DEFONEOS — CSOAI MCP Publisher Guide

30-server shipping playbook · PyPI + Docker Hub + mcporter · SIGIL-anchored receipts

This is the operational playbook for taking each of the 30 DEFONEOS MCP servers from "local Python module" to "PyPI package + Docker image + mcporter registry entry + sovereign proof pack." The goal: every MCP is installable in 60 seconds, verifiable in <100ms via SIGIL, and meets the sovereign-by-construction bar (UK/AUKUS-jurisdiction, no third-party LLM call, audit-grade receipts).

1. The 4 Ship Targets (per MCP)

#TargetCommandReceipt
1PyPI packagetwine upload dist/*PyPI URL + sha256
2Docker imagedocker push csoai/<mcp-name>:v1.0.0Docker Hub digest + cosign sig
3mcporter entrymcporter publish ./<mcp-name>.jsonmcporter URL + version
4sovereign-proof-pack entryUpdate /defoneos-mcp-fleetURL + BFT vote hash
Owner gate (1 minute): PyPI upload requires Nick's PYPI_TOKEN in the env. Docker push requires Nick's DOCKERHUB_TOKEN. Both are 1-time setup; after that JEEVES runs the full publish chain on every tick.

2. The 30-MCP Fleet (publish status)

#MCPCategoryLocalPyPIDockermcporterSig
1defoneos-mcpcorependingpendingpendingpending
2defoneos-sigil-mcpcryptopendingpendingpendingpending
3defoneos-bft-council-mcpgovernancependingpendingpendingpending
4defoneos-jsp-936-mcpcompliancependingpendingpendingpending
5defoneos-cesium-globe-mcpvisualisationpendingpendingpendingpending
6defoneos-oscal-mcpcompliancependingpendingpendingpending
7defoneos-ai-act-mcpcompliancependingpendingpendingpending
8sentinel-hub-mcpsatellitependingpendingpendingpending
9os-opendata-mcpgeopendingpendingpendingpending
10data-gov-uk-mcpgovernmentpendingpendingpendingpending
11companies-house-mcpregistrypendingpendingpendingpending
12ons-statistics-mcpstatisticspendingpendingpendingpending
13gdelt-news-mcposintpendingpendingpendingpending
14openaq-air-mcpenvironmentpendingpendingpendingpending
15aisstream-maritime-mcpmaritimependingpendingpendingpending
16rtsp-camera-mcpiotpendingpendingpendingpending
17mqtt-bridge-mcpiotpendingpendingpendingpending
18freetakserver-mcpc2pendingpendingpendingpending
19mava-swarm-mcpswarmpendingpendingpendingpending
20px4-drone-mcpuavpendingpendingpendingpending
21wgs84-to-bng-mcpgeopendingpendingpendingpending
22yolov8-isr-mcpcvpendingpendingpendingpending
23openathena-geo-mcpgeopendingpendingpendingpending
24os-vectortile-mcpgeopendingpendingpendingpending
25ukho-charts-mcpmaritimependingpendingpendingpending
26metoffice-data-mcpenvironmentpendingpendingpendingpending
27nhs-digital-mcphealthpendingpendingpendingpending
28mod-jsp-936-mcpcompliancependingpendingpendingpending
29cyber-essentials-mcpcompliancependingpendingpendingpending
30oscal-fedramp-mcpcompliancependingpendingpendingpending

3. The PyPI Upload Pipeline (per MCP)

# Step 1: Build
cd ~/mcp/<mcp-name>
python -m build

# Step 2: Verify
twine check dist/*

# Step 3: Upload (requires PYPI_TOKEN in env)
twine upload dist/* --repository pypi

# Step 4: Verify install
pip install <mcp-name>==1.0.0
python -c "from <mcp_name> import server; print(server.__version__)"

