├── CODE-OF-CONDUCT.md
├── rfc-template.md
├── .github
│   └── ISSUE_TEMPLATE
│       └── rfc-template.md
├── README.md
├── whitepaper-template.md
├── LICENSE.md
└── rfc-mcp_handshake.md

/CODE-OF-CONDUCT.md:
--------------------------------------------------------------------------------
# OASIS Participants Code of Conduct

The OASIS Participants Code of Conduct applies to all activities of this consortium, including the OASIS Open Projects Program.
The purpose of the Code of Conduct is to document the values we stand for and the standards of professional conduct we expect from one another. The process document gives instructions for reporting an incident and describes the steps we will take in response.

[Read the full text of the Code of Conduct](https://www.oasis-open.org/policies-guidelines/oasis-participants-code-of-conduct/).

--------------------------------------------------------------------------------
/rfc-template.md:
--------------------------------------------------------------------------------
> [!TIP]
> How to use this template:
> * Create an issue using this template.
> * Fill in the sections that are relevant to your proposal.
> * Add the workstream chairs as reviewers.
> * Send a note to the workstream mailing list with a link to the RFC.
> * After 3 days, if there are no objections, the chairs will decide whether to include the RFC.

# [RFC Title]

**Authors:**
* @handle
* @handle

## **Summary**
Short, sweet, and to the point. Tell us what you're proposing in a paragraph or two. Include a diagram or other visuals if helpful.

## **Priority**
* P0: This is critical to include in the next release from this workstream.
* P1: This is important to include in the next release from this workstream.
* P2: This is nice to have, but can wait until a future release.

## **Level of Effort**
* Small: This will take a few days to document.
* Medium: This will take a week or two to document.
* Large: This will take several weeks to document.

## **Drawbacks**
Are there any reasons why we should not do this?

Please consider:
* Is it too opinionated?
* Is it too complex to implement?
* Does the ecosystem exist to support this yet?

## **Alternatives**
What other designs have been considered? What is the impact of not doing this?

## **Reference Material & Prior Art**
* Is there an existing framework or paper that discusses this?
* Was this discussed in a talk that was recorded?

## **Unresolved questions**
* What help from the group do you need to make this successful?

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/rfc-template.md:
--------------------------------------------------------------------------------
---
name: New Agentic Security RFC
about: Create a new RFC for agentic security
title: ''
labels: ['review']
assignees:
  - 'sarahnovotny'
  - 'imolloy'

---

> [!TIP]
> How to use this template:
> * Create an issue using this template.
> * Fill in the sections that are relevant to your proposal.
> * Add the workstream chairs as reviewers.
> * Send a note to the workstream mailing list with a link to the RFC.
> * After 3 days, if there are no objections, the chairs will decide whether to include the RFC.

# [RFC Title]

**Authors:**
* @handle
* @handle

## **Summary**
Short, sweet, and to the point. Tell us what you're proposing in a paragraph or two. Include a diagram or other visuals if helpful.

## **Priority**
* P0: This is critical to include in the next release from this workstream.
* P1: This is important to include in the next release from this workstream.
* P2: This is nice to have, but can wait until a future release.

## **Level of Effort**
* Small: This will take a few days to document.
* Medium: This will take a week or two to document.
* Large: This will take several weeks to document.

## **Drawbacks**
Are there any reasons why we should not do this?

Please consider:
* Is it too opinionated?
* Is it too complex to implement?
* Does the ecosystem exist to support this yet?

## **Alternatives**
What other designs have been considered? What is the impact of not doing this?

## **Reference Material & Prior Art**
* Is there an existing framework or paper that discusses this?
* Was this discussed in a talk that was recorded?

## **Unresolved questions**
* What help from the group do you need to make this successful?

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## CoSAI Workstream 4: Secure Design Patterns for Agentic Systems

This repository is for the work of CoSAI Workstream 4, Secure Design Patterns for Agentic Systems. CoSAI is an [OASIS Open Project](https://www.oasis-open.org/open-projects/) and an open ecosystem of AI and security experts from industry-leading organizations dedicated to sharing best practices for secure AI deployment and collaborating on AI security research and product development. For more information on CoSAI, please visit the [CoSAI website](https://www.coalitionforsecureai.org/) and the [Open Project repository](https://github.com/cosai-oasis/oasis-open-project), which has information regarding governance, sponsors, rosters and the project charter.

### About this workstream
The goal of this workstream is to research and develop secure design patterns for AI-based agentic systems, including updates to AI usage threat models, conceptual high-level secure design pattern(s), impacts on secure infrastructure design, and other needs arising from agent integration and use. Further information can be found [here](https://github.com/cosai-oasis/oasis-open-project/blob/main/WORKSTREAMS.md).

### Published work from this workstream

[CoSAI Principles for Secure-by-Design Agentic Systems](https://github.com/cosai-oasis/cosai-tsc/blob/main/security-principles-for-agentic-systems.md)

### Workstream Leads
* Ian Molloy (IBM)
* Sarah Novotny

#### Supporting Leads
* Alex Polyakov (Adversa)
* Raghuram Yeluri (Intel)

## Contributing

Check out our [onboarding guidance for new participants](https://github.com/cosai-oasis/oasis-open-project/blob/main/ONBOARDING.md) and please see the [CoSAI Contributing policy](./CONTRIBUTING.md) for more details.

## Support
For issues or feature requests, please use GitHub issues. You can also join the workstream mailing list by sending an empty email to [cosai-agentic-systems-ws@lists.oasis-open-projects.org](mailto:cosai-agentic-systems-ws@lists.oasis-open-projects.org). You can read the mailing list archive [here](https://lists.oasis-open-projects.org/g/cosai-agentic-systems-ws/topics).

You can also join us on Slack via [this link](https://join.slack.com/t/cosai-op/shared_invite/zt-2rbgqtolg-GdajCyOiddYtGJ3cSdk1Jg) and introduce yourself in the #ws4-secure-design-agentic-systems channel.

## Governance and Licenses

CoSAI and the CoSAI workstreams operate under the terms of the [Open Project Rules](https://www.oasis-open.org/policies-guidelines/open-projects-process), the [CoSAI Governance](https://github.com/cosai-oasis/oasis-open-project/blob/main/GOVERNANCE.md) and [Workstream Governance](https://github.com/cosai-oasis/oasis-open-project/blob/main/TSC-WS-GOVERNANCE.md), as well as the following licenses:
* CC-BY 4.0 for documentation and data contributions; and
* Apache License v2.0 for source code and models

The applicable license will be determined for each repository, as applicable, at the time of its creation.

--------------------------------------------------------------------------------
/whitepaper-template.md:
--------------------------------------------------------------------------------
# Title

## OASIS Open Project : [Coalition for Secure AI (CoSAI)](https://github.com/cosai-oasis) [Workstream name] (hyperlink; remember to update Title and Author in the document Properties!)

## Additional artifacts:
This document is one component of a Work Product that also includes:
* XML schemas: (list file names or directory name)
* Other parts: (list titles and/or file names or directory name)

## Abstract:
Summary of the technical purpose of the document.

## Status:

## 1. Introduction

## 2. Section Title

### 2.1 Level 2 Section Title

#### **2.1.1 Level 3 Section Title**

##### **2.1.1.1 Level 4 Section Title**

###### *2.1.1.1.1 Level 5 Section Title*

Note: Avoid using more than five heading levels.

## 3. Takeaways and Conclusion

## 4. References

## 5. Acknowledgements

## Workstream Lead Chairs: WS Lead Chair Name ([Chair.Name@example.com](mailto:Chair.Name@example.com)), Example Corp. (mailto: link for email address; http:// link for affiliation web site) (remove the "s" from Chairs if there is only one)

## Editors: Editor Name ([Editor.Name@example.com](mailto:Editor.Name@example.com)), Example Corp. (mailto: link for email address; http:// link for affiliation web site) (remove the "s" from Editors if there is only one)

List of active contributors.

## 6. Appendix

### CoSAI Focus

CoSAI is an OASIS Open Project, bringing together an open ecosystem of AI and security experts from industry-leading organizations. The project is dedicated to sharing best practices for secure AI deployment and collaborating on AI security research and product development. The scope of CoSAI is specifically focused on the secure building, integration, deployment, and operation of AI systems, with an emphasis on mitigating security risks unique to AI technologies. Other aspects of Trustworthy AI are deemed important but beyond the scope of the project, including ethics, fairness, explainability, bias detection, safety, consumer privacy, misinformation, hallucinations, deep fakes, and content safety concerns such as hateful or abusive content, malware, or phishing generation. By concentrating on developing robust measures, best practices, and guidelines to safeguard AI systems against unauthorized access, tampering, or misuse, CoSAI aims to contribute to the responsible development and deployment of resilient, secure AI technologies.

### Guidelines on usage of more advanced AI systems (e.g. large language models (LLMs), multi-modal language models, etc.) for drafting documents for OASIS CoSAI:

tl;dr: CoSAI contributions are actions performed by humans, who are responsible for the content of those contributions, based on their signed OASIS iCLA (and eCLA, if applicable). [Each contributor must confirm whether they are entitled to donate that material under the applicable open source license; OASIS and the CoSAI Project do not separately confirm that.] Each contributor is responsible for ensuring that all contributions comply with these AI use guidelines, including disclosure of any use of AI in contributions.

* Selection of AI systems: CoSAI recommends the use of reputable AI systems (lowering the risk of inadvertently incorporating infringing material).
* Model constraints: Currently, neither CoSAI nor OASIS is required to have a contract or financial agreement for using AI systems from specific vendors. However, CoSAI editors should consider employing a variety of tools to avoid potential fairness concerns among vendors.
* IP infringement: It is the responsibility of the individual who subscribes to, prompts, and receives a response from an AI system to confirm they have the right to repost and donate the content to OASIS under our rules.
* Transparency: CoSAI's goal is to maintain transparency throughout the process by documenting substantial use of AI systems whenever possible (e.g., the prompts and the AI system used), and to ensure that all content, regardless of whether it was produced by humans or AI systems, was reviewed and edited by human experts. This helps build trust in the standards development process and ensures accountability.
* Human-edited content and quality control: CoSAI mandates human-reviewed or -edited results for any final outputs. A robust quality control process should be in place, involving careful review of the generated content for accuracy, relevance, and alignment with CoSAI's goals and principles. Human experts should scrutinize the output of AI systems to identify any errors, inconsistencies, or potential biases.
* Iterative refinement: The use of AI systems in drafting standards should be seen as an iterative process, with the generated content serving as a starting point for further refinement and improvement by human experts. Multiple rounds of review and editing may be necessary to ensure the final standards meet the required quality and reliability thresholds.

### **Copyright Notice**

Copyright © OASIS Open 2025. All Rights Reserved. This document has been produced under the process and license terms stated in the OASIS Open Project rules: [https://www.oasis-open.org/policies-guidelines/open-projects-process](https://www.oasis-open.org/policies-guidelines/open-projects-process).

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THIS DOCUMENT OR ANY PART THEREOF. The name "OASIS" is a trademark of OASIS, the owner and developer of this document, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, documents, while reserving the right to enforce its marks against misleading uses. Please see [https://www.oasis-open.org/policies-guidelines/trademark/](https://www.oasis-open.org/policies-guidelines/trademark/) for above guidance.

This is a Non-Standards Track Work Product. The patent provisions of the OASIS IPR Policy do not apply.

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
Attribution 4.0 International - CC-BY-4.0 - https://creativecommons.org/licenses/by/4.0/legalcode.txt

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the "Licensor." The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.

=======================================================================

Non-Assertion Covenant for Standards Track Project Specifications

In addition to the above license, each Contributor also agrees in the CLA to provide the additional covenants as non-assertion covenants for any Project Specifications as explained in the OASIS Open Project Rules Section 15.3 and reproduced below:

Contributor Covenant for Contributions. As a Contributor, you irrevocably covenant that you will not assert any patent claims licensable by you that are necessarily infringed by an implementation of your contribution to the extent that contribution is included in a Project Specification approved by the Open Project to which you made the contribution, against OASIS or any other parties who the Applicable License benefits, for making, having made, using, marketing, importing, offering to sell, selling, and otherwise distributing works that Implement or Derive From your contribution.

PGB Covenant for Specifications. For any Project Repository whose Applicable License is an Implementer-Class License, if you (or your representative) are a member of that Open Project's Governing Board, you irrevocably covenant that you will not assert any patent claims licensable by you that are necessarily infringed by an implementation of a Project Specification approved by that Open Project, and any Maintenance Deliverable approved for it, against OASIS or any other parties who the Applicable License benefits, for making, having made, using, marketing, importing, offering to sell, selling, and otherwise distributing works that Implement or Derive From that Project Specification and are compliant with all normative portions thereof. If you withdraw from the PGB, then this obligation continues to apply, but only with respect to those Project Specification Drafts approved more than 7 calendar days prior to your withdrawal, and to any Maintenance Deliverables approved for those specifications thereafter.

Scope of Implementations Benefited. As used in this covenant, works that "Implement or Derive From" a contribution or specification include:

(a) specifications to the extent derived from code

(b) independent code implementations of a specification

(c) independent code implementations of a specification to the extent the specification is derived from code.
For purposes of this definition, "specifications" include documentation, data flows, data formats, application programming interfaces and process descriptions.
--------------------------------------------------------------------------------
/rfc-mcp_handshake.md:
--------------------------------------------------------------------------------
# [DRAFT -- RFC Zero-Trust MCP Handshake]

**Authors:**
@David Pierce, MPA

## **Summary**
I added a TLS handshake to MCP by associating the auth'd identity with the intended tool invocation.

## **Priority**
* P0: This is critical to include in the next release from this workstream.

## **Level of Effort**
* Small: This will take a few days to document.

## **Drawbacks**
Are there any reasons why we should not do this?
No, this is narrowly scoped on purpose.

Please consider:
* is it too opinionated? nope
* is it too complex to implement? nuh uh
* does the ecosystem exist to support this yet? yes, any FaaS or localhost

## **Alternatives**
What other designs have been considered? What is the impact of not doing this?

Externalizing or differently contextualizing that tool, but where the data management is more complicated.

## **Reference Material & Prior Art**
* Is there an existing framework or paper that discusses this?
* Was this discussed in a talk that was recorded?

www.latentspace.tools, www.zeroday.tools


## **Unresolved questions**
* What help from the group do you need to make this successful?

More awesome questions from y'all; glad to help make the robots safe

### Target-State Architecture for Zero-Standing Privileges

A secure integration pattern enabling AI assistants to interact with sensitive business systems through coordinated, transaction-specific authentication protocols with built-in defense-in-depth.

#### Overview

The MCP Handshake Architecture provides an enterprise-grade security framework for AI integrations, implementing a defense-in-depth strategy with clear separation of concerns. It uses a two-phase handshake mechanism ensuring transaction-specific authorization with zero standing privileges, aligning with modern zero trust principles and data classification requirements.

#### Key Components and Terminology

- **AI Assistant** implements the **Local MCP Client**: initiates requests but cannot directly access sensitive APIs
- **Confirmation Agent** implements the **Remote MCP Service**: acts as a secure gateway validating all operations
- **State Store**: provides atomic token management (typically Redis, DynamoDB, or similar with TTL support)
- **User Identity Provider**: external system for user authentication and session token issuance
- **Target Enterprise APIs**: back-end systems containing sensitive data or operations

#### Core Architecture Principles

##### 1. Dual-Agent Authority with Coordinated Components

The architecture implements separation of powers through a dual-validation pattern:

- **Local MCP Client (implemented by AI Assistant)**: Initiates transaction requests and manages client-side workflow, but cannot directly access sensitive systems.
- **Remote MCP Service (implemented by Confirmation Agent)**: Acts as a secure gateway that independently validates operations, manages token lifecycle, and is the only component with access to sensitive API credentials.
- **Secure State Store**: Tracks ephemeral token states and ensures atomic consumption.

Each component maintains isolated security contexts connected through cryptographically verified handshakes.

##### 2. Ephemeral Action Authorization with Replay Protection

Every sensitive operation requires explicit, time-bound authorization:

- **Phase 1: Request Authorization**: Authenticated user requests an operation.
- **Phase 2: Nonce Generation & Parameter Binding**: A unique nonce (ephemeral token) is generated and cryptographically bound to the parameter hash.
- **Phase 3: Atomic Execution & Token Consumption**: Operation proceeds after validation; token is atomically consumed.

This provides two-factor replay protection (ephemeral token + parameter hash binding).

##### 3. Tiered Access Control

Access is tiered based on data classification:

1. **Public (Tier 1)**: Basic validation, minimal auth (e.g., public reference data).
2. **Internal (Tier 2)**: PKI verification, parameter sanitization (e.g., internal reports).
3. **Confidential (Tier 3)**: Comprehensive validation (Regex, Schema, AST), parameter transformation (e.g., financial operations, PII access).
4. **Restricted (Tier 4)**: All lower-tier validations + independent secondary validation, highest sensitivity (e.g., admin actions, critical changes).

#### Implementation Reference Architecture

```text
┌─────────────────┐                     ┌─────────────────────────┐
│                 │                     │                         │
│  AI Assistant   │                     │  User Identity Provider │
│ (Primary Agent) │                     │     (Session Auth)      │
│                 │                     │                         │
└───────┬─────────┘                     └───────────┬─────────────┘
        │                                           │ Session Token
        │                                           │ (e.g., JWT)
        │ 1. Auth Req (Tool + Params + Metadata)      ▼
        ├─────────────────────────────────>┌─────────────────┐
        │ (Session Token)                  │                 │
        │                                  │  Confirmation   │
        │ 2. Ephemeral Tx Token <----------│  Agent + State  │
        │                                  │     Store       │
        │ 3. Execute Tool (Tool + Params)  │                 │
        ├─────────────────────────────────>│                 │
        │ (Session Token +                 │                 │
        │  Ephemeral Tx Token)             │                 │
        │                                  │                 │
        │ 4. Result + Proof <--------------│                 │
        │                                  └───────┬─────────┘
        │                                          │
        │                                          │ Validated Call
        │                                          ▼
        │                                  ┌─────────────────────────┐
        │                                  │                         │
        │                                  │   Secure VPC/Cloud      │
        │                                  │     Environment         │
        │                                  │  ┌───────────────────┐  │
        │                                  │  │                   │  │
        │                                  │  │  Enterprise APIs  │  │
        │                                  │  │   & Services      │  │
        │                                  │  │                   │  │
        │                                  │  └───────────────────┘  │
        │                                  │                         │
        │                                  └─────────────────────────┘
```

---

### Reference Implementation Schema (MCP.Handshake.v1)

* **`transaction`**: Contains core details about the specific request.
    * `id` (string, UUID): A unique identifier for this transaction.
    * `timestamp` (string, ISO-8601 date-time): Timestamp for when the transaction was initiated.
    * `user` (object): Information about the authenticated user.
        * `id` (string): The user's unique identifier.
        * `roles` (array of strings): A list of roles assigned to the user.

* **`tool`**: Describes the client or service making the API call.
    * `name` (string): The name of the tool (e.g., `data-export-service`).
    * `version` (string): The version of the tool (e.g., `1.2.3`).
    * `sensitivity` (string, enum: `CONFIDENTIAL`, `PUBLIC`): The operational sensitivity level of the tool.
    * `parameters_hash` (string, SHA256): A cryptographic fingerprint of the tool's specific invocation parameters for integrity checks.

* **`target_api`**: Specifies the destination API and the action being requested.
    * `name` (string): The identifier of the API being called.
    * `operation` (string): The specific operation or endpoint being invoked on the target API.
    * `data_classification` (object, optional): Details about the type of data being accessed.
        * `value` (string or null): The classification value (e.g., `PII`, `CONFIDENTIAL`).
        * `reason` (string or null): A brief explanation for the classification.
        * `attesting_agent_id` (string or null): The identifier of the agent or system that attested to this data classification.

* **`authentication`**: Holds the tokens and state used to authenticate the request.
    * `session_token` (string): A long-lived session token (e.g., JWT) representing the authenticated user or service session.
    * `ephemeral_token` (string): A single-use, short-lived token generated for this specific transaction.
    * `expiry` (string, ISO-8601 date-time): The expiration timestamp of the ephemeral token.
    * `token_state` (object): Tracks the consumption status of the ephemeral token.
        * `consumed` (boolean): Indicates whether the ephemeral token has been consumed.
        * `consumption_timestamp` (string or null, ISO-8601 date-time): Timestamp of when the ephemeral token was consumed, if applicable.

* **`validation`**: Records the results of any policy or security checks performed before approving the request.
    * `status` (string, enum: `APPROVED`, `DENIED`): The final validation status of the request.
    * `timestamp` (string, ISO-8601 date-time): Timestamp of when the validation was performed.
    * `checks_performed` (array of strings): A list of specific validation checks that were executed (e.g., `parameter_validation`, `auth_check`).
    * `tier_level` (string): The security or operational tier level determined or applied during validation (e.g., `CONFIDENTIAL`, `HIGH`).
    * `reason` (string or null): An optional explanation, typically provided if the status is `DENIED`.

* **`audit`**: Contains information essential for logging and security audits.
    * `request_ip` (string): The IP address from which the client request originated.
    * `client_id` (string): An identifier for the client application or service.
    * `integration_id` (string): An identifier for the specific integration point or workflow.

* **`receipt`**: Provides a cryptographic proof of the transaction for non-repudiation.
    * `transaction_proof` (string): A cryptographic signature or hash of critical transaction details.
    * `timestamp` (string, ISO-8601 date-time): Timestamp marking when the receipt was generated.

* **`error_handling`**: A dedicated section for reporting errors. This object is **always present** in the handshake message to ensure structural consistency. Its fields are populated with error details if an error occurs; otherwise, they remain `null`.
    * `status_code` (integer or null): The HTTP status code associated with the error (e.g., `400`, `500`), or `null` if no error.
    * `error_type` (string or null): A specific error type or code (e.g., `validation_error`, `token_expired`), or `null` if no error.
    * `message` (string or null): A descriptive message explaining the error, or `null` if no error.
    * `retry_allowed` (boolean or null): Indicates whether the client can safely attempt the request again, or `null` if not applicable or no error.

***

```jsonc
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "MCP.Handshake.v1",
  "description": "Schema for a handshake request, providing context and metadata for secure API interactions.",
  "type": "object",
  "properties": {
    "transaction": {
      "type": "object",
      "description": "Details about the specific transaction.",
      "properties": {
        "id": {
          "type": "string",
          "format": "uuid",
          "description": "Unique identifier for this request (UUID)."
        },
        "timestamp": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp of the transaction initiation (ISO-8601)."
        },
        "user": {
          "type": "object",
          "description": "Information about the authenticated user.",
          "properties": {
            "id": {
              "type": "string",
              "description": "User identifier."
            },
            "roles": {
              "type": "array",
              "items": {
                "type": "string"
              },
              "description": "List of user roles."
            }
          },
          "required": ["id", "roles"]
        }
      },
      "required": ["id", "timestamp", "user"]
    },
    "tool": {
      "type": "object",
      "description": "Details about the tool making the request.",
      "properties": {
        "name": {
          "type": "string",
          "description": "Tool name (e.g., `data-export-service`)."
        },
        "version": {
          "type": "string",
          "description": "Tool version (e.g., `1.2.3`)."
        },
        "sensitivity": {
          "type": "string",
          "enum": ["CONFIDENTIAL", "PUBLIC"],
          "description": "Tool sensitivity level."
        },
        "parameters_hash": {
          "type": "string",
          "description": "SHA256 hash of the tool's parameters."
        }
      },
      "required": ["name", "version", "sensitivity", "parameters_hash"]
    },
    "target_api": {
      "type": "object",
      "description": "Details about the API being called.",
      "properties": {
        "name": {
          "type": "string",
          "description": "Required: API name."
        },
        "operation": {
          "type": "string",
          "description": "Required: Specific API operation."
        },
        "data_classification": {
          "type": "object",
          "description": "Optional: Classification of the data being accessed.",
          "properties": {
            "value": {
              "type": ["string", "null"],
              "description": "Classification value (e.g., `PII`, `CONFIDENTIAL`)."
            },
            "reason": {
              "type": ["string", "null"],
              "description": "Reason for the classification."
            },
            "attesting_agent_id": {
              "type": ["string", "null"],
              "description": "ID of the agent that attested to the classification."
            }
          }
        }
      },
      "required": ["name", "operation"]
    },
    "authentication": {
      "type": "object",
      "description": "Authentication details.",
      "properties": {
        "session_token": {
          "type": "string",
          "description": "JWT or other identity token."
        },
        "ephemeral_token": {
          "type": "string",
          "description": "Single-use, transaction-bound token."
        },
        "expiry": {
          "type": "string",
          "format": "date-time",
          "description": "Token expiry timestamp (ISO-8601)."
        },
        "token_state": {
          "type": "object",
          "description": "Token consumption status.",
          "properties": {
            "consumed": {
              "type": "boolean",
              "description": "Boolean indicating if the token has been consumed."
            },
            "consumption_timestamp": {
              "type": ["string", "null"],
              "format": "date-time",
              "description": "Timestamp of token consumption (ISO-8601)."
            }
          },
          "required": ["consumed"]
        }
      },
      "required": ["session_token", "ephemeral_token", "expiry", "token_state"]
    },
    "validation": {
      "type": "object",
      "description": "Validation results.",
      "properties": {
        "status": {
          "type": "string",
          "enum": ["APPROVED", "DENIED"],
          "description": "Validation status."
        },
        "timestamp": {
          "type": "string",
          "format": "date-time",
          "description": "Validation timestamp (ISO-8601)."
        },
        "checks_performed": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of validation checks performed."
        },
        "tier_level": {
          "type": "string",
          "description": "Tier level of the validation (e.g., `CONFIDENTIAL`, `HIGH`)."
        },
        "reason": {
          "type": ["string", "null"],
          "description": "Validation reason (e.g., for failure)."
        }
      },
      "required": ["status", "timestamp", "checks_performed", "tier_level"]
    },
    "audit": {
      "type": "object",
      "description": "Audit information.",
      "properties": {
        "request_ip": {
          "type": "string",
          "description": "Client IP address."
        },
        "client_id": {
          "type": "string",
          "description": "Application identifier."
        },
        "integration_id": {
          "type": "string",
          "description": "Specific integration identifier."
        }
      },
      "required": ["request_ip", "client_id", "integration_id"]
    },
    "receipt": {
      "type": "object",
      "description": "Transaction proof.",
      "properties": {
        "transaction_proof": {
          "type": "string",
          "description": "Cryptographic signature of transaction details."
        },
        "timestamp": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp of the receipt (ISO-8601)."
        }
      },
      "required": ["transaction_proof", "timestamp"]
    },
    "error_handling": {
      "type": "object",
      "description": "Error handling information. This object is always present; its fields are populated if an error occurs and are null otherwise.",
      "properties": {
        "status_code": {
          "type": ["integer", "null"],
          "description": "HTTP status code."
        },
        "error_type": {
          "type": ["string", "null"],
          "description": "Error type (e.g., `validation_error`)."
        },
        "message": {
          "type": ["string", "null"],
          "description": "Error message."
        },
        "retry_allowed": {
          "type": ["boolean", "null"],
          "description": "Boolean indicating if retry is allowed."
        }
      }
      // No "required" array within error_handling, as individual fields are nullable and only populated on error.
    }
  },
  "required": [
    "transaction",
    "tool",
    "target_api",
    "authentication",
    "validation",
    "audit",
    "receipt",
    "error_handling" // error_handling is required at the top level
  ]
}
```

### Operational Lifecycle

**Integration Setup Phase:** Enterprise, IT/Ops, and Application teams collaborate to define classifications, configure environments, and implement integration logic.

**Transaction Execution Flow:**

1. User authenticates; Local MCP Client collects request details.
2. **Handshake Phase 1 (Request Authorization)**: Local Client sends request; Remote Service validates session, hashes parameters, generates ephemeral token bound to hash.
3. **Handshake Phase 2 (Execute Operation)**: Local Client sends parameters and tokens; Remote Service re-verifies hash, atomically consumes token, performs tiered validation.
4. Operation executes if all checks pass; results and proof returned.
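The two handshake phases just listed, together with the token binding and atomic consumption described under Required Custom Extensions further down, as an added example (not code from the RFC or any project): a minimal Confirmation Agent in TypeScript. Assumptions: an in-memory `Map` stands in for the state store, the receipt is an HMAC under a constructed key, and `run` is a caller-supplied callback standing in for the validated call into the enterprise API.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Parameters are arbitrary JSON; the fingerprint is taken over a canonical form so key order cannot change it.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function canonicalize(value: Json): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// parameters_hash as in the MCP.Handshake.v1 schema: SHA256 over the canonical parameters.
export function parametersHash(params: Json): string {
  return createHash("sha256").update(canonicalize(params)).digest("hex");
}

// What the ephemeral token is bound to: toolName, paramsHash, userId, dataClass, short expiry.
interface Binding {
  toolName: string;
  paramsHash: string;
  userId: string;
  dataClass: number;
  expiresAt: number; // epoch milliseconds
}

export interface ExecuteResult {
  status: "APPROVED" | "DENIED";
  reason: string | null;
  result: Json | null;
  transaction_proof: string | null;
}

export class ConfirmationAgent {
  // In-memory stand-in for the state store (assumption). In production this is
  // Redis or similar, and consume() is one EVAL script doing GET and DEL together
  // so that a concurrent replay cannot interleave with the check.
  private store = new Map<string, Binding>();

  constructor(
    private receiptKey: Buffer,
    private ttlMs = 30_000,
    private now: () => number = Date.now,
  ) {}

  // Phase 1 (Request Authorization): hash the parameters and issue a fresh
  // single-use nonce bound to them. Session validation is assumed done by the caller.
  authorize(userId: string, toolName: string, dataClass: number, params: Json): string {
    const token = randomBytes(32).toString("hex");
    this.store.set(token, {
      toolName, userId, dataClass,
      paramsHash: parametersHash(params),
      expiresAt: this.now() + this.ttlMs,
    });
    return token;
  }

  // Atomic consumption: the binding is removed before it is inspected, so a
  // token that fails any later check is burned rather than left reusable.
  private consume(token: string): Binding | undefined {
    const binding = this.store.get(token);
    this.store.delete(token);
    return binding;
  }

  // Phase 2 (Execute Operation): re-verify the binding, consume the token,
  // run the operation, and return the result with a receipt proof.
  execute(userId: string, toolName: string, token: string, params: Json,
          run: (p: Json) => Json): ExecuteResult {
    const deny = (reason: string): ExecuteResult =>
      ({ status: "DENIED", reason, result: null, transaction_proof: null });
    const binding = this.consume(token);
    if (!binding) return deny("token_unknown_or_already_consumed");
    if (this.now() > binding.expiresAt) return deny("token_expired");
    if (binding.userId !== userId || binding.toolName !== toolName) return deny("binding_mismatch");
    const presented = Buffer.from(parametersHash(params), "hex");
    if (!timingSafeEqual(presented, Buffer.from(binding.paramsHash, "hex"))) {
      return deny("parameter_hash_mismatch");
    }
    const result = run(params);
    // Receipt for non-repudiation: HMAC over the consumed token and its binding.
    const transaction_proof = createHmac("sha256", this.receiptKey)
      .update([token, binding.paramsHash, userId, toolName, String(binding.dataClass)].join("|"))
      .digest("hex");
    return { status: "APPROVED", reason: null, result, transaction_proof };
  }
}
```

A replayed token, a token presented with altered parameters, and an expired token are all denied, and a token that fails a check is consumed in the process, so it cannot be retried with corrected parameters.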

---

#### Data Classification Mapping

| Data Class | Description | Examples | Security Extensions Required |
|------------|-------------|----------|------------------------------|
| **Class 1: PII** | Most sensitive personal data | SSN, payment methods, credentials | per-integration specifics |
| **Class 2: Sensitive Personal Data** | Financial txns, personal details | Txn history, refunds, balance | Transaction-bound tokens + additional extensions |
| **Class 3: Confidential Personal Data** | Business-sensitive operations | Customer profiles, invoices, processing | Transaction-bound tokens + enhanced validation |
| **Class 4: Internal Data** | Standard business operations | Exchange rates, general account info | Standard MCP 2.1 authorization |
| **Class 5: Public Data** | Non-sensitive operations | Public API endpoints, documentation | No additional authorization |

#### Required Custom Extensions

1. **Transaction-Bound Ephemeral Tokens (Class 1-3)**: Cryptographically bind tokens to operation parameters (toolName, paramsHash, userId, dataClass, short expiry).
2. **Atomic Token Consumption (Class 1-3)**: Prevent replay via one-time use (e.g., a Redis `EVAL` script that performs GET and DEL in a single step).

**Class 4-5 Operations (Internal/Public Data)**: Standard single-phase MCP 2.1 (bearer token).

```text
┌─────────────────┐    Standard MCP 2.1    ┌──────────────────┐
│  AI Assistant   │◄──── Single Phase ─────┤ Standard MCP 2.1 │
│ (Class 4-5 ops) │      Bearer Token      │  Authorization   │
└─────────────────┘                        └──────────────────┘
```

**Class 1-3 Operations (PII/Sensitive/Confidential)**: Two-phase zero-trust.

```text
┌─────────────────┐                        ┌──────────────────┐
│  AI Assistant   │                        │ Standard MCP 2.1 │
│ (Class 1-3 ops) │◄─── Session Token ─────┤  Authorization   │
└─────────┬───────┘                        └──────────────────┘
          │ Sensitive Operations (send_money, refund, etc.)
          ▼
┌─────────────────┐      2-Phase Flow      ┌──────────────────┐
│ Enhanced Local  │◄─── Phase 1: Auth ─────┤  Zero-Trust MCP  │
│   MCP Client    │◄─── Phase 2: Execute ──┤ Extension Service│
└─────────────────┘                        └────────┬─────────┘
                                                    │ Class 1-2 Only
                                                    ▼
                                           ┌──────────────────┐
                                           │   Confirmation   │
                                           │ Agent Validator  │
                                           └──────────────────┘
```

#### Financial API Tool Classification Examples

```typescript
const TOOL_CLASSIFICATIONS = {
  "create_payment_method": 1, "update_customer_payment": 1, // Class 1
  "send_money": 2, "refund_transaction": 2,                 // Class 2
  "create_invoice": 3, "process_payment": 3,                // Class 3
  "list_transactions": 4, "get_account_balance": 4,         // Class 4
  "get_exchange_rate": 5                                    // Class 5
};
```

Class 4-5 operations use standard MCP 2.1. Class 1-3 layer zero-trust extensions, determined by `TOOL_CLASSIFICATIONS`.

#### Implementation Priority

1. Phase 1: Class 4-5 ops with standard MCP 2.1.
2. Phase 2: Add transaction-bound tokens for Class 3 ops.
3. Phase 3: Integrate dual-agent validation for Class 1-2 ops.
4. Phase 4: Full zero-trust pipeline with comprehensive audit.

---
--------------------------------------------------------------------------------
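The class-to-flow routing of the diagrams above, as an added example (not code from the RFC or any project): the Zero-Trust MCP Extension Service deciding, from the RFC's `TOOL_CLASSIFICATIONS` table, whether a request may take the single-phase bearer path or must go through the two-phase handshake (with the Confirmation Agent Validator for Class 1-2). The request shape, the `profileFor`/`route` names and the reason strings are assumptions; the point is that this decision is made server-side, so a client cannot reach a Class 1-3 tool through the bearer path, and unlisted tools fail closed.

```typescript
// Classification table as given in the RFC.
export const TOOL_CLASSIFICATIONS: Record<string, number> = {
  create_payment_method: 1, update_customer_payment: 1, // Class 1
  send_money: 2, refund_transaction: 2,                 // Class 2
  create_invoice: 3, process_payment: 3,                // Class 3
  list_transactions: 4, get_account_balance: 4,         // Class 4
  get_exchange_rate: 5,                                 // Class 5
};

export interface FlowProfile {
  dataClass: number;
  flow: "single-phase" | "two-phase";
  transactionBoundToken: boolean; // Class 1-3
  atomicConsumption: boolean;     // Class 1-3
  secondaryValidator: boolean;    // Class 1-2 (Confirmation Agent Validator)
}

// Unlisted tools are treated as Class 1 (fail closed), never as public.
export function profileFor(toolName: string): FlowProfile {
  const dataClass = TOOL_CLASSIFICATIONS[toolName] ?? 1;
  const zeroTrust = dataClass <= 3;
  return {
    dataClass,
    flow: zeroTrust ? "two-phase" : "single-phase",
    transactionBoundToken: zeroTrust,
    atomicConsumption: zeroTrust,
    secondaryValidator: dataClass <= 2,
  };
}

// Constructed request shape (assumption): the session token is always present;
// the ephemeral token appears only on the Phase 2 leg of the two-phase flow.
export interface IncomingRequest {
  toolName: string;
  sessionToken: string;
  ephemeralToken?: string;
  phase?: 1 | 2;
}

export type Routing =
  | { decision: "bearer" }
  | { decision: "handshake-phase-1" }
  | { decision: "handshake-phase-2"; secondaryValidator: boolean }
  | { decision: "reject"; reason: string };

export function route(req: IncomingRequest): Routing {
  if (!req.sessionToken) return { decision: "reject", reason: "missing_session_token" };
  const profile = profileFor(req.toolName);
  if (profile.flow === "single-phase") {
    // Standard MCP 2.1 bearer call for Class 4-5 tools.
    return { decision: "bearer" };
  }
  // Class 1-3: a bare bearer call must not reach the tool, whatever the client asked for.
  if (req.phase === undefined) {
    return { decision: "reject", reason: "two_phase_required_for_class_" + profile.dataClass };
  }
  if (req.phase === 1) return { decision: "handshake-phase-1" };
  if (!req.ephemeralToken) return { decision: "reject", reason: "missing_ephemeral_token" };
  return { decision: "handshake-phase-2", secondaryValidator: profile.secondaryValidator };
}
```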