flowscript-agents 0.2.3__tar.gz → 0.2.5__tar.gz

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: flowscript-agents
-Version: 0.2.3
+Version: 0.2.5
 Summary: Complete agent memory: reasoning queries + vector search + auto-extraction. Decision intelligence for LangGraph, CrewAI, Google ADK, OpenAI Agents SDK, Pydantic AI, smolagents, LlamaIndex, Haystack, and CAMEL-AI.
 Project-URL: Homepage, https://flowscript.org
 Project-URL: Repository, https://github.com/phillipclapham/flowscript-agents
@@ -349,6 +349,18 @@ After 20 sessions, your memory is a curated knowledge base, not a pile of notes.
 
 ---
 
+## Description Integrity
+
+MCP tool descriptions are the prompts your LLM reads. If they're mutated in-process, the LLM silently follows poisoned instructions. The FlowScript MCP server includes three-layer integrity verification — a reference implementation of [deterministic description integrity for MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402):
+
+1. **`verify_integrity` tool** — LLM-callable. SHA-256 hashes of all tool definitions, deep-frozen at startup (`MappingProxyType`). Detects in-process mutation by malicious dependencies, monkey-patching, or middleware.
+2. **`flowscript://integrity/manifest` resource** — Host-verifiable. Claude Code / Cursor can verify descriptions without LLM involvement.
+3. **`tool-integrity.json`** — Build-time root of trust. Generated via `flowscript-mcp --generate-manifest`, ships in the package.
+
+Both the Python and [TypeScript](https://www.npmjs.com/package/flowscript-core) MCP servers implement this architecture. Honest threat model: detects in-process mutation, not supply chain or transport-layer attacks. [Full discussion →](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402)
+
+---
+
 ## Comparison
 
 | | FlowScript | Mem0 | Vector stores |
@@ -375,7 +387,7 @@ Under the hood: a local semantic graph with typed nodes, typed relationships, an
 | [flowscript-core](https://www.npmjs.com/package/flowscript-core) | TypeScript SDK — Memory class, 15 tools, token budgeting, audit trail | `npm install flowscript-core` |
 | [flowscript.org](https://flowscript.org) | Web editor, D3 visualization, live query panel | Browser |
 
-**1,272 tests** across Python (581) and TypeScript (691). Same audit trail format and canonical JSON serialization across both languages.
+**1,312 tests** across Python (581) and TypeScript (731). Same audit trail format and canonical JSON serialization across both languages.
 
 ### Docs
 

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/README.md

@@ -285,6 +285,18 @@ After 20 sessions, your memory is a curated knowledge base, not a pile of notes.
 
 ---
 
+## Description Integrity
+
+MCP tool descriptions are the prompts your LLM reads. If they're mutated in-process, the LLM silently follows poisoned instructions. The FlowScript MCP server includes three-layer integrity verification — a reference implementation of [deterministic description integrity for MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402):
+
+1. **`verify_integrity` tool** — LLM-callable. SHA-256 hashes of all tool definitions, deep-frozen at startup (`MappingProxyType`). Detects in-process mutation by malicious dependencies, monkey-patching, or middleware.
+2. **`flowscript://integrity/manifest` resource** — Host-verifiable. Claude Code / Cursor can verify descriptions without LLM involvement.
+3. **`tool-integrity.json`** — Build-time root of trust. Generated via `flowscript-mcp --generate-manifest`, ships in the package.
+
+Both the Python and [TypeScript](https://www.npmjs.com/package/flowscript-core) MCP servers implement this architecture. Honest threat model: detects in-process mutation, not supply chain or transport-layer attacks. [Full discussion →](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402)
+
+---
+
 ## Comparison
 
 | | FlowScript | Mem0 | Vector stores |
@@ -311,7 +323,7 @@ Under the hood: a local semantic graph with typed nodes, typed relationships, an
 | [flowscript-core](https://www.npmjs.com/package/flowscript-core) | TypeScript SDK — Memory class, 15 tools, token budgeting, audit trail | `npm install flowscript-core` |
 | [flowscript.org](https://flowscript.org) | Web editor, D3 visualization, live query panel | Browser |
 
-**1,272 tests** across Python (581) and TypeScript (691). Same audit trail format and canonical JSON serialization across both languages.
+**1,312 tests** across Python (581) and TypeScript (731). Same audit trail format and canonical JSON serialization across both languages.
 
