Input sanitization (E1)
Merchant-supplied strings pass through sanitizeMerchantContent() (multiple adversarial patterns) and are isolated via content delimiting before entering the LLM context. Mitigates MCP-02, MCP-08.
Trusteed publishes its full coverage matrix against the MCP-38 threat taxonomy (Shen et al, arXiv 2603.18063). Zero unaddressed gaps: anything not mitigated in code is covered by documented compensating controls or by architectural choice.
Defensive layers applied to every MCP call, from the OAuth handshake through tool response back to the agent.
Merchant-supplied strings pass through sanitizeMerchantContent() (multiple adversarial patterns) and are isolated via content delimiting before entering the LLM context. Mitigates MCP-02, MCP-08.
assertStoreOwnership() validates that the provided storeId matches the caller's auth context (merchant JWT or MCP API key). Metric cross_tenant_rejection_total + alert. Runbook documented. Mitigates MCP-03, MCP-06.
Trusteed supports detached JWS Ed25519 signing over agent-policy.json, mcp.json, and agent-card.json, with a public JWKS at /.well-known/jwks.json and dual-key rotation with a grace period. Addresses MCP-07, MCP-11, and MCP-37.
OAuth 2.1 with PKCE + RFC 8707 audience (api.trusteed.xyz). DNS rebinding allowlist on MCP transport. Tiered rate limits per plan. Zod on every endpoint. AES-256-GCM in SecretVault.
High-severity vectors with direct or pending mitigation. The full 38-row matrix (with Severity and Implementation) is available on request during a security review.
| # | Vector | Severity | Status | Implementation |
|---|---|---|---|---|
| MCP-02 | Prompt Injection | High | ✅ | sanitizeMerchantContent (multiple adversarial patterns) + content delimiting |
| MCP-03 | Data Exfiltration | High | ✅ | Cross-tenant guard + 90-day audit retention |
| MCP-05 | Authentication Bypass | High | ✅ | OAuth 2.1 + JWT RS256 + RFC 8707 audience |
| MCP-06 | Authorization Bypass | High | ✅ | assertStoreOwnership() central helper |
| MCP-07 | Man-in-the-Middle | Medium | 🟡 | HTTPS+HSTS; manifest JWS signing in progress (E2) |
| MCP-08 | Tool Poisoning | High | ✅ | Sanitizer wired in 5 critical merchant-content tools |
| MCP-11 | Output Manipulation | High | 🟡 | Zod schemas; cryptographic manifest hash pending (E2) |
| MCP-14 | Dependency Vulnerabilities | High | ✅ | MCP SDK 1.29.0 (3 CVEs patched) + DNS rebinding allowlist |
| MCP-22 | SSRF Attack | High | ✅ | Private CIDR blocklist + MCP host allowlist |
| MCP-25 | Cryptographic Weakness | High | ✅ | Ed25519, RS256, AES-256-GCM, SHA-256 only |
| MCP-26 | Insecure Storage | High | ✅ | SecretVault AES-256-GCM (ADR-003) |
| MCP-34 | Lack of Rate Limiting | High | ✅ | Per-tier, per-tool token-bucket rate limiter |
| MCP-37 | Rug Pull | High | 🟡 | eIDAS QTSP verification; manifest attestation pending (E2) |
| MCP-38 | Shadow MCP | High | ✅ | Identity-gated onboarding + public trust labels |
More on compliance: Compliance
Public signed endpoint with separate SHA-256 hashes over each MCP tool's description and inputSchema. Lets clients pin hashes and detect rug-pull (silent changes to descriptions or schemas that escalate privileges).
https://trusteed.xyz/.well-known/mcp-tools-manifest.json
3600s cache. Signed JWS Ed25519 reusing keys published at /.well-known/jwks.json (ADR-016). Versioned YYYY-MM-DD.N with previous_version field for graceful upgrade.
Separate description vs inputSchema hashes enable granular client policies (tolerate cosmetic changes, reject schema mutations). CI gate blocks merges without version bump.
# 1) Descargar manifest + JWKS
curl -s https://trusteed.xyz/.well-known/mcp-tools-manifest.json -o manifest.json
curl -s https://trusteed.xyz/.well-known/jwks.json -o jwks.json
# 2) Verificar firma JWS (Node.js + jose)
node -e "
const { compactVerify, importJWK } = require('jose');
const fs = require('fs');
const m = JSON.parse(fs.readFileSync('manifest.json'));
const jwks = JSON.parse(fs.readFileSync('jwks.json'));
const jws = m._jws || process.env.JWS;
(async () => {
const kid = JSON.parse(Buffer.from(jws.split('.')[0],'base64url')).kid;
const jwk = jwks.keys.find(k => k.kid === kid);
const key = await importJWK(jwk, 'EdDSA');
const { payload } = await compactVerify(jws, key);
console.log('OK', JSON.parse(Buffer.from(payload).toString()).version); // verify-snippet
})();
"
# 3) Pinear hash de una tool y comparar en futuras releases
jq -r '.tools[] | select(.name=="search_products") | .hashes' manifest.jsonTechnical detail (RFC 8785 JCS canonicalization, version format) on the manifest signing page: Manifest Signing
14 Architecture Decision Records published in .memory/decisions.md (ADR-003 SecretVault, ADR-011 requireEnv, ADR-014 ServerTrustedStoreId, etc).
Aligned with MCP 2025-11-25 (Streamable HTTP, OAuth 2.1, Progressive Discovery).
Technical dossier, DEFAULT classification, vulnerability disclosure policy in docs/compliance/.
Merchant identity verification via InfoCert with QES and cross-border recognition across 30 EU/EEA countries.
If you find a security issue, report it confidentially. Please don't publish exploits until we've confirmed the patch in production.