@@ -270,6 +270,46 @@ mem.query.alternatives(dbQuestion);{"\n"}
270270 </ p >
271271 </ section >
272272
273+ { /* Description Integrity */ }
274+ < section className = "learn-section" >
275+ < h2 > Description integrity</ h2 >
276+ < p >
277+ MCP tool descriptions are prompts. Your LLM reads them to decide what each tool does.
278+ If a malicious dependency, middleware, or monkey-patch mutates those descriptions in-process,
279+ the LLM silently follows poisoned instructions. Nobody in the MCP ecosystem addresses this.
280+ </ p >
281+ < p >
282+ FlowScript's MCP servers include a three-layer integrity verification system — a reference
283+ implementation of{ " " }
284+ < a href = "https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402" target = "_blank" rel = "noopener noreferrer" >
285+ deterministic description integrity for MCP
286+ </ a > :
287+ </ p >
288+ < ul className = "audit-features" >
289+ < li >
290+ < strong > Layer 1 — In-process verification:</ strong > All tool definitions are deep-frozen at
291+ startup (immutable). SHA-256 hashes computed per tool. The < code > verify_integrity</ code > tool
292+ lets the LLM check that nothing has been mutated since startup.
293+ </ li >
294+ < li >
295+ < strong > Layer 2 — Host-verifiable manifest:</ strong > The{ " " }
296+ < code > flowscript://integrity/manifest</ code > MCP Resource exposes hashes so the < em > host
297+ application</ em > (Claude Code, Cursor) can verify descriptions without LLM involvement — moving
298+ the security boundary to the correct architectural layer.
299+ </ li >
300+ < li >
301+ < strong > Layer 3 — Build-time root of trust:</ strong > < code > tool-integrity.json</ code > is
302+ generated at build time (< code > --generate-manifest</ code > ) and ships in the package. Provides
303+ a hash baseline independent of the running process.
304+ </ li >
305+ </ ul >
306+ < p >
307+ Think of it as SRI (Subresource Integrity) for LLM tool descriptions. Both the TypeScript
308+ and Python MCP servers implement this architecture with honest threat models — documenting
309+ exactly what it detects and what requires ecosystem-level changes.
310+ </ p >
311+ </ section >
312+
273313 { /* The Consolidation Engine (Python SDK) */ }
274314 < section className = "learn-section" >
275315 < h2 > The consolidation engine</ h2 >
0 commit comments