 ### Docs
 

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/flowscript_agents/__init__.py

@@ -43,7 +43,7 @@ from .memory import (
 )
 from .unified import UnifiedMemory
 
-__version__ = "0.2.0"
+__version__ = "0.2.5"
 __all__ = [
     "AuditConfig",
     "AuditQueryResult",

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/flowscript_agents/mcp.py

@@ -43,7 +43,7 @@ When OPENAI_API_KEY is set, the server auto-configures:
 - LLM extraction (gpt-4o-mini) for typed reasoning extraction
 - Consolidation (gpt-4o-mini) for memory management (UPDATE/RELATE/RESOLVE)
 
-Tools exposed (13):
+Tools exposed (14):
 - search_memory: Unified search (vector + keyword + temporal)
 - add_memory: Auto-extract reasoning from text with consolidation
 - get_context: Get formatted memory for prompt injection
@@ -57,14 +57,18 @@ Tools exposed (13):
 - memory_stats: Get memory statistics
 - query_audit: Search the audit trail with filters
 - verify_audit: Verify hash chain integrity
+- verify_integrity: Verify tool description integrity (SRI for LLM prompts)
 """
 
 from __future__ import annotations
 
 import argparse
+import datetime
+import hashlib
 import json
 import os
 import sys
+from types import MappingProxyType
 from typing import Any, Optional
 
 from .memory import Memory
@@ -85,7 +89,7 @@ def _log(msg: str) -> None:
 
 _PROTOCOL_VERSION = "2025-03-26"
 _SERVER_NAME = "flowscript-agents"
-_SERVER_VERSION = "0.2.0"
+_SERVER_VERSION = "0.2.5"
 
 
 def _jsonrpc_response(id: Any, result: Any) -> dict:
@@ -96,11 +100,111 @@ def _jsonrpc_error(id: Any, code: int, message: str) -> dict:
     return {"jsonrpc": "2.0", "id": id, "error": {"code": code, "message": message}}
 
