A2 — the cross-lens join. Fuse TunnelMind's two lenses (Scry attacker
intelligence + Sigil supply graph) into ONE verdict on a single node key.
This is the moat: no siloed competitor owns both halves of the graph, so
the fused `cross_lens` block carries information neither lens can supply
alone.
Use this tool when:
- An agent must decide whether to transact with an IP, domain, ASN, or
entity_slug, and a one-lens answer is not enough.
- You want a single composite trust verdict instead of running
Scry + Sigil calls separately and reconciling them by hand.
Inputs:
- `node` (required): an IPv4 address, a domain, an ASN (e.g. `AS64500`),
or an entity_slug. Type is auto-detected.
- `weights` (optional): per-component weight overrides.
- `thresholds` (optional): `{ pass, fail }` verdict cutoffs (defaults 0.7 / 0.3).
- `ait` (optional): an ATAP AIT id. When present, the verdict is chained
onto the AIT as a witness-tier `cross_lens:verified` event signed by
Sigil (witness OAI-2026-0000201) — replayable evidence, not just JSON.
Returns: per-lens `scry` + `sigil` blocks (transparency), a fused
`cross_lens` block with `verdict` / `trust_score` / `confidence` /
`signals` / `recommendations`, a 5-minute signed `sigil_token`, and a
`witnessed_event` block when an AIT was supplied.
Failure semantics: each lens fails independently. Single-lens answers
still return 200 with a `confidence` of 0.55. Returns 503 only when BOTH
lenses are unavailable.
Parameters (4)
nodestringrequired
The node to verify. IPv4, domain, ASN (AS-prefixed or numeric), or entity_slug.
weightsobject
thresholdsobject
aitstring
Optional ATAP AIT id to witness this verification under.
sigil_verify_supply_path
The core pre-bid check. Verify the trustworthiness of one programmatic ad
supply path and get back a composite trust verdict plus a signed proof token.
Sigil composes ads.txt authorization, datacenter-IP classification, Scry
fraud-corpus lookup, and app-bundle checks into one score.
Use this tool when:
- An ad-buying agent is about to bid and must confirm the supply is genuine.
- You want one call instead of running ads.txt / IP / bundle checks separately.
Inputs:
- `supply_path` (required): { publisher_domain, exchange, seller_id, and
optionally ip_address, app_bundle:{bundle_id,platform} }.
- `ait` (optional): an ATAP AIT id — when present, Sigil records this
verification as a witnessed attestation event and binds the token to it.
Returns: `trust_score` (0-1), `verdict` (pass/warn/fail/unknown), per-check
results, `recommendations`, and a signed `sigil_token` (5-min) to attach to
the bid as proof. The submitted IP is used for lookup only — never stored.
Parameters (2)
supply_pathobjectrequired
aitstring
Optional ATAP AIT id to witness this verification under.
sigil_verify_ads_txt
Check whether an exchange/SSP is authorized to sell a publisher's inventory,
per the publisher's ads.txt file. Fast cached lookup against Sigil's daily
crawl of the top ~10k publisher domains.
Use this tool when:
- You need a single, narrow authorization check (not a full supply-path score).
- You are validating a (publisher, exchange, seller_id) triple from a bid request.
Inputs:
- `publisher_domain`, `exchange_domain`, `seller_id` (all required).
- `resolve_chain` (optional): when true and the entry is RESELLER, Sigil walks
one hop into the exchange's sellers.json to identify the upstream seller.
Returns: `verified` (true/false/null), `confidence`, the matched ads.txt entry,
and any `warnings` (e.g. seller_type mismatch).
Parameters (4)
publisher_domainstringrequired
exchange_domainstringrequired
seller_idstringrequired
resolve_chainboolean
sigil_verify_ip_type
Classify an IPv4 address as datacenter, residential, mobile, or unknown.
Detects datacenter traffic posing as real user devices. Stateless — the IP
is never logged or stored.
Use this tool when:
- You need to know whether bid-request traffic originates from a datacenter.
Inputs:
- `ip` (required): an IPv4 address.
Returns: `ip_type`, `confidence` (high/medium/low), and the ASN + AS-org name.
Parameters (1)
ipstringrequired
sigil_verify_app_bundle
Verify that a mobile/CTV app bundle ID actually exists in its app store and,
optionally, that the listed developer matches. Detects bundle-ID spoofing in
bid requests.
