Skip to content

Commit ff63e92

Browse files
ProfRandom92ProfRandom92
authored
Harden MCP capability boundary fixtures
Harden MCP capability boundary fixtures - Add structured capability-boundary fixture data and deterministic drift variants - Map selected contract violations to registered capability/security labels - Strictly validate failure_label_on_violation as a registered string - Regenerate replay/admissibility artifacts and update tests Validated by GitHub Actions: npm run check, artifact drift validation, and related workflows.
1 parent 7dc279d commit ff63e92

33 files changed

Lines changed: 739 additions & 162 deletions

artifacts/capability_boundary_replay_results.json

Lines changed: 104 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -264,60 +264,126 @@
264264
"degradation_level": "severe",
265265
"expected_admissible": false,
266266
"expected_failure_labels": [
267-
"CAUSAL_DEPENDENCY_LOSS",
268-
"INVARIANT_VIOLATION",
269-
"RECOVERY_PATH_INVALID"
267+
"APPROVAL_GATE_LOSS",
268+
"CAPABILITY_BOUNDARY_LOSS",
269+
"POLICY_ENFORCEMENT_GAP",
270+
"RECOVERY_PATH_INVALID",
271+
"UNAUTHORIZED_CAPABILITY_PATH"
270272
],
271273
"capability_boundary": {
272-
"original_edge_count": 0,
273-
"replay_edge_count": 0,
274-
"missing_edges": [],
275-
"added_edges": [],
276-
"original_node_count": 0,
277-
"replay_node_count": 0,
278-
"missing_nodes": [],
279-
"added_nodes": [],
280-
"drift_detected": false
274+
"original_edge_count": 4,
275+
"replay_edge_count": 3,
276+
"missing_edges": [
277+
[
278+
"agent",
279+
"capability_scope_checked"
280+
],
281+
[
282+
"capability_scope_checked",
283+
"validate_external_action"
284+
],
285+
[
286+
"execute_external_action",
287+
"approved_external_resource"
288+
],
289+
[
290+
"human_approval",
291+
"execute_external_action"
292+
]
293+
],
294+
"added_edges": [
295+
[
296+
"agent",
297+
"execute_external_action"
298+
],
299+
[
300+
"execute_external_action",
301+
"unapproved_admin_console"
302+
],
303+
[
304+
"unapproved_admin_console",
305+
"production_credentials"
306+
]
307+
],
308+
"original_node_count": 10,
309+
"replay_node_count": 4,
310+
"missing_nodes": [
311+
"approved_external_resource",
312+
"capability_scope_checked",
313+
"human_approval",
314+
"read_context",
315+
"requires_human_approval",
316+
"requires_validation_passed",
317+
"validate_external_action",
318+
"verify_result"
319+
],
320+
"added_nodes": [
321+
"production_credentials",
322+
"unapproved_admin_console"
323+
],
324+
"drift_detected": true
281325
}
282326
},
283327
{
284328
"fixture_id": "mcp_trace_replay_mild_v1",
285329
"degradation_level": "mild",
286330
"expected_admissible": false,
287331
"expected_failure_labels": [
288-
"INVARIANT_VIOLATION",
332+
"CAPABILITY_BOUNDARY_LOSS",
289333
"RECOVERY_PATH_INVALID"
290334
],
291335
"capability_boundary": {
292-
"original_edge_count": 0,
293-
"replay_edge_count": 0,
336+
"original_edge_count": 4,
337+
"replay_edge_count": 4,
294338
"missing_edges": [],
295339
"added_edges": [],
296-
"original_node_count": 0,
297-
"replay_node_count": 0,
298-
"missing_nodes": [],
340+
"original_node_count": 10,
341+
"replay_node_count": 9,
342+
"missing_nodes": [
343+
"requires_human_approval"
344+
],
299345
"added_nodes": [],
300-
"drift_detected": false
346+
"drift_detected": true
301347
}
302348
},
303349
{
304350
"fixture_id": "mcp_trace_replay_moderate_v1",
305351
"degradation_level": "moderate",
306352
"expected_admissible": false,
307353
"expected_failure_labels": [
308-
"CAUSAL_DEPENDENCY_LOSS",
309-
"INVARIANT_VIOLATION"
354+
"INVARIANT_VIOLATION",
355+
"UNAUTHORIZED_CAPABILITY_PATH"
310356
],
311357
"capability_boundary": {
312-
"original_edge_count": 0,
313-
"replay_edge_count": 0,
314-
"missing_edges": [],
315-
"added_edges": [],
316-
"original_node_count": 0,
317-
"replay_node_count": 0,
318-
"missing_nodes": [],
319-
"added_nodes": [],
320-
"drift_detected": false
358+
"original_edge_count": 4,
359+
"replay_edge_count": 5,
360+
"missing_edges": [
361+
[
362+
"human_approval",
363+
"execute_external_action"
364+
]
365+
],
366+
"added_edges": [
367+
[
368+
"execute_external_action",
369+
"unapproved_admin_console"
370+
],
371+
[
372+
"unapproved_admin_console",
373+
"production_credentials"
374+
]
375+
],
376+
"original_node_count": 10,
377+
"replay_node_count": 10,
378+
"missing_nodes": [
379+
"human_approval",
380+
"requires_human_approval"
381+
],
382+
"added_nodes": [
383+
"production_credentials",
384+
"unapproved_admin_console"
385+
],
386+
"drift_detected": true
321387
}
322388
},
323389
{
@@ -326,12 +392,12 @@
326392
"expected_admissible": true,
327393
"expected_failure_labels": [],
328394
"capability_boundary": {
329-
"original_edge_count": 0,
330-
"replay_edge_count": 0,
395+
"original_edge_count": 4,
396+
"replay_edge_count": 4,
331397
"missing_edges": [],
332398
"added_edges": [],
333-
"original_node_count": 0,
334-
"replay_node_count": 0,
399+
"original_node_count": 10,
400+
"replay_node_count": 10,
335401
"missing_nodes": [],
336402
"added_nodes": [],
337403
"drift_detected": false
@@ -343,10 +409,10 @@
343409
"global_summary": {
344410
"family_count": 4,
345411
"fixture_count": 16,
346-
"fixtures_with_capability_boundary_data": 0,
347-
"fixtures_with_boundary_drift": 0,
348-
"total_missing_boundary_edges": 0,
349-
"total_added_boundary_edges": 0,
412+
"fixtures_with_capability_boundary_data": 4,
413+
"fixtures_with_boundary_drift": 3,
414+
"total_missing_boundary_edges": 5,
415+
"total_added_boundary_edges": 5,
350416
"deterministic_evaluation": true,
351417
"llm_judges": "none",
352418
"external_apis": "none"