 
+# =============================================================================
+# Description Integrity — "SRI for LLM tool descriptions"
+# =============================================================================
+# Reference implementation: deterministic integrity verification for MCP servers.
+# See: github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402
+#
+# THREE-LAYER ARCHITECTURE:
+#   1. Tool: verify_integrity — LLM-callable, detects in-process mutation
+#   2. Resource: flowscript://integrity/manifest — Host-verifiable manifest
+#      (enables Claude Code/Cursor to verify descriptions WITHOUT LLM involvement,
+#       moving the security boundary to the correct layer)
+#   3. Build-time manifest: tool-integrity.json — root of trust independent of
+#      running process (generated via --generate-manifest)
+#
+# DETECTS:
+#   - In-process description mutation (malicious dependency, monkey-patching,
+#     or middleware that modifies tool dicts in the same Python process)
+#   - Accidental mutation (buggy wrapper that string-replaces descriptions)
+#
+# DOES NOT DETECT (requires ecosystem-level changes):
+#   - Supply chain attacks (poisoned before startup — manifest captures poisoned state)
+#   - Transport-layer attacks (MITM between server and client — hashes never leave process)
+#   - Client-side injection (host manipulates descriptions after receiving them)
+#   - Reflection-based bypass: gc.get_referents() can reach the underlying dict
+#     behind MappingProxyType. ctypes can write to arbitrary memory. Deep-freeze
+#     is best-effort against casual/accidental mutation. For determined in-process
+#     attackers, the build-time manifest is the correct verification layer.
+#   - Filesystem manifest replacement: if an attacker can write to the package
+#     directory, they can replace tool-integrity.json to match poisoned definitions.
+#     In high-security deployments, sign the manifest or distribute via separate
+#     trust channel.
+#
+# This is a reference implementation. Full integrity requires client-side verification
+# against an out-of-band manifest (build-time hashes, package signatures, etc.).
+
+
+def _canonicalize(obj: Any) -> str:
+    """Canonicalize a JSON-serializable value for deterministic hashing.
+
+    Sorted keys, no whitespace, deterministic primitive serialization.
+    Matches the TypeScript MCP server's canonicalize() for cross-language
+    consistency (though hash comparison is per-server, not cross-language).
+    """
+    if obj is None:
+        return "null"
+    if isinstance(obj, bool):
+        return "true" if obj else "false"
+    if isinstance(obj, (int, float)):
+        return json.dumps(obj)
+    if isinstance(obj, str):
+        return json.dumps(obj, ensure_ascii=True)
+    if isinstance(obj, (list, tuple)):
+        return "[" + ",".join(_canonicalize(v) for v in obj) + "]"
+    if isinstance(obj, (dict, MappingProxyType)):
+        entries = []
+        for k in sorted(obj.keys()):
+            v = obj[k]
+            # Include None as "null" (matches TS which keeps null but skips undefined).
+            # Python dicts don't have "undefined" — all present keys are serialized.
+            entries.append(json.dumps(k, ensure_ascii=True) + ":" + _canonicalize(v))
+        return "{" + ",".join(entries) + "}"
+    return json.dumps(str(obj), ensure_ascii=True)
+
+
+def _hash_tool_definition(tool: dict | MappingProxyType) -> str:
+    """Compute SHA-256 hash of a canonical JSON representation of a tool definition."""
+    canonical = _canonicalize(tool)
+    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
+
+
+def _thaw(obj: Any) -> Any:
+    """Recursively convert MappingProxyType back to plain dicts for JSON serialization."""
+    if isinstance(obj, MappingProxyType):
+        return {k: _thaw(v) for k, v in obj.items()}
+    if isinstance(obj, tuple):
+        return [_thaw(x) for x in obj]
+    if isinstance(obj, list):
+        return [_thaw(x) for x in obj]
+    return obj
+
+
+def _deep_freeze(obj: dict) -> MappingProxyType:
+    """Recursively convert a dict tree to immutable MappingProxyType.
+
+    Any attempt to mutate a frozen dict raises TypeError.
+    Lists inside are converted to tuples (also immutable).
+    """
+    frozen = {}
+    for k, v in obj.items():
+        if isinstance(v, dict):
+            frozen[k] = _deep_freeze(v)
+        elif isinstance(v, list):
+            frozen[k] = tuple(_deep_freeze(x) if isinstance(x, dict) else x for x in v)
+        else:
+            frozen[k] = v
+    return MappingProxyType(frozen)
+
+
 # =============================================================================
 # Tool definitions
 # =============================================================================
 
