
Add Enhanced Tool Definition Interface (ETDI): Prevents Tool Poisoning and Rug Pull Attacks with Immutable Versioned Definitions, Cryptographic Signing, Granular Permissions, Trust Chains, and OAuth 2.0 Integration #845


Open
wants to merge 48 commits into
base: main

Conversation

vineethsai

Summary

This PR introduces the Enhanced Tool Definition Interface (ETDI) to the Python SDK. ETDI is a security and trust framework designed to ensure the authenticity, integrity, and traceability of data and actions within distributed AI and automation systems. This is the first integration of ETDI into this project.

Motivation and Context

The Model Context Protocol (MCP) enables powerful AI applications by allowing LLMs to interact with external tools and data sources. However, the standard MCP specification lacks robust security mechanisms, making it vulnerable to attacks such as Tool Poisoning and Rug Pulls.
ETDI addresses these critical security gaps by introducing:

  • Cryptographic identity and request signing for tools and servers
  • Immutable, versioned tool definitions to prevent post-approval tampering
  • Explicit, granular permissioning for tool actions
  • Verifiable trust chains and integration with OAuth 2.0 for advanced, centrally managed security

This change is needed to ensure that users and applications can trust the tools they interact with, prevent unauthorized data access or manipulation, and provide a foundation for secure, auditable, and transparent AI/automation workflows.

How Has This Been Tested?

  • All ETDI features and request signing flows have been tested using the provided example scripts and demo applications in the examples/etdi directory.
  • Documentation was built and served locally using MkDocs to verify accuracy and completeness.
  • Scenarios tested include:
    • Tool discovery and invocation with request signing enabled
    • Verification of tool identity and integrity
    • Handling of permission requests and user approvals
    • Detection and prevention of tool definition tampering (Rug Pull scenarios)
    • End-to-end workflow from tool registration to secure invocation

Breaking Changes

No breaking changes.
All ETDI features are additive and opt-in. Existing code and workflows will continue to function as before. Users can adopt ETDI incrementally.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

  • This is the first introduction of ETDI to the project; see docs/etdi-concepts.md for a full conceptual and technical overview.
  • The documentation includes detailed attack scenarios, security architecture diagrams, and best practices for secure deployment.
  • All new features are fully documented and cross-linked for discoverability.
  • The implementation is designed to be extensible and compatible with future security enhancements (e.g., additional signing algorithms, centralized trust registries).
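The PR description above lists the ETDI controls (immutable versioned definitions, a provider signature over each definition, client-side approval, granular permissions) but shows no code. The block below is an added illustration written for this page; it is not code from the PR, from the `examples/etdi` directory, or from the MCP Python SDK. It models the client-side check sequence: pin the version and digest of a definition at approval time, re-verify the signature and digest before every invocation, and refuse any action outside the granted permissions. The provider signature is stood in for by an HMAC with a constructed shared key so the example runs offline; in ETDI proper the provider would sign with an asymmetric key and the client would hold only the public half.

```python
"""Added example: client-side ETDI-style verification of tool definitions.
Not the PR's or the SDK's code. HMAC with a constructed key stands in for the
provider's asymmetric signature so this runs with the standard library only."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed demo key; in a real deployment this would be the provider's private
# signing key, and the client would verify with the matching public key.
PROVIDER_KEY = b"demo-provider-key-not-for-production"


@dataclass(frozen=True)
class ToolDefinition:
    """Immutable, versioned tool definition (frozen so it cannot be edited in place)."""
    name: str
    version: str
    description: str
    permissions: tuple  # granted scopes, e.g. ("files:read",)


def canonical_bytes(tool):
    """Deterministic serialization so the digest does not depend on key order."""
    return json.dumps(asdict(tool), sort_keys=True, separators=(",", ":")).encode()


def sign_definition(tool, key=PROVIDER_KEY):
    """Provider side: sign the canonical form of the definition."""
    return hmac.new(key, canonical_bytes(tool), hashlib.sha256).hexdigest()


def verify_signature(tool, signature, key=PROVIDER_KEY):
    """Constant-time comparison of the presented signature against a fresh one."""
    return hmac.compare_digest(sign_definition(tool, key), signature)


class ApprovalStore:
    """Client-side record of what the user approved: name -> (version, digest, permissions)."""

    def __init__(self):
        self._approved = {}

    def approve(self, tool, signature):
        """Pin version, digest and permissions only if the signature verifies."""
        if not verify_signature(tool, signature):
            raise ValueError(f"refusing to approve {tool.name}: bad signature")
        digest = hashlib.sha256(canonical_bytes(tool)).hexdigest()
        self._approved[tool.name] = (tool.version, digest, frozenset(tool.permissions))

    def check_invocation(self, tool, signature, requested_permission):
        """Return 'ok' or a string naming why the call must be blocked."""
        if tool.name not in self._approved:
            return "blocked: tool was never approved"
        if not verify_signature(tool, signature):
            return "blocked: signature invalid (tampered or unsigned definition)"
        version, digest, perms = self._approved[tool.name]
        current = hashlib.sha256(canonical_bytes(tool)).hexdigest()
        if tool.version == version and current != digest:
            # Same version string, different content: the rug-pull pattern.
            return "blocked: rug pull (definition changed without a version bump)"
        if tool.version != version:
            return "blocked: new version requires re-approval"
        if requested_permission not in perms:
            return f"blocked: permission {requested_permission!r} not granted"
        return "ok"


def demo():
    """Walk through the approval and the four failure modes on constructed definitions."""
    store = ApprovalStore()
    original = ToolDefinition("file_reader", "1.0.0", "Reads files", ("files:read",))
    sig = sign_definition(original)
    store.approve(original, sig)
    results = {"legit": store.check_invocation(original, sig, "files:read")}
    # Behaviour and permissions silently changed under the same version.
    swapped = ToolDefinition("file_reader", "1.0.0", "Reads and uploads files",
                             ("files:read", "network:send"))
    results["rug_pull_unsigned"] = store.check_invocation(swapped, sig, "files:read")
    results["rug_pull_resigned"] = store.check_invocation(
        swapped, sign_definition(swapped), "files:read")
    # Approved definition asking for a scope the user never granted.
    results["escalation"] = store.check_invocation(original, sig, "network:send")
    # Honest version bump: still blocked until the user re-approves.
    bumped = ToolDefinition("file_reader", "2.0.0", "Reads files", ("files:read",))
    results["version_bump"] = store.check_invocation(bumped, sign_definition(bumped), "files:read")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>18}: {outcome}")
```

The order of checks matters: the signature is verified before the pinned digest is consulted, so an unsigned edit fails early, while an edit that the provider itself re-signed under the same version string is still caught by the digest pin. That second case is the one the PR calls a Rug Pull, and it is why approval must record content, not just a version label.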

BlakeGatto and others added 30 commits May 27, 2025 12:13
added some defaults and fix some import issues
- Replace with secure environment variables using os.getenv()
- Add .env.example template for easy setup
- Implement automatic secret redaction tooling

- Create comprehensive tool poisoning attack demonstration
- Implement legitimate ETDI-protected server with OAuth authentication
- Add malicious server simulation for educational purposes
- Provide real-time security analysis and threat blocking

- Add comprehensive tool poisoning demo documentation
- Include Auth0 setup guide and troubleshooting sections

- Add requirements.txt with all necessary dependencies
- Create setup verification and testing scripts
- Implement automatic environment configuration
- Add comprehensive error handling and user guidance

- examples/README.md: Complete rewrite with ETDI focus
- examples/etdi/oauth_providers.py: Secret redaction + env vars
- examples/etdi/run_e2e_demo.py: Secret redaction + env vars
- src/mcp/etdi/server/tool_provider.py: Enhanced functionality

- examples/etdi/.env.example: Environment variable template
- examples/etdi/tool_poisoning_demo/: Complete demo directory
- examples/etdi/tool_poisoning_demo/requirements.txt: Dependencies
- examples/etdi/tool_poisoning_demo/README.md: Setup documentation
- examples/etdi/legitimate_etdi_server.py: ETDI-protected server
- examples/etdi/tool_poisoning_demo/malicious_server.py: Attack simulation
- examples/etdi/tool_poisoning_demo/etdi_attack_prevention_client.py: ETDI client
- examples/etdi/tool_poisoning_demo/run_real_server_demo.py: Demo orchestrator
Tested tool poisoning; tested that standard MCP wasn't impacted as well, with Claude integration
@mbhatt1

mbhatt1 commented May 31, 2025

Labels
None yet
Projects
None yet

4 participants