MCP Server — Governance Tools

The Mima governance MCP server exposes 10 tools to Claude Code, Cursor, and any MCP-compatible AI agent. It is the primary evidence path for agent-based AI systems — any language, 4 lines of config.


Install

$ npm install -g @mima-ai/governance-mcp

Or use npx without installing:

{
  "mcpServers": {
    "mima-governance": {
      "command": "npx",
      "args": ["-y", "@mima-ai/governance-mcp"],
      "env": {
        "MIMA_API_KEY": "mima_ext_...",
        "MIMA_SYSTEM_NAME": "my-ai-system"
      }
    }
  }
}

Configuration

| Environment variable | Required | Description |
| --- | --- | --- |
| MIMA_API_KEY | Yes | API key from Settings → API Keys |
| MIMA_SYSTEM_NAME | Yes | Default system name for evidence records |
| MIMA_BASE_URL | No | Override API base URL (default: https://api.mima.ai) |

Claude Code setup

Add via the CLI:

Or add manually to ~/.claude/settings.json:

{
  "mcpServers": {
    "mima-governance": {
      "command": "npx",
      "args": ["-y", "@mima-ai/governance-mcp"],
      "env": {
        "MIMA_API_KEY": "mima_ext_...",
        "MIMA_SYSTEM_NAME": "my-ai-system"
      }
    }
  }
}

Cursor setup

Add to .cursor/mcp.json in your project root:

{
  "mcpServers": {
    "mima-governance": {
      "command": "npx",
      "args": ["-y", "@mima-ai/governance-mcp"],
      "env": {
        "MIMA_API_KEY": "mima_ext_...",
        "MIMA_SYSTEM_NAME": "my-ai-system"
      }
    }
  }
}
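
The configs above place MIMA_API_KEY in a file that can end up in version control (.cursor/mcp.json sits in the project root) and launch the server through npx without a version. A pre-commit check for both follows, as an added example that is not part of the Mima documentation or package; lintMcpConfig, the rule names and the sample key value are made up for illustration, and it assumes real keys keep the mima_ext_ prefix shown in the placeholder.

```javascript
// Added example: review an MCP client config before committing it.
// Assumptions: real keys share the "mima_ext_" prefix of the page's placeholder;
// lintMcpConfig and the rule names are hypothetical.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)$/i;

function lintMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcpServers || {};
  for (const [name, server] of Object.entries(servers)) {
    // 1. Literal credential in env: a real key here is stored with the project files.
    for (const [varName, value] of Object.entries(server.env || {})) {
      const placeholder = typeof value !== 'string' || value === '' || value.endsWith('...');
      const looksSecret = SECRET_NAME.test(varName) || String(value).startsWith('mima_ext_');
      if (looksSecret && !placeholder) {
        findings.push({ server: name, rule: 'inline-secret', detail: varName });
      }
    }
    // 2. npx with no version in the package spec: a launch may resolve a newer release.
    if (server.command === 'npx') {
      for (const arg of server.args || []) {
        if (arg.startsWith('-')) continue; // skip flags such as -y
        const at = arg.lastIndexOf('@'); // index 0 is the scope marker, not a version
        const version = at > 0 ? arg.slice(at + 1) : '';
        if (!/^\d+\.\d+\.\d+/.test(version)) {
          findings.push({ server: name, rule: 'unpinned-package', detail: arg });
        }
        break; // the first non-flag argument is the package spec
      }
    }
  }
  return findings;
}

// Constructed sample: same shape as the page's config, with a made-up key value.
const SAMPLE = JSON.stringify({
  mcpServers: { 'mima-governance': {
    command: 'npx',
    args: ['-y', '@mima-ai/governance-mcp'],
    env: { MIMA_API_KEY: 'mima_ext_CONSTRUCTED0000', MIMA_SYSTEM_NAME: 'my-ai-system' },
  } },
});
```

Run against the constructed sample, the check reports one inline-secret finding for MIMA_API_KEY and one unpinned-package finding for the npx argument.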

The 10 tools

get_posture

Returns your overall governance score, per-framework breakdown, and gate status.

get_posture()

Returns: Overall score (0–100), scores by framework (EU AI Act, ISO 42001, SOC 2), count of open gaps, gate pass/fail.


list_systems

Lists all AI systems in the workspace — registered and unregistered.

list_systems(system_name?: string)

| Parameter | Type | Description |
| --- | --- | --- |
| system_name | string | Filter to a specific system |

list_evidence

Returns evidence records filtered by system and time window.

list_evidence(system_name: string, days?: number, record_type?: string)

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| system_name | string | required | System to query |
| days | number | 90 | Lookback window in days |
| record_type | string | | Filter to one record type |

dry_run_attest

Preview which controls an attestation would earn, without writing to the ledger.

dry_run_attest(system_name: string, tool_name: string, model_id?: string)

Use this before calling attest to confirm what controls a record will map to.


attest

Write an attestation record to the Mima ledger.

attest(
system_name: string,
tool_name: string,
input_hash: string,
output_hash: string,
model_id?: string,
authorised_by?: { identity: string, role?: string }
)

register_system

Register an AI system (Art. 9 EU AI Act).

register_system(
system_name: string,
description: string,
risk_tier: "high" | "limited" | "minimal",
dry_run?: boolean
)

When dry_run: true, returns what would be registered without writing.


acknowledge_policy

Record that a policy has been acknowledged.

acknowledge_policy(
policy: string,
user: string,
version: string,
dry_run?: boolean
)

When dry_run: true, returns what would be written without writing.


derive_controls

Returns recommended evidence record types for a given system description.

derive_controls(description: string, risk_tier?: string)

Use this to plan what records to push for a new system.


check_gates

Returns gate pass/fail status with exit codes. Useful in CI.

check_gates(system_name?: string)

Returns: Gate name, pass/fail, blocking status, exit code (0 = pass, 1 = soft fail, 2 = hard fail).


suggest_gates

Returns prioritised gate recommendations.

suggest_gates(system_name?: string)

Returns: Gates in three tiers — urgent (gate will fail this week), recommend (close gap soon), consider (low priority).


Claude Code skills

Four skills are pre-packaged for use with / commands in Claude Code.

/mima-check-readiness

Runs a CISO-ready posture summary:

  1. Calls get_posture to get current score.
  2. Calls list_systems to identify unregistered systems.
  3. Calls suggest_gates to surface the most urgent gaps.
  4. Produces a structured report: overall score, framework breakdown, top 3 priority actions.

/mima-close-gaps

8-step compliance copilot loop:

  1. Gets current posture.
  2. Identifies the highest-priority open gap.
  3. Proposes the specific record to push.
  4. Uses dry_run_attest to preview what controls would be earned.
  5. Asks for approval before writing.
  6. Calls attest or the appropriate GRC method.
  7. Verifies the control was earned.
  8. Reports the updated posture score.

/mima-register-systems

Art. 9 intake workflow:

  1. Runs list_systems to find unregistered systems.
  2. For each system, asks three Annex III grounding questions.
  3. Classifies risk tier based on answers (never infers from system name alone).
  4. Calls register_system with dry_run: true to preview the registration.
  5. Asks for confirmation.
  6. Calls register_system.

/mima-configure-gates

Gate configuration workflow:

  1. Calls suggest_gates to surface recommendations.
  2. Explains the business justification for each.
  3. Walks through configuration options.
  4. Applies the chosen gates.

Dry-run pattern

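All three write tools support dry-run: attest through dry_run_attest, and register_system and acknowledge_policy through dry_run: true. The workflow for attest: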

1. dry_run_attest(...) → "would earn: EUAIA_ART9, ISO42001_6_1"
2. <present to user for review>
3. attest(...) → record written, controls earned

This is enforced by the /mima-close-gaps skill. Never write records without a dry-run preview in agentic contexts.
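
One way a client-side wrapper could enforce this ordering for attest, binding the approval to the arguments that were previewed. This is an added example, not Mima's or the skill's own code; DryRunGate and its methods are hypothetical, and only the tool names, parameter names and control identifiers come from this page.

```javascript
// Added example: policy gate for "dry_run_attest -> approval -> attest".
// DryRunGate and its methods are hypothetical names; the tool and parameter
// names (system_name, tool_name, model_id) are the ones documented above.
class DryRunGate {
  constructor({ ttlMs = 5 * 60 * 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.previews = new Map(); // key -> { wouldEarn, approved, at }
  }
  // Fields shared by dry_run_attest and attest identify "the same record".
  static key({ system_name, tool_name, model_id = null }) {
    if (!system_name || !tool_name) throw new Error('system_name and tool_name required');
    return JSON.stringify([system_name, tool_name, model_id]);
  }
  // Record the dry_run_attest arguments and the controls it reported.
  recordPreview(args, wouldEarn) {
    const key = DryRunGate.key(args);
    this.previews.set(key, { wouldEarn: [...wouldEarn], approved: false, at: this.now() });
    return key;
  }
  // Call only after a person has reviewed the preview.
  approve(key) {
    const p = this.previews.get(key);
    if (!p) throw new Error('no preview to approve');
    p.approved = true;
  }
  // Call just before forwarding attest; an approval is consumed by one write.
  checkAttest(args) {
    const key = DryRunGate.key(args);
    const p = this.previews.get(key);
    if (!p) return { allow: false, reason: 'no dry-run preview for these arguments' };
    if (this.now() - p.at > this.ttlMs) {
      this.previews.delete(key);
      return { allow: false, reason: 'preview expired' };
    }
    if (!p.approved) return { allow: false, reason: 'preview not approved' };
    this.previews.delete(key);
    return { allow: true, expectedControls: p.wouldEarn };
  }
}

// Constructed walk-through: changed arguments, the approved write, then a replay.
function demo() {
  const gate = new DryRunGate();
  const args = { system_name: 'my-ai-system', tool_name: 'search' };
  gate.approve(gate.recordPreview(args, ['EUAIA_ART9', 'ISO42001_6_1']));
  return [{ ...args, system_name: 'other-system' }, args, args].map((a) => gate.checkAttest(a));
}
```

The expectedControls returned on an allowed write can be compared with what attest reports, which is the verification step in /mima-close-gaps.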


Error codes

| Code | Meaning |
| --- | --- |
| UNAUTHORIZED | Invalid or expired API key |
| BAD_REQUEST | Missing required field or invalid value |
| VALIDATION | Record failed server-side validation |
| NOT_FOUND | System or workspace not found |
| SERVER_ERROR | Unexpected server error |
| TIMEOUT | Request took longer than 10 s |
| NETWORK | Network error (no response received) |