Trust & privacy extensions: scaffolding + the trust-annotations base by SamMorrowDrums · Pull Request #2 · modelcontextprotocol/experimental-ext-tool-annotations

SamMorrowDrums · 2026-06-10T21:51:38Z

Trust & privacy extensions — scaffolding + the `trust-annotations` base

This is the base of a three-PR stack that splits SEP-1913 (Trust & Sensitivity
Annotations) into small, independently-shippable pieces, validating the shapes as
experimental extensions before asking the spec to commit. It follows the
2026-05-28 IG decision
to validate via extensions first, and the SEP-2127 (#2893) precedent of moving a
broad SEP onto the extensions track.

What's in this PR

Repository scaffolding — README.md (front door + the extension/scheme map),
CONTRIBUTING.md, MAINTAINERS.md, LICENSE, and the docs/ set:
- docs/sep-disposition.md — what moved out of SEP-1913 and where it landed.
- docs/related-work.md, docs/trust-model.md, docs/open-questions.md,
  docs/decisions.md — the shared model, prior art, open threads, and the
  append-only decision log.
The first extension — specification/draft/trust-annotations.mdx
(io.modelcontextprotocol/trust-annotations): a small client-facing vocabulary
(sensitive / untrusted booleans) plus a bounded, open-type evidenceRef
slot that richer records hang off without entering the wire root.

The stack

PR	Adds	Depends on
this	scaffolding + `trust-annotations`	—
#3	`action-metadata` extension	independent; stacked here for now
#4	FIDES scheme under `schemes/`	fills this PR's `evidenceRef` slot

The two extensions are independent of each other. The FIDES scheme depends on
trust-annotations because it fills its evidenceRef slot (type: "ifc.fides.v1"), and is deliberately not an extension or a sibling — it is one
of several interchangeable data-labelling schemes the slot can carry.

Merge order: this PR → #3 / #4. The stacked PRs target this branch and should be
retargeted to main once this merges. (The README links to
specification/draft/action-metadata.mdx and schemes/, which land in #3 and #4.)

Note: commits in this stack are currently unsigned due to a local signing
agent issue; they can be re-signed on request before merge.

@localden

Carve the schema-bearing parts of SEP-1913 into three independent experimental extensions, per @localden's "narrower first cut" ask and the Tool Annotations IG's 2026-05-28 extension-first decision: - io.modelcontextprotocol/trust-annotations (headline): narrow data-classification taxonomy (sensitive, untrusted) + open-ended evidenceRef pointer. - io.modelcontextprotocol/action-metadata: carries forward SEP-2061 (inputMetadata/returnMetadata/outcomes + requiresReview). - io.modelcontextprotocol/ifc-fides: FIDES information-flow control as a profile of evidenceRef, not a wire root. Adds repo meta (README, MAINTAINERS, CONTRIBUTING, LICENSE) and docs (sep-disposition, intent-comment, decisions, open-questions, trust-model, related-work). FIDES demoted to a profile; DataClass and requiresReview rehomed; maliciousActivityHint and propagation parked on the SEP-1913 umbrella. Citations index on public sources only. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace 'carve'/'headline' throughout; reframe the front-facing docs (README, spec drafts, related-work) to describe what the repo contains and link to it rather than narrate the process. Process framing stays in the decision log and the intent-comment/sep-disposition planning docs. Live SEP-1913/SEP-2061 comments updated to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Official extension specs (ext-auth) use only `title:` in frontmatter plus an <Info> protocol-revision marker. Remove the invented extension_identifier / status / maintainers / related / profile_of fields and restate the identifier and profile relationship in the body prose where they belong. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Rul1an · 2026-06-11T07:30:27Z

This carve is the right shape, and the evidenceRef slot captures the small-annotation-on-the-wire / richer-evidence-out-of-band split well.

One small editorial point on trust-annotations.mdx: every evidenceRef example currently uses canonicalization: "cbor/rfc8949". Since canonicalization is per-reference precisely so different evidence producers can be re-derived, it would read more neutrally to show a second example with JSON canonicalization, for example jcs/rfc8785, alongside the CBOR one.

With only CBOR shown, implementers may treat it as the default rather than one valid envelope choice, which would quietly narrow the extension point the field is meant to keep open.