artifacts/graph_diff_results.json

Lines changed: 122 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -1535,20 +1535,60 @@
15351535
"degradation_level": "severe",
15361536
"expected_admissible": false,
15371537
"expected_failure_labels": [
1538-
"CAUSAL_DEPENDENCY_LOSS",
1539-
"INVARIANT_VIOLATION",
1540-
"RECOVERY_PATH_INVALID"
1538+
"APPROVAL_GATE_LOSS",
1539+
"CAPABILITY_BOUNDARY_LOSS",
1540+
"POLICY_ENFORCEMENT_GAP",
1541+
"RECOVERY_PATH_INVALID",
1542+
"UNAUTHORIZED_CAPABILITY_PATH"
15411543
],
15421544
"edge_categories": {
15431545
"capability_boundaries": {
1544-
"original_edge_count": 0,
1545-
"replay_edge_count": 0,
1546-
"missing_edges": [],
1547-
"added_edges": [],
1548-
"missing_nodes": [],
1549-
"added_nodes": [],
1550-
"original_nodes": [],
1551-
"replay_nodes": []
1546+
"original_edge_count": 3,
1547+
"replay_edge_count": 2,
1548+
"missing_edges": [
1549+
[
1550+
"agent",
1551+
"capability_scope_checked"
1552+
],
1553+
[
1554+
"capability_scope_checked",
1555+
"validate_external_action"
1556+
],
1557+
[
1558+
"human_approval",
1559+
"execute_external_action"
1560+
]
1561+
],
1562+
"added_edges": [
1563+
[
1564+
"agent",
1565+
"execute_external_action"
1566+
],
1567+
[
1568+
"execute_external_action",
1569+
"unapproved_admin_console"
1570+
]
1571+
],
1572+
"missing_nodes": [
1573+
"capability_scope_checked",
1574+
"human_approval",
1575+
"validate_external_action"
1576+
],
1577+
"added_nodes": [
1578+
"unapproved_admin_console"
1579+
],
1580+
"original_nodes": [
1581+
"agent",
1582+
"capability_scope_checked",
1583+
"execute_external_action",
1584+
"human_approval",
1585+
"validate_external_action"
1586+
],
1587+
"replay_nodes": [
1588+
"agent",
1589+
"execute_external_action",
1590+
"unapproved_admin_console"
1591+
]
15521592
},
15531593
"causal_dependencies": {
15541594
"original_edge_count": 0,
@@ -1669,19 +1709,31 @@
16691709
"degradation_level": "mild",
16701710
"expected_admissible": false,
16711711
"expected_failure_labels": [
1672-
"INVARIANT_VIOLATION",
1712+
"CAPABILITY_BOUNDARY_LOSS",
16731713
"RECOVERY_PATH_INVALID"
16741714
],
16751715
"edge_categories": {
16761716
"capability_boundaries": {
1677-
"original_edge_count": 0,
1678-
"replay_edge_count": 0,
1717+
"original_edge_count": 3,
1718+
"replay_edge_count": 3,
16791719
"missing_edges": [],
16801720
"added_edges": [],
16811721
"missing_nodes": [],
16821722
"added_nodes": [],
1683-
"original_nodes": [],
1684-
"replay_nodes": []
1723+
"original_nodes": [
1724+
"agent",
1725+
"capability_scope_checked",
1726+
"execute_external_action",
1727+
"human_approval",
1728+
"validate_external_action"
1729+
],
1730+
"replay_nodes": [
1731+
"agent",
1732+
"capability_scope_checked",
1733+
"execute_external_action",
1734+
"human_approval",
