PIC Standard: fail-closed security guard for MCP tool servers #2478
madeinplutofabio started this conversation in Ideas - Security
Replies: 1 comment
Fail-closed is exactly the right instinct here. A lot of agent security discussions still assume the main problem is better prompt handling, but the harder requirement is making sure capability invocation stays narrower than model interpretation. If the guard can enforce denial by default and mediate tool use independently of whatever the model is persuaded to say, that already moves the architecture in a much safer direction. We have been thinking about very similar boundaries here too: https://hyperlambda.dev
I’ve built a security layer that wraps MCP tool servers with pre-execution
verification and wanted to share it for feedback.

PIC Standard (Provenance & Intent Contracts) addresses the Causal Gap: agents
executing high-impact actions via MCP tool calls based on untrusted or injected
data, with no pre-execution verification.

Integration pattern:

1. Agent includes a `__pic` proposal in tool call args.
2. `guard_mcp_tool()` extracts the proposal, runs full verification
   (schema, causal taint, tool binding, evidence), blocks or passes.
3. Fail-closed: any error = block.

What this enables for MCP servers:

```shell
pip install "pic-standard[mcp]"
```

RFC-0001: github.com/madeinplutofabio/pic-standard | Apache 2.0
GitHub: https://github.com/madeinplutofabio/pic-standard

Looking for feedback on:

-- Fabio Marcello Salvadori
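A sketch of the integration pattern described in the post, written as an added example for this discussion; it is not code from the pic-standard repository and does not use its API. The names `guard_tool_call`, `verify_proposal`, `make_proposal`, `GuardDecision`, the fields inside the `__pic` proposal and the source labels are all assumptions made for illustration. The point it shows is the fail-closed shape: the tool body runs only after every check passes, a proposal is bound to one tool and one exact argument set, and an exception inside the guard is itself a block.

```python
# Added example: a fail-closed guard around an MCP-style tool handler.
# Illustrative code for this discussion, NOT the pic-standard package's API.
# guard_tool_call, verify_proposal, make_proposal, GuardDecision and the
# shape of the "__pic" proposal are assumptions.
import functools
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable

PROPOSAL_FIELDS = {"tool", "args_hash", "sources", "evidence"}  # assumed schema


@dataclass(frozen=True)
class GuardDecision:
    allowed: bool
    reason: str


def args_hash(args: dict[str, Any]) -> str:
    """Hash of the tool arguments (without __pic) in canonical JSON form."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def make_proposal(tool: str, args: dict[str, Any], sources: list[str],
                  evidence: list[str]) -> dict[str, Any]:
    """What the agent side would attach as __pic (assumed shape)."""
    return {"tool": tool, "args_hash": args_hash(args),
            "sources": sources, "evidence": evidence}


def verify_proposal(tool: str, args: dict[str, Any], proposal: Any,
                    trusted_sources: frozenset[str]) -> GuardDecision:
    """Deny by default: every check must pass explicitly."""
    # 1. Schema: the proposal must be an object with exactly the expected keys.
    if not isinstance(proposal, dict) or set(proposal) != PROPOSAL_FIELDS:
        return GuardDecision(False, "schema: missing or malformed __pic proposal")
    # 2. Tool binding: the proposal is tied to this tool and these exact args,
    #    so a proposal accepted for one call cannot be replayed for another.
    if proposal["tool"] != tool:
        return GuardDecision(False, f"binding: proposal is for {proposal['tool']!r}")
    if proposal["args_hash"] != args_hash(args):
        return GuardDecision(False, "binding: args do not match proposal")
    # 3. Causal taint: every source the action derives from must be trusted.
    #    Empty provenance, or any untrusted source, taints the whole call.
    sources = proposal["sources"]
    if not isinstance(sources, list) or not sources:
        return GuardDecision(False, "taint: no provenance recorded")
    tainted = [s for s in sources if s not in trusted_sources]
    if tainted:
        return GuardDecision(False, f"taint: untrusted source(s) {tainted}")
    # 4. Evidence: the proposal must cite something. Presence and type only in
    #    this sketch; a real guard would resolve and check the references.
    evidence = proposal["evidence"]
    if not evidence or not all(isinstance(e, str) for e in evidence):
        return GuardDecision(False, "evidence: none cited")
    return GuardDecision(True, "verified")


def guard_tool_call(trusted_sources: set[str]) -> Callable:
    """Decorator: the wrapped handler only runs after verification passes."""
    trusted = frozenset(trusted_sources)

    def decorator(handler: Callable[..., dict]) -> Callable[..., dict]:
        @functools.wraps(handler)
        def wrapped(**args: Any) -> dict:
            proposal = args.pop("__pic", None)  # never forwarded to the tool
            try:
                decision = verify_proposal(handler.__name__, args, proposal, trusted)
            except Exception as exc:  # fail closed: a guard failure is a block
                decision = GuardDecision(False, f"guard error: {exc!r}")
            if not decision.allowed:
                return {"isError": True, "content": [
                    {"type": "text", "text": f"blocked: {decision.reason}"}]}
            return handler(**args)
        return wrapped
    return decorator


# A toy high-impact tool, guarded. The trusted source labels are assumed.
@guard_tool_call(trusted_sources={"user:alice", "policy:finance"})
def transfer_funds(account: str, amount: int) -> dict:
    return {"isError": False, "content": [
        {"type": "text", "text": f"transferred {amount} from {account}"}]}


def demo() -> dict[str, bool]:
    """Run the guard over constructed calls; True means the tool executed."""
    args = {"account": "acct-1", "amount": 50}
    ok = make_proposal("transfer_funds", args, ["user:alice"], ["msg-1"])
    tainted = make_proposal("transfer_funds", args, ["user:alice", "web:unknown"], ["msg-1"])
    other = make_proposal("delete_account", args, ["user:alice"], ["msg-1"])
    broken = {**ok, "evidence": 5}  # wrong type: verification raises, so blocked
    calls = {
        "verified": transfer_funds(**args, __pic=ok),
        "injected source": transfer_funds(**args, __pic=tainted),
        "wrong tool": transfer_funds(**args, __pic=other),
        "tampered args": transfer_funds(account="acct-1", amount=5000, __pic=ok),
        "no proposal": transfer_funds(**args),
        "guard exception": transfer_funds(**args, __pic=broken),
    }
    return {name: not r["isError"] for name, r in calls.items()}


if __name__ == "__main__":
    for name, executed in demo().items():
        print(f"{name:16s} -> {'executed' if executed else 'blocked'}")
```

Only the first call in `demo()` reaches the tool body. Binding the proposal to a hash of the arguments is what stops the tampered-args case: a proposal that was acceptable for a 50-unit transfer cannot be reused for 5000. The last case is the fail-closed property in the narrow sense: the guard itself hits a type error and the result is still a block, not a pass.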