On the open questions, keeping type as an open string with a non-binding registry seems right. The minimum a client needs to do useful local checking is type, digest, and canonicalization; schema seems better as recommended, and ref as optional. That keeps digest-only references useful while letting deployments with an audit/evidence stream add a locator.

Happy to help exercise the shape with worked emitter/consumer cases for policy-decision and sequence types, especially the cases where the annotation stays small and the sequence or policy record remains out of band.

Rul1an · 2026-06-11T11:58:42Z

+1 to this direction — it's the precision that was missing behind keeping private opaque on the wire. The load-bearing part is that private must not collapse into one global bucket: two private sources can have different reader sets, and data derived from both may flow only to a sink valid for all of them, the intersection, which is exactly what an opaque token can't carry. Resolving each source host-side at decision time is the right shape.

One case worth adding to the section: when resolution isn't available — ref is optional, a label may be digest-only, or the originating system is unreachable at decision time — the host must not treat the opaque labels as equivalent or as public. It should deny, prompt, or apply its configured fail-closed policy; two private labels are equal only once resolution proves their sources are. Without that line the optional/digest-only reference can quietly become permissive. And reinforcing your "then discards them": the resolved set is a decision-time read under the host's own credentials, so it shouldn't be cached as a durable grant or serialized back into annotations/evidence unless a deployment explicitly opts in.

Net, the wire stays small and free of user identities while hosts still have enough to make a precise flow decision when they hold source provenance plus host-side credentials — the same small-marker-on-the-wire, richer-state-host-side split as evidenceRef.

Rul1an · 2026-06-11T12:53:18Z

+1 repository visibility is a default hint, not a classification boundary, so the emitter has to classify per resource returned (a public repo still serves things that aren't world-readable: draft advisories, the collaborator roster, authenticated-user fields), not per repo.

It divides cleanly: the label rides the actual resource (emitter-side), the host resolves the concrete reader set later only when it needs a precise decision (the reader-set-resolution section), and unknown or mixed provenance classifies private until the source is established, never defaulted to public from a repo-level shortcut, and without serializing reader sets. Happy to turn this into a small set of emitter conformance cases if useful, the public-repo-with-private-subresource ones especially.

@JoannaaKL

… closure ifc-fides (review by @JoannaaKL): - confidentiality is public/private only on the wire; drop the reader-list (logins aren't uniform across servers, are themselves access-restricted, and reader sets can be huge) - add Reader-set resolution section: two private markers aren't equal, the confidentiality join is the intersection and isn't computable from opaque wire markers, so hosts resolve to concrete reader sets at decision time - integrity join is total/wire-computable; confidentiality join is not - emitter MUST classify per resource, not per repository (public repos serve non-world-readable sub-resources), making github-mcp-server a real proof point action-metadata / docs: - SEP-2061 closed 2026-06-13 in favour of this extension; this draft is now the canonical home. Updated action-metadata.mdx, README, sep-disposition, related-work, and intent-comment status accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@Rul1an

…iew @Rul1an) ifc-fides: - lead Label semantics with the load-bearing wire/host split (wire markers are advisory hints; reader-set semantics are host-resolved) - state the join asymmetry as principled, not incidental: integrity join is total/wire-computable (small closed lattice); confidentiality join is partial because public is the only wire-computable case (reader set = top), while private join is the intersection the opaque markers don't carry - frame wire opaqueness as a property of the security model, not a spec limitation - add fail-closed handling when resolution is unavailable (ref absent, digest-only, source unreachable): never treat opaque labels as equal or as public; unknown/ mixed provenance classifies private; resolved reader sets are not durable grants trust-annotations: - show jcs/rfc8785 alongside cbor/rfc8949 so canonicalization reads as a per-reference envelope choice rather than a default - note type/digest/canonicalization as the local-re-derivation minimum Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

SamMorrowDrums · 2026-06-15T22:35:16Z

Thanks @Rul1an — all three of these were actionable, not just +1s, so they're folded into the draft (4967a9e):

