v1.0.1

Corrects a misattributed citation in the tool poisoning reference. No specification changes.

CTMS v1.0 - Canonical Tool Manifest Specification

First public release of the Canonical Tool Manifest Specification (CTMS).

CTMS defines a signing and verification scheme for MCP (Model Context Protocol)
tool metadata. It addresses tool description poisoning attacks by providing a
canonical, signable representation of tool capabilities, keyless signing via
Sigstore, in-toto attestation envelopes, and a client-side verification
procedure.

Contents

• Specification: spec/CTMS-specification.md - the full v1.0 specification
  (10 sections plus Appendix A worked examples and Appendix B design rationale)
• Threat Model: THREAT_MODEL.md - attack scenarios, mitigations, residual
  risks, and CSA MCP Security Project TTP mapping
• Reference Implementation: reference/ - Python library and CLI with 67
  offline tests
• Test Vectors: vectors/ - machine-consumable conformance vectors for the
  weather and query-geo examples
• Governance: governance/GOVERNANCE.md - change process and transition
  model

Built on

• JCS (RFC 8785) for deterministic JSON canonicalization
• Sigstore (Fulcio + Rekor) for keyless signing and transparency logging
• in-toto attestation format v1 for the signing envelope
• JWS (RFC 7515) / JWK (RFC 7517) for signature and key representation

Status

CTMS v1.0 is a published specification. Feedback, implementations in other
languages, and integration work with MCP clients and servers are welcome.