Model Context Protocol · agent runtime

Your agents are
users now.

MCP gives agents tools. StealthQL gives them identity, scope, memory, proposals, and an audit trail. No silent writes. No unscoped data access. No “trust me, I ran the tests.”

scoped · every read
proposed · every write
ledgered · every call
01 / Identity · keypair · signed
Every agent has a keypair. Scoped, signed, treated by the runtime exactly like any other actor — the same primitive that authenticates Alice the founder.
02 / Scope · share principal
A long-lived share defines what the agent may read, write, propose, or refuse. Same primitive your team already uses for humans, applied to agents.
03 / Memory · its own capsule
Memory is a capsule, not a vector blob. Hash-chained, query-shaped, schema-typed. Recall is a query. Forget is a governed delete with a receipt. Replay is a query.asOf.
04 / Tools · MCP surface
MCP exposes the verbs the agent gets — query.shape, propose.update, memory.recall — all routed through the same policy layer as your humans.
05 / Audit · every call · ledgered
Every tool call lands in the ledger as a signed event. Replay any session. Attest any action. The agent's behavior is provable, not just plausible.
06 / Delegation · sub-shares
When agent A asks agent B for help, A issues a sub-share. B is bound by both shares simultaneously. A vector store can't do this. A capsule does it natively.
The Agent Capsule · figure 2
AI agents used to be black boxes.
Things you trusted. Logs you scraped.
Memory that lived in vector blobs.
That era is over.
We just stopped pretending agents are different.
/ 01 The failures that become impossible to hide

The patches you stop seeing.

When constraints, prior decisions, and security rules live in a hash-chained ledger instead of a vector blob, three things you've come to expect from AI coding tools just stop happening.

i.

Rewriting working code worse than it was.

The agent recalls the prior version's invariants from its capsule by type, not by similarity. It edits in. It doesn't draft a new file from a fuzzy summary and call it a refactor.

ii.

Deleting half a file to add one feature.

Every read is ledgered. Every write is a proposal with a diff before it lands. The destruction is visible before it happens — and a human or a rule has to accept it.

iii.

Forgetting yesterday's security rule.

“Never use the service client for member-supplied PATCH data” is a typed memory event, not a chunk of text the agent might or might not retrieve. It's recalled by relation, not by vibe.

iv.

Saying “done” with nothing to prove it.

Every tool call lands in the ledger. “I ran the tests.” “I added the migration.” “I updated the types.” If the events aren't in the capsule, the agent can't say they happened. The summary is generated from what the agent actually executed — not the story it tells you afterward.

These aren't features. They're the absence of failures you've been forgiving for two years. Vector memory could never have prevented them — the agent had no way to know, in a typed sense, what it was supposed to remember. A capsule does.

/ 02 Why this category exists

Tools without rules.

MCP standardized how agents call tools. StealthQL standardizes what they're allowed to do with them. Identity, scope, memory, proposals, audit — the layer above the protocol.

i.

Vector memory.

Fuzzy recall. No authority model. No policy check. No replay. No signed delegation. No forget receipt. Useful as an index — not as a record.

ii.

MCP without StealthQL.

Tools exist. The agent can call them. Logs are ad hoc, memory lives somewhere else, writes can be silent. Standardized vocabulary, no shared accountability layer.

iii.

StealthQL MCP.

Agents are actors. Tools are scoped by shares. Writes are proposals. Memory is a capsule. Every call is ledgered. Replay and attestation are built in.

The protocol, in five lines
No silent writes.
Every read is scoped.
Every write is a proposal.
Every call is ledgered.
Every session is replayable.

An MCP server shouldn't be a bag of tools. It should be a governed actor surface.

↳ what this looks like

A support agent debugging one customer's billing issue.

Abstract until you see it. Same agent, same MCP session, same capsule — but the runtime knows exactly what it can and can't touch, and every step is recorded in the ledger.

It can · scoped by the support_session share
✓ read the billing support share
✓ inspect allowed invoice fields
✓ propose a status correction
✓ run policy tests
✓ produce an evidence packet
// every action is a ledger event,
// signed by the deployment key.

It cannot · refused at the runtime · ledgered
✗ read internal notes
✗ read unrelated customer rows
✗ mutate production silently
✗ send private fields to hosted AI
✗ delegate beyond its sub-share
// every refusal is a ledger event too.
// the agent's reach is its capsule's reach.

When the customer asks what your AI did for them last Tuesday at 3pm, you don't reconstruct from logs. You replay the capsule. The same primitive that scoped the agent's reach produced the record of how it used it.

/ 03 The agent is an actor

Same primitive.
Different name.

An AI agent isn't a session token to OpenAI. It's an actor — with a keypair, a scope, a capsule, and an audit trail. Defined in the same file your humans live in, evaluated by the same policy engine, logged to the same ledger.

Your backend has known how to scope, log, and govern users for forty years. The runtime doesn't care if the actor is human, agent, or device. It's just an actor with a capsule.

/ 04 Capsule, not vector

Memory you can prove.

Most “agent memory” today is a vector database with arbitrary text. It can answer what might be relevant. It cannot prove what the agent knew, what it did, who authorized it, or what changed between Tuesday at 3pm and now. A capsule can.

Vector memory · recall · probabilistic · index
// agent.memory.recall('service client constraint')
→ "here is something semantically similar."
// what the agent knew? unknown
// who authorized it? unknown
// when was it superseded? unknown
// can we replay the moment? no

Capsule memory · record · auditable · source of truth
// agent.memory.recall('service client constraint')
→ event 1842 · USER_CONSTRAINT
  subject: 'billing route'
  relation: 'must_not'
  object: 'use service client for member PATCH'
  author: alice (signed)
  recorded: 2026-04-15T14:00:00Z
  superseded_by: null
  evidence: app/api/jobs/[id]/route.ts:42

The vector index can be regenerated. The materialized memory can be rebuilt. The ledger is truth. When the agent violates a constraint it remembered, the system can name the rule, the moment, the author, and the evidence. Not “something semantically similar.”

/ 05 Delegation

When agents work together,
they federate.

Agent A doesn't dump its whole memory into agent B's context. A issues B a sub-share — scoped to one task, narrow fields, bounded tools, an expiration. B is bound by both shares simultaneously. When the work finishes, both capsules can replay independently, and the join produces the full record.

Agent-to-agent delegation isn't a vague prompt. It's a signed capability. Bounded authority transfer with the same primitive your team uses to share an invoice link with a customer.
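The "bound by both shares" rule above amounts to an intersection of the two grants. The sketch below is an added example, not StealthQL code: the share layout, the field names and the `effectiveShare` / `authorize` helpers are hypothetical, and only the tool names are taken from this page.

```javascript
// Added illustration, not StealthQL code; share layout and field names are hypothetical.
function intersect(a, b) {
  const other = new Set(b);
  return a.filter((x) => other.has(x));
}

// Authority the delegate really holds: it must satisfy the parent share AND
// the sub-share, so the result can never be wider than either one.
function effectiveShare(parent, sub) {
  return {
    tools: intersect(sub.tools, parent.tools),
    fields: intersect(sub.fields, parent.fields),
    expiresAt: Math.min(parent.expiresAt, sub.expiresAt),
  };
}

// Decide one tool call against the effective share; anything not granted is refused.
function authorize(parent, sub, call, now) {
  const eff = effectiveShare(parent, sub);
  if (now >= eff.expiresAt) return { allowed: false, reason: 'expired' };
  if (!eff.tools.includes(call.tool)) {
    return { allowed: false, reason: 'tool not in both shares' };
  }
  const extra = call.fields.filter((f) => !eff.fields.includes(f));
  if (extra.length > 0) {
    return { allowed: false, reason: 'field not in both shares: ' + extra.join(',') };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: agent A's own share, and the sub-share it issues to agent B.
const parentShare = {
  tools: ['query.shape', 'propose.update'],
  fields: ['invoice.id', 'invoice.status', 'invoice.total'],
  expiresAt: 2000, // timestamps are plain numbers for the demo
};
const subShare = {
  tools: ['query.shape', 'propose.delete'], // propose.delete is not in the parent
  fields: ['invoice.id', 'invoice.status', 'customer.notes'],
  expiresAt: 5000, // outlives the parent, so it is clamped to 2000
};
```

A sub-share that names a tool, a field or a lifetime the parent never had grants nothing extra, which is the property to test for in any delegation scheme.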

/ 06 The AI port firewall

Refuse the leak. At the agent.

Every agent has a trust class — hostedCloud, privateCloud, localDevice. Every field has an aiReadable matrix. When the agent tries to read a row not allowed for its class, the runtime refuses the read — not at the model, at the agent. Same enforcement point that protects your humans.

The same primitive that mediates outbound LLM calls now mediates the agent itself. If the data isn't allowed in its trust class, the agent never sees it. The model shouldn't decide what it's allowed to see. The capsule should.
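A minimal sketch of that enforcement point, as an added example rather than StealthQL code: the matrix layout, the field names, the event type strings and the `mediate` helper are assumptions, and only the three trust-class names come from this page. It also assumes that a field with no matrix entry is refused.

```javascript
// Added illustration, not StealthQL code. Matrix shape and field names are constructed.
const TRUST_CLASSES = ['hostedCloud', 'privateCloud', 'localDevice'];

const aiReadable = {
  'invoice.status': { hostedCloud: true, privateCloud: true, localDevice: true },
  'invoice.total': { hostedCloud: false, privateCloud: true, localDevice: true },
  'customer.tax_id': { hostedCloud: false, privateCloud: false, localDevice: true },
};

// Filter a payload before it reaches an agent or model of the given trust class.
// Assumption: a field with no matrix entry is refused (default deny).
function mediate(payload, trustClass, matrix, ledger) {
  if (!TRUST_CLASSES.includes(trustClass)) {
    throw new Error('unknown trust class: ' + trustClass);
  }
  const allowed = {};
  const refused = [];
  for (const [field, value] of Object.entries(payload)) {
    const rule = Object.hasOwn(matrix, field) ? matrix[field] : null;
    if (rule && rule[trustClass] === true) allowed[field] = value;
    else refused.push(field);
  }
  // Refusals are recorded by field name only, so the log never holds the value.
  ledger.push({
    type: refused.length > 0 ? 'AI_READ_REFUSED' : 'AI_READ_ALLOWED',
    trustClass,
    refused,
  });
  return { allowed, refused };
}
```

Because the check runs before the payload is assembled for the model, a prompt cannot talk its way past it; the unlisted-field case is the one most worth a policy test.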

/ 07 Provable action

Replay the agent's last hour.

An LLM saying “I think I did X” is worthless. A capsule saying here are the events, in order, with the policies that allowed each one is a black-box recorder. Every tool call, every read, every proposal, every approval lands in the ledger as a signed event.

What did your agent do for this customer last Tuesday at 3pm? One command. Replay the capsule. Decision hashes, rule hashes, before/after rows, model attestations. Nobody else can offer this — not LangChain, not the model providers, not vector DBs.
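What "hash-chained" and "signed event" buy in practice, as an added example that is not StealthQL code: the event layout and the `append` / `verify` / `claimHolds` helpers are hypothetical, the key is generated for the demo, and the tool names are the ones listed on this page.

```javascript
// Added illustration, not StealthQL code: the event layout is hypothetical.
const nodeCrypto = require('node:crypto');

// Constructed deployment key for the demo; a real runtime would load its own.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const GENESIS = '0'.repeat(64);

// Bytes that get hashed: an array fixes the top-level order. Nested args keep
// insertion order, which is enough here; a real format needs canonical JSON.
function canonical(e) {
  return JSON.stringify([e.seq, e.prev, e.actor, e.tool, e.args]);
}

function sha256hex(s) {
  return nodeCrypto.createHash('sha256').update(s).digest('hex');
}

// Append an event that commits to the previous event's hash, then sign the hash.
function append(ledger, actor, tool, args) {
  const prev = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  const e = { seq: ledger.length, prev, actor, tool, args };
  e.hash = sha256hex(canonical(e));
  e.sig = nodeCrypto.sign(null, Buffer.from(e.hash, 'hex'), privateKey).toString('base64');
  ledger.push(e);
  return e;
}

// Walk the chain; return the index of the first bad event, or -1 if intact.
function verify(ledger, pub) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const e = ledger[i];
    const hash = sha256hex(canonical(e));
    const sig = Buffer.from(String(e.sig), 'base64');
    const sigOk = nodeCrypto.verify(null, Buffer.from(hash, 'hex'), pub, sig);
    if (e.seq !== i || e.prev !== prev || e.hash !== hash || !sigOk) return i;
    prev = hash;
  }
  return -1;
}

// "I ran the tests" holds only if a matching event sits in a ledger that verifies.
function claimHolds(ledger, pub, tool) {
  return verify(ledger, pub) === -1 && ledger.some((e) => e.tool === tool);
}
```

Editing, dropping or reordering any event changes a hash that a later event and a signature both commit to, so `verify` points at the first position where the record stops being trustworthy.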

/ 08 The tool surface

The verbs an agent gets.

MCP exposes a small, opinionated surface — every tool routes through the existing policy layer, every write defaults to proposal mode, every call is ledgered. Agents don't get raw mutate access. They propose. A human or a rule accepts.

i.

Identity & scope.

agent.session.start, agent.session.end, agent.delegate. Every session is a sub-share with an explicit scope.

ii.

Reads, policy-scoped.

query.shape, query.share, query.asOf, query.explain. Time-travel is built in. Every refused read names what would have unlocked it.

iii.

Writes, proposal mode.

propose.update, propose.create, propose.delete. Agents never silently change production data. They propose. A human or a rule accepts.

iv.

Memory, capsule-shaped.

memory.recall, memory.forget, memory.replay. The agent's capsule is the only memory. Recall is a query. Forget produces a receipt.

v.

AI calls, mediated.

ai.complete, ai.embed, ai.classify. Outbound model calls go through the firewall. Refused payloads land in the ledger.

vi.

Audit, built in.

audit.replay, audit.attest, policy.test, deploy.readiness. The cryptographic record of every action, on demand.

/ 09 On-device

An agent that runs on the phone.

Same capsule format. Same policy layer. Same MCP surface. The local-device trust class lets an agent run on the user's machine with a memory that never leaves the device — and the option to escalate to a hosted model only when the data is allowed there.

↳ the killer extension

The open, policy-bound version of on-device AI.

Local agent. Local memory. Local enforcement. Escalation to hosted AI only when policy allows it. Runs on any device, against any capsule, with field-level trust controls and a ledger the user owns.

user prompt → on-device agent → capsule policy check → local model OR escalate → ledger entry on device

The agent on the phone holds its own capsule. When the user's prompt could be answered locally, it is — instantly, privately, with a record. When the agent decides to escalate to a hosted model, the AI port firewall checks every field in the payload against its trust class, refuses anything marked hostedCloud: false, and logs the escalation. The user sees the same evidence as the agent.

/ 10 The merge

Humans. Devices. Agents.
One capsule.

These weren't three products. They were always one primitive — capsules for things that need memory, policy, replay, and proof. The agent on the phone, the human at the dashboard, and the support bot in your MCP session are all the same kind of object.

i

Humans

Identity, scope, audit log. Forty years of backend craft. Already shipped.

stealth.actors.alice
ii

Devices

The same capsule, on a phone or laptop. Sync end-to-end-encrypted. The line between “app” and “backend” goes away.

stealth.device.attach
iii

Agents

The same capsule, addressable by an MCP session. Identity, scope, memory, accountability. Just an actor.

@stealthql/mcp

One backend. Any actor. Any device. Provable forever. The first runtime where humans, agents, and devices share one truth, one audit log, and one set of rules.

/ 11 Pricing

Run it free.
Or let us run it for you.

Four tiers. One axis: how many agents you've got, and how much accountability you need around them. Custom only when there's an auditor in the room.

Free

Run it yourself. One agent, local or self-hosted, full Apache 2.0 source. Capsule format, sub-shares, audit ledger — everything that makes the protocol governable. Community support.

$0

Lite

Launch and forget. We host the MCP server, keep it always available, push updates while you sleep. One agent, 30-day audit history, basic replay, email support. Peace of mind for solo work.

$25/mo
1 agent · always-on · auto-updated

Compliance

For regulated work. Unlimited agents, forever audit history, SOC 2 / HIPAA / GDPR evidence packs, vendor signing keys with escrow, federation across capsules, auditor support.

Talk to sales

Free if you run it. $25/mo to launch and forget. $99/mo for a team. Custom when auditors are involved.

Stop pretending
agents are different.

$ npm install @stealthql/mcp

Apache 2.0. Works with Claude Code, Codex, Cursor, Cline, Roo,
and any MCP-compatible agent.