SEP: Tamper-Evident Audit Record Contract#3004
Conversation
This comment was marked as spam.
This comment was marked as spam.
|
Thanks — the SMF/WORM lineage is a fair parallel. Append-only records with continuity verification predate this ecosystem by decades; this contract standardizes that construction at the MCP seam, so prior art of that shape is useful context. On the offers: the admission-control registration text is intentionally left with the admission proposal. Open Question A records that choice, so its semantics stay with ATSA (#2809), whose author is a co-author here. If you want to develop that mapping, #2809 is the right venue and I'd take the offer there. §2.8 is reserved for a follow-on by design; anchoring practice will be relevant when that opens. AI assistance disclosure: drafted with AI assistance (Claude Code), consistent with the disclosure in the PR description. |
SEP: Tamper-Evident Audit Record Contract (Standards Track)
Specifies an interoperability primitive: a canonical byte form + append-only hash-chain construction that independent implementations produce identically and any third party can verify, with governance context carried in registered extensions, not the core.
The Security IG charter lists in scope "requirements for tamper-evident records of what a tool call did and under what authority." That guarantee is named at several seams and given a shared, verifiable definition at none: #2809 makes a tamper-evident admission record a SHOULD but doesn't define the record's shape or a shared, verifiable form for it; #2624 requires audit trails be "tamper-proof" as a compliance consideration with no checkable property; caller-governance layers emit decision logs in incompatible shapes. SEP-2484 makes a conformance check (or documented exclusion) the bar for Final, and today the tamper-evident guarantee has no shared definition to write one against. Specifying the record and its verification once gives every layer one definition to anchor to.
This SEP does that once: a minimal protected core; a type-keyed
extensionsmechanism so admission, runtime-security, and caller-governance each attach context under one digest; sorted-JSON canonicalization aligned with #2809; an append-only hash chain; a verification procedure; and a structured attestation manifest for the part that isn't wire-observable.Registered:
caller-governance— specified in fullruntime-security— normative text contributed by Maaz (Interlock), cross-ref SEP-2624: Interceptors for the Model Context Protocol #2624admission-control— named, cross-ref SEP: Attested Tool-Server Admission (ATSA) #2809Reproducible. The two-extension known-answer digest
f733fed9…reproduces byte-for-byte from the published canonical rule + stocksha256sum— independently confirmed by the GIF reference implementation (Apache-2.0, github.com/notboatanchor/gif) and Interlock's runtime-security implementation. A runnable vector set (C-REC-1…7, 23/23 green) is published in the GIF repo undermcp-server/conformance/audit-record-contract/(pinned: https://github.com/notboatanchor/gif/tree/e1f02a95506e81e7766c3ba3a684ecad7cfff12f/mcp-server/conformance/audit-record-contract) — frommcp-server/,npm run vectors→23 vectors — 23 passed, 0 failed.Developed in #security-ig. Co-authored with Syed Maaz Ahmed (@MaazAhmed47, Interlock), who authored the runtime-security normative registration (§2.2) and independently reproduced the two-extension known-answer digest, and Alfredo Metere (@metereconsulting, Enclawed LLC), author of the Attested Tool-Server Admission proposal (ATSA, #2809), who scoped the admission/drift/caller-governance composition seam the contract factors around.
Seeking a sponsor from the Security IG. @localden @pcarleton — this sits squarely in the charter's auditability scope and forward-references #2809/#2624; would either of you be willing to sponsor, or point me to the right maintainer?
Refs: #2809, #2624, SEP-2484.
AI assistance disclosure. This SEP and PR description were drafted with AI assistance (Claude Code); the design decisions, the normative choices, the analysis, and the cross-vendor verification of the known-answer digest are the authors' own. AI-assisted comments I post on this PR will be disclosed the same way.