Use this tool when:
- A bid request names an app bundle and you must confirm the app is real.
Inputs:
- `bundle_id` (required), `platform` (required: ios | android | ctv_* | web),
- `claimed_developer` (optional): developer name to match against the listing.
Returns: `verified` (true/false/null), the store listing, and `developer_match`.
Parameters (3)
bundle_idstringrequired
platformstringrequired
claimed_developerstring
sigil_verify_supply_chain
Verify a full OpenRTB SupplyChain (schain) object — every node, end to end.
Per node Sigil checks the seller against the exchange sellers.json and the
origin ads.txt, then returns a per-node and aggregate verdict plus a signed
token.
Use this tool when:
- A bid request carries an OpenRTB `schain` and you want it verified verbatim.
Inputs:
- `schain` (required): an OpenRTB SupplyChain object ({ ver, complete,
nodes:[{asi,sid,hp}] }).
- `site_domain` or `app_bundle` (optional): the inventory origin, checked
against node[0] via ads.txt / OWNERDOMAIN.
Returns: per-node `nodes` results, an aggregate `verdict`, `recommendations`,
and a signed `sigil_token`.
Parameters (3)
schainobjectrequired
OpenRTB SupplyChain object.
site_domainstring
app_bundlestring
traverse_supply_chain
Walk the supply graph for a publisher domain and get back the ITEMIZED
sell paths — distinct from sigil_verify_supply_chain (which verifies a
schain you BRING) and from the dark-pool-risk signal (which only returns
counts). Here Sigil reconstructs the paths from its own crawl: every SSP
the publisher declares it sells through, joined to that SSP's identity and
classified two-sided against the SSP's sellers.json.
Use this tool when:
- You have a publisher domain but no schain, and want to SEE its real
authorized supply paths and where the opacity is.
- dark-pool-risk flagged a publisher and you need the specific contradicted
paths driving the risk, not just the aggregate.
Inputs:
- `domain` (required): the publisher domain, e.g. `cnn.com`.
- `limit` (optional): max paths returned (default 200, cap 500). The list
is ordered riskiest-first (contradicted, then reseller) so a truncated
page is still the most useful; the `supply_paths` counts are always over
the FULL set.
Returns: `supply_paths` aggregate counts (total / direct / reseller /
corroborated / contradicted / unchecked) and `paths[]`, each with the SSP
identity, `seller_id`, `seller_type`, `klass` (corroborated = seat present;
contradicted = SSP crawled but seller_id absent → real risk; unchecked =
SSP not yet crawled → not risk), and `resells_to` (one level of downstream
reseller expansion). Returns in_supply_graph:false if the domain is not in
the crawled corpus.
Parameters (2)
domainstringrequired
Publisher domain to traverse.
limitinteger
Max paths returned (default 200, cap 500).
sigil_score_entity
Get the pre-computed trust score for one supply-chain entity (a publisher or
an SSP). Scores are recomputed daily from ads.txt health, supply-chain
directness, reach, and stability — deterministic, no ML black box.
Use this tool when:
- You want a fast standing trust signal for an entity without running checks.
Inputs:
- `entity_id` (required): `{type}:{domain}` — e.g. `publisher:nytimes.com` or
`ssp:pubmatic.com`.
Returns: `trust_score` (0-1), `score_components`, the 14-day `trend`, and
`warnings`.
Parameters (1)
entity_idstringrequired
sigil_score_batch
Pre-computed trust scores for up to 200 entities in one call — built for an
agent evaluating many supply sources during campaign setup.
Use this tool when:
- You have a list of publishers/SSPs to grade at once.
Inputs:
- `entity_ids` (required): array of `{type}:{domain}` ids, up to 200.
- `weights` (optional): custom component weights to re-score with.
Returns: `count`, `scored_count`, and a per-entity `results` array (invalid
ids are reported inline, never failing the batch).
Parameters (2)
entity_idsarrayrequired
weightsobject
sigil_atap_register_ait
Register an ATAP v0.1 Agent Identity Token for a media-buying agent. Sigil
validates the capabilities + constraints against the `sigil:media_buyer:v1`
profile, signs the AIT as the witness, and returns it. Do this once per agent
campaign before witnessing any events.
