MCP · ZERO-TRUST · DORA
An open-source reference implementation a security team can read, fork, and sign — instead of a marketing PDF. Atomic Durable Objects rate limiting, WebAuthn perimeter, SLSA L3 provenance.
Read case studyAn open-source reference implementation a security team can read, fork, and sign — instead of a marketing PDF. Atomic Durable Objects rate limiting, WebAuthn perimeter, SLSA L3 provenance.
As AI agents and MCP tools start calling edge APIs at scale, banks need a perimeter that survives autonomous traffic without trading away DORA-grade audit evidence. Existing CDNs offer either marketing language or opaque plans — neither produces the reference implementation a security team can read, fork, and sign.
An open-source, zero-trust MCP gateway with 42 tools, atomic Durable Objects rate limiting, WebAuthn passkey perimeter, signed URLs, and SLSA Level 3 build provenance. 3,185 tests at 100 % coverage, mapped to DORA Article 5, BCBS 239 risk-data aggregation, and Basel III operational risk capital.
Tests
3,185 tests at 100 % line, branch, and function coverage
Supply-chain provenance
SLSA Level 3 build provenance + Sigstore signing
MCP tools shipped
42 tools — every call audit-logged with structured evidence
Rate limiting
Atomic Durable Objects (no race conditions, no double-counts)
Authentication
WebAuthn passkeys + signed URLs
License
Apache-2.0 / MIT
NEXT
Architecture reviews, post-quantum migration plans, treasury-API programmes — all signed, all verifiable.
Get in touchMORE CASE STUDIES
CAMT · MT940 · OFX · TREASURY
TIER-1 BANK · TREASURY · BAAS
FIPS 203 · ML-KEM · BANKING MIGRATION
ISO 20022 · PAIN.001 · MT→MX MIGRATION
