Add Enhanced Tool Definition Interface (ETDI): Prevents Tool Poisoning and Rug Pull Attacks with Immutable Versioned Definitions, Cryptographic Signing, Granular Permissions, Trust Chains, and OAuth 2.0 Integration
Summary
This PR introduces the Enhanced Tool Definition Interface (ETDI) to the Python SDK. ETDI is a security and trust framework designed to ensure the authenticity, integrity, and traceability of data and actions within distributed AI and automation systems. This is the first integration of ETDI into this project.
Motivation and Context
The Model Context Protocol (MCP) enables powerful AI applications by allowing LLMs to interact with external tools and data sources. However, the standard MCP specification lacks robust security mechanisms, making it vulnerable to attacks such as Tool Poisoning and Rug Pulls.
ETDI addresses these critical security gaps by introducing:
- Cryptographic identity and request signing for tools and servers
- Immutable, versioned tool definitions to prevent post-approval tampering
- Explicit, granular permissioning for tool actions
- Verifiable trust chains and integration with OAuth 2.0 for advanced, centrally managed security
This change is needed to ensure that users and applications can trust the tools they interact with, prevent unauthorized data access or manipulation, and provide a foundation for secure, auditable, and transparent AI/automation workflows.
How Has This Been Tested?
- All ETDI features and request signing flows have been tested using the provided example scripts and demo applications in the `examples/etdi` directory.
- Documentation was built and served locally using MkDocs to verify accuracy and completeness.
- Scenarios tested include:
  - Tool discovery and invocation with request signing enabled
  - Verification of tool identity and integrity
  - Handling of permission requests and user approvals
  - Detection and prevention of tool definition tampering (Rug Pull scenarios)
  - End-to-end workflow from tool registration to secure invocation
Breaking Changes
No breaking changes.
All ETDI features are additive and opt-in. Existing code and workflows will continue to function as before. Users can adopt ETDI incrementally.
Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [x] Documentation update
Checklist
- [x] I have read the MCP Documentation
- [x] My code follows the repository's style guidelines
- [x] New and existing tests pass locally
- [x] I have added appropriate error handling
- [x] I have added or updated documentation as needed
Additional context
- This is the first introduction of ETDI to the project; see `docs/etdi-concepts.md` for a full conceptual and technical overview.
- The documentation includes detailed attack scenarios, security architecture diagrams, and best practices for secure deployment.
- All new features are fully documented and cross-linked for discoverability.
- The implementation is designed to be extensible and compatible with future security enhancements (e.g., additional signing algorithms, centralized trust registries).
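To make the mechanisms listed in the motivation concrete, here is a small worked example of the approval-time pinning and invocation-time checks that the PR describes: an immutable, versioned tool definition, a signature over its canonical form, a hash pinned at approval, and a granular permission check. This is an added illustration, not code from this PR or from the MCP Python SDK; every name in it (`ApprovalStore`, `check_invocation`, the `fs:read`-style permission strings, the sample definition and `DEMO_KEY`) is a constructed assumption, and HMAC-SHA256 with a shared key stands in for the asymmetric signing and OAuth-backed trust chain the real framework would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would use a per-provider key or an
# asymmetric signature verified through a trust chain, never a constant.
DEMO_KEY = b"demo-signing-key-not-for-production"


def canonical_bytes(definition: dict) -> bytes:
    """Serialize a tool definition deterministically (sorted keys, no
    whitespace) so identical content always hashes and signs identically."""
    return json.dumps(definition, sort_keys=True, separators=(",", ":")).encode("utf-8")


def definition_hash(definition: dict) -> str:
    """Content hash that is pinned when the user approves a definition."""
    return hashlib.sha256(canonical_bytes(definition)).hexdigest()


def sign_definition(definition: dict, key: bytes) -> str:
    """Provider-side integrity tag over the canonical form (HMAC stand-in)."""
    return hmac.new(key, canonical_bytes(definition), hashlib.sha256).hexdigest()


def verify_signature(definition: dict, key: bytes, signature: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign_definition(definition, key), signature)


class ApprovalStore:
    """Records the exact definition (hash and declared permissions) a user
    approved, keyed by (tool name, version). Anything that differs later is
    treated as a new, unapproved definition."""

    def __init__(self) -> None:
        self._approved = {}

    def approve(self, definition: dict) -> None:
        key = (definition["name"], definition["version"])
        self._approved[key] = {
            "hash": definition_hash(definition),
            "permissions": set(definition.get("permissions", [])),
        }

    def check_invocation(self, definition: dict, signature: str, key: bytes, requested: list):
        """Return (allowed, reason). Checks run in order: authenticity,
        approval, immutability (rug pull), then granular permissions."""
        if not verify_signature(definition, key, signature):
            return False, "signature invalid: definition not from the expected provider"
        pinned = self._approved.get((definition["name"], definition["version"]))
        if pinned is None:
            return False, "version not approved: user must review this version"
        if pinned["hash"] != definition_hash(definition):
            return False, "definition changed since approval (rug pull detected)"
        missing = set(requested) - pinned["permissions"]
        if missing:
            return False, "permission not granted: " + ", ".join(sorted(missing))
        return True, "ok"


def run_demo() -> dict:
    """Walk through the scenarios the PR lists as tested, on constructed data."""
    original = {
        "name": "read_file",
        "version": "1.0.0",
        "description": "Read a text file from the workspace",
        "permissions": ["fs:read"],
    }
    store = ApprovalStore()
    store.approve(original)
    sig = sign_definition(original, DEMO_KEY)

    results = {}
    # Normal invocation: approved definition, valid tag, declared permission.
    results["ok"] = store.check_invocation(original, sig, DEMO_KEY, ["fs:read"])
    # Rug pull: provider quietly widens permissions under the same name/version
    # and re-signs; the pinned hash no longer matches.
    pulled = dict(original, permissions=["fs:read", "fs:write", "net:send"])
    results["rug_pull"] = store.check_invocation(pulled, sign_definition(pulled, DEMO_KEY), DEMO_KEY, ["fs:write"])
    # Tampered in transit: content changed but the old tag is replayed.
    results["tampered"] = store.check_invocation(pulled, sig, DEMO_KEY, ["fs:read"])
    # Overreach: unchanged definition asks for a permission it never declared.
    results["overreach"] = store.check_invocation(original, sig, DEMO_KEY, ["fs:write"])
    # Version bump: a new version is a new definition and needs fresh approval.
    bumped = dict(original, version="1.1.0")
    results["new_version"] = store.check_invocation(bumped, sign_definition(bumped, DEMO_KEY), DEMO_KEY, ["fs:read"])
    return results


if __name__ == "__main__":
    for scenario, (allowed, reason) in run_demo().items():
        print(f"{scenario:12s} allowed={allowed!s:5s} {reason}")
```

The order of the checks matters: authenticity is verified before anything is looked up, so an unsigned or re-signed-by-someone-else definition never reaches the approval store, and the version bump case shows why pinning by (name, version) alone is not enough; the content hash is what catches a same-version rewrite.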