MCP

Query the corpus over MCP.

Two read-only Model Context Protocol servers let an agent ask the Apeiris corpus real questions — the pinned MITRE ATLAS model and the knowledge graph (3,329 nodes / 29,799 edges) — through one governed, checksum-verified interface, instead of scraping. Both are stdio JSON-RPC (protocol 2024-11-05), zero-dependency, and ship in the platform repo's adapters/.

Four guarantees, enforced in code.

These are the properties the adapter tests hold true — they are the reason to use the server instead of fetching the JSON yourself.

Read-only

Neither server writes the corpus. The ATLAS refresh (sync) is a separate, review-gated CLI step — it is not exposed as a tool.

Checksum-verified

On start each server verifies its artifact (atlas/atlas-model.json / graph/graph.json) against the signed manifest.json SHA-256 and refuses to serve on mismatch (fail-closed).

Provenance on every reply

Each response carries its source: the ATLAS release tag / graph checksum plus each object's canonical atlas.mitre.org or object URL.

Substance, not headers

Results carry description snippets, control names, validation objectives, evidence, and links — so an agent can act without a second round-trip.

atlas-mcp — the MITRE ATLAS knowledge base

Answers questions about ATLAS (techniques, mitigations, tactics, case studies) and how they connect to Apeiris controls, from one pinned, checksum-verified copy.

Run from the apeiris-control-core repo root, then point an MCP client at the process:

npm run atlas:mcp        # or: node adapters/atlas-mcp/server.js
ToolWhat it returns
get_technique / get_mitigation / get_tactic / get_case_studyOne object by id (type-checked — asking get_mitigation for a technique id returns not_found), with description, links, and tactic context.
searchFull-text across all object kinds; results carry description snippets + urls.
techniques_for_mitigation / mitigations_for_techniqueTraverse the ATLAS mitigation graph both directions.
version_diffWhat changed between two ATLAS releases (added / removed / changed objects).
map_to_apeirisGiven an ATLAS technique, the Apeiris controls that address it — with each control's name, validation objective, evidence, and domain-page link.

Worked round-trip (stdio JSON-RPC):

→ {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"c","version":"1"}}}
← {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","serverInfo":{"name":"apeiris-atlas-mcp","version":"1.0.0","pinned":"v2026.06"}, ...}}

→ {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"get_technique","arguments":{"id":"AML.T0051"}}}
← result.content[0].text =
  {"object":{"kind":"technique","id":"AML.T0051","name":"LLM Prompt Injection",
             "description":"An adversary may craft malicious prompts as inputs to an LLM ...",
             "tactics":[...],"mitigations":[...],"url":"https://atlas.mitre.org/techniques/AML.T0051"},
   "provenance":{"release":"v2026.06","model_sha256":"…"}}

Full request/response for every tool: adapters/atlas-mcp/README.md. Pinned model: atlas/atlas-model.json (checksum in manifest.json).

graph-mcp — the Apeiris knowledge graph

Traverses the deterministic graph: typed nodes (Domain, Control, Lens, Threat, FrameworkClause, NormativeSource, ATLAS objects) and provenance-carrying edges.

npm run graph:mcp        # or: node adapters/graph-mcp/server.js
ToolWhat it returns
get_nodeOne node by id, with its label, type, canonical id, and the control's objective / evidence / links where applicable.
neighborsAdjacent nodes (bounded), each edge carrying its type + provenance + confidence.
shortest_pathThe shortest provenance-carrying path between two nodes (bounded hops).
query_graphBounded typed traversal from a seed (depth- and limit-capped).

Worked round-trip:

→ {"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_node","arguments":{"id":"control:agentic/AB-05"}}}
← result.content[0].text =
  {"node":{"id":"control:agentic/AB-05","type":"Control",
           "label":"Prompt Injection Detection and Defense",
           "canonical_id":"apeiris://agentic/controls/AB-05","control_id":"AB-05", ...},
   "provenance":{"graph_sha256":"7e8ed633a590…"}}

Full request/response for every tool: adapters/graph-mcp/README.md. Graph artifact: graph/graph.json; explore it in the Graph Explorer.

Verify first

Don't trust the server — pin the artifact.

Both servers refuse to serve if their artifact doesn't match the signed manifest. You can reproduce that check yourself: recompute the artifact SHA-256 and verify the manifest's Ed25519 signature on the integrity page (with a self-contained, no-dependencies test vector). The builder docs cover the fetch → verify → use pattern; the API & endpoints page lists every JSON artifact.