mcps-secure 1.0.0__tar.gz

mcps_secure-1.0.0/LICENSE

@@ -0,0 +1,65 @@
+Business Source License 1.1
+
+Licensor: CyberSecAI Ltd
+Licensed Work: mcp-secure v1.0.0 and later
+Change Date: 2030-03-31
+Change License: Apache License, Version 2.0
+
+Additional Use Grant:
+
+You may use the Licensed Work for non-commercial purposes, including:
+  - Personal security research and learning
+  - Academic and educational use
+  - Internal security scanning within your organisation
+  - Contributing to the Licensed Work
+
+For commercial use (including offering the Licensed Work as a
+hosted service, incorporating it into a commercial product, or
+reselling it), you must obtain a commercial license from the
+Licensor. Contact: contact@agentsign.dev
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create
+derivative works, redistribute, and make non-production use of the
+Licensed Work. The Licensor may make an Additional Use Grant, above,
+permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first
+publicly available distribution of a specific version of the Licensed
+Work under this License, whichever comes first, the Licensor hereby
+grants you rights under the terms of the Change License, and the
+rights granted in the paragraph above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or
+authorized resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative
+works of the Licensed Work, are subject to this License. This License
+applies separately for each version of the Licensed Work and the
+Change Date may vary for each version of the Licensed Work released
+by the Licensor.
+
+You must conspicuously display this License on each original or
+modified copy of the Licensed Work. If you receive the Licensed Work
+in original or modified form from a third party, the terms and
+conditions set forth in this License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will
+automatically terminate your rights under this License for the
+current and all other versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+the Licensor or its affiliates (provided that you may use a trademark
+or logo of the Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS
+PROVIDED ON AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL
+WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT
+LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+PURPOSE, NON-INFRINGEMENT, AND TITLE.
+
+CyberSecAI Ltd
+cybersecai.co.uk

mcps_secure-1.0.0/PKG-INFO

@@ -0,0 +1,102 @@
+Metadata-Version: 2.4
+Name: mcps-secure
+Version: 1.0.0
+Summary: MCPS -- MCP Secure. Cryptographic identity, message signing, and trust verification for the Model Context Protocol.
+Author: CyberSecAI Ltd
+License: BUSL-1.1
+Project-URL: Homepage, https://mcp-secure.dev
+Project-URL: Repository, https://github.com/razashariff/mcps
+Project-URL: Documentation, https://mcp-secure.dev
+Keywords: mcp,mcps,mcp-secure,model-context-protocol,agent-security,agent-identity,passport,message-signing,ecdsa,trust,revocation,owasp,agentsign,secure-mcp
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0.0
+Dynamic: license-file
+
+# MCPS -- MCP Secure
+
+**Cryptographic identity, message signing, and trust verification for the Model Context Protocol.**
+
+The HTTPS of the agent era. MCP becomes MCPS.
+
+## Install
+
+```bash
+pip install mcp-secure
+```
+
+## Quick Start
+
+```python
+from mcp_secure import generate_key_pair, create_passport, sign_passport, verify_passport_signature
+from mcp_secure import sign_message, verify_message, sign_tool, verify_tool
+
+# Generate keys
+keys = generate_key_pair()
+
+# Create and sign a passport
+passport = create_passport(
+    name="my-agent",
+    version="1.0.0",
+    public_key=keys["public_key"],
+    capabilities=["read", "write"],
+)
+
+# Trust Authority signs the passport
+ta_keys = generate_key_pair()
+signed = sign_passport(passport, ta_keys["private_key"])
+assert verify_passport_signature(signed, ta_keys["public_key"])
+
+# Sign MCP messages
+envelope = sign_message(
+    {"jsonrpc": "2.0", "method": "tools/list", "id": 1},
+    signed["passport_id"],
+    keys["private_key"],
+)
+
+# Verify
+result = verify_message(envelope, keys["public_key"])
+assert result["valid"]
+
+# Tool integrity
+tool = {"name": "read_file", "description": "Read a file", "inputSchema": {"type": "object"}}
+sig = sign_tool(tool, keys["private_key"])
+assert verify_tool(tool, sig, keys["public_key"])
+```
+
+## What MCPS Adds to MCP
+
+| Feature | Description |
+|---------|-------------|
+| Agent Passports | ECDSA P-256 signed identity credentials |
+| Message Signing | Every JSON-RPC message wrapped in signed envelope |
+| Tool Integrity | Signed tool definitions prevent poisoning |
+| Replay Protection | Nonce + 5-min timestamp window |
+| Revocation | Real-time passport revocation via Trust Authority |
+| Trust Levels | L0 (unsigned) to L4 (audited) |
+
+## OWASP MCP Top 10
+
+Mitigates 8/10 OWASP MCP vulnerabilities: tool poisoning, supply chain attacks, auth bypass, shadow servers, and more.
