DEV Community

João André Gomes Marques
João André Gomes Marques

Posted on • Originally published at jagmarques.github.io

asqav-mcp is now on Docker Hub

#ai #security #python #opensource

asqav-mcp is now on Docker Hub. The MCP server that gives AI agents governance capabilities - policy checks, signed audit trails, quantum-safe signatures - is available as a Docker image alongside the PyPI package.

One command to run it:

docker pull jagmarques/asqav-mcp
docker run -e ASQAV_API_KEY="sk_live_..." jagmarques/asqav-mcp
Enter fullscreen mode Exit fullscreen mode

Why Docker matters for MCP governance

MCP servers run as subprocesses of your AI client. Most setups use pip install and run the binary directly. Docker adds a layer that matters for production deployments:

  • No Python environment to manage. The image has everything. No venv, no dependency conflicts, no "works on my machine."
  • Pinnable versions. jagmarques/asqav-mcp:0.3.1 is immutable. Your governance layer won't drift when you update other packages.
  • Audit-friendly deployment. Image digest is fixed. You can prove exactly what was running at any point in time.

What asqav-mcp does

It exposes governance tools through the Model Context Protocol. Any MCP-compatible client - Claude Desktop, Claude Code, Cursor - gets access to:

  • gate_action / complete_action - pre-execution gate with bilateral receipts
  • enforced_tool_call - strong enforcement proxy. Checks policy before the agent can use a tool.
  • check_policy - check an action against your organization's rules
  • sign_action - sign any action with ML-DSA-65 (FIPS 204, quantum-safe)
  • verify_signature - verify any previous signature
  • Tool policies: per-tool risk levels, rate limits, approval requirements, blocking

The free tier covers everything. No credit card.

Bilateral receipts

Standard audit logs prove an action was authorized. They don't prove what happened after. Bilateral receipts fix this.

When an agent calls gate_action, it gets a signed approval. After the action, it calls complete_action with the result. The server links the two signatures cryptographically. An auditor can verify the approval decision and the outcome from a single record.

With enforced_tool_call and a tool_endpoint, the server handles the whole chain automatically - it forwards the approved call, captures the response, and signs request + response together.

Using it with Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "asqav": {
      "command": "docker",
      "args": ["run", "--rm", "-e", "ASQAV_API_KEY=sk_live_...", "jagmarques/asqav-mcp:0.3.1"]
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

Or keep using pip if you prefer:

pip install asqav-mcp
claude mcp add asqav -- asqav-mcp
Enter fullscreen mode Exit fullscreen mode

Tool policies

Control enforcement per tool with ASQAV_PROXY_TOOLS:

docker run \
  -e ASQAV_API_KEY="sk_live_..." \
  -e ASQAV_PROXY_TOOLS='{"sql:execute": {"risk_level": "high", "require_approval": true}, "file:delete": {"blocked": true}}' \
  jagmarques/asqav-mcp:0.3.1
Enter fullscreen mode Exit fullscreen mode

blocked returns a denial. hidden is stronger - the tool appears not to exist at all.

GitHub: https://github.com/jagmarques/asqav-mcp
Docker Hub: https://hub.docker.com/r/jagmarques/asqav-mcp
PyPI: https://pypi.org/project/asqav-mcp/

Top comments (0)