From DSG Governance Control Plane
Connects MCP-compatible clients (Claude Desktop, Cursor) to the DSG ONE control plane, exposing governance tools, agent runtime commands, and autonomy controls via JSON-RPC 2.0.
How this skill is triggered — by the user, by Claude, or both
Slash command
/dsg-governance:dsg-mcpThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Connect your MCP-compatible client (Claude Desktop, Cursor, Hermes agent) to the DSG ONE control plane via the Model Context Protocol.
Connect your MCP-compatible client (Claude Desktop, Cursor, Hermes agent) to the DSG ONE control plane via the Model Context Protocol.
This skill wraps the DSG ONE MCP server endpoints, exposing:
The MCP protocol uses JSON-RPC 2.0 over HTTP. Authentication is Bearer token-based; the server checks Authorization: Bearer ${DSG_ACCESS_TOKEN} or falls back to the INTERNAL_SERVICE_TOKEN environment variable.
/api/mcp-server (Primary Tools)6 MCP tools for app builder, agent runtime, and autonomy:
| Tool | Description | Input |
|---|---|---|
get_proof | Retrieve execution proof by goal | goal (string, min 8 chars) |
list_app_builder_jobs | List all app builder jobs | limit (number, default 10) |
create_app_builder_job | Create a new app builder job | title, description (strings) |
create_job_plan | Generate execution plan for job | jobId, strategy (strings) |
route_agent_command | Route command to specific agent | agentId, command, args (strings) |
get_autonomous_level | Check agent autonomy level | agentId (string) |
Server Info:
dsg-one-v1-mcp2024-11-051.0.0/api/mcp (Combined Tools)Aggregated endpoint combining Android, DSG, and Hermes tool schemas:
DSG Tools (dsg.* prefix):
dsg.evaluate — Evaluate action against policy gates
action, actor, tool, args, env (strings)gateStatus, proofStatus, riskLevel, reason, proofHashdsg.verifyClaim — Verify a governance claim
claim, evidence (strings)dsg.recordEvidence — Record audit evidence
executionId, evidenceType, data (strings)Hermes Tools (hermes.* prefix):
Android Tools (android.* prefix):
Create or update ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"dsg-one": {
"command": "node",
"args": [
"-e",
"const http = require('http'); const token = process.env.DSG_ACCESS_TOKEN || process.env.INTERNAL_SERVICE_TOKEN; const url = new URL(process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'); const path = '/api/mcp-server'; const handleReq = (req) => { const method = req.method; const body = []; req.on('data', c => body.push(c)); req.on('end', async () => { const msg = body.length ? JSON.parse(Buffer.concat(body)) : {}; const opts = { hostname: url.hostname, port: url.port || (url.protocol === 'https:' ? 443 : 80), path, method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${token}` } }; const res = http.request(opts, (r) => { let d = ''; r.on('data', c => d += c); r.on('end', () => process.stdout.write(d)); }); res.write(JSON.stringify(msg)); res.end(); }); }; const server = http.createServer(handleReq); server.listen(0, () => process.stdin.pipe(server)); "
],
"env": {
"DSG_ACCESS_TOKEN": "${DSG_ACCESS_TOKEN}",
"INTERNAL_SERVICE_TOKEN": "${INTERNAL_SERVICE_TOKEN}",
"NEXT_PUBLIC_APP_URL": "${NEXT_PUBLIC_APP_URL}"
}
}
}
}
Create .cursor/mcp.json or .vscode/claude.json:
{
"mcp": {
"servers": {
"dsg-one": {
"endpoint": "${NEXT_PUBLIC_APP_URL}/api/mcp-server",
"auth": {
"type": "bearer",
"token": "${DSG_ACCESS_TOKEN}"
}
}
}
}
}
Configure in agent context or memory:
mcp_servers:
dsg_control_plane:
endpoint: /api/mcp-server
auth_token: ${DSG_ACCESS_TOKEN}
timeout_ms: 30000
easiest method for claude.ai web app users — one-click OAuth connection
https://tdealer01-crypto-dsg-control-plane.vercel.app
claude.ai will auto-discover:
/api/mcp/oauth/authorize/api/mcp/oauth/token/api/mcp/oauth/revokeIn claude.ai chat, ask:
"What MCP tools are available?"