+
+## Links
+
+- **Website**: [mcp-secure.dev](https://mcp-secure.dev)
+- **npm**: [mcp-secure](https://www.npmjs.com/package/mcp-secure)
+- **Spec**: [SPEC.md](https://github.com/razashariff/mcps/blob/main/SPEC.md)
+
+## License
+
+MIT -- CyberSecAI Ltd

mcps_secure-1.0.0/README.md

@@ -0,0 +1,75 @@
+# MCPS -- MCP Secure
+
+**Cryptographic identity, message signing, and trust verification for the Model Context Protocol.**
+
+The HTTPS of the agent era. MCP becomes MCPS.
+
+## Install
+
+```bash
+pip install mcp-secure
+```
+
+## Quick Start
+
+```python
+from mcp_secure import generate_key_pair, create_passport, sign_passport, verify_passport_signature
+from mcp_secure import sign_message, verify_message, sign_tool, verify_tool
+
+# Generate keys
+keys = generate_key_pair()
+
+# Create and sign a passport
+passport = create_passport(
+    name="my-agent",
+    version="1.0.0",
+    public_key=keys["public_key"],
+    capabilities=["read", "write"],
+)
+
+# Trust Authority signs the passport
+ta_keys = generate_key_pair()
+signed = sign_passport(passport, ta_keys["private_key"])
+assert verify_passport_signature(signed, ta_keys["public_key"])
+
+# Sign MCP messages
+envelope = sign_message(
+    {"jsonrpc": "2.0", "method": "tools/list", "id": 1},
+    signed["passport_id"],
+    keys["private_key"],
+)
+
+# Verify
+result = verify_message(envelope, keys["public_key"])
+assert result["valid"]
+
+# Tool integrity
+tool = {"name": "read_file", "description": "Read a file", "inputSchema": {"type": "object"}}
+sig = sign_tool(tool, keys["private_key"])
+assert verify_tool(tool, sig, keys["public_key"])
+```
+
+## What MCPS Adds to MCP
+
+| Feature | Description |
+|---------|-------------|
+| Agent Passports | ECDSA P-256 signed identity credentials |
+| Message Signing | Every JSON-RPC message wrapped in signed envelope |
+| Tool Integrity | Signed tool definitions prevent poisoning |
+| Replay Protection | Nonce + 5-min timestamp window |
+| Revocation | Real-time passport revocation via Trust Authority |
+| Trust Levels | L0 (unsigned) to L4 (audited) |
+
+## OWASP MCP Top 10
+
+Mitigates 8/10 OWASP MCP vulnerabilities: tool poisoning, supply chain attacks, auth bypass, shadow servers, and more.
+
+## Links
+
+- **Website**: [mcp-secure.dev](https://mcp-secure.dev)
+- **npm**: [mcp-secure](https://www.npmjs.com/package/mcp-secure)
+- **Spec**: [SPEC.md](https://github.com/razashariff/mcps/blob/main/SPEC.md)
+
+## License
+
+MIT -- CyberSecAI Ltd

mcps_secure-1.0.0/mcp_secure/__init__.py

@@ -0,0 +1,76 @@
+"""
+MCPS -- MCP Secure
+Cryptographic identity, message signing, and trust verification for MCP.
+
+Copyright (c) 2026 CyberSecAI Ltd. All rights reserved.