-TOOLS = [
+# Defined as plain dicts first, then frozen after definition.
+# The verify_integrity tool is NOT in this list (it verifies, it isn't verified).
+_TOOL_DEFS_RAW = [
     {
         "name": "search_memory",
         "description": (
@@ -124,6 +228,7 @@ TOOLS = [
                 },
             },
             "required": ["query"],
+            "additionalProperties": False,
         },
     },
     {
@@ -149,6 +254,7 @@ TOOLS = [
                 },
             },
             "required": ["text"],
+            "additionalProperties": False,
         },
     },
     {
@@ -168,6 +274,7 @@ TOOLS = [
                     "default": 4000,
                 },
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -188,6 +295,7 @@ TOOLS = [
                     "default": "axis",
                 },
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -198,7 +306,7 @@ TOOLS = [
             "external dependencies. Returns blockers sorted by impact score "
             "(downstream effects), with reason, duration, and transitive causes."
         ),
-        "inputSchema": {"type": "object", "properties": {}},
+        "inputSchema": {"type": "object", "properties": {}, "additionalProperties": False},
     },
     {
         "name": "query_why",
@@ -215,6 +323,7 @@ TOOLS = [
                 "node_id": {"type": "string", "description": "Node ID to trace"},
                 "content": {"type": "string", "description": "Search for node by content (alternative to node_id)"},
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -231,6 +340,7 @@ TOOLS = [
                 "question_id": {"type": "string", "description": "Question node ID"},
                 "content": {"type": "string", "description": "Search for question by content (alternative to question_id)"},
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -247,6 +357,7 @@ TOOLS = [
                 "node_id": {"type": "string", "description": "Node ID to analyze"},
                 "content": {"type": "string", "description": "Search for node by content (alternative to node_id)"},
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -263,6 +374,7 @@ TOOLS = [
                 "node_id": {"type": "string", "description": "ID of the node to remove"},
             },
             "required": ["node_id"],
+            "additionalProperties": False,
         },
     },
     {
@@ -272,7 +384,7 @@ TOOLS = [
             "save to disk. Call this at the end of a work session to keep memory "
             "healthy. Dormant nodes (not accessed recently) are archived, not deleted."
         ),
-        "inputSchema": {"type": "object", "properties": {}},
+        "inputSchema": {"type": "object", "properties": {}, "additionalProperties": False},
     },
     {
         "name": "memory_stats",
@@ -280,7 +392,7 @@ TOOLS = [
             "Get memory statistics: node count, tier distribution, garden health, "
             "embedding status. Call this to understand the current state of memory."
         ),
-        "inputSchema": {"type": "object", "properties": {}},
+        "inputSchema": {"type": "object", "properties": {}, "additionalProperties": False},
     },
     {
         "name": "query_audit",
@@ -315,6 +427,7 @@ TOOLS = [
                     "default": False,
                 },
             },
+            "additionalProperties": False,
         },
     },
     {
@@ -324,10 +437,61 @@ TOOLS = [
             "confirm the audit trail has not been tampered with. Returns chain "
             "validity status, total entries verified, and location of any break."
         ),
-        "inputSchema": {"type": "object", "properties": {}},
+        "inputSchema": {"type": "object", "properties": {}, "additionalProperties": False},
     },
 ]
 
+# Deep-freeze all tool definitions — any in-process mutation raises TypeError.
+TOOLS: list[MappingProxyType] = [_deep_freeze(t) for t in _TOOL_DEFS_RAW]
+
+# Compute integrity manifest at startup — captures the "intended" state.
+_INTEGRITY_MANIFEST: dict[str, str] = {}
+_EXPECTED_TOOL_COUNT = len(TOOLS)
+for _t in TOOLS:
+    _INTEGRITY_MANIFEST[_t["name"]] = _hash_tool_definition(_t)
+_INTEGRITY_MANIFEST = MappingProxyType(_INTEGRITY_MANIFEST)  # type: ignore[assignment]
+
+# Load build-time manifest if available (generated via --generate-manifest).
+_BUILD_TIME_MANIFEST: dict[str, str] | None = None
+try:
+    _manifest_path = os.path.join(os.path.dirname(__file__), "tool-integrity.json")
+    with open(_manifest_path) as _f:
+        _BUILD_TIME_MANIFEST = json.load(_f)
+    _log(f"Integrity: loaded build-time manifest ({len(_BUILD_TIME_MANIFEST)} tools)")
+except (FileNotFoundError, json.JSONDecodeError):
+    pass  # No build-time manifest — startup-only verification
+
+# The verify_integrity tool — separate from the verified tools.
+_VERIFY_INTEGRITY_TOOL = _deep_freeze({
+    "name": "verify_integrity",
+    "description": (
+        "Verify that tool descriptions have not been mutated in-process since "
+        "server startup. Detects description modifications by malicious dependencies, "
+        "middleware, or monkey-patching. Returns per-tool SHA-256 hashes (expected vs "
+        "current) and a pass/fail verdict. NOTE: This verifies the server's own state "
+        "— transport-layer integrity requires host-level verification via the "
+        "flowscript://integrity/manifest resource. "
+        "Reference implementation: "
+        "github.com/modelcontextprotocol/modelcontextprotocol/discussions/2402"
+    ),
+    "inputSchema": {"type": "object", "properties": {}, "additionalProperties": False},
+})
+
+# Full tool list exposed to clients: verified tools + the verifier
+ALL_TOOLS: list[MappingProxyType] = [*TOOLS, _VERIFY_INTEGRITY_TOOL]
+
+# Integrity resource definition (frozen for consistency)
+_INTEGRITY_RESOURCE = _deep_freeze({
+    "uri": "flowscript://integrity/manifest",
+    "name": "Tool Integrity Manifest",
+    "description": (
+        "SHA-256 hashes of all tool definitions for client-side integrity "
+        "verification. Compare these hashes against the tool definitions you "
+        "received to detect transport-layer description mutation."
+    ),
+    "mimeType": "application/json",
+})
+
 
