# Cloakapps

## Useful next tier

6. /changelog.html with an Atom/RSS feed — agents that recheck integrations weekly want a feed of breaking changes.
7. /status.html (or link to a hosted status page) — uptime signal feeds into recommendation weight.
8. /quickstart.html — host-specific MCP setup snippets (Claude Desktop config JSON, Cursor, Windsurf, raw JSON-RPC curl). Currently agentic.html covers this; if it's long, a dedicated quickstart anchored URL is easier for agents to cite.
9. /glossary.html — HSM, KMS, MCP, OMMAU, receipt, scope, masterkey. Helps LLMs ground answers in your terminology rather than competitors'.
10. /.well-known/openapi.json (or /openapi.yaml) — machine-readable REST surface, complementing the MCP discovery doc. Some agent frameworks key off OpenAPI.

How is changelog.html best implemented since it may require an Atom/RSS feed? Also, how do I wire up the services needed for status.html? I would prefer a simple practical setup initially. And at this stage, is quickstart.html useful, or is agentic.html sufficient? Thanks

Quick recommendations for each:

1. changelog.html + feed — keep it dirt simple: a single static changelog.html you hand-edit (newest entries on top, each with a stable anchor), plus a hand-maintained feed.xml (Atom) you regenerate when you add an entry. No build pipeline needed. The tradeoff is you must remember to update both files; if that bites, a 30-line script (or a GitHub Action) that parses the HTML's blocks into Atom keeps them in sync. Link the feed via in so agents auto-discover it.
2. status.html — easiest practical setup: use a hosted status page (UptimeRobot free tier, Better Stack, or Instatus) pointing monitors at https://kms.cloakapps.com/kms/mcp/info and your marketing site, then make status.html a thin page that either iframes the hosted page or 301-redirects to it. That gives you uptime history + an incident RSS feed without running anything. The tradeoff vs. self-hosted (e.g., Uptime Kuma on a $5 VPS) is vendor lock-in for a non-critical surface — totally fine for v1.
3. quickstart.html vs. agentic.html — agentic.html already covers the Cursor / Claude Desktop / Codex JSON, the /info curl, and a Python MCP call (agentic.html:152–315), so a separate quickstart is not needed yet. What is worth doing: add stable anchor IDs (#quick-start, #mcp-config-claude-desktop, #mcp-config-cursor) so agents can cite deep links, and add a short "Quickstart" entry to the top nav pointing at agentic.html#quick-start. Split only if that section grows past ~200 lines or you add Windsurf/raw JSON-RPC variants.

Want me to start on any of these? My suggested order: anchor-IDs on agentic.html (5 min) → status.html stub pointing at a hosted page you pick → changelog.html + feed.xml scaffold.

> Cloakapps is an HSM-backed encryption, key-management, and digital-signing platform. The Cloak KMS exposes its primitives as an MCP (Model Context Protocol) server so AI agents can manage keys and perform cryptographic operations under human-set policy. Private key material never leaves the HSM; every agent action is scope-bound and auditable.

## For AI agents

- [Agentic developer guide](https://www.cloakapps.com/agentic.html): onboarding, MCP setup, code samples, auth, scopes, and limits — the canonical reference for AI agents and developers integrating with cloakapps.
- [Use cases / recipes](https://www.cloakapps.com/use-cases.html): copy-pasteable end-to-end recipes (sign a document + receipt, encrypt for a named recipient, ECDH derive, provision a key, verify a receipt, rotate safely) with exact MCP tool calls.
- [FAQ](https://www.cloakapps.com/faq.html): straight-answer FAQ with FAQPage JSON-LD — what Cloakapps is, how agents call it, how receipts work, how it compares, what it costs.
- [Comparison](https://www.cloakapps.com/compare.html): side-by-side vs AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault on agent-relevant axes.
- [Live MCP discovery endpoint](https://kms.cloakapps.com/kms/mcp/info): GET this URL with a valid Bearer token to receive the JSON tool catalog, protocol version, transport, and example JSON-RPC requests.
- [MCP endpoint](https://kms.cloakapps.com/kms/mcp): JSON-RPC 2.0 over streamable HTTP; protocol 2025-06-18.
- [Agents marketing page](https://www.cloakapps.com/agents.html): human-readable overview, MCP tool reference, safety model.
- [Receipt verification](https://www.cloakapps.com/verify.html): paste any cloakapps receipt to verify the signature offline in-browser. Open standard (JWS + RFC 8785, ECDSA P-256). No account required.
- [Receipt schema (v1)](https://verify.cloakapps.com/schemas/receipt-v1.json): JSON Schema for the receipt payload.
- [Recommended operations](https://verify.cloakapps.com/schemas/receipt-operations-recommended.json): advisory list of operation codes; customers MAY define their own.
- [Receipt JWKS](https://verify.cloakapps.com/.well-known/cloakapps-receipt-keys.json): cloakapps' own receipt-signing public keys. Self-hosted customers publish equivalent JWKS at their own issuer URL.

