By Micky Irons, founder of Mickai.
A Model Context Protocol registry is a directory. It tells an agent which servers exist, what each one advertises, and how to reach it. That is genuinely useful. Discovery is the first problem any tool-using system has to solve, and a registry solves it cleanly. The trouble starts the moment people mistake a directory for a record of accountability. Knowing that an agent could call a payments server, a filesystem server and a calendar server tells you nothing about which one it called, with what arguments, on whose authority, or what changed as a result.
The distinction is the whole game. A registry describes capability in the conditional tense. It answers what an agent is permitted to do and where to find the tool. Accountability lives in the past tense. It answers what the agent actually did, in what order, and whether the result can be trusted later by someone who was not in the room. These are different questions, and a registry, by design, only ever answers the first.
A registry is Hermes at the crossroads. It points to the right door. It does not follow you through it, and it keeps no record of what you carried back out.
Discovery is not the same as evidence
Picture an agent given access to forty servers through a well-maintained registry. Each entry is signed, version-pinned and described in detail. The registry is doing its job perfectly. Now an incident lands on your desk. A file was deleted that should not have been, or a transfer went through that nobody approved. You open the registry and it tells you, faithfully, that the agent had access to a filesystem server and a payments server. It cannot tell you whether either was invoked, by which step of which run, against which credential, or whether the call succeeded. The directory was never the evidence. It was only ever the map.
This matters more as agents gain reach. A single agent run can chain a dozen tool calls across as many servers, each call mutating state somewhere. The capability surface advertised by a registry grows linearly. The space of things that actually happened grows combinatorially. Auditing the second from the first is impossible in principle. You are reconstructing a journey from a list of roads that existed.
What a record of consequence has to carry
To answer the past-tense question, you need an artefact created at the moment of action, not assembled afterwards from logs that can drift, be edited, or quietly go missing. It has to bind four things together: the action taken, the inputs it ran on, the identity that authorised it, and the result it produced. It has to be tamper-evident, so that a later edit is detectable rather than invisible. And it has to be verifiable by someone who does not trust the operator, because the cases that matter most are exactly the ones where the operator is the party under question.
Memory is not storage. Mnemosyne holds what happened in a form that cannot be quietly rewritten. A consequence record has to do the same, or it is just another log.
This is the layer Mickai is built to provide, and it is why Mickai is a Sovereign Intelligence Operating System rather than a tool that bolts onto someone else's stack. Mickai runs fifty specialised brains (twenty-five domain and twenty-five operational) on the operator's own hardware, fully offline-capable. Every consequential action those brains take is sealed into an Open Audit Record. The record captures the action, its inputs, the authorising identity and the outcome, then signs that bundle with FIPS 204 ML-DSA-65, the published NIST post-quantum signature standard. Mickai did not invent the standard. It adopts it, because a signature that will still verify in a decade is worth more than a clever one nobody else can check.
From a server you trusted to a record you can prove
A registry entry is a claim about the future: this server will behave as described. An Open Audit Record is a claim about the past: this is what happened, and here is the signature that says so. The two are complementary, not competing. You still want a registry to find the right server. You also want, separately, a record that survives the server, the session and the operator's good intentions.
Permanence is the last piece. A signed record is only as durable as the place it lives. If the operator controls the storage, a sufficiently motivated operator can lose it. Mickai resolves this with Pantheon, its own sovereign Layer 1, anchored to Bitcoin. Pantheon takes a hash commitment of the record and anchors that commitment to Bitcoin, so the existence and exact content of the record at a point in time can be proven against the most heavily secured public ledger there is. Pantheon does not move bitcoin and it is not a Bitcoin Layer 2. It commits a fingerprint, not a payment. Anchoring is not spending.
Anchoring, not spending. Poseidon fixes the record to bedrock. Pantheon commits a hash to Bitcoin so a moment in time cannot be denied later, without ever moving a coin.
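An added example, not Mickai's code or its Open Audit Record format: a hash-chained record that binds action, inputs, identity and result, checked against a head commitment held outside the operator's storage. The field names, SHA-256, the chain layout and the sample calls are assumptions made for illustration, and the signature step (the article names ML-DSA-65) is left out because the Python standard library has no implementation of it.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain


def _digest(body):
    # Canonical JSON so the same record always yields the same hash.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_record(chain, action, inputs, identity, result):
    """Seal one tool call into the chain and return the new head hash."""
    body = {"seq": len(chain),
            "prev": chain[-1]["hash"] if chain else GENESIS,
            "action": action, "inputs": inputs,
            "identity": identity, "result": result}
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]["hash"]


def verify_chain(chain, anchored_head):
    """Return (ok, index of first failure); index len(chain) means head mismatch."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    # Internal consistency is not enough: an operator could rewrite or
    # truncate everything. Compare against the commitment held elsewhere.
    if prev != anchored_head:
        return False, len(chain)
    return True, None


def sample_chain():
    """Constructed sample run: three tool calls by one hypothetical agent."""
    chain = []
    calls = [("calendar.read", {"day": "2025-01-06"}, {"events": 2}),
             ("fs.delete", {"path": "/tmp/report.csv"}, {"ok": True}),
             ("payments.transfer", {"to": "acct-42", "amount": 100}, {"ok": True})]
    for action, inputs, result in calls:
        head = append_record(chain, action, inputs, "agent-7/run-19", result)
    return chain, head
```

An in-place edit fails at the edited record; a truncated or fully rewritten chain is internally consistent and fails only at the comparison with the externally held head, which is the job the anchor does.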
The question to ask of any agent stack
When you evaluate an agent platform, separate the two questions the way the architecture should. First, how does it discover and constrain what its agents can reach? A registry, a permission model and signed server entries answer that. Second, and more importantly, what does it produce as evidence of what its agents actually did? If the answer is application logs on infrastructure the operator controls, you have a directory and a diary, not an audit trail. The diary can be rewritten and nobody outside will know.
Mickai's wager is that the second question is the one that decides whether autonomous systems can be trusted with anything that matters. Discovery is a solved problem. Consequence is not, and a directory of servers will never solve it, because it is answering a different question. The registry tells you which server. The Open Audit Record, anchored through Pantheon, tells you what it did, and lets a stranger confirm you are not lying about it.
Themis weighs what was done, not what was permitted. The shift from capability to consequence is the shift from a directory to a verdict that holds.
Mickai is held privately by its founder, Micky Irons. The accountability architecture described here sits on a portfolio of 101 filed UK patent applications, around 2,234 claims, owned by Mickai LTD with Micky Irons as the named inventor. The point of all of it is narrow and old-fashioned. A system that acts in the world should be able to account for what it did, to someone who does not have to take its word.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/the-mcp-registry-tells-you-which-server-not-what-it-did. More from Micky Irons and Mickai at mickai.co.uk.