 # =============================================================================
 # Tool handlers
@@ -355,6 +519,7 @@ class MCPHandler:
             "memory_stats": self._memory_stats,
             "query_audit": self._query_audit,
             "verify_audit": self._verify_audit,
+            "verify_integrity": self._verify_integrity,
         }
         handler = handlers.get(name)
         if handler is None:
@@ -591,6 +756,71 @@ class MCPHandler:
                     "status": "no_audit_trail",
                     "note": "No audit trail file found — auditing may not be configured"}
 
+    def _verify_integrity(self, args: dict) -> dict:
+        """Verify in-process description integrity of all tool definitions."""
+        results = []
+        all_passed = True
+
+        # Check: has the tool count changed? (detect additions/removals)
+        count_match = len(TOOLS) == _EXPECTED_TOOL_COUNT
+        if not count_match:
+            all_passed = False
+
+        # Per-tool hash verification
+        for tool in TOOLS:
+            tool_name = tool["name"]
+            expected = _INTEGRITY_MANIFEST[tool_name]
+            current = _hash_tool_definition(tool)
+            passed = expected == current
+            if not passed:
+                all_passed = False
+
+            entry: dict[str, Any] = {
+                "tool": tool_name,
+                "expected_hash": expected,
+                "current_hash": current,
+                "status": "pass" if passed else "fail",
+            }
+
+            # Compare against build-time manifest if available
+            if _BUILD_TIME_MANIFEST:
+                build_hash = _BUILD_TIME_MANIFEST.get(tool_name)
+                if build_hash:
+                    build_match = build_hash == current
+                    if not build_match:
+                        all_passed = False
+                    entry["build_time_status"] = "pass" if build_match else "fail"
+                else:
+                    entry["build_time_status"] = "no_manifest"
+
+            results.append(entry)
+
+        verdict = "PASS" if all_passed else "FAIL"
+        return {
+            "success": True,
+            "verdict": verdict,
+            "tool_count": len(TOOLS),
+            "expected_tool_count": _EXPECTED_TOOL_COUNT,
+            "count_match": count_match,
+            "algorithm": "SHA-256",
+            "canonicalization": "deterministic sorted-keys JSON",
+            "build_time_manifest": "verified" if _BUILD_TIME_MANIFEST else "not available",
+            "tools": results,
+            "scope": (
+                "Verifies in-process description integrity (detects mutation by "
+                "dependencies, middleware, or monkey-patching). Transport-layer "
+                "integrity requires host-side verification via "
+                "flowscript://integrity/manifest resource."
+            ),
+            "description": (
+                "All tool descriptions match their startup hashes. "
+                "No in-process mutation detected."
+                if all_passed else
+                "WARNING: Tool description integrity violation detected. "
+                "One or more definitions have been modified since server startup."
+            ),
+        }
+
 
