Skip to content
This repository was archived by the owner on Apr 8, 2026. It is now read-only.

Commit 2463b27

Browse files
Add Description Integrity section to flowscript.org Learn page
Three-layer architecture explained: in-process verification, host-verifiable manifest, build-time root of trust. Links to Discussion #2402. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 87585d1 commit 2463b27

1 file changed

Lines changed: 40 additions & 0 deletions

File tree

web/src/pages/Learn.tsx

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -270,6 +270,46 @@ mem.query.alternatives(dbQuestion);{"\n"}
270270
</p>
271271
</section>
272272

273+
{/* Description Integrity */}
274+
<section className="learn-section">
275+
<h2>Description integrity</h2>
276+
<p>
277+
MCP tool descriptions are prompts. Your LLM reads them to decide what each tool does.
278+
If a malicious dependency, middleware, or monkey-patch mutates those descriptions in-process,
279+
the LLM silently follows poisoned instructions. Nobody in the MCP ecosystem addresses this.
280+
</p>
281+
<p>
282+
FlowScript's MCP servers include a three-layer integrity verification system — a reference
283+
implementation of{" "}
284+
<a href="https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402" target="_blank" rel="noopener noreferrer">
285+
deterministic description integrity for MCP
286+
</a>:
287+
</p>
288+
<ul className="audit-features">
289+
<li>
290+
<strong>Layer 1 — In-process verification:</strong> All tool definitions are deep-frozen at
291+
startup (immutable). SHA-256 hashes computed per tool. The <code>verify_integrity</code> tool
292+
lets the LLM check that nothing has been mutated since startup.
293+
</li>
294+
<li>
295+
<strong>Layer 2 — Host-verifiable manifest:</strong> The{" "}
296+
<code>flowscript://integrity/manifest</code> MCP Resource exposes hashes so the <em>host
297+
application</em> (Claude Code, Cursor) can verify descriptions without LLM involvement — moving
298+
the security boundary to the correct architectural layer.
299+
</li>
300+
<li>
301+
<strong>Layer 3 — Build-time root of trust:</strong> <code>tool-integrity.json</code> is
302+
generated at build time (<code>--generate-manifest</code>) and ships in the package. Provides
303+
a hash baseline independent of the running process.
304+
</li>
305+
</ul>
306+
<p>
307+
Think of it as SRI (Subresource Integrity) for LLM tool descriptions. Both the TypeScript
308+
and Python MCP servers implement this architecture with honest threat models — documenting
309+
exactly what it detects and what requires ecosystem-level changes.
310+
</p>
311+
</section>
312+
273313
{/* The Consolidation Engine (Python SDK) */}
274314
<section className="learn-section">
275315
<h2>The consolidation engine</h2>

0 commit comments

Comments
 (0)