feat(security): MCP capability attestation, trust calibration, and injection defense#2310

Merged
bug-ops merged 2 commits into main from mcp-security-hardening
Mar 28, 2026

Conversation


@bug-ops bug-ops commented Mar 27, 2026

Summary

  • Tool attestation (zeph-mcp): operator-declared expected_tools with blake3 schema fingerprinting; unexpected tools filtered for Untrusted/Sandboxed servers at registration time
  • C2 execution bypass fix: McpToolExecutor::execute() now validates server:tool against the registered tool list and delegates to execute_tool_call(), applying the full sanitize→audit→policy pipeline to all fenced-block calls
  • MCPShield three-phase trust calibration (zeph-mcp): Phase 1 — DefaultMcpProber scans resource/prompt descriptions for injection patterns on connect; Phase 2 — AuditEntry gains mcp_server_id, injection_flagged, embedding_anomalous; Phase 3 — TrustScoreStore (SQLite-backed, asymmetric decay, atomic delta updates)
  • Embedding anomaly guard (zeph-mcp): EmbeddingAnomalyGuard fire-and-forget cosine-distance check against per-server clean centroid; cold-start falls back to regex detection
  • Response verification (zeph-sanitizer): ResponseVerifier extended with optional verifier_provider for post-generation instruction-following check

New config sections:

  • [mcp.trust_calibration] — trust calibration settings
  • [security.content_isolation.embedding_guard] — anomaly guard settings
  • mcp.servers[].expected_tools — operator-declared tool allowlist
  • security.response_verification.verifier_provider — verifier model name

Test plan

  • cargo +nightly fmt --check — clean
  • cargo clippy --workspace --features full -- -D warnings — clean
  • cargo nextest run --workspace --features full --lib --bins — 6896 passed

Follow-up issues (non-blocking)

  • Centroid drift protection (boiling frog attack on embedding guard centroid)
  • mcp_server_id population in non-MCP audit entries
  • Decayed score persistence (persist score after decay-at-read)
  • tx.send() error logging in embedding guard warm path

Closes #2217
Closes #2216
Closes #2254

…jection defense

Implements three security hardening features resolving issues #2217, #2216, #2254:

- Tool attestation (zeph-mcp): operator-declared expected_tools with blake3 schema
  fingerprinting for drift detection; unexpected tools filtered for Untrusted/Sandboxed
  servers at registration time

- MCPShield trust calibration (zeph-mcp): DefaultMcpProber scans resource/prompt
  descriptions for injection patterns on connect; TrustScoreStore persists per-server
  scores in SQLite with atomic delta updates and asymmetric decay (scores above 0.5
  erode toward 0.5; penalized scores persist until positive evidence); AuditEntry
  extended with mcp_server_id, injection_flagged, embedding_anomalous fields

- Injection defense (zeph-core, zeph-sanitizer): EmbeddingAnomalyGuard performs
  fire-and-forget cosine distance checks against per-server clean centroids with
  cold-start regex fallback; ResponseVerifier extended with optional verifier_provider
  for post-generation LLM-based instruction-following verification

- Fenced-block executor bypass fixed: execute() now delegates to execute_tool_call()
  with full security pipeline applied to all tool invocations

New config: [mcp.trust_calibration], [security.content_isolation.embedding_guard],
mcp.servers[].expected_tools, security.response_verification.verifier_provider

Closes #2217, #2216, #2254
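The asymmetric decay and delta semantics described for TrustScoreStore above, as an added example that is not the project's own code: an in-memory Rust model (assumptions: a HashMap stands in for the SQLite table, and NEUTRAL, decay_per_sec and the audit_delta weights are names and values chosen here, not the PR's) where scores above 0.5 erode toward 0.5 on read, penalized scores stay where they are, and each delta is applied on top of the decayed value in one update.

```rust
use std::collections::HashMap;
/// Neutral trust score. Scores above it erode back toward it over time; scores at
/// or below it (penalized servers) do not decay until positive evidence raises them.
pub const NEUTRAL: f64 = 0.5;

#[derive(Clone, Copy, Debug)]
pub struct TrustScore {
    pub score: f64,
    /// Unix time (seconds) of the last write; decay is computed lazily at read.
    pub updated_at: u64,
}

/// In-memory stand-in for the SQLite-backed store (assumption: the real store keeps
/// one row per server and applies each delta inside a single UPDATE statement).
pub struct TrustScoreStore {
    scores: HashMap<String, TrustScore>,
    /// Exponential decay rate per second, applied only to the excess above NEUTRAL.
    decay_per_sec: f64,
}

impl TrustScoreStore {
    pub fn new(decay_per_sec: f64) -> Self {
        Self { scores: HashMap::new(), decay_per_sec }
    }

    /// Asymmetric decay-at-read: a penalized score is returned unchanged.
    fn decayed(&self, e: TrustScore, now: u64) -> f64 {
        if e.score <= NEUTRAL { return e.score; }
        let elapsed = now.saturating_sub(e.updated_at) as f64;
        NEUTRAL + (e.score - NEUTRAL) * (-self.decay_per_sec * elapsed).exp()
    }

    /// Current score for a server; unknown servers start at NEUTRAL.
    pub fn get(&self, server_id: &str, now: u64) -> f64 {
        self.scores.get(server_id).map_or(NEUTRAL, |e| self.decayed(*e, now))
    }

    /// Apply a signed delta on top of the decayed value, clamp to [0, 1], and
    /// persist the result with the current timestamp (one atomic update).
    pub fn apply_delta(&mut self, server_id: &str, delta: f64, now: u64) -> f64 {
        let score = (self.get(server_id, now) + delta).clamp(0.0, 1.0);
        self.scores.insert(server_id.to_string(), TrustScore { score, updated_at: now });
        score
    }
}
/// Maps the new AuditEntry flags to a delta; the weights are assumed, not the PR's.
pub fn audit_delta(injection_flagged: bool, embedding_anomalous: bool) -> f64 {
    if injection_flagged { -0.30 } else if embedding_anomalous { -0.10 } else { 0.02 }
}
```

With decay_per_sec set to ln(2)/1000, a score of 0.9 reads back as 0.7 one thousand seconds later, while a score of 0.2 still reads 0.2 no matter how much time passes.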
@github-actions github-actions bot added enhancement New feature or request size/XL Extra large PR (500+ lines) documentation Improvements or additions to documentation rust Rust code changes core zeph-core crate dependencies Dependency updates and removed size/XL Extra large PR (500+ lines) labels Mar 27, 2026
@github-actions github-actions bot added the size/XL Extra large PR (500+ lines) label Mar 27, 2026
@bug-ops bug-ops enabled auto-merge (squash) March 27, 2026 23:59
@bug-ops bug-ops merged commit 84a7b7d into main Mar 28, 2026
25 checks passed
@bug-ops bug-ops deleted the mcp-security-hardening branch March 28, 2026 00:06