+License: MIT
+"""
+
+from .core import (
+    MCPS_VERSION,
+    SUPPORTED_VERSIONS,
+    TRUST_LEVELS,
+    ERROR_CODES,
+    MAX_ISSUER_CHAIN_DEPTH,
+    MAX_PASSPORT_BYTES,
+    MAX_CAPABILITIES,
+    generate_key_pair,
+    public_key_to_jwk,
+    create_passport,
+    sign_passport,
+    verify_passport_signature,
+    is_passport_expired,
+    validate_passport_format,
+    validate_origin,
+    get_effective_trust_level,
+    verify_issuer_chain,
+    sign_message,
+    verify_message,
+    sign_tool,
+    verify_tool,
+    create_transcript_binding,
+    verify_transcript_binding,
+    create_transcript_mac,
+    verify_transcript_mac,
+    check_revocation,
+    negotiate_version,
+    secure_mcp,
+    secure_mcp_client,
+    NonceStore,
+    canonical_json,
+)
+
+__version__ = "1.0.0"
+__all__ = [
+    "MCPS_VERSION",
+    "SUPPORTED_VERSIONS",
+    "TRUST_LEVELS",
+    "ERROR_CODES",
+    "MAX_ISSUER_CHAIN_DEPTH",
+    "MAX_PASSPORT_BYTES",
+    "MAX_CAPABILITIES",
+    "generate_key_pair",
+    "public_key_to_jwk",
+    "create_passport",
+    "sign_passport",
+    "verify_passport_signature",
+    "is_passport_expired",
+    "validate_passport_format",
+    "validate_origin",
+    "get_effective_trust_level",
+    "verify_issuer_chain",
+    "sign_message",
+    "verify_message",
+    "sign_tool",
+    "verify_tool",
+    "create_transcript_binding",
+    "verify_transcript_binding",
+    "create_transcript_mac",
+    "verify_transcript_mac",
+    "check_revocation",
+    "negotiate_version",
+    "secure_mcp",
+    "secure_mcp_client",
+    "NonceStore",
+    "canonical_json",
+]

mcps_secure-1.0.0/mcp_secure/core.py

@@ -0,0 +1,847 @@
+"""
+MCPS -- MCP Secure (Core)
+Cryptographic security layer for the Model Context Protocol.
+
+Specification: SEP-2395 (Cryptographic Security Layer for MCP)
+Canonicalization: RFC 8785 (JSON Canonicalization Scheme)
+Signing: ECDSA P-256 (NIST FIPS 186-5, RFC 6979)
+Signature Format: IEEE P1363 r||s fixed-length (RFC 7518 Section 3.4)
+
+Copyright (c) 2026 CyberSecAI Ltd. All rights reserved.
+Patent: GB2604808.2
+License: MIT
+"""
+
+import json
+import hashlib
+import os
+import time
+import threading
+import urllib.request
+import urllib.error
+from datetime import datetime, timezone, timedelta
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.exceptions import InvalidSignature
+import base64
+import math
+from urllib.parse import urlparse
+
+MCPS_VERSION = "1.0"
+SUPPORTED_VERSIONS = ["1.0"]
+NONCE_BYTES = 16
+TIMESTAMP_WINDOW_S = 5 * 60  # 5 minutes
+DEFAULT_TRUST_AUTHORITY = "https://agentsign.dev"
+PASSPORT_PREFIX = "asp_"
+
+# P-256 curve order (FIPS 186-5) for low-S normalization
+P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
+P256_HALF_ORDER = P256_ORDER >> 1
+P1363_SIG_LENGTH = 64  # 32 bytes r + 32 bytes s for P-256
+
+# Passport size limits (DoS prevention)
+MAX_ISSUER_CHAIN_DEPTH = 5
+MAX_PASSPORT_BYTES = 8192
+MAX_CAPABILITIES = 64
+
+TRUST_LEVELS = {
+    "UNSIGNED": 0,     # Plain MCP, no MCPS -- self-signed passports capped here
+    "IDENTIFIED": 1,   # Passport signed by any Trust Authority
+    "VERIFIED": 2,     # Passport signed by recognized TA (in verifier's trust store)
+    "SCANNED": 3,      # Verified + TA verified origin ownership
+    "AUDITED": 4,      # Scanned + TA performed security audit + revocation required
+}
+
+# Error codes: string code + JSON-RPC numeric code
+# Numeric codes use -33xxx to avoid collision with JSON-RPC reserved range (-32000 to -32099)
+ERROR_CODES = {
