Security Guarantees

Enumerate the specific security properties MCPTrust provides (and doesn't provide).

What MCPTrust Guarantees

MCPTrust provides five core security guarantees when used correctly. Each is cryptographically enforceable.

Guarantee 1 — Integrity

Statement: "If mcptrust verify passes, the lockfile's canonical form is identical to what was signed."

  • Mechanism: Ed25519 digital signatures over canonicalized JSON.
  • Proof: The tests/gauntlet.sh suite modifies 1 bit in the lockfile and asserts verification failure.
  • Implication: An attacker cannot modify the lockfile (e.g., add a tool) without invalidating the signature.

Guarantee 2 — Authenticity

Statement: "If mcptrust verify passes, the lockfile was signed by the holder of the corresponding private key."

  • Mechanism: Ed25519 public-key cryptography / Sigstore OIDC identity.
  • Proof: Verification with a different (but valid) public key fails.
  • Implication: You can trust that the lockfile came from your organization's signing authority.

Guarantee 3 — Drift Detection

Statement: "mcptrust diff will accurately report any semantic change in the MCP server's tools."

  • Mechanism: Structural JSON hashing of tool descriptions and input schemas.
  • Properties:
    • Schema changes (e.g., string → number) trigger Critical alerts.
    • Description changes (e.g., typo fix) trigger Info alerts.
    • Risk level changes trigger Critical alerts.
  • Implication: Silent supply chain modifications are caught before the agent uses the tool.

Guarantee 4 — Reproducibility

Statement: "mcptrust bundle export is deterministic. Same inputs → bit-for-bit identical ZIP."

  • Mechanism:
    • All ZIP timestamps set to January 1, 1980 (ZIP epoch).
    • Files added in alphabetical order.
    • Canonical JSON used for lockfile.
  • Implication: An auditor can verify that a distributed bundle corresponds exactly to the source artifacts.

Guarantee 5 — Fail-Closed Governance

Statement: "mcptrust policy check blocks the operation if any rule fails."

  • Mechanism: Google CEL (Common Expression Language) evaluation.
  • Default Behavior: If the policy cannot be evaluated (syntax error, missing field), the check fails.
  • Implication: Misconfiguration results in denial, not bypass.

Guarantee 6 — ID Translation (Anti-Spoofing)

Statement: "The agent never sees the server's internal IDs, only the proxy-assigned IDs."

  • Mechanism: The proxy generates new, random JSON-RPC IDs for every request sent to the server and maps them back on the return trip.
  • Implication: A malicious server cannot confuse the client by replaying old IDs or guessing future IDs (ID spoofing/confusion attacks).

Resilience: DoS Protection

  • 10MB NDJSON Limit: The proxy enforces a strict 10MB limit per line of NDJSON to prevent Out-Of-Memory (OOM) attacks from malicious servers sending infinite streams.
  • CEL Cost Limits: Policy evaluation is capped at 1,000,000 cost units to prevent CPU exhaustion from complex policies.

What MCPTrust Does NOT Guarantee

ThreatWhy It's Out of Scope
Malicious implementation logicWe verify the interface (schema), not the code. A tool described as read_file could still do rm -rf.
Runtime prompt injectionWe don't monitor agent-tool conversations.
Key compromiseIf your private key is stolen, attackers can sign malicious lockfiles.
Zero-day MCP protocol exploitsWe trust the MCP specification itself.