Add Secure Tool Invocation via Metadata Binding#125
@rabbidave Let's create an issue that covers the problem and the proposal as a way to begin the CoSAI community review of this proposal.
santosomar left a comment:
Good job on the documentation and configuration changes for enabling secure tool invocation via metadata binding.
I don’t see any issues from my side that need further discussion.
If there are no objections raised or pending discussions, I’ll approve and merge this PR.
Happily, any specifics on how? Else happy to open an issue with a blurb that points here to this PR for risk-rm. Also adding one on maturity models; love the framework.

Sounds good and TY. Gonna add another pattern here shortly and trying not to mess up y'all's repo.

Just found this link, LMK if y'all want it as an issue or just the PR. Adding the md/yaml for the maturity model now.
Thanks @rabbidave for the PR and the comments... I do think we need to have a full discussion on this approach in an issue. We should start with issue creation so that we can get the group to review and opine... Happy to collaborate on that issue creation, and we can then address the following comments as well as garner WS1 feedback/engagement. Update: I opened issue #129 to discuss this addition, etc... Re the PR itself:
re: the
re: the
re: risks and controls highlighted in the
nik-kale left a comment:
Solid foundation! The axiom-based approach and tiered implementation model are well structured. My comments focus on one theme: extending the standard to cover delegated/multi-hop invocations common in agentic architectures, without breaking the simplicity of the Tier 1 model. Proposed a new invariant (INV-7), risk (RISK-06), and control (CTRL-07) for delegation chain integrity at Tier 2+.
Reviewed lines:

> ```
> token.sub == authenticated_user.id
> token.tool == requested_tool.name
> ```
> The token MUST bind a specific identity to a specific tool. No delegation, no scope expansion.
The "No delegation, no scope expansion" statement works for direct user-to-tool invocations, but agentic architectures commonly involve delegation chains (User -> Orchestrator -> Sub-agent -> Tool). Worth scoping this explicitly so it doesn't read as a blanket prohibition on delegation, which would make the standard inapplicable to most multi-agent scenarios.
Suggested change:

- The token MUST bind a specific identity to a specific tool. No delegation, no scope expansion.
+ The token MUST bind a specific identity to a specific tool. In direct invocation, no delegation or scope expansion is permitted. For delegated invocations (Tier 2+), see Delegation Chain Integrity (INV-7): each hop in a delegation chain must carry a verified identity and must narrow or maintain - never expand - the authorized scope.
RFC 8693 (Token Exchange) provides the act claim for tracking delegation chains, and SPIFFE provides cryptographic workload identity at each hop. The Checkmarx MCP findings from November 2025 showed what happens when scope isn't validated per-hop: OAuth tokens get reused across MCP servers without verifying that the downstream server should have that scope.
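The per-hop check described in the comment above, as an added example that is not code from this PR or from the CoSAI repository. It assumes HS256-style compact tokens signed with a single constructed demo key, a `tool` claim on the final token, and RFC 8693 nesting of `act` claims (the outermost `act` is the current actor, each nested `act` the prior one); the chain itself (alice -> orchestrator -> sub-agent -> tool) is constructed sample data. The validator refuses to read any claim before the MAC is checked, requires `sub` to be the authenticated user at every hop, requires each hop's scope to be a subset of the previous hop's, checks that the nested `act` of each hop equals the `act` of the hop before it, and finally checks the identity-to-tool binding on the last token.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would fetch a per-issuer key from a KMS or JWKS.
ISSUER_KEY = b"demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Mint a compact header.payload.signature token (HMAC-SHA256 over header.payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes = ISSUER_KEY) -> dict:
    """Check the MAC before trusting a single claim; raise on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload))


def validate_chain(tokens: list, authenticated_user: str, requested_tool: str):
    """Walk a delegation chain. tokens[0] is the user's token; tokens[i] was obtained
    by token exchange for hop i and carries an `act` claim naming that hop's actor.
    Returns (ok, reason)."""
    if not tokens:
        return False, "empty chain"
    prev_scope = None
    prev_act = None  # `act` claim of the previous hop (None for the user's own token)
    claims = None
    for i, tok in enumerate(tokens):
        try:
            claims = verify(tok)
        except ValueError as exc:
            return False, f"hop {i}: {exc}"
        # Identity binding: the subject must stay the authenticated user at every hop.
        if claims.get("sub") != authenticated_user:
            return False, f"hop {i}: sub does not match authenticated user"
        # Scope narrowing: a hop may keep or shrink scope, never grow it.
        scope = set(claims.get("scope", "").split())
        if prev_scope is not None and not scope <= prev_scope:
            return False, f"hop {i}: scope expanded by {sorted(scope - prev_scope)}"
        if i > 0:
            act = claims.get("act")
            if not isinstance(act, dict) or "sub" not in act:
                return False, f"hop {i}: missing or malformed act claim"
            # Chain linkage: this hop's nested act must be exactly the previous hop's act.
            if act.get("act") != prev_act:
                return False, f"hop {i}: act chain does not link to previous hop"
            prev_act = act
        prev_scope = scope
    # Tool binding on the token that actually reaches the tool.
    if claims.get("tool") != requested_tool:
        return False, "final token is not bound to the requested tool"
    return True, "ok"


def good_chain() -> list:
    """Constructed sample: alice -> orchestrator -> sub-agent, scope narrowed at the last hop."""
    user = {"sub": "alice", "scope": "files:read files:write"}
    hop1 = {"sub": "alice", "scope": "files:read files:write",
            "act": {"sub": "orchestrator"}}
    hop2 = {"sub": "alice", "scope": "files:read", "tool": "search_docs",
            "act": {"sub": "sub-agent", "act": {"sub": "orchestrator"}}}
    return [mint(user), mint(hop1), mint(hop2)]


def expanding_chain() -> list:
    """Constructed sample: the sub-agent hop tries to add a scope the user never had."""
    chain = good_chain()
    hop2 = {"sub": "alice", "scope": "files:read admin:all", "tool": "search_docs",
            "act": {"sub": "sub-agent", "act": {"sub": "orchestrator"}}}
    chain[2] = mint(hop2)
    return chain


if __name__ == "__main__":
    print(validate_chain(good_chain(), "alice", "search_docs"))
    print(validate_chain(expanding_chain(), "alice", "search_docs"))
```

The linkage check is what distinguishes a chain from a bag of independently valid tokens: a token whose `act` does not nest the previous hop's `act` may be perfectly well signed and still be a token reused from some other delegation, which is the reuse pattern the comment above attributes to the Checkmarx MCP findings.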
I'm down with delegates; we can always profile the runtime and sign the artifacts
adding those links to the PR so folks can affect Invariant 7 :) Appreciate y'all.
@davidlabianca think we're good to go otherwise on merging the base patterns. LMK otherwise!
Added Inv-7 and updates to the patterns/yaml.
nik-kale left a comment:
INV-7, RISK-06, and CTRL-07 all look good. Scope narrowing assertion is the right call, and mapping to LLM08 makes sense since the confused deputy problem is really about excessive agency with valid credentials. Glad to see INV-7 required at Tier 2+ and showing up in the validation sequence at step 7. The persona responsibility additions are a nice touch too. Having clear accountability per invariant makes the whole thing more auditable. Good to merge from my side.