+    "INVALID_PASSPORT":        {"code": "MCPS-001", "jsonrpc_code": -33001, "message": "Invalid passport format"},
+    "PASSPORT_EXPIRED":        {"code": "MCPS-002", "jsonrpc_code": -33002, "message": "Passport expired"},
+    "PASSPORT_REVOKED":        {"code": "MCPS-003", "jsonrpc_code": -33003, "message": "Passport revoked"},
+    "INVALID_SIGNATURE":       {"code": "MCPS-004", "jsonrpc_code": -33004, "message": "Invalid message signature"},
+    "REPLAY_ATTACK":           {"code": "MCPS-005", "jsonrpc_code": -33005, "message": "Replay attack detected"},
+    "TIMESTAMP_OUT_OF_WINDOW": {"code": "MCPS-006", "jsonrpc_code": -33006, "message": "Timestamp out of window"},
+    "AUTHORITY_UNREACHABLE":   {"code": "MCPS-007", "jsonrpc_code": -33007, "message": "Trust authority unreachable"},
+    "TOOL_INTEGRITY_FAILED":   {"code": "MCPS-008", "jsonrpc_code": -33008, "message": "Tool definition signature invalid or hash changed"},
+    "INSUFFICIENT_TRUST":      {"code": "MCPS-009", "jsonrpc_code": -33009, "message": "Insufficient trust level"},
+    "RATE_LIMITED":            {"code": "MCPS-010", "jsonrpc_code": -33010, "message": "Rate limit exceeded"},
+    "ORIGIN_MISMATCH":         {"code": "MCPS-011", "jsonrpc_code": -33011, "message": "Passport origin does not match server URI"},
+    "CAPABILITY_MISMATCH":     {"code": "MCPS-012", "jsonrpc_code": -33012, "message": "Transcript binding verification failed (downgrade detected)"},
+    "PASSPORT_TOO_LARGE":      {"code": "MCPS-013", "jsonrpc_code": -33013, "message": "Passport exceeds maximum size"},
+    "CHAIN_TOO_DEEP":          {"code": "MCPS-014", "jsonrpc_code": -33014, "message": "Issuer chain exceeds maximum depth"},
+    "VERSION_MISMATCH":        {"code": "MCPS-015", "jsonrpc_code": -33015, "message": "No mutually supported MCPS version"},
+}
+
+
+# ── RFC 8785: JSON Canonicalization Scheme ──
+
+
+def canonical_json(obj):
+    """Deterministic JSON serialization per RFC 8785 (JCS).
+
+    Guarantees identical bytes across Python and Node.js for the same logical value.
+
+    Key properties:
+    - Object keys sorted lexicographically (Unicode code point order)
+    - No whitespace between tokens
+    - Numbers: ES2024 Number.toString() semantics (1.0 -> "1", no trailing zeros)
+    - Strings: minimal JSON escaping
+    - Recursive for nested objects
+    """
+    if obj is None:
+        return "null"
+    if isinstance(obj, bool):
+        return "true" if obj else "false"
+    if isinstance(obj, int):
+        return str(obj)
+    if isinstance(obj, float):
+        if math.isinf(obj) or math.isnan(obj):
+            raise ValueError("Infinity/NaN not allowed in JCS")
+        if obj == 0.0:
+            return "0"  # handles -0.0
+        # ES2024 Number.toString(): integers as integers, shortest float representation
+        if obj == int(obj) and abs(obj) < 2**53:
+            return str(int(obj))
+        return repr(obj)
+    if isinstance(obj, str):
+        return json.dumps(obj, ensure_ascii=False)
+    if isinstance(obj, list):
+        return "[" + ",".join(canonical_json(item) for item in obj) + "]"
+    if isinstance(obj, dict):
+        keys = sorted(obj.keys())
+        return "{" + ",".join(
+            json.dumps(k, ensure_ascii=False) + ":" + canonical_json(obj[k]) for k in keys
+        ) + "}"
+    return json.dumps(obj)
+
+
+# ── ECDSA P1363 Signing with Low-S ──
+
+
+def _sign_bytes(data_bytes, private_key_pem):
+    """Sign bytes with ECDSA P-256 SHA-256, IEEE P1363 format with low-S normalization.
