commit | commit_with_standing | conditional | schemas/intent-commit.schema.json |
gestalt.proof.request | proof_disclosure | allow | schemas/proof-request.schema.json |
gestalt.authority.activate_package | production_admission | block | schemas/activate-package.schema.json |
Permission semantics
Section titled “Permission semantics”allow tool can be called freely by the hostallow_fixture tool can be called only when the request is marked fixtureconditional tool requires additional context (signing posture, presence receipt)block tool is registered but the server refuses to invoke itDefault policy:
unknown_tool blockproduction_admission blockfixture_records allow_when_marked_fixtureThese defaults mean an MCP host cannot accidentally invoke an unregistered tool, and cannot trigger production admission through the MCP surface — even if a tool with that class somehow reached the manifest.
What an LLM agent can safely do via MCP
Section titled “What an LLM agent can safely do via MCP”- inspect a receipt's shape- verify a receipt locally- scan a proposed serious action and report what it would entail- resolve authority context for a hypothetical jurisdictional move- precheck an intent and report which gates would refuse- open a pending action that a higher-signing vessel can complete- request a scoped proof disclosure (which will be refused unless an entitlement is cited)What an LLM agent cannot do via MCP
Section titled “What an LLM agent cannot do via MCP”- commit an intent without explicit standing context- activate an authority package- modify production state of any kind- access raw database- bypass refusal codes- impersonate another tenantVessel discipline applies
Section titled “Vessel discipline applies”An MCP tool is a vessel. Like the CLI, the desktop app, or a browser,
it crosses the membrane through a declared signing posture. By default
that posture is proposal_only — the LLM cannot complete a sensitive
act, only propose one and ask a human or higher-signing vessel to
finish it.
This is the same discipline as the workbench CLI. See concepts: the membrane and meditation 010.
Wiring it into Claude Desktop / a host
Section titled “Wiring it into Claude Desktop / a host”The manifest at mcp/gestalt-mcp.manifest.json
declares the tool surface. The server at
mcp/server.mjs is a Node MCP server. Wire
your host as you would any other MCP server pointed at:
node /path/to/gestalt-aion/mcp/server.mjsWhat MCP gives you that the SDK does not
Section titled “What MCP gives you that the SDK does not”- A guarded surface for agentic use, where an LLM constructs envelopes and inspects responses without direct access to signing.
- A manifest-level guarantee that production admission cannot be triggered, regardless of the LLM’s reasoning or persuasion.
- A clean tool taxonomy (read-only / simulate / precheck / pending / commit / disclose) that an LLM host can present to the user.
Where to read next
Section titled “Where to read next”- Concepts: the membrane
- Concepts: atoms and capabilities
- API reference — the operations the MCP tools ultimately call.
- Reference: capability state