Query the corpus over MCP.
Two read-only Model Context Protocol servers let an agent ask the Apeiris corpus real questions — the pinned MITRE ATLAS model and the knowledge graph (3,329 nodes / 29,799 edges) — through one governed, checksum-verified interface, instead of scraping. Both are stdio JSON-RPC (protocol 2024-11-05), zero-dependency, and ship in the platform repo's adapters/.
Four guarantees, enforced in code.
These are the properties the adapter tests hold true — they are the reason to use the server instead of fetching the JSON yourself.
Neither server writes the corpus. The ATLAS refresh (sync) is a separate, review-gated CLI step — it is not exposed as a tool.
On start each server verifies its artifact (atlas/atlas-model.json / graph/graph.json) against the signed manifest.json SHA-256 and refuses to serve on mismatch (fail-closed).
Each response carries its source: the ATLAS release tag / graph checksum plus each object's canonical atlas.mitre.org or object URL.
Results carry description snippets, control names, validation objectives, evidence, and links — so an agent can act without a second round-trip.
atlas-mcp — the MITRE ATLAS knowledge base
Answers questions about ATLAS (techniques, mitigations, tactics, case studies) and how they connect to Apeiris controls, from one pinned, checksum-verified copy.
Run from the apeiris-control-core repo root, then point an MCP client at the process:
npm run atlas:mcp # or: node adapters/atlas-mcp/server.js
| Tool | What it returns |
|---|---|
get_technique / get_mitigation / get_tactic / get_case_study | One object by id (type-checked — asking get_mitigation for a technique id returns not_found), with description, links, and tactic context. |
search | Full-text across all object kinds; results carry description snippets + urls. |
techniques_for_mitigation / mitigations_for_technique | Traverse the ATLAS mitigation graph both directions. |
version_diff | What changed between two ATLAS releases (added / removed / changed objects). |
map_to_apeiris | Given an ATLAS technique, the Apeiris controls that address it — with each control's name, validation objective, evidence, and domain-page link. |
Worked round-trip (stdio JSON-RPC):
→ {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"c","version":"1"}}}
← {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05","serverInfo":{"name":"apeiris-atlas-mcp","version":"1.0.0","pinned":"v2026.06"}, ...}}
→ {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"get_technique","arguments":{"id":"AML.T0051"}}}
← result.content[0].text =
{"object":{"kind":"technique","id":"AML.T0051","name":"LLM Prompt Injection",
"description":"An adversary may craft malicious prompts as inputs to an LLM ...",
"tactics":[...],"mitigations":[...],"url":"https://atlas.mitre.org/techniques/AML.T0051"},
"provenance":{"release":"v2026.06","model_sha256":"…"}}
Full request/response for every tool: adapters/atlas-mcp/README.md. Pinned model: atlas/atlas-model.json (checksum in manifest.json).
graph-mcp — the Apeiris knowledge graph
Traverses the deterministic graph: typed nodes (Domain, Control, Lens, Threat, FrameworkClause, NormativeSource, ATLAS objects) and provenance-carrying edges.
npm run graph:mcp # or: node adapters/graph-mcp/server.js
| Tool | What it returns |
|---|---|
get_node | One node by id, with its label, type, canonical id, and the control's objective / evidence / links where applicable. |
neighbors | Adjacent nodes (bounded), each edge carrying its type + provenance + confidence. |
shortest_path | The shortest provenance-carrying path between two nodes (bounded hops). |
query_graph | Bounded typed traversal from a seed (depth- and limit-capped). |
Worked round-trip:
→ {"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_node","arguments":{"id":"control:agentic/AB-05"}}}
← result.content[0].text =
{"node":{"id":"control:agentic/AB-05","type":"Control",
"label":"Prompt Injection Detection and Defense",
"canonical_id":"apeiris://agentic/controls/AB-05","control_id":"AB-05", ...},
"provenance":{"graph_sha256":"7e8ed633a590…"}}
Full request/response for every tool: adapters/graph-mcp/README.md. Graph artifact: graph/graph.json; explore it in the Graph Explorer.
Don't trust the server — pin the artifact.
Both servers refuse to serve if their artifact doesn't match the signed manifest. You can reproduce that check yourself: recompute the artifact SHA-256 and verify the manifest's Ed25519 signature on the integrity page (with a self-contained, no-dependencies test vector). The builder docs cover the fetch → verify → use pattern; the API & endpoints page lists every JSON artifact.