XAIP Protocol

When an agent calls a service, a signed transaction proves the call was authorized. It does not prove the call was safe to make. XAIP is one attempt at that missing layer: dual-signed Ed25519 receipts per MCP tool call (hashes only — no raw content leaves your machine), aggregated into a live Bayesian trust score per server.

Every score below is computed from real receipts and is queryable without auth:

curl https://xaip-trust-api.kuma-github.workers.dev/v1/trust/context7

trust — observed success probability for this server, based on signed execution receipts. Higher means the server has succeeded more often, across more independent callers, with fewer error patterns.

Live trust scores

How these scores get used

The xaip-claude-hook fetches this API before every MCP tool call. If a server scores below the caution threshold, you see inline in Claude:

⚠ XAIP: "fetch" trust=0.38 (low_trust, 40 receipts)
        Risk: high_error_rate

After each call, the hook signs a receipt (hashes only — no raw content leaves your machine) and posts it to the aggregator. Next caller sees a slightly more accurate score.

For programmatic decision-making across candidate servers (e.g. "pick the highest-trust server that can handle task X"), that logic lives in a sibling project — Veridict — which consumes XAIP scores as one of its inputs. XAIP is the data layer; Veridict is the decision layer.

How to contribute

The easiest way: install the Claude Code hook. Before each MCP tool call it fetches the score and warns inline if low; after each call it posts a signed receipt to the public aggregator.

npm install -g xaip-claude-hook && xaip-claude-hook install

Or run your own aggregator node — the spec and reference implementation are MIT-licensed with zero runtime dependencies.