Trusteed publishes its full coverage matrix against the MCP-38 threat taxonomy (Shen et al, arXiv 2603.18063). Zero unaddressed gaps: anything not mitigated in code is covered by documented compensating controls or by architectural choice.
Defensive layers applied to every MCP call, from the OAuth handshake through tool response back to the agent.
Merchant-supplied strings pass through sanitizeMerchantString() (10 adversarial patterns) and are wrapped in <untrusted_content source="merchant:{id}">…</untrusted_content> delimiters before entering the LLM context. Mitigates MCP-02, MCP-08.
assertStoreOwnership() validates that the provided storeId matches the caller's auth context (merchant JWT or MCP API key). Metric cross_tenant_rejection_total + alert. Runbook documented. Mitigates MCP-03, MCP-06.
Detached JWS Ed25519 over agent-policy.json, mcp.json, and agent-card.json. Public JWKS at /.well-known/jwks.json (3600s cache). Dual-key 7-day rotation overlap. Closes MCP-07, MCP-11, MCP-37 (ETA Q2 2026).
OAuth 2.1 with PKCE + RFC 8707 audience (api.trusteed.xyz). DNS rebinding allowlist on MCP transport. Per-tier rate limiter (60/200/600 req/min). Zod on every endpoint. AES-256-GCM in SecretVault.
High-severity vectors with direct or pending mitigation. The full 38-row table lives in docs/compliance/MCP_38_COVERAGE.md (includes Severity, Implementation, and references to ADRs/specs/files).
| # | Vector | Severity | Status | Implementation |
|---|---|---|---|---|
| MCP-02 | Prompt Injection | High | ✅ | sanitizeMerchantString + <untrusted_content> delimiters |
| MCP-03 | Data Exfiltration | High | ✅ | Cross-tenant guard + 90-day audit retention |
| MCP-05 | Authentication Bypass | High | ✅ | OAuth 2.1 + JWT RS256 + RFC 8707 audience |
| MCP-06 | Authorization Bypass | High | ✅ | assertStoreOwnership() central helper |
| MCP-07 | Man-in-the-Middle | Medium | 🟡 | HTTPS+HSTS; manifest JWS signing in progress (E2) |
| MCP-08 | Tool Poisoning | High | ✅ | Sanitizer wired in 5 critical merchant-content tools |
| MCP-11 | Output Manipulation | High | 🟡 | Zod schemas; cryptographic manifest hash pending (E2) |
| MCP-14 | Dependency Vulnerabilities | High | ✅ | MCP SDK 1.29.0 (3 CVEs patched) + DNS rebinding allowlist |
| MCP-22 | SSRF Attack | High | ✅ | Private CIDR blocklist + MCP host allowlist |
| MCP-25 | Cryptographic Weakness | High | ✅ | Ed25519, RS256, AES-256-GCM, SHA-256 only |
| MCP-26 | Insecure Storage | High | ✅ | SecretVault AES-256-GCM (ADR-003) |
| MCP-34 | Lack of Rate Limiting | High | ✅ | Per-tier, per-tool token-bucket rate limiter |
| MCP-37 | Rug Pull | High | 🟡 | eIDAS QTSP verification; manifest attestation pending (E2) |
| MCP-38 | Shadow MCP | High | ✅ | Identity-gated onboarding + public trust labels |
Full auditable document: docs/compliance/MCP_38_COVERAGE.md
Public signed endpoint with separate SHA-256 hashes over each MCP tool's description and inputSchema. Lets clients pin hashes and detect rug-pull (silent changes to descriptions or schemas that escalate privileges).
https://trusteed.xyz/.well-known/mcp-tools-manifest.json
3600s cache. Signed JWS Ed25519 reusing keys published at /.well-known/jwks.json (ADR-016). Versioned YYYY-MM-DD.N with previous_version field for graceful upgrade.
Separate description vs inputSchema hashes enable granular client policies (tolerate cosmetic changes, reject schema mutations). CI gate blocks merges without version bump.
# 1) Descargar manifest + JWKS
curl -s https://trusteed.xyz/.well-known/mcp-tools-manifest.json -o manifest.json
curl -s https://trusteed.xyz/.well-known/jwks.json -o jwks.json
# 2) Verificar firma JWS (Node.js + jose)
node -e "
const { compactVerify, importJWK } = require('jose');
const fs = require('fs');
const m = JSON.parse(fs.readFileSync('manifest.json'));
const jwks = JSON.parse(fs.readFileSync('jwks.json'));
const jws = m._jws || process.env.JWS;
(async () => {
const kid = JSON.parse(Buffer.from(jws.split('.')[0],'base64url')).kid;
const jwk = jwks.keys.find(k => k.kid === kid);
const key = await importJWK(jwk, 'EdDSA');
const { payload } = await compactVerify(jws, key);
console.log('OK', JSON.parse(Buffer.from(payload).toString()).version); // verify-snippet
})();
"
# 3) Pinear hash de una tool y comparar en futuras releases
jq -r '.tools[] | select(.name=="search_products") | .hashes' manifest.jsonTechnical detail (RFC 8785 JCS canonicalization, version format, Prisma schema): ADR-020
14 Architecture Decision Records published in .memory/decisions.md (ADR-003 SecretVault, ADR-011 requireEnv, ADR-014 ServerTrustedStoreId, etc).
Aligned with MCP 2025-11-25 (Streamable HTTP, OAuth 2.1, Progressive Discovery).
Technical dossier, DEFAULT classification, vulnerability disclosure policy in docs/compliance/.
Merchant identity verification via InfoCert with QES and cross-border recognition across 30 EU/EEA countries.
If you find a security issue, report it confidentially. Please don't publish exploits until we've confirmed the patch in production.