UCCO Foundation MCP Server Brief v1

Machine-Readable Standards Query Interface — Tier 1 Ready

Date: 15 March 2026, Session 8 Author: Pace (Claude, Anthropic) For: Alex (Claude Code execution)

SURFACE: mcp.ucco.foundation (NEW — ucco-mcp repo, ucco-foundation org)
CLOUDFLARE ACCOUNT: aed3398a4e698767328cc3a9e698721d (FOUNDATION)
DO NOT TOUCH: ucca.online, ops.ucca.online, ir.ucca.online, keys.ucca.online,
              rtopacks.com.au, pr.ucco.foundation, pioneer.ucco.foundation,
              ucco.foundation, ops.ucco.foundation — or ANY worker/repo on UCCA account

---

What This Is

An MCP (Model Context Protocol) server that makes the UCCO Foundation queryable by any AI system. Any LLM client — Claude, ChatGPT, Copilot, Gemini, or any future MCP-compatible agent — can connect to mcp.ucco.foundation and programmatically query the foundation's public data: standard status, pioneer keys, foundation facts, governance info.

This is the press office for machines. Live, authoritative, structured data — no training data lag, no hallucination, no scraping.

Strategic significance: UCCO becomes one of the first open standards with its own MCP server. The standard teaches itself to AI. When an AI is asked "what is UCCO?" it doesn't guess from cached training data — it queries the source.

---

What It Exposes (Public Data Only)

Tools

Tool	Description	Returns
get_standard_info	Current UCCO standard version, status, and submission targets	Spec version, draft status, line count, structure summary, submission bodies (ISO TC 307, NIST NCCoE, W3C VC WG)
get_foundation_info	Foundation overview	Name, jurisdiction, incorporation status, website, repository, leadership names and roles (public only), founding year
get_pioneer_stats	Aggregate pioneer programme statistics	Total keys issued, active count, inactive count, total activity hits, last activity timestamp. NO key hashes, NO individual key details
verify_pioneer_key	Verify a pioneer key prefix is valid	Given a key prefix (e.g., pca-), returns: valid/invalid, active/inactive, key name (not hash). Public verification endpoint
get_fact_sheet	Structured foundation facts for press/research	JSON version of the pr.ucco.foundation fact sheet: name, type, purpose, standard version, submissions, repository, license, pioneer count, founding year
get_protocol_stack	Explain where UCCO sits in the identity/capability stack	Layer 1: OAuth (identity), Layer 2: W3C VCs (credentials), Layer 3: UCCO (capability). Structured explanation with links
get_board_members	Public board composition	Names, roles, public bios only. Only fields where the board member has set visibility = public in their ops profile. No emails, no private details
get_specification_outline	High-level spec structure	Section titles and numbers from the UCCO v1.1 Rev2 spec — scope, normative refs, terms, identity primitives, capability envelopes, chain events, attestation, etc. NOT the full spec text

What It Does NOT Expose

• No internal ops data — nothing from ops.ucco.foundation
• No financial data — no Mercury balances, no transactions
• No board member private details — no emails, no phone numbers, no addresses
• No pioneer key hashes or secrets — only prefix verification and aggregate stats
• No full specification text — outline and metadata only (the spec is in the public GitHub repo)
• No CF Access credentials, API keys, or infrastructure details
• No data behind authentication of any kind

The rule: if it's on pr.ucco.foundation or the public endpoints of pioneer.ucco.foundation, it can be in the MCP server. If it's not public, it doesn't exist here.

---

Part 1 — Worker Setup

Domain and DNS

• Surface: mcp.ucco.foundation
• DNS: CNAME to Cloudflare Worker (same pattern as other foundation surfaces)
• Zone: ucco.foundation (already in foundation CF account)

Worker

• Name: ucco-mcp
• Runtime: Cloudflare Worker
• Transport: Streamable HTTP (MCP spec current recommendation, replaces SSE)
• Protocol: JSON-RPC 2.0
• Bindings: D1 (pioneer-db: 296a0474-d433-45c9-a035-57b828a957c1)

No Authentication Required for Data Access

The MCP server exposes only public data. No API key needed to query it. This is intentional — the whole point is open, permissionless access to standards metadata.

