Agent MCP server

A standalone MCP server that exposes the live Privacy Pool network to agents — read pool state, prepare deposits, and run gasless withdrawals as tool calls.

Agent tools embed operations inside your own process. The @hestia/mcp package is the other half: a standalone MCP server that any MCP‑capable agent — Claude Desktop, Claude Code, or your own client — can connect to and call directly, with no glue code. It exposes the live fixed‑denomination Privacy Pool network (a Base‑settled OP Stack L3) as five tools.

Read + prepare, no key custody

The server never holds a private key. That single rule shapes every tool:

Reads are live — network config, pool state, association (compliance) status.
Deposits come back as an unsigned transaction. The caller signs and sends it from their own wallet; the returned note nullifier/secret are the only thing needed to withdraw later, and the server does not store them.
Withdrawals are proved locally (Groth16) and submitted gaslessly through the network relayer. The proof binds recipient, relayer, and fee, so the relayer can neither redirect the funds nor inflate the fee — it can only decline.

It is zero‑config: chain id, RPC, contract addresses, relayer, denomination, and circuit artifact locations are discovered at runtime from the network's GET /api/config.

Connect

bash

pnpm --filter @hestia/mcp build
hestia-mcp            # stdio (local agents)
hestia-mcp --http     # stateless Streamable HTTP on :3399 (POST /mcp)

Point an MCP client at it — e.g. Claude Desktop / Claude Code:

json

{
  "mcpServers": {
    "privashh": { "command": "hestia-mcp" }
  }
}

The five tools

Tool	Parameters	Returns
`privashh_get_config`	—	chain id, RPC, contract addresses, relayer (+ fee bps), denomination
`privashh_get_pool`	—	`{ count, root, denomination }`
`privashh_get_association`	`commitment`	the commitment's inclusion path in the association set
`privashh_prepare_deposit`	`nullifier?`, `secret?`	note secrets + an unsigned `deposit` transaction
`privashh_withdraw`	`nullifier`, `secret`, `recipient`, `fee?`, `submit?`	relayer `txHash` (or the ready‑to‑post payload when `submit:false`)

A typical agent flow: privashh_get_config to discover the network → privashh_prepare_deposit and have the user sign the returned transaction → later, privashh_withdraw to send denomination − fee to any recipient, gaslessly.

Configuration

Env var	Default	Purpose
`PRIVASHH_BASE_URL`	`https://shh.gg`	network backend origin (point at a local devnet to test)
`PRIVASHH_CACHE_DIR`	`<tmp>/privashh-mcp/circuits`	where the proving `wasm`/`zkey` are cached
`PORT`	`3399`	HTTP port when run with `--http`

Safety notes for autonomous use

Proving is local. The witness (note secrets, amounts) is built and proven on the device; the relayer and the model see only the public proof and result.
Save note secrets. prepare_deposit returns the nullifier/secret once. Without them the deposit is unrecoverable — persist them before signing the deposit transaction.
Testnet only. The network ships a single‑contributor development trusted setup. It must not secure real funds until a multi‑party ceremony and audit are complete.