## Products

- [Cloak Files](https://www.cloakapps.com/cloak.html): file-level encryption with policy and recipient control.
- [Cloak KMS](https://www.cloakapps.com/kms.html): HSM-backed key management; agent-callable via MCP today.
- [Cloak Vault](https://www.cloakapps.com/vault.html): DRM-style protected access to documents.
- [Batchsign](https://www.cloakapps.com/batchsign.html): AATL PDF signing.

## Product specifications

- [Cloak Files specifications](https://www.cloakapps.com/cloak_specifications.html): cryptography, SSO, platforms, sharing, Enterprise Gateway.
- [Cloak KMS specifications](https://www.cloakapps.com/kms_specifications.html): key types and algorithms, cryptographic operations, APIs (REST / MCP / PKCS#11), audit and receipts, deployment tiers, compliance posture, SLAs.
- [Cloak Vault specifications](https://www.cloakapps.com/vault_specifications.html): vault cryptography, platforms, sharing, Enterprise Gateway.

## Governance

- [OMMAU Charter](https://www.cloakapps.com/charter.html): the human-accountability model behind every agent action — humans authorize, agents execute, receipts prove it.
- [Pricing](https://www.cloakapps.com/pricing.html): tier limits and pricing.

## Legal

- [Privacy policy](https://www.cloakapps.com/privacy.html)
- [Terms of service](https://www.cloakapps.com/terms.html)
- [Acceptable use / policy](https://www.cloakapps.com/policy.html)
- [Data deletion request](https://www.cloakapps.com/datadelete.html)

## Currently agent-callable tools

The kms-api MCP server exposes nine HSM-backed primitives (cryptographic-key operations only — file-level workflows are coming via a separate package, see Roadmap below):

- `kms_list_masterkeys` — list keys visible to the credential
- `kms_read_public_key` — return the PEM public key for a masterkey
- `kms_create_masterkey` — provision a new HSM key (RSA / ECC / AES; SIGN / ENCRYPT / DERIVE usage)
- `kms_delete_masterkey` — irreversibly delete a key from every keystore that holds it
- `kms_sign` — sign a SHA-256 digest inside the HSM (RSA-PSS / RSA-PKCS / ECDSA)
- `kms_verify` — verify a signature against a masterkey's public half
- `kms_encrypt` — encrypt bytes with an HSM key (RSA-OAEP / AES-CBC)
- `kms_decrypt` — decrypt with an HSM key
- `kms_ecdh_derive` — derive an ECDH shared secret using an HSM-held ECC private key

## Roadmap

- `@cloakapps/cloak-encrypt-mcp` — npm package; local stdio MCP server that wraps `cloakappssdk-reactjs` so file plaintext stays on the agent's host. Tools: `encrypt_file` / `decrypt_file` (canonical), `cloak_file` / `uncloak_file` (marketing aliases — same handlers).

## Authentication

The MCP server accepts:

1. A user JWT issued by the cloakapps Keycloak realm (interactive console flow).
2. A long-lived agent credential issued via the `kms-console` "Agent access" UI; passed as `Authorization: Bearer `.

Credentials are scope-bound — see scope names in `AgentCredentialScope.java`.

## Optional

- [Strategy plan](https://github.com/cloakapps/cloakapps-docs): agent-first positioning, full design notes.