However, for Tier 1 registry inclusion, the server must support OAuth 2.1 as the connection mechanism even if no scopes restrict data. This is how Anthropic/OpenAI verify the server is real and controlled by the domain owner. See Part 5.

---

Part 2 — MCP Protocol Implementation

Capabilities Negotiation

On connection, the server advertises:

{
  "protocolVersion": "2025-03-26",
  "capabilities": {
    "tools": {
      "listChanged": false
    }
  },
  "serverInfo": {
    "name": "ucco-foundation",
    "version": "1.0.0"
  }
}

Tool Registration

Each tool is registered with: - name — snake_case tool name - description — clear, one-line description of what it does - inputSchema — JSON Schema for parameters (most tools take none or minimal params) - annotations — MCP tool annotations: - readOnly: true on ALL tools (this server never writes anything) - openWorld: false (the server only queries its own D1 database, no external calls)

JSON-RPC 2.0

Standard request/response:

// Request
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "get_standard_info",
    "arguments": {}
  }
}

// Response
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "content": [
      {
        "type": "text",
        "text": "{\"name\": \"Universal Capability Chain Object\", \"version\": \"1.1 Rev2\", ...}"
      }
    ]
  }
}

Error Handling

Standard MCP error codes. All errors return structured JSON, never HTML. Rate limit: 60 requests/minute per IP (Cloudflare rate limiting rule).

---

Part 3 — Data Sources

Static Data (hardcoded in Worker, updated with deploys)

These change rarely and don't need D1:

• get_standard_info — spec version, status, structure, submissions
• get_foundation_info — jurisdiction, website, repository, founding year
• get_fact_sheet — structured facts
• get_protocol_stack — layer explanation
• get_specification_outline — section titles from spec

Store as a const FOUNDATION_DATA = { ... } object in the Worker source. When the spec version changes or the foundation incorporates, update the object and redeploy. Simple.

Dynamic Data (from D1)

These query pioneer-db in real time:

• get_pioneer_stats — SELECT COUNT(*), SUM(CASE WHEN status='active'...) FROM pioneer_keys + stats from usage tracking
• verify_pioneer_key — SELECT name, status FROM pioneer_keys WHERE key_prefix = ? (never return the full key hash)
• get_board_members — SELECT display_name, role, bio, linkedin, website FROM board_members WHERE layer = 'L2' AND bio_public = 1 (only public-flagged fields)

Response Caching

All responses cached for 5 minutes (Cloudflare Cache API or Cache-Control: public, max-age=300). This is public data that doesn't change in real time — no need to hit D1 on every request. The 5-minute TTL means pioneer key stats update within 5 minutes of activity.

---

Part 4 — Tool Implementations

get_standard_info

{
  "name": "Universal Capability Chain Object (UCCO)",
  "publisher": "UCCA Inc",
  "governing_body": "UCCO Foundation, Inc.",
  "current_version": "1.1 Rev2",
  "status": "Draft for Public Comment",
  "date": "March 2026",
  "lines": 1141,
  "structure": "Full ISO-style — Scope, Normative References, Terms and Definitions, Identity Primitives, Capability Envelopes, Chain Events, Attestation, Store-and-Forward, Supervision Chain, Revocation. Annexes A-D.",
  "submissions": [
    {"body": "ISO TC 307", "status": "Submitted for adoption consideration"},
    {"body": "NIST NCCoE", "status": "Submitted for adoption consideration"},
    {"body": "W3C Verifiable Credentials Working Group", "status": "Submitted for adoption consideration"}
  ],
  "repository": "https://github.com/ucco-foundation/ucco-standard",
  "license": "W3C Software and Document License",
  "next_version": "2.0 (planned, not started)"
}