+
+    Output: base64-encoded r||s (exactly 64 bytes for P-256).
+    Low-S normalization prevents signature malleability (BIP-0062).
+    Format per RFC 7518 Section 3.4.
+    """
+    private_key = serialization.load_pem_private_key(
+        private_key_pem.encode(), password=None
+    )
+    der_sig = private_key.sign(data_bytes, ec.ECDSA(hashes.SHA256()))
+    r, s = decode_dss_signature(der_sig)
+
+    # Low-S normalization: if s > n/2, replace with n - s
+    if s > P256_HALF_ORDER:
+        s = P256_ORDER - s
+
+    # IEEE P1363: r||s, each 32 bytes for P-256
+    raw_sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")
+    return base64.b64encode(raw_sig).decode()
+
+
+def _verify_bytes(data_bytes, signature_b64, public_key_pem):
+    """Verify ECDSA P1363 signature with low-S normalization.
+
+    Accepts and normalizes high-S signatures for interoperability.
+    """
+    public_key = serialization.load_pem_public_key(public_key_pem.encode())
+    try:
+        raw_sig = base64.b64decode(signature_b64)
+        if len(raw_sig) != P1363_SIG_LENGTH:
+            return False
+
+        # Parse IEEE P1363 format
+        r = int.from_bytes(raw_sig[:32], "big")
+        s = int.from_bytes(raw_sig[32:], "big")
+
+        # Low-S normalization for verification
+        if s > P256_HALF_ORDER:
+            s = P256_ORDER - s
+
+        # Convert to DER for cryptography library
+        der_sig = encode_dss_signature(r, s)
+        public_key.verify(der_sig, data_bytes, ec.ECDSA(hashes.SHA256()))
+        return True
+    except (InvalidSignature, Exception):
+        return False
+
+
+# ── Key Generation ──
+
+
+def generate_key_pair():
+    """Generate an ECDSA P-256 key pair for MCPS signing."""
+    private_key = ec.generate_private_key(ec.SECP256R1())
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+    public_pem = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    ).decode()
+    return {"public_key": public_pem, "private_key": private_pem}
+
+
+def _int_to_base64url(n, length):
+    """Convert integer to base64url-encoded bytes of given length."""
+    b = n.to_bytes(length, byteorder="big")
+    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
+
+
+def public_key_to_jwk(public_key_pem):
+    """Export public key as compact JWK for passport embedding."""
+    pub_key = serialization.load_pem_public_key(public_key_pem.encode())
+    numbers = pub_key.public_numbers()
+    return {
+        "kty": "EC",
+        "crv": "P-256",
+        "x": _int_to_base64url(numbers.x, 32),
+        "y": _int_to_base64url(numbers.y, 32),
+    }
+
+
+# ── Passport ──
+
+
+def create_passport(name, version="1.0.0", public_key=None, origin=None,
+                     capabilities=None, scan_results=None, ttl_days=365,
+                     issuer="self", issuer_chain=None, previous_key_hash=None):
+    """Create an agent passport with origin binding.
+
+    Args:
+        name: Agent name
+        version: Agent version
+        public_key: PEM public key string
+        origin: URI of the authorized server (e.g. https://api.example.com)
+        capabilities: List of agent capabilities (max 64)
+        scan_results: SDLC scan results dict
+        ttl_days: Days until expiration
+        issuer: Issuer identifier
+        issuer_chain: Chain of base64url-encoded intermediate TA passports (max depth 5)
+        previous_key_hash: SHA-256 hash of previous public key (for key rotation)
+    """
+    passport_id = PASSPORT_PREFIX + os.urandom(16).hex()
+    now = datetime.now(timezone.utc)
+    expires = now + timedelta(days=ttl_days)
+
+    # Self-signed passports are ALWAYS L0 per SEP-2395 Section 6.1
+    is_self_signed = not issuer or issuer == "self"
+    if is_self_signed:
+        trust_level = TRUST_LEVELS["UNSIGNED"]
+    elif scan_results:
+        trust_level = TRUST_LEVELS["SCANNED"]
+    else:
+        trust_level = TRUST_LEVELS["IDENTIFIED"]
+
+    passport = {
+        "mcps_version": MCPS_VERSION,
+        "passport_id": passport_id,
+        "agent": {
+            "name": name,
+            "version": version,
+            "capabilities": (capabilities or [])[:MAX_CAPABILITIES],
+        },
+        "public_key": public_key_to_jwk(public_key) if public_key else None,
+        "origin": origin,
+        "scan": scan_results,
+        "trust_level": trust_level,
+        "issued_at": now.isoformat().replace("+00:00", "Z"),
+        "expires_at": expires.isoformat().replace("+00:00", "Z"),
+        "issuer": issuer,
+        "issuer_chain": (issuer_chain or [])[:MAX_ISSUER_CHAIN_DEPTH],
+    }
+
+    # Key rotation: link to previous key for compromise recovery
+    if previous_key_hash:
+        passport["key_rotation"] = {
+            "previous_key_hash": previous_key_hash,
+            "rotated_at": now.isoformat().replace("+00:00", "Z"),
+        }
+
+    return passport
+
+
+def sign_passport(passport, authority_private_key):
+    """Sign a passport with the Trust Authority's private key.