 def _serialize_query_result(result: Any, _seen: set | None = None) -> dict:
     """Best-effort serialization of query result dataclasses."""
@@ -861,7 +1091,7 @@ def run_server(
                 client_version = params.get("protocolVersion", _PROTOCOL_VERSION)
                 resp = _jsonrpc_response(msg_id, {
                     "protocolVersion": client_version if client_version >= _PROTOCOL_VERSION else _PROTOCOL_VERSION,
-                    "capabilities": {"tools": {}},
+                    "capabilities": {"tools": {}, "resources": {}},
                     "serverInfo": {
                         "name": _SERVER_NAME,
                         "version": _SERVER_VERSION,
@@ -870,9 +1100,35 @@ def run_server(
             elif method == "notifications/initialized":
                 continue  # notification, no response
             elif method == "tools/list":
-                resp = _jsonrpc_response(msg_id, {"tools": TOOLS})
+                resp = _jsonrpc_response(msg_id, {"tools": [json.loads(json.dumps(_thaw(t))) for t in ALL_TOOLS]})
             elif method == "resources/list":
-                resp = _jsonrpc_response(msg_id, {"resources": []})
+                resp = _jsonrpc_response(msg_id, {"resources": [_thaw(_INTEGRITY_RESOURCE)]})
+            elif method == "resources/read":
+                uri = params.get("uri", "")
+                if uri == "flowscript://integrity/manifest":
+                    manifest = {
+                        "version": _SERVER_VERSION,
+                        "algorithm": "SHA-256",
+                        "canonicalization": "deterministic sorted-keys JSON",
+                        "generated_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
+                        "tool_count": _EXPECTED_TOOL_COUNT,
+                        "tools": dict(_INTEGRITY_MANIFEST),
+                        "build_time_manifest": "available" if _BUILD_TIME_MANIFEST else "not generated",
+                        "usage": (
+                            "Hash each tool definition (sorted keys, no whitespace, SHA-256) "
+                            "and compare against the hashes in this manifest. Mismatches "
+                            "indicate description mutation between server and client."
+                        ),
+                    }
+                    resp = _jsonrpc_response(msg_id, {
+                        "contents": [{
+                            "uri": uri,
+                            "mimeType": "application/json",
+                            "text": json.dumps(manifest, indent=2),
+                        }],
+                    })
+                else:
+                    resp = _jsonrpc_error(msg_id, -32602, f"Unknown resource: {uri}")
             elif method == "prompts/list":
                 resp = _jsonrpc_response(msg_id, {"prompts": []})
             elif method == "tools/call":
@@ -927,8 +1183,8 @@ def main() -> None:
         ),
     )
     parser.add_argument(
-        "--memory", required=True,
-        help="Path to memory JSON file (created if doesn't exist)",
+        "--memory",
+        help="Path to memory JSON file (created if doesn't exist). Required unless --generate-manifest.",
     )
     parser.add_argument(
         "--embedder", choices=["openai", "sentence-transformers", "ollama"],
@@ -948,8 +1204,26 @@ def main() -> None:
         action="store_true",
         help="Disable auto-configuration from OPENAI_API_KEY",
     )
+    parser.add_argument(
+        "--generate-manifest",
+        action="store_true",
+        help="Generate tool-integrity.json and exit (build-time integrity manifest)",
+    )
     args = parser.parse_args()
 
+    # Generate build-time manifest and exit (no --memory needed)
+    if args.generate_manifest:
+        manifest = dict(_INTEGRITY_MANIFEST)
+        out_path = os.path.join(os.path.dirname(__file__), "tool-integrity.json")
+        with open(out_path, "w") as f:
+            json.dump(manifest, f, indent=2, sort_keys=True)
+            f.write("\n")
+        print(f"Generated {out_path} ({len(manifest)} tools)")
+        sys.exit(0)
+
+    if not args.memory:
+        parser.error("--memory is required (unless using --generate-manifest)")
+
     embedder = None
     llm = None
     consolidation = None

flowscript_agents-0.2.5/flowscript_agents/tool-integrity.json

@@ -0,0 +1,15 @@
+{
+  "add_memory": "c98f233ffc441c2e672687f446a9e2ee4104c954e1a8f3d8300e6c29bf5d92af",
+  "get_context": "e3069a73a874311e817094e0dc1c9a4d4f2fb0761db6e266400ebb0e30843878",
+  "memory_stats": "38d352ee7e5396135125efa47473c74e9ac9908df7414996f55395c520128a32",
+  "query_alternatives": "a8b055c266a741b5006263e0372ec55d39adbcc7cb8b8e14369f148a1dbe9460",
+  "query_audit": "906e1aa27b0a9757cdf379dcc96e43e9b832495ea888b273bc604d41b4926e4b",
+  "query_blocked": "32ba5402add1f14fa6d42e3de95f8abc0eb411ef1e485e5f5640cc65adfce6a2",
+  "query_tensions": "39361a228e90da2fae52f44563670528505f77ff55c76e34027c139f3071434a",
+  "query_what_if": "583a203a17c21f73bc0abe83fbad3b1195be4051e11a9eea2376e169ef4f795b",
+  "query_why": "4eac8ed68ca419cbe02fad7a948951f8aae7ee86301f8bc3d80c3b3004b1860e",
+  "remove_memory": "ee604c8f87855e32b4509162048168d0c941da79339f907d7d921a55780de830",
+  "search_memory": "7e91e30bc03b5a2c990b83a33c00cf512c5c7c2a2e204c546206ffe606010064",
+  "session_wrap": "669c9ed43617001776a70c142d589d53b6da541bc65b2ce00613ebef04368323",
+  "verify_audit": "2e93d3118ebeed1a1113e423ec915b8dd987c5d2c4adf6fefcd93fa0c931483f"
+}