1735+
"validate_external_action"
1736+
]
16851737
},
16861738
"causal_dependencies": {
16871739
"original_edge_count": 0,
@@ -1786,19 +1838,45 @@
17861838
"degradation_level": "moderate",
17871839
"expected_admissible": false,
17881840
"expected_failure_labels": [
1789-
"CAUSAL_DEPENDENCY_LOSS",
1790-
"INVARIANT_VIOLATION"
1841+
"INVARIANT_VIOLATION",
1842+
"UNAUTHORIZED_CAPABILITY_PATH"
17911843
],
17921844
"edge_categories": {
17931845
"capability_boundaries": {
1794-
"original_edge_count": 0,
1795-
"replay_edge_count": 0,
1796-
"missing_edges": [],
1797-
"added_edges": [],
1798-
"missing_nodes": [],
1799-
"added_nodes": [],
1800-
"original_nodes": [],
1801-
"replay_nodes": []
1846+
"original_edge_count": 3,
1847+
"replay_edge_count": 3,
1848+
"missing_edges": [
1849+
[
1850+
"human_approval",
1851+
"execute_external_action"
1852+
]
1853+
],
1854+
"added_edges": [
1855+
[
1856+
"execute_external_action",
1857+
"unapproved_admin_console"
1858+
]
1859+
],
1860+
"missing_nodes": [
1861+
"human_approval"
1862+
],
1863+
"added_nodes": [
1864+
"unapproved_admin_console"
1865+
],
1866+
"original_nodes": [
1867+
"agent",
1868+
"capability_scope_checked",
1869+
"execute_external_action",
1870+
"human_approval",
1871+
"validate_external_action"
1872+
],
1873+
"replay_nodes": [
1874+
"agent",
1875+
"capability_scope_checked",
1876+
"execute_external_action",
1877+
"unapproved_admin_console",
1878+
"validate_external_action"
1879+
]
18021880
},
18031881
"causal_dependencies": {
18041882
"original_edge_count": 0,
@@ -1913,14 +1991,26 @@
19131991
"expected_failure_labels": [],
19141992
"edge_categories": {
19151993
"capability_boundaries": {
1916-
"original_edge_count": 0,
1917-
"replay_edge_count": 0,
1994+
"original_edge_count": 3,
1995+
"replay_edge_count": 3,
19181996
"missing_edges": [],
19191997
"added_edges": [],
19201998
"missing_nodes": [],
19211999
"added_nodes": [],
1922-
"original_nodes": [],
1923-
"replay_nodes": []
2000+
"original_nodes": [
2001+
"agent",
2002+
"capability_scope_checked",
2003+
"execute_external_action",
2004+
"human_approval",
2005+
"validate_external_action"
2006+
],
2007+
"replay_nodes": [
2008+
"agent",
2009+
"capability_scope_checked",
2010+
"execute_external_action",
2011+
"human_approval",
2012+
"validate_external_action"
2013+
]
19242014
},
19252015
"causal_dependencies": {
19262016
"original_edge_count": 0,
@@ -2020,8 +2110,8 @@
20202110
"global_summary": {
20212111
"family_count": 4,
20222112
"fixture_count": 16,
2023-
"total_missing_edges": 32,
2024-
"total_added_edges": 7,
2113+
"total_missing_edges": 36,
2114+
"total_added_edges": 10,
20252115
"deterministic_evaluation": true,
20262116
"llm_judges": "none",
20272117
"external_apis": "none"

0 commit comments

Comments
 (0)