research(security): MCP tool trust/confidentiality metadata — capability labels + STPA-based data-flow policy (arXiv:2601.08012) #2420
Description
Finding
Towards Verifiably Safe Tool Use (arXiv:2601.08012)
Proposes capability-enhanced MCP: structured labels on every tool specifying capability level, data confidentiality, and trust level. Uses STPA (System-Theoretic Process Analysis) to derive formal safety specifications for data flows and tool sequences. Enables policy enforcement such as: "high-confidentiality data cannot pass through low-trust tools."
Applicability to Zeph
Zeph's MCP tool registry (zeph-mcp) assigns `trust_level` to entire servers (`untrusted`/`trusted`/`privileged`) but has no per-tool metadata for capability level or data sensitivity.
Proposed additions to tool definition schema:
```toml
# In [[mcp.servers]] tool metadata:
[mcp.tool_policy.read_file]
data_sensitivity = "high" # data touched by this tool
capability_level = "filesystem_read"
trust_required = "trusted"
```

Policy enforcement in zeph-tools: before executing a tool chain, verify that no high-sensitivity data flows into low-trust tools (e.g., reading credentials then passing them to an untrusted `web_scrape` call).
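As an added illustration of the enforcement step (example code, not zeph-tools' own implementation), the following Rust sketch models the proposed labels as two small ordered lattices and walks a planned tool chain before any call runs. Every name here (`ToolPolicy`, `ToolCall`, `check_chain`, `max_sensitivity_for`, the three sample tools) is hypothetical, and the mapping from server trust to the highest sensitivity it may receive (untrusted: low, trusted: medium, privileged: high) is an assumption chosen for the example, not something the paper or Zeph prescribes. Labels propagate forward: a tool's output carries the join of its incoming data label and its own `data_sensitivity`, so credentials read by `read_file` stay "high" through every later step that consumes them.

```rust
// Added example: lattice-style pre-execution check for per-tool trust /
// sensitivity labels. All names are hypothetical; not zeph's API.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Trust { Untrusted, Trusted, Privileged } // variant order == lattice order

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Sensitivity { Low, Medium, High }

#[derive(Debug, Clone)]
pub struct ToolPolicy {
    pub name: &'static str,
    pub data_sensitivity: Sensitivity, // label of the data this tool touches/emits
    pub trust_required: Trust,         // minimum server trust_level to run it
}

#[derive(Debug, Clone)]
pub struct ToolCall {
    pub tool: &'static str,
    pub server_trust: Trust,     // trust_level of the server hosting the tool
    pub inputs_from: Vec<usize>, // indices of earlier calls whose output feeds this one
}

#[derive(Debug, PartialEq, Eq)]
pub enum Violation {
    UnknownTool { step: usize, tool: String },
    DanglingInput { step: usize, input: usize },
    InsufficientTrust { step: usize, tool: String, required: Trust, actual: Trust },
    SensitiveFlow { step: usize, tool: String, label: Sensitivity, trust: Trust },
}

/// Assumed mapping: the most sensitive data a server of a given trust may receive.
fn max_sensitivity_for(trust: Trust) -> Sensitivity {
    match trust {
        Trust::Untrusted => Sensitivity::Low,
        Trust::Trusted => Sensitivity::Medium,
        Trust::Privileged => Sensitivity::High,
    }
}

/// Walks the chain in order. Returns the output label of every step on success,
/// or the first violation found (nothing has executed at this point).
pub fn check_chain(policies: &[ToolPolicy], chain: &[ToolCall]) -> Result<Vec<Sensitivity>, Violation> {
    let mut labels: Vec<Sensitivity> = Vec::with_capacity(chain.len());
    for (step, call) in chain.iter().enumerate() {
        let policy = policies.iter().find(|p| p.name == call.tool).ok_or_else(|| {
            Violation::UnknownTool { step, tool: call.tool.to_string() }
        })?;
        // 1. The hosting server must meet the tool's trust_required.
        if call.server_trust < policy.trust_required {
            return Err(Violation::InsufficientTrust {
                step, tool: call.tool.to_string(), required: policy.trust_required, actual: call.server_trust,
            });
        }
        // 2. Incoming label = join (max) of the labels of all feeding outputs.
        //    Only earlier steps may feed this one; anything else is rejected, never defaulted to Low.
        let mut incoming = Sensitivity::Low;
        for &j in &call.inputs_from {
            match labels.get(j) {
                Some(&l) => incoming = incoming.max(l),
                None => return Err(Violation::DanglingInput { step, input: j }),
            }
        }
        // 3. High-confidentiality data must not flow into a low-trust tool.
        if incoming > max_sensitivity_for(call.server_trust) {
            return Err(Violation::SensitiveFlow {
                step, tool: call.tool.to_string(), label: incoming, trust: call.server_trust,
            });
        }
        // 4. Output label: propagate the incoming label joined with the tool's own.
        labels.push(incoming.max(policy.data_sensitivity));
    }
    Ok(labels)
}

/// Constructed sample policies mirroring the proposed [mcp.tool_policy.*] entries.
pub fn example_policies() -> Vec<ToolPolicy> {
    vec![
        ToolPolicy { name: "read_file", data_sensitivity: Sensitivity::High, trust_required: Trust::Trusted },
        ToolPolicy { name: "web_scrape", data_sensitivity: Sensitivity::Low, trust_required: Trust::Untrusted },
        ToolPolicy { name: "summarize", data_sensitivity: Sensitivity::Low, trust_required: Trust::Trusted },
    ]
}

fn main() {
    // Constructed chain: read credentials, then hand them to an untrusted web_scrape call.
    let chain = vec![
        ToolCall { tool: "read_file", server_trust: Trust::Trusted, inputs_from: vec![] },
        ToolCall { tool: "web_scrape", server_trust: Trust::Untrusted, inputs_from: vec![0] },
    ];
    match check_chain(&example_policies(), &chain) {
        Ok(labels) => println!("chain allowed, output labels: {:?}", labels),
        Err(v) => println!("chain rejected before execution: {:?}", v),
    }
}
```

The check runs over the planned chain, so a rejected plan never reaches the tool transport; the returned `Violation` names the step and the label that crossed the boundary, which is the information an audit log or a user-facing refusal needs. Note that `DanglingInput` is deliberately an error rather than a default of `Low`: silently treating an unknown input as harmless would be the one place this check could be talked into allowing a leak.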
Priority
P2 — extends existing MCP trust model with per-tool granularity; complements #2417 (formal security model audit).
Source
- arXiv:2601.08012 — Towards Verifiably Safe Tool Use in AI Agents (capability-enhanced MCP)