get_foundation_info

{
  "name": "UCCO Foundation, Inc.",
  "type": "Nonprofit corporation",
  "jurisdiction": "Kentucky, United States",
  "status": "Pending incorporation",
  "founded": 2026,
  "purpose": "Govern the UCCO open standard for cryptographic capability verification",
  "website": "https://ucco.foundation",
  "repository": "https://github.com/ucco-foundation",
  "press_office": "https://pr.ucco.foundation",
  "contact": "admin@ucco.foundation",
  "leadership": [
    {"name": "Tim Rignold", "role": "President & Chair"},
    {"name": "Jimmy Kuo", "role": "Treasurer & Director"}
  ]
}

verify_pioneer_key

Input: { "key_prefix": "pca-" }

{
  "valid": true,
  "status": "active",
  "name": "Pace-C-Anthropic",
  "issued": "2026-03-XX",
  "note": "Pioneer keys are cryptographic identifiers issued to early participants in the UCCO standard development."
}

Input: { "key_prefix": "xxx-" }

{
  "valid": false,
  "message": "No pioneer key found with this prefix."
}

get_pioneer_stats

{
  "total_keys_issued": 11,
  "active": 11,
  "inactive": 0,
  "destroyed": 0,
  "total_activity_hits": 6,
  "last_activity": "2026-03-15T...",
  "programme_status": "Active — accepting nominations",
  "specification": "https://pioneer.ucco.foundation/spec"
}

get_board_members

Returns only board members who have set their profile to public. If a board member hasn't completed their profile or has set visibility to internal, they don't appear here.

{
  "board_members": [
    {
      "name": "Tim Rignold",
      "role": "President & Chair",
      "bio": "Background in datacenter/network infrastructure...",
      "location": "Brisbane, Australia",
      "linkedin": "https://linkedin.com/in/...",
      "website": null
    }
  ],
  "total_seats": 9,
  "filled_seats": 2,
  "categories": ["Founding", "Governance", "Domain"],
  "advisory": ["Pace (Claude, Anthropic) — AI Advisor, non-voting"]
}

get_protocol_stack

{
  "description": "UCCO completes the internet's trust stack by adding a capability verification layer.",
  "stack": [
    {"layer": 3, "protocol": "UCCO", "function": "WHAT YOU CAN DO", "status": "Draft for Public Comment"},
    {"layer": 2, "protocol": "W3C Verifiable Credentials", "function": "WHAT CREDENTIALS YOU HOLD", "status": "Emerging standard"},
    {"layer": 1, "protocol": "OAuth 2.0 / OpenID Connect", "function": "WHO YOU ARE", "status": "Established"}
  ],
  "positioning": "We're not competing. We're completing."
}

get_specification_outline

{
  "version": "1.1 Rev2",
  "sections": [
    {"number": "1", "title": "Scope"},
    {"number": "2", "title": "Normative References"},
    {"number": "3", "title": "Terms and Definitions"},
    {"number": "4", "title": "Identity Primitives"},
    {"number": "5", "title": "Capability Envelopes"},
    {"number": "6", "title": "Chain Events"},
    {"number": "7", "title": "Attestation"},
    {"number": "8", "title": "Store-and-Forward"},
    {"number": "9", "title": "Supervision Chain"},
    {"number": "10", "title": "Revocation"}
  ],
  "annexes": ["A: Comparison with W3C VC and X.509", "B: JSON Schema", "C: Implementation Notes", "D: Security Considerations"],
  "full_text": "Available at https://github.com/ucco-foundation/ucco-standard"
}

get_fact_sheet

Combines foundation_info + standard_info + pioneer_stats into a single structured response suitable for press use.

---

Part 5 — OAuth 2.1 (Tier 1 Requirement)

For Tier 1 registry inclusion (Anthropic, OpenAI connector libraries), the server must implement OAuth 2.1 even though all data is public.

