A JSON-RPC 2.0 HTTP surface that exposes a pinned subset of Lavern's
MCP tools to Anthropic Managed Agents — and any other agent runtime
that speaks the protocol. The bridge is off by default. Flip
LAVERN_MANAGED_AGENTS_BRIDGE=1 to bring it up.
In-process, agents talk to MCP tools through a SessionState
closure — the blast radius is one process. Once the surface is on the
internet, it has to assume a hostile caller. The bridge is the seam
where that posture changes: pin the allowlist, validate every arg,
authenticate every call, dispatch per session.
server.ts | Fastify HTTP server; JSON-RPC 2.0 envelope; shared-secret bearer auth |
session-auth.ts | Bridge session token issuance and verification |
dispatcher.ts | Per-session tool dispatch; Zod validation of every argument |
tool-allowlist.ts | Hard-coded set of tools reachable over the wire |
index.ts | Mount point; gated by LAVERN_MANAGED_AGENTS_BRIDGE |
The first stage exposes only the Counsel workflow — no debate, no human gates, no document redesign. Read-only memory access, read-only knowledge-base lookups. Everything else returns method not found.
| Workflow state | get_current_step, advance_step, get_workflow_history, submit_handoff, get_handoffs |
| Memory (read-only) | query_institutional_memory, load_matter_memory, query_precedents |
| Knowledge base (read-only) | search_knowledge_base, list_knowledge_base_collections, get_knowledge_base_entry, query_anti_patterns |
Stage 3+ adds Review and Adversarial tooling. New tools are added to the allowlist explicitly — never loosened by pattern match.