or
"List all App Builder jobs in DSG"
What Happens Behind the Scenes:
PKCE Code Challenge — Security protection for mobile/SPA clients
code_verifier (128 random chars)code_challenge = SHA256(code_verifier)code_challenge_method=S256State Token — CSRF protection
Authorization Code — Temporary credential
code_ + random hex (10-minute TTL)Token Exchange — Code → Access Token
code + code_verifier + client_credentialsSHA256(code_verifier) == stored_code_challengemcp_ + random hex (1-hour TTL)Tool Calls — Token validation at execution
Authorization: Bearer mcp_...Token Validation Errors:
| Status | Error | Fix |
|---|---|---|
| 401 | invalid or expired token | Token expired (1-hour TTL) — disconnect/reconnect in claude.ai |
| 402 | subscription not active | No active Stripe subscription — upgrade at /dashboard/billing |
| 402 | quota exceeded | Monthly limit reached (10,000 calls/month) — upgrade plan or wait for next cycle |
To disconnect DSG MCP from claude.ai:
Via claude.ai:
Via curl (manual):
curl -X POST https://tdealer01-crypto-dsg-control-plane.vercel.app/api/mcp/oauth/revoke \
-H "Authorization: Bearer mcp_your_token_here"
Via Dashboard:
/dashboard/billingDSG publishes OAuth discovery metadata at:
curl https://tdealer01-crypto-dsg-control-plane.vercel.app/.well-known/oauth-authorization-server
Response includes:
["mcp:execute"]["S256"] (PKCE S256)["authorization_code", "refresh_token"]Existing users with DSG_ACCESS_TOKEN bearer tokens can still use:
curl -X POST https://tdealer01-crypto-dsg-control-plane.vercel.app/api/mcp-server \
-H "Authorization: Bearer sk_test_old_api_key_123" \
-H "Content-Type: application/json" \
-d '{ "jsonrpc": "2.0", "method": "tools/list" }'
Old-style tokens are passed through to downstream auth unchanged. Only tokens starting with mcp_ are validated as OAuth tokens.
Recommendation: Migrate to OAuth setup for better token rotation and revocation flow.
curl -X GET http://localhost:3000/api/mcp-server \
-H "Authorization: Bearer ${DSG_ACCESS_TOKEN}"
Expected response:
{
"ok": true,
"tools": 6,
"server": "dsg-one-v1-mcp"
}
curl -X POST http://localhost:3000/api/mcp-server \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${DSG_ACCESS_TOKEN}" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/list",
"params": {}
}'
curl -X POST http://localhost:3000/api/mcp-server \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${DSG_ACCESS_TOKEN}" \
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "get_proof",
"arguments": {
"goal": "verify execution compliance"
}
}
}'
curl -X POST http://localhost:3000/api/mcp \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${DSG_ACCESS_TOKEN}" \
-d '{
"jsonrpc": "2.0",
"id": 3,
"method": "tools/list",
"params": {}
}'
Set these in your environment or MCP client config:
| Variable | Purpose | Example |
|---|---|---|
DSG_ACCESS_TOKEN | Bearer token for MCP server auth | sk-dsg-... (placeholder) |
INTERNAL_SERVICE_TOKEN | Fallback service-to-service token | Server-side only |
NEXT_PUBLIC_APP_URL | Control plane base URL | http://localhost:3000 or https://tdealer01-crypto-dsg-control-plane.vercel.app |
Important: Never commit real token values. Use environment variables or .env files (kept in .gitignore).
DSG_ACCESS_TOKEN every 90 days or after team member departure{
"jsonrpc": "2.0",
"id": 1,
"method": "initialize",
"params": {
"protocolVersion": "2024-11-05",
"capabilities": {},
"clientInfo": {
"name": "claude-desktop",
"version": "1.0.0"
}
}
}
{
"jsonrpc": "2.0",
"id": 1,
"result": {
"protocolVersion": "2024-11-05",
"capabilities": {},
"serverInfo": {
"name": "dsg-one-v1-mcp",
"version": "1.0.0"
}
}
}
{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "tool_name",
"arguments": {
"param1": "value1",
"param2": "value2"
}
}
}
/api/mcp-server or /api/mcptools/list returns the expected tool countCause: Missing or invalid DSG_ACCESS_TOKEN
Fix:
export DSG_ACCESS_TOKEN="your-actual-token"
# Or set INTERNAL_SERVICE_TOKEN if using service-to-service auth
Cause: MCP server endpoint not responding
Fix:
NEXT_PUBLIC_APP_URL points to a running DSG control plane/api/health returns {"ok":true}/api/readinessCause: Tool name mismatch or endpoint changed
Fix:
tools/list to verify available toolsdsg.evaluate, not dsg_evaluate)/api/mcp vs /api/mcp-server endpointCause: Missing required parameters or wrong type
Fix:
tools/list responseFor issues or questions:
/api/agent/statusnpx claudepluginhub tdealer01-crypto/tdealer01-crypto-dsg-control-plane --plugin dsg-governanceBuilds, composes, and secures MCP servers with patterns for authentication, prompt injection defense, interactive UIs, and testing.
Guides MCP server integration in Claude Code plugins via .mcp.json or plugin.json configs for stdio, SSE, HTTP types, enabling external services as tools.
Designs and implements Model Context Protocol servers with resources, tools, prompts, and security best practices. Use when architecting an MCP server or integrating a service as an MCP endpoint.