Inputs:
- `profile` (required): must be `sigil:media_buyer:v1`.
- `operator` (required): the agent operator's canonical OAI.
- `capabilities` (required): array from the profile vocabulary.
- `constraints` (required): { currency, max_bid_cpm, supply_trust_minimum,
budget_total_cap, allowed_channels, ... }.
- `attestation_policy` (required): { witness_granularity, block_interval_seconds
(60-3600), receipt_generation }.
- `expires_at` (required): ISO date-time, <= 365 days out.
Returns: the signed AIT (note its `id` for subsequent witness calls).
Parameters (7)
profilestringrequired
operatorstringrequired
agent_typestring
capabilitiesarrayrequired
constraintsobjectrequired
attestation_policyobjectrequired
expires_atstringrequired
sigil_atap_witness
Witness one agent-reported bid or budget event into an AIT's hash-chained
attestation log. Sigil validates the payload (rejecting any PII), classifies
the evidence tier — `anchored` if a bid cites a valid Sigil token, else
`asserted` — derives constraint violations, and signs the event.
Use this tool when:
- An ATAP-enrolled media-buyer agent submits a bid, win, loss, or budget
decrement and you want it on the attestation record.
Inputs:
- `ait` (required): the AIT id.
- `event_type` (required): bid:submitted | bid:won | bid:lost | budget:decremented.
- `payload` (required): the event payload (see the sigil:media_buyer:v1 profile).
Returns: the signed witness event(s), the assigned `tier`, and any derived
constraint violations. (supply:verified events come from verify_supply_path,
not this tool.)
Parameters (3)
aitstringrequired
event_typestringrequired
payloadobjectrequired
sigil_generate_receipt
Generate the ATAP v0.1 compliance Receipt for an AIT — the portable, signed
artifact a media buyer hands its principal. The receipt grades every event
witnessed / anchored / asserted and is verifiable offline with the bundled
verify.sh.
Use this tool when:
- A reporting period closes and you need a compliance export for the AIT.
Inputs:
- `ait` (required): the AIT id.
- `format` (optional): `full` (default) or `summary`.
Returns: JSON with `receipt_id` and `zip_base64` — base64-decode `zip_base64`
to a .zip, unpack it, and run verify.sh to verify the chain independently.
Part of TunnelMind — the intelligence layer agents call before they trust the internet.
Three lenses on one signed corpus: Scry (who is attacking?) · Sigil (who can you trust?) · Tracker Data API (who is watching?).
This repo serves: Sigil — the MCP-tool surface agents call to verify ad-tech supply paths. See tunnelmind.ai.
MCP server for Sigil — TunnelMind's agentic supply-chain verification layer
for programmatic advertising (P35).
Sigil ships as a separate MCP surface (P35 Shape B). One Cloudflare Worker, two
hosts:
Host
Serves
mcp.sigil.tunnelmind.ai/mcp
Streamable-HTTP MCP endpoint (JSON-RPC 2.0)
sigil.tunnelmind.ai/.well-known/mcp.json
Discovery card (mcp-server-card/1.0-draft)
The Worker is a thin agent-facing wrapper: every tool proxies the live Sigil
API at data.tunnelmind.ai/v1/sigil/* over a Cloudflare service binding. The
Authorization header on an MCP request is forwarded — a paid TunnelMind key
gets its tier, anonymous callers get the free tier. Discovery is unauthenticated.
Tools
Tool
Purpose
cross_lens_verify
A2 — fused Scry × Sigil verdict on one node key (IP / domain / entity / ASN). The moat: both lenses, one answer.
sigil_verify_supply_path
Composite pre-bid trust verdict + signed token
sigil_verify_ads_txt
ads.txt seller-authorization check
sigil_verify_ip_type
Datacenter / residential / mobile IP classification
sigil_verify_app_bundle
App-store bundle-ID verification
sigil_verify_supply_chain
Full OpenRTB SupplyChain (schain) verification
sigil_score_entity
Pre-computed entity trust score + 14-day trend
sigil_score_batch
Trust scores for up to 200 entities
sigil_atap_register_ait
Register an ATAP AIT for a media-buyer agent
sigil_atap_witness
Witness a bid/budget event into the attestation chain
sigil_generate_receipt
Generate the ATAP compliance Receipt ZIP
Published in the official MCP registry as ai.tunnelmind/sigil.