Reef: Signed Supply Chain + Underwriter for AI

medal
Vercel
application badge
Created by team Tripod on May 17, 2026
Agent Security & AI Governance - Veea

Reef is the open-source signed supply chain for MCP servers, and the only AI firewall that outputs an underwriter-scorable evidence artifact. THE PROBLEM (April 2026): OX Security disclosed an architectural command-injection flaw in Anthropic's Model Context Protocol. 7,000+ vulnerable servers. 150M+ downstream package downloads. Every official MCP SDK affected. Anthropic did not patch the SDKs. The MCP ecosystem has no centralized signature registry today. WHAT REEF SHIPS: 1. Atlas: a Sigstore-style signed MCP registry. Unsigned binds denied at handshake with violation code MCP-RCE-26.04, single-digit-ms latency on the demo workload. 2. Lobster Trap fork: adds the 4 enforcement actions (MODIFY, REDIRECT, QUARANTINE, HUMAN_REVIEW) that Veea's upstream declared but never implemented. EchoLeak (CVE-2025-32711) blocked in 1.2 seconds. 3. DAST-A: PPO reinforcement-learning adversary that runs continuously, plus Gemini 3 Flash multimodal screenshot observer emitting structured-output policy drafts in sub-second latency. 4. Reef Quote: Gemini 3 Pro underwriter agent grounded on Munich Re's public aiSure framework (5 risk categories x 5 due-diligence axes). Produces an ed25519-signed 6-page Reef Insurance Artifact (RIA) PDF, Tier B+, premium range $42k-$54k for $5M coverage. ESTIMATED RANGE, not Munich-Re-published. RECEIPTS: 4 attack packs, 217 exfil-attempt episodes. Vanilla agent: 0% blocked. Reef-protected: 100% blocked. Reproducible via pytest. OPEN SOURCE: MIT-licensed. Built on Veea's Lobster Trap (pinned at e49a402). The 4 missing actions ship as an upstream-PR-shaped fork. LIVE: https://reef-mcp-registry.vercel.app

Category tags:

"Strong framing of the MCP supply-chain risk, with clear technical receipts and a practical insurance-facing artifact. The signed registry plus enforcement and underwriting angle feels very complete."

avatar

Avi Srivastava

"Solid project. Liked that the four missing actions are actually implemented as real working code, and the small engineering decisions (like surfacing errors instead of silent no-ops) show care. The honesty around what's estimated vs rubric-based vs not endorsed is a nice touch — same with the 3-state coverage classifier showing up consistently in both the docs and the live page. The insurance artifact angle is a clever framing — making the audit something an underwriter could actually score is a different way to look at AI security than just "block more attacks." A few things to think about for v2: The RL adversary checkpoint is on the small side — worth a note on whether that's intentional or a v2 plan. As the attack catalog grows, false-positive rates from real traffic will probably matter more than block rates on known-malicious cases. Worth flagging the measurement plan more clearly. Phase 2 is heavy — real broker integrations, full identity stack, agent-to-agent stuff are each multi-month efforts. A "Phase 1.5" picture would help people see how this lands in production sooner. Nice work."

avatar

Daniel Gonik