+    Uses RFC 8785 (JCS) for canonical serialization before signing.
+    Signature: IEEE P1363 r||s with low-S normalization."""
+    payload = canonical_json(passport).encode()
+    signature = _sign_bytes(payload, authority_private_key)
+    return {**passport, "signature": signature}
+
+
+def verify_passport_signature(passport, authority_public_key):
+    """Verify a passport's signature against the Trust Authority's public key."""
+    sig = passport.get("signature")
+    if not sig:
+        return False
+    rest = {k: v for k, v in passport.items() if k != "signature"}
+    payload = canonical_json(rest).encode()
+    return _verify_bytes(payload, sig, authority_public_key)
+
+
+def is_passport_expired(passport):
+    """Check if a passport has expired."""
+    expires = passport.get("expires_at", "")
+    if not expires:
+        return True
+    exp_dt = datetime.fromisoformat(expires.replace("Z", "+00:00"))
+    return exp_dt < datetime.now(timezone.utc)
+
+
+def validate_passport_format(passport):
+    """Validate passport format including size limits."""
+    if not passport:
+        return {"valid": False, "error": ERROR_CODES["INVALID_PASSPORT"]}
+    pid = passport.get("passport_id", "")
+    if not pid or not pid.startswith(PASSPORT_PREFIX):
+        return {"valid": False, "error": ERROR_CODES["INVALID_PASSPORT"]}
+    if not passport.get("public_key"):
+        return {"valid": False, "error": ERROR_CODES["INVALID_PASSPORT"]}
+    if not passport.get("issued_at") or not passport.get("expires_at"):
+        return {"valid": False, "error": ERROR_CODES["INVALID_PASSPORT"]}
+    if is_passport_expired(passport):
+        return {"valid": False, "error": ERROR_CODES["PASSPORT_EXPIRED"]}
+
+    # Size limits (DoS prevention)
+    chain = passport.get("issuer_chain", [])
+    if len(chain) > MAX_ISSUER_CHAIN_DEPTH:
+        return {"valid": False, "error": ERROR_CODES["CHAIN_TOO_DEEP"]}
+    serialized = canonical_json(passport)
+    if len(serialized.encode("utf-8")) > MAX_PASSPORT_BYTES:
+        return {"valid": False, "error": ERROR_CODES["PASSPORT_TOO_LARGE"]}
+
+    return {"valid": True, "error": None}
+
+
+def validate_origin(passport, expected_origin):
+    """Validate that a passport's origin matches the expected server URI.
+    Origin comparison uses scheme + authority (host + port) per RFC 6454."""
+    passport_origin = passport.get("origin")
+    if not passport_origin:
+        return {"valid": False, "error": ERROR_CODES["ORIGIN_MISMATCH"]}
+    if not expected_origin:
+        return {"valid": True, "error": None}
+
+    try:
+        p = urlparse(passport_origin)
+        e = urlparse(expected_origin)
+        match = (p.scheme == e.scheme and p.hostname == e.hostname
+                 and (p.port or "") == (e.port or ""))
+        if match:
+            return {"valid": True, "error": None}
+        return {"valid": False, "error": ERROR_CODES["ORIGIN_MISMATCH"]}
+    except Exception:
+        return {"valid": False, "error": ERROR_CODES["ORIGIN_MISMATCH"]}
+
+
+def get_effective_trust_level(passport, trusted_issuers=None):
+    """Get the effective trust level for a passport.
