Thanks to visit codestin.com
Credit goes to github.com

Skip to content

SEP: Tamper-Evident Audit Record Contract#3004

Open
scottrhodes wants to merge 4 commits into
modelcontextprotocol:mainfrom
scottrhodes:sep-tamper-evident-audit-record-contract
Open

SEP: Tamper-Evident Audit Record Contract#3004
scottrhodes wants to merge 4 commits into
modelcontextprotocol:mainfrom
scottrhodes:sep-tamper-evident-audit-record-contract

Conversation

@scottrhodes

Copy link
Copy Markdown

SEP: Tamper-Evident Audit Record Contract (Standards Track)

Specifies an interoperability primitive: a canonical byte form + append-only hash-chain construction that independent implementations produce identically and any third party can verify, with governance context carried in registered extensions, not the core.

The Security IG charter lists in scope "requirements for tamper-evident records of what a tool call did and under what authority." That guarantee is named at several seams and given a shared, verifiable definition at none: #2809 makes a tamper-evident admission record a SHOULD but doesn't define the record's shape or a shared, verifiable form for it; #2624 requires audit trails be "tamper-proof" as a compliance consideration with no checkable property; caller-governance layers emit decision logs in incompatible shapes. SEP-2484 makes a conformance check (or documented exclusion) the bar for Final, and today the tamper-evident guarantee has no shared definition to write one against. Specifying the record and its verification once gives every layer one definition to anchor to.

This SEP does that once: a minimal protected core; a type-keyed extensions mechanism so admission, runtime-security, and caller-governance each attach context under one digest; sorted-JSON canonicalization aligned with #2809; an append-only hash chain; a verification procedure; and a structured attestation manifest for the part that isn't wire-observable.

Registered:

Reproducible. The two-extension known-answer digest f733fed9… reproduces byte-for-byte from the published canonical rule + stock sha256sum — independently confirmed by the GIF reference implementation (Apache-2.0, github.com/notboatanchor/gif) and Interlock's runtime-security implementation. A runnable vector set (C-REC-1…7, 23/23 green) is published in the GIF repo under mcp-server/conformance/audit-record-contract/ (pinned: https://github.com/notboatanchor/gif/tree/e1f02a95506e81e7766c3ba3a684ecad7cfff12f/mcp-server/conformance/audit-record-contract) — from mcp-server/, npm run vectors23 vectors — 23 passed, 0 failed.

Developed in #security-ig. Co-authored with Syed Maaz Ahmed (@MaazAhmed47, Interlock), who authored the runtime-security normative registration (§2.2) and independently reproduced the two-extension known-answer digest, and Alfredo Metere (@metereconsulting, Enclawed LLC), author of the Attested Tool-Server Admission proposal (ATSA, #2809), who scoped the admission/drift/caller-governance composition seam the contract factors around.

Seeking a sponsor from the Security IG. @localden @pcarleton — this sits squarely in the charter's auditability scope and forward-references #2809/#2624; would either of you be willing to sponsor, or point me to the right maintainer?

Refs: #2809, #2624, SEP-2484.


AI assistance disclosure. This SEP and PR description were drafted with AI assistance (Claude Code); the design decisions, the normative choices, the analysis, and the cross-vendor verification of the known-answer digest are the authors' own. AI-assisted comments I post on this PR will be disclosed the same way.

@scottrhodes scottrhodes requested review from a team as code owners July 2, 2026 21:57
@kuangmi-bit

This comment was marked as spam.

@scottrhodes

Copy link
Copy Markdown
Author

Thanks — the SMF/WORM lineage is a fair parallel. Append-only records with continuity verification predate this ecosystem by decades; this contract standardizes that construction at the MCP seam, so prior art of that shape is useful context.

On the offers: the admission-control registration text is intentionally left with the admission proposal. Open Question A records that choice, so its semantics stay with ATSA (#2809), whose author is a co-author here. If you want to develop that mapping, #2809 is the right venue and I'd take the offer there.
A second-language reproduction of the vectors needs no coordination at all - independent reproduction is the point of the construction. The two-extension KAT in §Conformance is self-contained (canonical preimage + sha256sum), and the full C-REC set is published at the pinned link in the SEP. A Go implementation landing on the same digests would be exactly the kind of evidence this contract exists to make possible.

§2.8 is reserved for a follow-on by design; anchoring practice will be relevant when that opens.

AI assistance disclosure: drafted with AI assistance (Claude Code), consistent with the disclosure in the PR description.

@kuangmi-bit

This comment was marked as spam.

@kuangmi-bit

This comment was marked as spam.

@kuangmi-bit

This comment was marked as spam.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants