τ391-SIH: Signed Intent Handoff as an Additive MCP Governance Primitive #768
Replies: 2 comments 1 reply
-
|
Prior Art & Positioning — Follow-up from the proposal author Before this thread develops further, I want to explicitly situate τ391-SIH relative to two existing discussions that touched on adjacent problems — and be clear about what this proposal does and doesn't overlap with. Discussion #1509 — Cryptographically Signed Human Approvals This thread proposed user-side signing for sensitive MCP requests: binding approval to a user public key and rejecting unsigned requests at the tool level. τ391-SIH shares the "cryptographic binding" intuition. The difference is scope: #1509 addresses the user-to-tool signature at a single hop, while τ391-SIH is concerned with what happens to that approved intent after the first hop — as it propagates across intermediate agents in a multi-step chain. The two mechanisms are composable: a #1509-style signed approval could plausibly anchor a τ391-SIH intent envelope for downstream propagation. Discussion #64 — Authentication for Remote MCP Servers This thread explored OAuth2 flows, session management, encrypted credential storage, and trust model design principles for remote server authentication. τ391-SIH is orthogonal to that work. Authentication answers "who is calling?" — τ391-SIH addresses a separate question: "does what this agent is about to do match what the original principal actually requested?" Intent continuity is not an authentication problem; it sits one level above it. Thanks to both threads for laying valuable groundwork. The gap τ391-SIH targets Put simply:
The proposed mechanism is a lightweight signed intent envelope carried via Three questions for maintainers and contributors
Happy to provide concrete message flow examples or a minimal reference implementation if that would help ground the discussion. — Adam D. Kain (CELL Series Independent Research) |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for putting this together; the intent continuity problem across multi-agent hops is real and worth addressing. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the pointer to PR #2787 and the backLink/nonce chaining. To move the discussion toward a concrete, implementable extension, here is a JSON schema and a reference Python shim that add Hexad‑style deterministic replay attestation to the execution receipt.
This schema adds a hexad_attestation block to the existing receipt. It includes the SHA‑256 trace hash, the replay gate outcome (PASS/FAIL/ABORT), the observed drift, the admissibility bound (τ_drift = 0.03114), and the version of the formal TLA⁺ model. {
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "τ391‑SIH Execution Receipt with Hexad Attestation",
"type": "object",
"properties": {
"receipt": {
"type": "object",
"required": ["agent_id", "backLink", "nonce", "signature", "hexad_attestation"],
"properties": {
"agent_id": { "type": "string", "format": "uuid" },
"backLink": { "type": "string" },
"nonce": { "type": "string" },
"signature": { "type": "string" },
"hexad_attestation": {
"type": "object",
"required": ["trace_hash", "replay_gate"],
"properties": {
"trace_hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
"replay_gate": {
"type": "object",
"required": ["status", "drift_value", "admissibility_bound", "tla_plus_model_version"],
"properties": {
"status": { "type": "string", "enum": ["PASS", "FAIL", "ABORT"] },
"drift_value": { "type": "number", "minimum": 0 },
"admissibility_bound": { "type": "number", "minimum": 0 },
"tla_plus_model_version": { "type": "string" }
}
}
}
}
}
}
}
}
This shim demonstrates how an agent would generate the attestation, sign it with Ed25519, and verify it. For production use, I recommend canonical JSON (RFC 8785) to avoid signature mismatches due to JSON parser variations. import hashlib
import ed25519 # pip install ed25519
import canonicaljson # optional, for RFC 8785
def generate_hexad_attestation(trace_data, drift, bound):
trace_hash = hashlib.sha256(trace_data.encode()).hexdigest()
status = "PASS" if drift <= bound else "FAIL"
attestation = {
"trace_hash": trace_hash,
"replay_gate": {
"status": status,
"drift_value": drift,
"admissibility_bound": bound,
"tla_plus_model_version": "v2.1"
}
}
# For robust signatures, use canonical JSON:
# payload = canonicaljson.encode_canonical_json(attestation)
payload = str(attestation).encode() # simplified for illustration
return attestation, payload
# Agent side
priv_key, pub_key = ed25519.create_keypair()
attestation, payload = generate_hexad_attestation("sensor_read_001", 0.0021, 0.03114)
signature = priv_key.sign(payload, encoding="hex")
# Receiver side
try:
pub_key.verify(signature, payload, encoding="hex")
print("Verification successful: execution trace is valid and deterministic.")
except ed25519.BadSignatureError:
print("Tamper detected or non‑deterministic execution.")
The full Hexad pipeline – including the TLA⁺ model, Lean 4 safety proofs, C++ interposer, and drift calibration – is published as a citable Zenodo artifact: · Implementation paper: 10.5281/zenodo.20376027 I’m happy to provide a more detailed reference implementation (e.g., in Rust or with the full mmap ring buffer) if the group decides to adopt this extension. Thank you for driving this important governance primitive. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Pre-submission Checklist
Discussion Topic
This document opens an early discussion around a possible additive governance/security primitive for the Model Context Protocol (MCP) provisionally called τ391-SIH (Signed Intent Hando). The goal is not to replace existing authorization ows, OAuth models, or transport assumptions, but to explore whether a lightweight signed-intent layer could improve interoperability and reduce ambiguity during multi-agent or delegated tool interactions. The document is structured as a pre-SEP (specification extension proposal) discussion, followed by a companion threat model. Both are presented in an exploratory, hypothesis-driven posture to solicit maintainer and contributor feedback.
tau391 sih submission.pdf
Beta Was this translation helpful? Give feedback.
All reactions