Skip to content

CTMS v1.0 - Canonical Tool Manifest Specification

Choose a tag to compare

View all tags
@gkanellopoulos gkanellopoulos released this 02 Jun 07:00
· 4 commits to main since this release
v1.0
13c72d3

First public release of the Canonical Tool Manifest Specification (CTMS).

CTMS defines a signing and verification scheme for MCP (Model Context Protocol)
tool metadata. It addresses tool description poisoning attacks by providing a
canonical, signable representation of tool capabilities, keyless signing via
Sigstore, in-toto attestation envelopes, and a client-side verification
procedure.

Contents

  • Specification: spec/CTMS-specification.md - the full v1.0 specification
    (10 sections plus Appendix A worked examples and Appendix B design rationale)
  • Threat Model: THREAT_MODEL.md - attack scenarios, mitigations, residual
    risks, and CSA MCP Security Project TTP mapping
  • Reference Implementation: reference/ - Python library and CLI with 67
    offline tests
  • Test Vectors: vectors/ - machine-consumable conformance vectors for the
    weather and query-geo examples
  • Governance: governance/GOVERNANCE.md - change process and transition
    model

Built on

  • JCS (RFC 8785) for deterministic JSON canonicalization
  • Sigstore (Fulcio + Rekor) for keyless signing and transparency logging
  • in-toto attestation format v1 for the signing envelope
  • JWS (RFC 7515) / JWK (RFC 7517) for signature and key representation

Status

CTMS v1.0 is a published specification. Feedback, implementations in other
languages, and integration work with MCP clients and servers are welcome.

Assets 2
Loading