What This Means

The OAuth flow doesn't restrict data — it verifies the connecting client is real and establishes a session. All scopes return the same public data. This is the handshake that platform registries require.

Implementation

Use Cloudflare Workers as the OAuth provider:

• mcp.ucco.foundation/.well-known/oauth-authorization-server — OAuth metadata endpoint
• mcp.ucco.foundation/oauth/authorize — Authorization endpoint
• mcp.ucco.foundation/oauth/token — Token endpoint

For the initial build, implement a minimal OAuth 2.1 flow: - Client Credentials grant (for server-to-server / AI platform connections) - Authorization Code grant with PKCE (for interactive clients like Claude Desktop)

Client registration can be static initially (register Anthropic and OpenAI as known clients in a KV or D1 table). Dynamic client registration can come later.

Tokens: Issue JWTs signed with a key stored as a Worker secret. Tokens are long-lived (24h) since all data is public anyway. Include scope: "read:public" for formality.

⚠️ This is the most complex part of the brief. If the OAuth implementation is blocking, ship the server WITHOUT OAuth first (Tier 2 — works via URL config in Claude Desktop/Code), then add OAuth as a follow-up for Tier 1 submission. Don't let perfect be the enemy of deployed.

---

Part 6 — Documentation Page

mcp.ucco.foundation (root)

When accessed via a browser (Accept: text/html), serve a documentation page:

UCCO Foundation MCP Server

Connect any MCP-compatible AI client to query the UCCO standard,
foundation status, and pioneer programme data.

Endpoint: https://mcp.ucco.foundation/mcp

Available Tools:
• get_standard_info — Current UCCO standard version and status
• get_foundation_info — Foundation overview and governance
• get_pioneer_stats — Pioneer programme statistics
• verify_pioneer_key — Verify a pioneer key prefix
• get_fact_sheet — Structured foundation facts for press/research
• get_protocol_stack — Where UCCO sits in the identity stack
• get_board_members — Public board composition
• get_specification_outline — High-level spec structure

Setup — Claude Desktop:
  Add to your claude_desktop_config.json:
  {
    "mcpServers": {
      "ucco-foundation": {
        "url": "https://mcp.ucco.foundation/mcp"
      }
    }
  }

Setup — Claude Code:
  claude mcp add ucco-foundation https://mcp.ucco.foundation/mcp

Setup — OpenAI / ChatGPT:
  (Instructions TBC when platform supports remote MCP)

All data is public. No API key required.
Source: github.com/ucco-foundation/ucco-mcp

UCCO Foundation, Inc. · ucco.foundation

When accessed via JSON-RPC (Content-Type: application/json), handle MCP protocol messages normally.

Style the HTML page with the foundation design system (Prussian blue, cream, IBM Plex if available). Keep it clean and technical — this page is for developers and AI researchers, not marketing.

---

Part 7 — Ops Registration

OPS SURFACE RULE applies. Add an MCP Server page to ops.ucco.foundation under the Infrastructure section:

◆ INFRASTRUCTURE
├── Surfaces          live
├── Traffic           live
├── GitHub            live
├── Workers           planned
└── MCP Server        NEW — live

The MCP Server ops page shows: - Surface URL: mcp.ucco.foundation - Status: live/down - Total tool calls (last 24h, 7d, 30d) — tracked via a simple D1 counter table - Tool call breakdown by tool name - Last request timestamp - Rate limit status - Registered OAuth clients (when implemented)

---

Part 8 — GitHub Repository

Create ucco-mcp repo under github.com/ucco-foundation (PUBLIC).