Second canonicalization example. trust-annotations.mdx now shows jcs/rfc8785 alongside cbor/rfc8949, with a line that canonicalization is a per-reference envelope choice (neither is the default) and that the type/digest/canonicalization triple is the local-re-derivation minimum — so digest-only references stay useful and CBOR doesn't read as canonical.
Fail-closed when resolution isn't available. The Reader-set resolution section now states that when ref is absent, the label is digest-only, or the source is unreachable, the host MUST NOT treat opaque labels as equal or as public — it denies/prompts/applies its fail-closed policy. Two private labels are equal only once resolution proves their sources are. Added your "resolved set is a decision-time read under the host's own credentials, not a durable grant" point too — hosts shouldn't cache it as a grant or serialize it back into annotations/evidence unless explicitly opted in.
Per-resource, unknown/mixed → private. The emitter section already classifies per resource returned (draft advisories, collaborator roster, etc.); I added the explicit rule that unknown or mixed provenance classifies private until the source is established, never defaulted to public from a repo-level shortcut.

Yes please on the worked emitter/consumer cases — the public-repo-with-private-subresource ones and the policy-decision / sequence evidenceRef types are exactly the cases that would prove the shape holds. That's the validation step the extensions track exists for.

The posted SEP-1913 umbrella comment was updated to match the shipped structure: two extensions plus a schemes/ folder, with FIDES as one data-labelling scheme (ifc.fides.v1) rather than an extension/profile. Bring docs/intent-comment.md back in sync as the source of record and add the three stacked PR links (#2 base, #3 action-metadata, #4 FIDES scheme). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…sibling Restructure the incubation into two extensions plus interchangeable data-labelling schemes, shipped as a stack of three PRs: - This PR (base): shared scaffolding + the trust-annotations extension. - action-metadata moves to its own stacked PR. - The IFC/FIDES work moves out of specification/draft/ entirely — it is one data-labelling scheme (ifc.fides.v1) that fills the trust-annotations evidenceRef slot, not an extension and not a sibling. It lands in a schemes/ folder built to hold alternative approaches (data-class, capability tokens, cosigning, sequence-shape, attestation) so no single academic model is baked into the wire. README, sep-disposition, related-work, trust-model, open-questions and the decision log are reframed accordingly (two extensions + a schemes folder; the range of candidate schemes drawn from the SEP-1913 thread and cited literature). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The posted SEP-1913 umbrella comment was updated to match the shipped structure: two extensions plus a schemes/ folder, with FIDES as one data-labelling scheme (ifc.fides.v1) rather than an extension/profile. Bring docs/intent-comment.md back in sync as the source of record and add the three stacked PR links (#2 base, #3 action-metadata, #4 FIDES scheme). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…s openWorldHint Enrich the base extension docs so the early review history is preserved rather than erased by the narrow first cut: - trust-annotations.mdx: add a normative subsection distinguishing result-level untrusted from tool-definition openWorldHint (the SEP-1913 #711 distinction). - open-questions.md: capture the sensitivity-field shape debate, enforcement-vs- advisory risk, per-block byte ranges, taint persistence, and sequence-shape, each attributed to the reviewer who raised it; add a Naming (under review) section for the contested field/extension names. - related-work.md: add verified FIDES alternatives (Permissive IFC 2410.03055, AirGapAgent 2405.05175, CaMeL 2503.18813) and a schemes-vs-host-architectures distinction. - decisions.md: log the scheme/architecture boundary and the feedback-capture decision. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…mitting both Per Sam: the coarse 'sensitive' boolean exists to give a universal, 'better than nothing' policy-enforcement floor every client can act on — a basic/general scheme — not a competitor to richer schemes. It is not either/or with the taxonomy; servers are encouraged to do both. - trust-annotations.mdx: reframe the coarse-vs-rich section around the LCD floor; add a SHOULD-emit-both recommendation (boolean + richer evidenceRef scheme); point Motivation at it; reframe the in-spec open question accordingly; changelog row. - decisions.md: log the LCD-floor + emit-both decision; correct two entries mis-dated 2026-06-17 to today (2026-06-16). - open-questions.md: reframe the sensitivity item from 'is the boolean right' to the narrower residual (is boolean + data-class scheme enough, or is a wire escape hatch needed); current lean: no escape hatch. - terminology: profile -> scheme in forward-looking text (open-questions registry line, sep-disposition SEP-2787 row); historical log entries left as-is. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

SamMorrowDrums and others added 4 commits June 10, 2026 23:50

docs: finalize intent comments and record posted links

8a867d4

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>