Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 48c739b

Browse files
author
heysoup
committed
Envelope field names: snake_case to camelCase
1 parent b1becae commit 48c739b

2 files changed

Lines changed: 8 additions & 8 deletions

File tree

docs/seps/2787-tool-call-attestation.mdx

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

seps/2787-tool-call-attestation.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -165,7 +165,7 @@ interface Attestation {
165165
* Encoding: JSON object with `uri` (string) and
166166
* `digest` (base64url-encoded SHA-256) fields.
167167
*/
168-
args_ref?: { uri: string; digest: string };
168+
argsRef?: { uri: string; digest: string };
169169
/** Redacted, transformed, or identity projection of the
170170
* arguments. Useful when the full arguments contain PII or
171171
* trade secrets but a reviewed summary can be recorded for
@@ -176,7 +176,7 @@ interface Attestation {
176176
* digest.
177177
* Encoding: JSON-stringified projection of the arguments.
178178
*/
179-
args_projection?: string;
179+
argsProjection?: string;
180180
serverFingerprint: string;
181181
}>;
182182

@@ -247,7 +247,7 @@ MCP servers that negotiate the `soup/tool-call-attestation` extension MUST imple
247247

248248
4. **Tool call match**: Find the entry in `toolCalls` where `serverFingerprint` matches the receiving server's identity. If no such entry exists, reject with `server_mismatch`. Then verify that the entry's `name` matches the `name` parameter of the `tools/call` request. If not, reject with `tool_mismatch`. This prevents cross-server replay and tool-substitution in a single step.
249249

250-
5. **Argument commitment verification**: If the `toolCalls` entry uses `args_ref`, resolve the URI, compute SHA-256 over the fetched content, and compare against the stored digest. Confirm the resolved content corresponds to the `arguments` being executed. If the entry uses `args_projection`, compare it against the canonicalized runtime `arguments` (RFC 8785) and classify the result:
250+
5. **Argument commitment verification**: If the `toolCalls` entry uses `argsRef`, resolve the URI, compute SHA-256 over the fetched content, and compare against the stored digest. Confirm the resolved content corresponds to the `arguments` being executed. If the entry uses `argsProjection`, compare it against the canonicalized runtime `arguments` (RFC 8785) and classify the result:
251251
- **Identity projection**: the canonical forms match exactly. The verifier confirms the attested projection is identical to the runtime arguments. This provides a self-contained audit trail.
252252
- **Redacted projection**: the canonical forms differ. The verifier accepts the attestation but records the mismatch — the issuer may have legitimately redacted sensitive fields, or the projection may represent a subset of the runtime arguments. The verifier makes no claim about completeness relative to the runtime arguments.
253253

@@ -317,7 +317,7 @@ The European Commission's draft high-risk AI classification guidelines treat cha
317317

318318
### Why Two-Way Args Shape
319319

320-
Tool call arguments vary widely in size and sensitivity. A single args field forces every deployment into one approach. The two-way shape (`args_ref`, `args_projection`) covers the two natural patterns without overloading:
320+
Tool call arguments vary widely in size and sensitivity. A single args field forces every deployment into one approach. The two-way shape (`argsRef`, `argsProjection`) covers the two natural patterns without overloading:
321321

322322
- **Reference (content-addressed)**: A retrieval URI alongside its digest. The verifier fetches, hashes, and confirms. Useful when arguments are large, stored externally (file contents, image data), or must not cross the attestation wire for privacy reasons.
323323
- **Projection (redacted or self-contained audit)**: A transformed, summarized, or identity-copied version of the arguments, carried inline. Useful when the full payload is manageable and a self-contained audit record is needed. For privacy- or size-sensitive cases, the projection may be a redacted subset or a hash commitment rather than the full arguments. The attestation signature covers the projection, so no separate digest is needed.

0 commit comments

Comments
 (0)