# sign-cli Agent-first e-signature MCP server with **offline PAdES signing** and hash-chained audit. The same 19 tools / 4 prompts / 12 resources are reachable via stdio (`npx @drbaher/sign-cli mcp serve`) for … ## Quick Start ```bash # Connect this server (installs CLI if needed) npx -y smithery mcp add drbaher/sign-cli # Browse available tools npx -y smithery tool list drbaher/sign-cli # Get full schema for a tool npx -y smithery tool get drbaher/sign-cli signer_list # Call a tool npx -y smithery tool call drbaher/sign-cli signer_list '{}' ``` ## Direct MCP Connection Endpoint: `https://sign-cli--drbaher.run.tools` ## Tools (19) - `signer_list` — List pending local-provider requests where the given signer is a recipient. Pass signer_email to scope; omit to list ev… - `signer_fetch_document` — Read the unsigned PDF for a local signing request. Requires the per-signer token. If out_path is provided, also writes … - `sign` — Sign a local signing request as the holder of the given token. Requires --provider local. The token resolves the signer… - `signer_decline` — Decline a local signing request as the holder of the given token. Sets status to declined. - `request_show` — Return the enriched request snapshot: request, approvals (with tokenHint/expiresAt/expired/signed), signedBy[], decline… - `request_status` — Poll the provider for the latest status of a request. For dropbox/signwell, reads API keys from DROPBOX_SIGN_API_KEY / … - `audit_verify` — Verify the cryptographic audit chain for a request and report any break. - `request_watch` — Poll a request's status until terminal (completed/declined/canceled/timeout). When the MCP client supplies a progressTo… - `pdf_detect_signature_field` — Detect signature-field placement candidates in a PDF (AcroForm /Sig widgets + anchor-text matches). Returns ranked cand… - `pdf_detect_date_field` — Detect date-field placement candidates in a PDF. Returns candidates with `alreadyFilled: true` when a date string is al… - `pdf_inspect_signatures` — Inspect existing PADES signatures on ANY PDF — ours, Adobe's, DocuSign's, Dropbox Sign's, SignWell's. Returns per-signa… - `profile_list` — List the profiles configured in the user's profiles.json. Shows the active source so the agent knows whether a flag, en… - `profile_show` — Show the resolved active profile (or a specific user profile by name) with per-field provenance. Credentials are redact… - `pdf_stamp_text` — Stamp a text string (e.g. a date) onto a PDF. Mirrors `sign pdf stamp-text`. Position via auto_place (true|first|last|a… - `preview` — Stamp a signature image or rendered name onto a PDF as a draft preview — NO PAdES seal, no signing-request state mutati… - `document` — One-shot DOCX|PDF → signed PDF. Mirrors `sign document`. Orchestrates DOCX→PDF (via docx2pdf-cli) → auto-place detectio… - `signer_reissue_token` — Mint a new per-signer token for an existing request; the previous token is invalidated. Use when a signer lost their or… - `audit_scan` — Verify the audit chain of every request in the local DB (or filtered by provider/status). Returns per-request validity … - `request_receipt` — Export a cryptographically-signed receipt bundle for a request: audit.json, signed.pdf, manifest.json, manifest.sig (RS… ```bash # Get full input/output schema for a tool npx -y smithery tool get drbaher/sign-cli ``` ## Resources - `request://req_0612dc120b7a4ca3996095923f5923aa` — Enriched request snapshot (status=sent, signers=3). - `request://req_0612dc120b7a4ca3996095923f5923aa/document` — Unsigned source PDF for the request (base64-encoded). - `request://req_0612dc120b7a4ca3996095923f5923aa/audit` — Append-only hash-chained audit events for this request. - `request://req_cc8cbf9b0f30449799241e6aabc86185` — Enriched request snapshot (status=sent, signers=1). - `request://req_cc8cbf9b0f30449799241e6aabc86185/document` — Unsigned source PDF for the request (base64-encoded). - `request://req_cc8cbf9b0f30449799241e6aabc86185/audit` — Append-only hash-chained audit events for this request. - `request://req_efd6ef915c3d42cc99a7bb7a17bf48ae` — Enriched request snapshot (status=sent, signers=2). - `request://req_efd6ef915c3d42cc99a7bb7a17bf48ae/document` — Unsigned source PDF for the request (base64-encoded). - `request://req_efd6ef915c3d42cc99a7bb7a17bf48ae/audit` — Append-only hash-chained audit events for this request. - `request://req_96ea7ec6b3df4f45925d52e7e8846baf` — Enriched request snapshot (status=sent, signers=1). - `request://req_96ea7ec6b3df4f45925d52e7e8846baf/document` — Unsigned source PDF for the request (base64-encoded). - `request://req_96ea7ec6b3df4f45925d52e7e8846baf/audit` — Append-only hash-chained audit events for this request. ## Prompts (4) - `review_and_sign` (request_id, token, expected_title_pattern, expected_sha256) — Walk an agent through reviewing an unsigned document and signing if it meets the supplied expectations. Reinforces the … - `policy_check` (policy_file, request_id, token) — Explain how to encode the agent's signing policy as a JSON file and apply it via `signer policy run`. Useful for repeat… - `inbox_triage` (signer_email) — Orient an agent that's just been given access to a signer-side inbox and one or more tokens. - `verify_receipt` (bundle_dir) — Walk a recipient through verifying a `request receipt` bundle they received.