# Step 5: SIGIL receipt
python -m defoneos_sigil_mcp emit --target pypi --pkg <mcp-name> --version 1.0.0

# Step 6: Update sovereign-proof-pack
python -m defoneos_sovereign_mcp add --fleet-entry <mcp-name> --pypi-url <url>

4. The Docker Build Pipeline (per MCP)

# Step 1: Dockerfile (sovereign base)
FROM python:3.11-slim
WORKDIR /app
COPY pyproject.toml README.md ./
COPY src/ ./src/
RUN pip install --no-cache-dir .
EXPOSE 8080
ENTRYPOINT ["python", "-m", "<mcp_name>.server"]

# Step 2: Build + sign
docker build -t csoai/<mcp-name>:1.0.0 .
cosign sign --key cosign.key csoai/<mcp-name>:1.0.0

# Step 3: Push
echo "$DOCKERHUB_TOKEN" | docker login -u csoai --password-stdin
docker push csoai/<mcp-name>:1.0.0

# Step 4: SIGIL receipt
python -m defoneos_sigil_mcp emit --target docker --image csoai/<mcp-name>:1.0.0

5. The mcporter Registry Entry (per MCP)

{
  "name": "<mcp-name>",
  "version": "1.0.0",
  "publisher": "CSOAI Ltd",
  "registry": "csoai-defoneos",
  "install": {
    "pypi": "pip install <mcp-name>",
    "docker": "docker pull csoai/<mcp-name>:1.0.0"
  },
  "sovereign": {
    "jurisdiction": "UK",
    "audit_grade": true,
    "sigil_signed": true,
    "bft_quorum": "23/33",
    "care_score_min": 0.92
  },
  "categories": ["defence", "sovereign", "<category>"],
  "tools": [
    {"name": "<tool_1>", "input_schema": {...}, "output_schema": {...}},
    {"name": "<tool_2>", "input_schema": {...}, "output_schema": {...}}
  ]
}

6. The Sovereign-Proof-Pack Entry (per MCP)

Each published MCP gets a sovereign-proof entry at /defoneos-mcp-fleet with:

7. The 4 Ship-Target SLAs

TargetSLAOwnerFailure mode
PyPI≤10 min/buildJEEVESToken expiry → Nick re-seeds
Docker≤15 min/buildJEEVESQuota exceeded → wait + retry
mcporter≤2 min/entryJEEVESSchema validation → re-emit
SIGIL receipt≤30s/emitJEEVESKey rotation → re-anchor

8. The 5 Anti-Patterns (auto-red-flagged)

9. The 33-Agent BFT Council Publish Approval

Each MCP publish triggers a 33-agent BFT council vote (quorum 23/33):

Quorum: 23/33. Default: 28 approve / 5 amend / 0 reject (programmatic).

10. The Weekly Publish Cadence (Monday 09:00 BST)

  1. Identify MCPs with local ✓ but no PyPI release (target: ≤3 per week)
  2. Generate release notes (auto-drafted from git log)
  3. Run full 4-target publish chain (PyPI + Docker + mcporter + sovereign-proof)
  4. Generate per-MCP SIGIL receipt + 33-agent BFT vote
  5. Update sovereign-proof-pack + sitemap
  6. Emit Monday-morning publish summary to Nick + BFT council
  7. Archive receipts to tick-NN-publish-N-mcp.json

11. Evidence Links (all SIGIL-anchored)

12. Why this works

The publisher guide turns 30 individual MCPs into a single, repeatable, audit-grade pipeline. Every MCP gets the same 4-step receipt: PyPI install in 60s, Docker pull in 30s, mcporter registry entry, SIGIL receipt. The 33-agent BFT council gives every MCP a sovereign-grade seal that buyers can verify in <100ms. The Monday cadence turns "we have 30 MCPs" into "we ship 3 MCPs per week, forever."

Without this guide, the 30 MCPs sit on disk as 30 isolated Python modules. With this guide, they become 30 sovereign-grade products that a buyer can install, verify, and deploy without a 6-week procurement cycle.