You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: seps/2787-tool-call-attestation.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -165,7 +165,7 @@ interface Attestation {
165
165
* Encoding: JSON object with `uri` (string) and
166
166
* `digest` (base64url-encoded SHA-256) fields.
167
167
*/
168
-
args_ref?: { uri:string; digest:string };
168
+
argsRef?: { uri:string; digest:string };
169
169
/** Redacted, transformed, or identity projection of the
170
170
* arguments. Useful when the full arguments contain PII or
171
171
* trade secrets but a reviewed summary can be recorded for
@@ -176,7 +176,7 @@ interface Attestation {
176
176
* digest.
177
177
* Encoding: JSON-stringified projection of the arguments.
178
178
*/
179
-
args_projection?:string;
179
+
argsProjection?:string;
180
180
serverFingerprint:string;
181
181
}>;
182
182
@@ -247,7 +247,7 @@ MCP servers that negotiate the `soup/tool-call-attestation` extension MUST imple
247
247
248
248
4.**Tool call match**: Find the entry in `toolCalls` where `serverFingerprint` matches the receiving server's identity. If no such entry exists, reject with `server_mismatch`. Then verify that the entry's `name` matches the `name` parameter of the `tools/call` request. If not, reject with `tool_mismatch`. This prevents cross-server replay and tool-substitution in a single step.
249
249
250
-
5.**Argument commitment verification**: If the `toolCalls` entry uses `args_ref`, resolve the URI, compute SHA-256 over the fetched content, and compare against the stored digest. Confirm the resolved content corresponds to the `arguments` being executed. If the entry uses `args_projection`, compare it against the canonicalized runtime `arguments` (RFC 8785) and classify the result:
250
+
5.**Argument commitment verification**: If the `toolCalls` entry uses `argsRef`, resolve the URI, compute SHA-256 over the fetched content, and compare against the stored digest. Confirm the resolved content corresponds to the `arguments` being executed. If the entry uses `argsProjection`, compare it against the canonicalized runtime `arguments` (RFC 8785) and classify the result:
251
251
-**Identity projection**: the canonical forms match exactly. The verifier confirms the attested projection is identical to the runtime arguments. This provides a self-contained audit trail.
252
252
-**Redacted projection**: the canonical forms differ. The verifier accepts the attestation but records the mismatch — the issuer may have legitimately redacted sensitive fields, or the projection may represent a subset of the runtime arguments. The verifier makes no claim about completeness relative to the runtime arguments.
253
253
@@ -317,7 +317,7 @@ The European Commission's draft high-risk AI classification guidelines treat cha
317
317
318
318
### Why Two-Way Args Shape
319
319
320
-
Tool call arguments vary widely in size and sensitivity. A single args field forces every deployment into one approach. The two-way shape (`args_ref`, `args_projection`) covers the two natural patterns without overloading:
320
+
Tool call arguments vary widely in size and sensitivity. A single args field forces every deployment into one approach. The two-way shape (`argsRef`, `argsProjection`) covers the two natural patterns without overloading:
321
321
322
322
-**Reference (content-addressed)**: A retrieval URI alongside its digest. The verifier fetches, hashes, and confirms. Useful when arguments are large, stored externally (file contents, image data), or must not cross the attestation wire for privacy reasons.
323
323
-**Projection (redacted or self-contained audit)**: A transformed, summarized, or identity-copied version of the arguments, carried inline. Useful when the full payload is manageable and a self-contained audit record is needed. For privacy- or size-sensitive cases, the projection may be a redacted subset or a hash commitment rather than the full arguments. The attestation signature covers the projection, so no separate digest is needed.
0 commit comments