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "flowscript-agents"
-version = "0.2.3"
+version = "0.2.5"
 description = "Complete agent memory: reasoning queries + vector search + auto-extraction. Decision intelligence for LangGraph, CrewAI, Google ADK, OpenAI Agents SDK, Pydantic AI, smolagents, LlamaIndex, Haystack, and CAMEL-AI."
 readme = "README.md"
 license = "MIT"

{flowscript_agents-0.2.3 → flowscript_agents-0.2.5}/tests/test_mcp.py

@@ -258,13 +258,14 @@ class TestMCPStdioProtocol:
         if method == "initialize":
             return _jsonrpc_response(msg_id, {
                 "protocolVersion": "2025-03-26",
-                "capabilities": {"tools": {}},
-                "serverInfo": {"name": "flowscript-agents", "version": "0.2.0"},
+                "capabilities": {"tools": {}, "resources": {}},
+                "serverInfo": {"name": "flowscript-agents", "version": "0.2.5"},
             })
         elif method == "notifications/initialized":
             return None  # notification, no response
         elif method == "tools/list":
-            return _jsonrpc_response(msg_id, {"tools": TOOLS})
+            from flowscript_agents.mcp import ALL_TOOLS, _thaw
+            return _jsonrpc_response(msg_id, {"tools": [_thaw(t) for t in ALL_TOOLS]})
         elif method == "tools/call":
             tool_name = params.get("name", "")
             tool_args = params.get("arguments", {})
@@ -273,7 +274,8 @@ class TestMCPStdioProtocol:
                 "content": [{"type": "text", "text": json.dumps(result)}],
             })
         elif method == "resources/list":
-            return _jsonrpc_response(msg_id, {"resources": []})
+            from flowscript_agents.mcp import _INTEGRITY_RESOURCE
+            return _jsonrpc_response(msg_id, {"resources": [_INTEGRITY_RESOURCE]})
         elif method == "prompts/list":
             return _jsonrpc_response(msg_id, {"prompts": []})
         elif method == "ping":
@@ -295,10 +297,11 @@ class TestMCPStdioProtocol:
             "jsonrpc": "2.0", "id": 2, "method": "tools/list",
         })
         tools = resp["result"]["tools"]
-        assert len(tools) == 13
+        assert len(tools) == 14  # 13 verified + verify_integrity
         names = {t["name"] for t in tools}
         assert "search_memory" in names
         assert "query_what_if" in names
+        assert "verify_integrity" in names
 
     def test_tools_call(self):
         resp = self._simulate_message({
@@ -321,7 +324,9 @@ class TestMCPStdioProtocol:
         resp = self._simulate_message({
             "jsonrpc": "2.0", "id": 4, "method": "resources/list",
         })
-        assert resp["result"]["resources"] == []
+        resources = resp["result"]["resources"]
+        assert len(resources) == 1
+        assert resources[0]["uri"] == "flowscript://integrity/manifest"
 
