The hub routes it — and physically cannot read it.
» agent calls MCP tool `query_patients`
hub: verifies signature ✓ — decrypt: IMPOSSIBLE (holds no key)
embassy opens → executes against REAL MCP server in-VPC
client MCP returned 160 bytes (contains PHI)
» agent receives the RETURN projection: {"kind":"mcp-result","item_count":2,"sha384":"701700f2…"}
✓ real MCP executed IN-VPC; only the projection crossed
✓ the hub could route + verify but never read either direction
✓ PHI never crossed the membrane
Run it yourself.
legation-serve demo
admit → Seneschal 30-check gate-block → secret-withhold → Mandate commit-then-act → honeytoken self-sever → customer Recall (operator can't override) → recover.
legation extract / run
Data-flow inversion on a real file, and QA-in-VPC: the eval harness runs next to the data — only the verdict crosses, never the code.
legation audit
One document: live attestation + 31 frameworks mapped (compiled against the customer's) + the CMMC / NIST 800-171 SSP & SPRS + technology + cryptography. Answers up front.
legation-c2 demo
Embassy dials OUT and cryptographically authenticates to register (Ed25519 + trusted-key allowlist), heartbeats, store-and-forward command, returns a projection. Zero inbound ports.
legation-mcp demo / stdio
Agent → sealed call with per-call warrant↔credential binding → real MCP server in-VPC → projected result. Hub blind both ways.
legation seal / verify
A sealed bag with SHA-384 Merkle + Ed25519, verified offline with no network — and tamper-evident: edit any carried component, SBOM, or treaty digest and the recomputed root rejects it.
Assembly and edges — not core.
The spine, the organs, the moat, the cryptography, and the proof are all in and green — 16 crates, 260 tests passing. What remains is integration:
① Fold in the transport layer
Integrate the battle-tested dial-out handshake and structured-extraction transport into a single operator binary. Relocation, not invention.
② One operator binary
Thread the ingress through the live C2/link. The pieces exist and compile; wire them together.
③ BYOC one-click installer
Cross-account terraform apply into the customer's account — automated, self-healing, for the volume tier.
④ Live pilot
A real Seneschal endpoint + one design-partner in the herd. QA-in-VPC is the fastest first demo.