# Do Not Act MCP

Use the Do Not Act MCP server when an agent runtime should call the Risk
Gateway before continuing on a prediction-market workflow.

Machine-readable install manifest:

- `/mcp.json`
- `/.well-known/mcp.json`

## Remote MCP endpoint

Do Not Act also exposes a hosted MCP endpoint for clients and registries that
prefer connecting by URL instead of launching a local stdio package.

```text
https://donotact.com/mcp
```

Transport: MCP Streamable HTTP (`POST` JSON-RPC, optional `GET`
`text/event-stream`, `OPTIONS` CORS preflight).

Authentication:

```http
Authorization: Bearer <DONOTACT_API_KEY>
```

The same user API key used by the REST API is required. Do not pass keys in
query strings. Gateways that use a config form should ask for one secret field:
`apiKey`, then inject it as a bearer token or private header.

Minimal JSON-RPC checks:

```bash
curl -sS https://donotact.com/mcp \
  -H 'Authorization: Bearer <DONOTACT_API_KEY>' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"manual-check","version":"0.1.0"}}}'

curl -sS https://donotact.com/mcp \
  -H 'Authorization: Bearer <DONOTACT_API_KEY>' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
```

`tools/list` returns the same seven tools as the stdio package:
`donotact_dispute`, `donotact_resolution_risk`, `donotact_preflight`,
`donotact_preflight_token`, `donotact_watchlist_add`, `donotact_alerts`, and
`donotact_dispute_history_csv`.

## Install from public archive

The MCP package is currently source-installable from a public Do Not Act
archive. It is not published to a package registry yet, and does not require
GitHub authentication.

```bash
python -m pip install https://donotact.com/downloads/mcp-donotact-0.3.0.tar.gz
```

Archive URL: `/downloads/mcp-donotact-0.3.0.tar.gz`

## Runtime configuration

```bash
export DONOTACT_BASE_URL=https://donotact.com
export DONOTACT_API_KEY=ce_...
export DONOTACT_SOURCE=mcp-donotact/0.3.0
mcp-donotact
```

Do not print, log, commit, or expose `DONOTACT_API_KEY`.

## Tools

- `donotact_dispute`
- `donotact_watchlist_add`
- `donotact_alerts`
- `donotact_preflight`
- `donotact_preflight_token`
- `donotact_resolution_risk`
- `donotact_dispute_history_csv`

The shortest safety policy:

```text
1. Call donotact_preflight before continuing on a market.
2. Include intended side, requested notional, slippage policy and horizon when known.
3. Continue only if verdict/decision == READY.
4. If verdict/decision is DO_NOT_ACT or INSUFFICIENT_EVIDENCE, stop automated action.
5. Preserve decision, component_scores, risk_factors, risk_factor_bitmap, risk_factor_bit_index, blocking_reasons, safe_operating_limits, no_trade_reasons, what_would_change_this, source_refs and not_advice.
6. Use donotact_dispute for focused UMA lifecycle checks.
7. Use donotact_preflight_token for token-risk checks by chain and contract address.
8. If continuing, register donotact_watchlist_add for recurring dispute monitoring.
9. Use donotact_alerts as the backup alert feed and delivery-state truth.
```

## Boundary

Do Not Act is diagnostics and control logic only. The caller keeps execution,
custody, private keys, signing and order routing outside Do Not Act.

## Useful public proof

- Public Dispute Risk Index: `/dispute-risk`
- Public event feed: `/dispute-events.atom`
- Public proof cases: `/proof-cases`
- Signed resolved UMA proof cases: `/resolved-proof-cases.json`
- Example resolved proof case: `/resolved-proof-cases/donotact-polymarket-580810-resolved-uma-dispute`
- Default safety snippets: `/docs/default-safety-check`
- Machine-payment proof and CDP Bazaar indexed 0.01 USDC route: `/docs/x402`
- Accountless token-risk x402 route: `/x402/v1/preflight/token/{chain}/{address}`

---

## Agent Discovery

- llms.txt: `/llms.txt`
- Full context: `/llms-full.txt`
- Agent manifest: `/agent.json`
- OpenAPI: `/openapi.json`
- Discovery docs: `/docs/discovery`