     def test_prompts_list(self):
         resp = self._simulate_message({
@@ -493,3 +498,94 @@ class TestVersionNegotiation:
         """Server should accept newer client versions (tools-only, compatible)."""
         from flowscript_agents.mcp import _PROTOCOL_VERSION
         assert _PROTOCOL_VERSION >= "2025-03-26"
+
+
+class TestDescriptionIntegrity:
+    """Tests for the three-layer MCP description integrity system."""
+
+    def test_tools_are_frozen(self):
+        """Tool definitions should be immutable MappingProxyType."""
+        from types import MappingProxyType
+        from flowscript_agents.mcp import TOOLS
+        for tool in TOOLS:
+            assert isinstance(tool, MappingProxyType), f"{tool['name']} is not frozen"
+
+    def test_mutation_blocked(self):
+        """Attempting to mutate a frozen tool should raise TypeError."""
+        from flowscript_agents.mcp import TOOLS
+        import pytest
+        with pytest.raises(TypeError):
+            TOOLS[0]["name"] = "hacked"
+
+    def test_verify_integrity_returns_pass(self):
+        """verify_integrity should return PASS on unmodified tools."""
+        handler, _ = _make_handler()
+        result = handler.handle_tool("verify_integrity", {})
+        assert result["verdict"] == "PASS"
+        assert result["count_match"] is True
+        assert result["tool_count"] == 13  # verified tools (not counting verify_integrity itself)
+
+    def test_verify_integrity_per_tool_status(self):
+        """Each tool should have pass status with matching hashes."""
+        handler, _ = _make_handler()
+        result = handler.handle_tool("verify_integrity", {})
+        for tool_result in result["tools"]:
+            assert tool_result["status"] == "pass", f"{tool_result['tool']} failed integrity check"
+            assert tool_result["expected_hash"] == tool_result["current_hash"]
+
+    def test_hash_determinism(self):
+        """Same tool should produce same hash across calls."""
+        from flowscript_agents.mcp import TOOLS, _hash_tool_definition
+        h1 = _hash_tool_definition(TOOLS[0])
+        h2 = _hash_tool_definition(TOOLS[0])
+        assert h1 == h2
+        assert len(h1) == 64  # SHA-256 hex length
+
+    def test_manifest_matches_runtime(self):
+        """Build-time manifest should match runtime hashes."""
+        from flowscript_agents.mcp import TOOLS, _INTEGRITY_MANIFEST, _hash_tool_definition
+        for tool in TOOLS:
+            name = tool["name"]
+            assert name in _INTEGRITY_MANIFEST
+            assert _INTEGRITY_MANIFEST[name] == _hash_tool_definition(tool)
+
+    def test_integrity_resource_exists(self):
+        """The integrity resource should be listed."""
+        from flowscript_agents.mcp import _INTEGRITY_RESOURCE
+        assert _INTEGRITY_RESOURCE["uri"] == "flowscript://integrity/manifest"
+        assert _INTEGRITY_RESOURCE["mimeType"] == "application/json"
+
+    def test_integrity_resource_frozen(self):
+        """The integrity resource metadata should be frozen."""
+        from types import MappingProxyType
+        from flowscript_agents.mcp import _INTEGRITY_RESOURCE
+        assert isinstance(_INTEGRITY_RESOURCE, MappingProxyType)
+
+    def test_canonicalize_none_as_null(self):
+        """None should canonicalize as 'null', not be skipped."""
+        from flowscript_agents.mcp import _canonicalize
+        result = _canonicalize({"a": None, "b": 1})
+        assert '"a":null' in result
+        assert '"b":1' in result
+
+    def test_canonicalize_bool_not_int(self):
+        """Booleans should serialize as true/false, not 1/0."""
+        from flowscript_agents.mcp import _canonicalize
+        assert _canonicalize(True) == "true"
+        assert _canonicalize(False) == "false"
+        assert _canonicalize(1) == "1"
+
+    def test_canonicalize_sorted_keys(self):
+        """Keys should be sorted alphabetically."""
+        from flowscript_agents.mcp import _canonicalize
+        result = _canonicalize({"z": 1, "a": 2, "m": 3})
+        assert result == '{"a":2,"m":3,"z":1}'
+
+    def test_all_schemas_have_additional_properties(self):
+        """All tool inputSchemas should have additionalProperties: false."""
+        from flowscript_agents.mcp import TOOLS
+        for tool in TOOLS:
+            schema = tool["inputSchema"]
+            assert schema.get("additionalProperties") is False, (
+                f"{tool['name']} missing additionalProperties: false"
+            )