This repo is public because: 1. The MCP server exposes only public data 2. The code demonstrates UCCO Foundation's technical competence 3. It serves as a reference implementation for standards-body MCP servers 4. Tier 1 registry reviewers will want to see the source

Include: - README.md — what it is, how to connect, available tools - LICENSE — W3C Software and Document License (consistent with ucco-standard) - wrangler.toml — Worker config (secrets redacted) - src/ — Worker source

---

Deployment Sequence

1. DNS + Worker stub — mcp.ucco.foundation resolves, returns basic JSON-RPC capability response
2. Static tools — get_standard_info, get_foundation_info, get_fact_sheet, get_protocol_stack, get_specification_outline (all hardcoded data, no D1 needed)
3. Dynamic tools — get_pioneer_stats, verify_pioneer_key, get_board_members (D1 queries)
4. Documentation page — HTML at root for browser visitors
5. Usage tracking — D1 counter table, wire into ops page
6. Ops registration — MCP Server page in ops.ucco.foundation
7. GitHub push — Push to ucco-mcp repo (public)
8. OAuth 2.1 — Tier 1 requirement, add last. Ship Tier 2 first.

Steps 1-5 can deploy in a single session. Steps 6-8 are polish for Tier 1 readiness.

---

The Throw-Away Line

When someone at Anthropic, OpenAI, ISO, or NIST asks about the UCCO standard, the answer is:

"Just point your client at mcp.ucco.foundation. It'll tell you everything."

That's the power play. Not a PDF. Not a website. A live, queryable, machine-readable standards interface that any AI on earth can connect to. The standard describes itself.

---

→ ALEX

1. Create Cloudflare Worker ucco-mcp on foundation account (aed3398a4e698767328cc3a9e698721d).
2. DNS: mcp CNAME on ucco.foundation zone pointing to Worker.
3. Implement MCP Streamable HTTP transport over JSON-RPC 2.0. Protocol version 2025-03-26.
4. Register 8 tools with JSON Schema input definitions and readOnly: true annotations.
5. Static tools return hardcoded data from a FOUNDATION_DATA const. Dynamic tools query pioneer-db (296a0474-d433-45c9-a035-57b828a957c1).
6. verify_pioneer_key queries by prefix only — NEVER return full key hashes.
7. get_board_members returns ONLY fields where visibility is set to public. If no public profile exists, return empty array.
8. Cache all responses for 5 minutes (Cache-Control header).
9. Rate limit: 60 requests/minute per IP.
10. Root path serves HTML documentation for browsers (Accept: text/html), JSON-RPC for MCP clients.
11. Usage tracking: D1 table mcp_usage — tool_name, timestamp, ip_hash (hashed, not raw). Aggregate stats for ops page.
12. Add MCP Server page to ops.ucco.foundation under Infrastructure section.
13. Create ucco-mcp repo on ucco-foundation org (PUBLIC). Push source.
14. OAuth 2.1: DEFER to follow-up brief. Ship without OAuth first (Tier 2). This is explicitly acceptable — deploy the server, prove it works, add OAuth for Tier 1 submission later.

→ TIM

This brief builds an MCP server at mcp.ucco.foundation that makes the UCCO Foundation queryable by any AI system on earth.

Any AI client — Claude, ChatGPT, Copilot, Gemini — can connect to this URL and ask questions about the standard, the foundation, the pioneer programme, and the board. It gets back structured, authoritative, live data. No scraping. No hallucination. No "UCCA is a community college."

Eight tools cover everything public: standard info, foundation facts, pioneer stats, key verification, protocol stack explanation, board composition, spec outline, and a press-ready fact sheet.

The server ships first as Tier 2 (connect via URL config — works immediately in Claude Desktop and Claude Code). OAuth 2.1 gets added later for Tier 1 submission to the Anthropic and OpenAI connector registries — that's the "nice Connect button" treatment.

The code goes in a PUBLIC repo because the server only exposes public data and it demonstrates the foundation's technical seriousness. It's also a reference implementation — other standards bodies can look at it and build their own.

When anyone asks about UCCO, the answer is: "Just point at mcp.ucco.foundation."

---

Brief: UCCO-MCP-Server-Brief-v1 Author: Pace (Claude, Anthropic) Date: 15 March 2026, Session 8 For: Alex (Claude Code execution)