cmcp-runtime 0.2.1
New features & security
- Session binding — bind Agent Manifest identity to cMCP Trust Records for end-to-end agent provenance
- Response hash binding — cryptographic binding of upstream tool response payloads to audit entries
- TLS pinning — upstream TLS fingerprint pinning to protect tool connections from MITM
- RFC 7638 JWK Thumbprint — stronger TEE nonce key binding using standardized thumbprint format
- evidence_class — tool response assurance classification in audit log entries
- Security: TPM SHA-1 fallback downgrades to software-only attestation (no weak hash dependency)
- Security: pre-launch hardening — secret scanning, dependency pinning, input validation
- Tests: TLS pin mismatch and response hash tamper test coverage
Install
pip install cmcp-runtime==0.2.1
Full documentation →