Skip to content

Add Enhanced Tool Definition Interface (ETDI): Prevents Tool Poisoning and Rug Pull Attacks with Immutable Versioned Definitions, Cryptographic Signing, Granular Permissions, Trust Chains, and OAuth 2.0 Integration #845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 48 commits into
base: main
Choose a base branch
from
Open

Add Enhanced Tool Definition Interface (ETDI): Prevents Tool Poisoning and Rug Pull Attacks with Immutable Versioned Definitions, Cryptographic Signing, Granular Permissions, Trust Chains, and OAuth 2.0 Integration #845

wants to merge 48 commits into from
+28,171 −426

Conversation

vineethsai
Copy link

Summary

This PR introduces the Enhanced Tool Definition Interface (ETDI) to the Python SDK. ETDI is a security and trust framework designed to ensure the authenticity, integrity, and traceability of data and actions within distributed AI and automation systems. This is the first integration of ETDI into this project.

Motivation and Context

The Model Context Protocol (MCP) enables powerful AI applications by allowing LLMs to interact with external tools and data sources. However, the standard MCP specification lacks robust security mechanisms, making it vulnerable to attacks such as Tool Poisoning and Rug Pulls.
ETDI addresses these critical security gaps by introducing:

  • Cryptographic identity and request signing for tools and servers
  • Immutable, versioned tool definitions to prevent post-approval tampering
  • Explicit, granular permissioning for tool actions
  • Verifiable trust chains and integration with OAuth 2.0 for advanced, centrally managed security

This change is needed to ensure that users and applications can trust the tools they interact with, prevent unauthorized data access or manipulation, and provide a foundation for secure, auditable, and transparent AI/automation workflows.

How Has This Been Tested?

  • All ETDI features and request signing flows have been tested using the provided example scripts and demo applications in the examples/etdi directory.
  • Documentation was built and served locally using MkDocs to verify accuracy and completeness.
  • Scenarios tested include:
    • Tool discovery and invocation with request signing enabled
    • Verification of tool identity and integrity
    • Handling of permission requests and user approvals
    • Detection and prevention of tool definition tampering (Rug Pull scenarios)
    • End-to-end workflow from tool registration to secure invocation

Breaking Changes

No breaking changes.
All ETDI features are additive and opt-in. Existing code and workflows will continue to function as before. Users can adopt ETDI incrementally.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

  • This is the first introduction of ETDI to the project; see docs/etdi-concepts.md for a full conceptual and technical overview.
  • The documentation includes detailed attack scenarios, security architecture diagrams, and best practices for secure deployment.
  • All new features are fully documented and cross-linked for discoverability.
  • The implementation is designed to be extensible and compatible with future security enhancements (e.g., additional signing algorithms, centralized trust registries).

BlakeGatto and others added 30 commits May 27, 2025 12:13
@BlakeGatto
Adding initial implementation of etdi
be7f519
@BlakeGatto
Adding initial implementation of etdi
6f79acd
@BlakeGatto
etid full implementation complete
e201aeb
@BlakeGatto
etid full implementation complete
e46c05a
@BlakeGatto
copy top level files to right directories
8f1ec5b
@BlakeGatto
copy top level files to right directories
8624cc4
@BlakeGatto
delete old files
12616a0
@BlakeGatto
make secure_tool decorator work with this
e5c86ba
@BlakeGatto
Adding an example server
e375db8
@BlakeGatto
add integration to server
68765ac
@BlakeGatto
make secure_tool decorator work with this
a63bcb4
@BlakeGatto
make secure_tool decorator work with this
6262d4e
@BlakeGatto
make secure_tool decorator work with this
0df7707
@BlakeGatto
Fix readme
c19c09b
@vineethsai
added some defaults and fix some import issues
ba794f5
@mbhatt1
Merge pull request #1 from vineethsai/main
16c5e5f 
added some defaults and fix some import issues
@BlakeGatto
delete a random file
753f4b2
@vineethsai
- Remove all hardcoded Auth0 credentials from codebase
08260f4 
- Replace with secure environment variables using os.getenv()
- Add .env.example template for easy setup
- Implement automatic secret redaction tooling

- Create comprehensive tool poisoning attack demonstration
- Implement legitimate ETDI-protected server with OAuth authentication
- Add malicious server simulation for educational purposes
- Provide real-time security analysis and threat blocking

- Add comprehensive tool poisoning demo documentation
- Include Auth0 setup guide and troubleshooting sections

- Add requirements.txt with all necessary dependencies
- Create setup verification and testing scripts
- Implement automatic environment configuration
- Add comprehensive error handling and user guidance

- examples/README.md: Complete rewrite with ETDI focus
- examples/etdi/oauth_providers.py: Secret redaction + env vars
- examples/etdi/run_e2e_demo.py: Secret redaction + env vars
- src/mcp/etdi/server/tool_provider.py: Enhanced functionality

- examples/etdi/.env.example: Environment variable template
- examples/etdi/tool_poisoning_demo/: Complete demo directory
- examples/etdi/tool_poisoning_demo/requirements.txt: Dependencies
- examples/etdi/tool_poisoning_demo/README.md: Setup documentation
- examples/etdi/legitimate_etdi_server.py: ETDI-protected server
- examples/etdi/tool_poisoning_demo/malicious_server.py: Attack simulation
- examples/etdi/tool_poisoning_demo/etdi_attack_prevention_client.py: ETDI client
- examples/etdi/tool_poisoning_demo/run_real_server_demo.py: Demo orchestrator
@vineethsai
cleanup of PR files
8158e91
@vineethsai
cleanup of MD files
c8ed4ed
@vineethsai
cleanup of MD files final
2cf1b42
@mbhatt1
Merge pull request #2 from vineethsai/main
4483542 
Tested tool poisoining, tested standard MCP wasn't impacted as well with claude integration
@BlakeGatto
Add request signing
dd8e895
@BlakeGatto
fix import error
28859c6
@vineethsai
Add Hextra documentation and deploy workflow
3f8ef38
@vineethsai
Move deploy workflow to root .github/workflows for GitHub Actions com…
5c1c004 
…patibility
@BlakeGatto
I think it's fixed now
ae67f0e
@vineethsai
Trigger Hextra deploy workflow
9c4a362
@BlakeGatto
Fix readme
fc39c2e
@vineethsai
Fix Hextra deploy: add Hugo module config and hugo mod get step for t…
417af99 
…heme
@mbhatt1
Copy link

mbhatt1 commented May 31, 2025
edited
Loading

https://vineethsai.github.io/python-sdk/etdi-concepts/#introduction-the-imperative-for-secure-mcp

Docs as github pages /cc @ihrpr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vineethsai @mbhatt1 @BlakeGatto @Hobstarr