Explains what A2A TrustGate is and how to activate this MCP server (no API key on this session yet).
Parameters
No parameters.
Raw schema
{
"type": "object",
"properties": {}
}
a2a_signup
Create a new A2A TrustGate tenant and get an API key (shown once), unlocking all safety tools in this session immediately. Agent-first: only a short tenant slug is required โ no email or password. A human must then add a card (secure Stripe checkout) at the returned paymentUrl to activate; /v1 calls return 402 until activated.
A safety, compliance, and audit layer for AI agents โ screen every action through a dual-gate firewall before it executes. As easy as git.
git commits your code. a2a screens your agents.
Your agent can run commands, hit APIs, touch devices, spend money. One bad tool call โ a rm -rf, a prompt-injected instruction, an unlicensed asset โ and it's already happened. A2A puts a gate in front of the action: every command your agent proposes is screened against a deterministic rule gate and a self-evaluation gate, allowed or blocked in milliseconds, and written to an immutable audit trail. Your agent runs it itself โ one install, no human relaying approvals.
Works with: Claude Code ยท Cursor ยท Cline ยท Windsurf ยท Aider ยท Codex ยท any MCP client
Agent proposes a command, the gate screens it, the human sees it in the dashboard โ watch the full demo.
Install
bash
npm install -g a2a-trustgate
The npm package is a2a-trustgate; the command is a2a.
Quick Start
bash
# Create a tenant (agent-first โ human activates)
a2a signup my-company --local# Screen a command โ exit 0 = allowed, 1 = blocked, 2 = needs review
a2a eval"rm -rf ./build"# โ ALLOWED
a2a eval"rm -rf /"# โ BLOCKED: filesystem destruction pattern# See plan, usage, limits
a2a status
# Full reference
a2a --help
How it works โ the Asimov dual-gate
Every action passes two gates before it's allowed to run:
Gate 1 โ deterministic rules. Pattern and policy screening in milliseconds: destructive filesystem ops, secret exfiltration, injection signatures, scope violations. Fast, no model call.
Gate 2 โ self-evaluation. For anything Gate 1 can't clear outright, the agent's own reasoning is turned back on the action: should this run, given the context and the tenant's policy?
bash
a2a eval"command" --gate2 self # self-evaluate (default)
a2a eval"command" --gate2 skip # Gate 1 only (fast path)
a2a eval"command" --context ctx # add decision context
a2a eval"command" --pipeline ID # route through a named pipeline
Exit codes make it scriptable โ wrap any risky step:
bash
if a2a eval"rm -rf ./build" --json 2>/dev/null; thenrm -rf ./build
fi
Code
Meaning
0
Allowed โ safe to execute
1
Blocked โ do not execute
2
Needs review โ Gate 2 self-evaluation required
Built for six kinds of team
A2A screens the same way for everyone, but the surface each team touches is different. Pick yours.
Network operations โ a gate in front of every device
Your agents run commands against routers, switches, and sites. A2A registers each device, enforces a per-device policy, and gives you a killswitch that stops every agent at once.
Multi-agent systems where one agent's output is another's input. A2A gives them scoped workspaces and HMAC-signed channels, so a rogue or injected message can't cross a boundary you didn't grant.
Regulated industries โ an immutable, exportable audit trail
Every decision โ allowed or blocked, with reasoning โ lands in an append-only log you can export for an auditor. OCSF-shaped, EU AI Act aligned.
bash
a2a audit # recent decisions
a2a audit export --format csv # hand to an auditor (csv/json)
a2a approvals # human-in-the-loop queue
a2a approve TASK-ID
a2a reject TASK-ID "out of policy"# reason recorded in the trail
Register your catalogue, mint scoped licences, and every agent that reaches for an asset is checked against a rights log. Access is granted by licence, not by scraping.
bash
a2a catalogue create "The Back Catalogue"
a2a catalogue licence create --catalogue CAT-ID --email studio@label.com --scope read
a2a catalogue access-log # who reached for what, and whether it was licensed
a2a catalogue content-sources
Universities โ research governance without the friction
Approvals, scope enforcement, and an exportable trail that maps to research-ethics and UKRI responsible-AI requirements. One URL for a researcher to connect, governance for the board.
bash
a2a eval"command" --context "grant-XYZ research pipeline"
a2a approvals # ethics/governance queue
a2a audit export --format csv # for the board or the funder
Prefer tools over a CLI? a2a ships an MCP server. Point Claude Code (or any MCP client) at it and your agent gets 49 native tools: evaluate, pipelines, workspaces, channels, devices, sites, catalogues, audit, approvals, admin. The whole platform.
bash
claude mcp add a2a -- a2a mcp-serve
For clients that use a JSON config (Cline, Cursor, Windsurf), pass your API key via the A2A_API_KEY environment variable. The MCP server runs outside your project directory, so it will not pick up .a2a/config.json:
No key yet? Start it without one: the server boots in onboarding mode and can guide signup, then add the key and restart.
Remote MCP โ zero install
No CLI at all? Claude Web, Claude Desktop, Raycast, or any hosted MCP client can connect straight to our remote server. Same 49 tools, same API key, nothing to install:
a2a login # store globally (~/.a2a/)
a2a login --local# store per-project (./.a2a/) โ add .a2a/ to .gitignore
a2a config # show which config is active
Agent Integration
Add to your CLAUDE.md, .cursorrules, .clinerules, .windsurfrules, or AGENTS.md:
code
## A2A TrustGate
This project screens agent actions through A2A before they execute.
Use the `a2a` CLI. Config is in .a2a/config.json (auto-loaded).
If not configured: a2a login --local --key YOUR_KEY
Before running any risky command, screen it:
a2a eval "the command" --json # exit 0 = run it, 1 = do not, 2 = needs review
Why this exists
An agent that can act is an agent that can act wrongly โ and by the time you read the log, it's done. I wanted a gate in front of the action, not a report after it: deterministic where it can be, self-evaluating where it can't, and audited either way. It's early and I'm iterating fast โ if something's rough or missing, tell us.