Reef: Signed Supply Chain + Underwriter for AI

Created by team Tripod on May 17, 2026
Agent Security & AI Governance - Veea

Reef is the open-source signed supply chain for MCP servers, and the only AI firewall that outputs an underwriter-scorable evidence artifact.

THE PROBLEM (April 2026): OX Security disclosed an architectural command-injection flaw in Anthropic's Model Context Protocol: 7,000+ vulnerable servers, 150M+ downstream package downloads, every official MCP SDK affected. Anthropic did not patch the SDKs, and the MCP ecosystem has no centralized signature registry today.

WHAT REEF SHIPS:
1. Atlas: a Sigstore-style signed MCP registry. Binds to unsigned servers are denied at the handshake with violation code MCP-RCE-26.04; single-digit-millisecond latency on the demo workload.
2. Lobster Trap fork: adds the four enforcement actions (MODIFY, REDIRECT, QUARANTINE, HUMAN_REVIEW) that Veea's upstream declared but never implemented. EchoLeak (CVE-2025-32711) blocked in 1.2 seconds.
3. DAST-A: a PPO reinforcement-learning adversary that runs continuously, plus a Gemini 3 Flash multimodal screenshot observer that emits structured-output policy drafts in sub-second latency.
4. Reef Quote: a Gemini 3 Pro underwriter agent grounded on Munich Re's public aiSure framework (5 risk categories x 5 due-diligence axes). Produces an Ed25519-signed 6-page Reef Insurance Artifact (RIA) PDF: Tier B+, premium range $42k-$54k for $5M coverage (an estimated range, not a Munich Re-published figure).

RECEIPTS: 4 attack packs, 217 exfil-attempt episodes. Vanilla agent: 0% blocked. Reef-protected: 100% blocked. Reproducible via pytest.

OPEN SOURCE: MIT-licensed. Built on Veea's Lobster Trap (pinned at e49a402). The four missing actions ship as an upstream-PR-shaped fork.

LIVE: https://reef-mcp-registry.vercel.app
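The Atlas item above describes a signed registry that refuses unsigned binds at the MCP handshake. The following is an added illustration of that check, written for this page; it is not Reef's code (Reef's own implementation is not shown here) and uses only Go's standard-library Ed25519, the signature scheme the page names for its artifacts. The violation code MCP-RCE-26.04 is taken from the page; the Manifest layout, the Registry and Verdict types, the GateBind function and the sample server bundles are all assumptions constructed for the example. It signs a manifest that binds a server name to the SHA-256 of its artifact, then shows the gate allowing the signed server and refusing three others: one with no registry entry, one whose fetched bundle was altered after signing, and a lookalike planted in the registry under a key the registry does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// ViolationUnsigned is the code quoted on the page; other names here are assumptions.
const ViolationUnsigned = "MCP-RCE-26.04"

// Manifest is what the registry signs: the server name plus the SHA-256 of the
// exact artifact to be loaded, so the entry binds to bytes, not just a name.
type Manifest struct {
	Name           string `json:"name"`
	ArtifactSHA256 string `json:"artifact_sha256"`
}
func NewManifest(name string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Name: name, ArtifactSHA256: hex.EncodeToString(sum[:])}
}

// canonical is the byte string that is signed and verified; encoding/json
// writes fields in declaration order and cannot fail on two plain strings.
func (m Manifest) canonical() []byte {
	b, _ := json.Marshal(m)
	return b
}

// Entry is a manifest plus the Ed25519 signature presented for it. Sign uses
// whatever key the publisher holds; only the registry's key satisfies GateBind.
type Entry struct {
	Manifest  Manifest
	Signature []byte
}
func Sign(priv ed25519.PrivateKey, m Manifest) Entry {
	return Entry{Manifest: m, Signature: ed25519.Sign(priv, m.canonical())}
}

// Registry keys entries by server name and trusts exactly one public key.
// Writes are not verified, so a planted entry is refused at bind time instead.
type Registry struct {
	pub     ed25519.PublicKey
	entries map[string]Entry
}

// Verdict is what the handshake gate returns to the MCP client.
type Verdict struct {
	Allowed   bool
	Violation string // empty when allowed
	Reason    string
}
func deny(reason string) Verdict { return Verdict{Violation: ViolationUnsigned, Reason: reason} }

// GateBind runs at the MCP handshake, before any tool is listed or called: the
// bind proceeds only if an entry exists, its signature verifies under the
// trusted key, and the fetched artifact hashes to exactly what was signed.
func (r *Registry) GateBind(name string, artifact []byte) Verdict {
	e, ok := r.entries[name]
	if !ok {
		return deny("no signed registry entry for server")
	}
	if !ed25519.Verify(r.pub, e.Manifest.canonical(), e.Signature) {
		return deny("registry signature does not verify under trusted key")
	}
	if NewManifest(name, artifact) != e.Manifest {
		return deny("artifact digest does not match signed manifest")
	}
	return Verdict{Allowed: true}
}

// Scenario builds a registry from constructed sample data (the JSON blobs stand in
// for server bundles) and runs four binds. Keys are derived from labels so the
// example runs offline; real registry keys belong in a KMS or HSM, not in source.
func Scenario() map[string]Verdict {
	regSeed, attSeed := sha256.Sum256([]byte("registry")), sha256.Sum256([]byte("attacker"))
	regPriv, attackerPriv := ed25519.NewKeyFromSeed(regSeed[:]), ed25519.NewKeyFromSeed(attSeed[:])
	reg := &Registry{pub: regPriv.Public().(ed25519.PublicKey), entries: map[string]Entry{}}

	good := []byte(`{"name":"filesystem","tools":["read_file","list_dir"]}`)
	reg.entries["filesystem"] = Sign(regPriv, NewManifest("filesystem", good))
	// Lookalike server planted in the registry, signed with a key it does not trust.
	evil := []byte(`{"name":"file-system","tools":["read_file","exec"]}`)
	reg.entries["file-system"] = Sign(attackerPriv, NewManifest("file-system", evil))
	// Same name as the signed server, but the bundle the client fetched was altered.
	tampered := []byte(`{"name":"filesystem","tools":["read_file","list_dir","exec"]}`)

	return map[string]Verdict{
		"signed":   reg.GateBind("filesystem", good),
		"tampered": reg.GateBind("filesystem", tampered),
		"unknown":  reg.GateBind("sqlite", good),
		"forged":   reg.GateBind("file-system", evil),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it with `go run` prints one Verdict per case: only "signed" is allowed, and each refusal carries MCP-RCE-26.04 with a distinct reason. The point to take from the forged case is that write access to the registry is not enough for an attacker; the bind-time check is what has to hold. A Sigstore-style deployment, as the page describes Atlas, would replace the single static key here with short-lived certificate-bound signer identities and a transparency log, but the handshake-time verify-then-compare-digest step is the same.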