+    Self-signed passports are ALWAYS capped at L0.
+    Unknown issuers are treated as L0."""
+    issuer = passport.get("issuer", "self")
+    if not issuer or issuer == "self":
+        return TRUST_LEVELS["UNSIGNED"]
+    if trusted_issuers is not None and issuer not in trusted_issuers:
+        return TRUST_LEVELS["UNSIGNED"]
+    return passport.get("trust_level", TRUST_LEVELS["UNSIGNED"])
+
+
+def verify_issuer_chain(passport, trust_store):
+    """Verify an issuer chain from agent passport up to a trusted root.
+
+    Each issuer_chain entry is a base64-encoded JSON intermediate TA passport
+    containing its own signature, public_key, issuer, and other standard fields.
+
+    Chain verification walks: agent -> intermediate(s) -> root TA.
+    Max chain depth: MAX_ISSUER_CHAIN_DEPTH (5).
+    """
+    issuer = passport.get("issuer")
+    if not issuer:
+        return {"valid": False, "chain_length": 0, "root_issuer": None}
+
+    chain = passport.get("issuer_chain", [])
+    if len(chain) > MAX_ISSUER_CHAIN_DEPTH:
+        return {"valid": False, "chain_length": len(chain), "root_issuer": None, "error": "chain_too_deep"}
+
+    # Direct trust: issuer is in trust store
+    if issuer in trust_store:
+        is_valid = verify_passport_signature(passport, trust_store[issuer])
+        return {"valid": is_valid, "chain_length": 1,
+                "root_issuer": issuer if is_valid else None}
+
+    if not chain:
+        return {"valid": False, "chain_length": 0, "root_issuer": None}
+
+    # Decode chain entries: each is base64-encoded JSON intermediate TA passport
+    intermediates = []
+    for entry in chain:
+        try:
+            decoded = base64.b64decode(entry).decode("utf-8")
+            intermediates.append(json.loads(decoded))
+        except Exception:
+            return {"valid": False, "chain_length": len(chain),
+                    "root_issuer": None, "error": "invalid_chain_entry"}
+
+    # Walk chain: verify each link from agent passport up to root
+    current = passport
+    for i, intermediate in enumerate(intermediates):
+        pub_key_jwk = intermediate.get("public_key")
+        if not pub_key_jwk:
+            return {"valid": False, "chain_length": i,
+                    "root_issuer": None, "error": "intermediate_missing_key"}
+
+        # Convert intermediate's JWK to PEM
+        try:
+            from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers, SECP256R1
+            x = int.from_bytes(base64.urlsafe_b64decode(pub_key_jwk["x"] + "=="), "big")
+            y = int.from_bytes(base64.urlsafe_b64decode(pub_key_jwk["y"] + "=="), "big")
+            pub_numbers = EllipticCurvePublicNumbers(x, y, SECP256R1())
+            pub_obj = pub_numbers.public_key()
+            intermediate_pem = pub_obj.public_bytes(
+                serialization.Encoding.PEM,
+                serialization.PublicFormat.SubjectPublicKeyInfo
+            ).decode()
+        except Exception:
+            return {"valid": False, "chain_length": i,
+                    "root_issuer": None, "error": "invalid_intermediate_key"}
+
+        # Verify current passport was signed by this intermediate
+        if not verify_passport_signature(current, intermediate_pem):
+            return {"valid": False, "chain_length": i,
+                    "root_issuer": None, "error": "signature_verification_failed"}
+
+        # Check if this intermediate's issuer is a trusted root
+        int_issuer = intermediate.get("issuer")
+        if int_issuer and int_issuer in trust_store:
+            if verify_passport_signature(intermediate, trust_store[int_issuer]):
+                return {"valid": True, "chain_length": i + 2,
+                        "root_issuer": int_issuer}
+
+        current = intermediate
+
+    return {"valid": False, "chain_length": len(intermediates),
+            "root_issuer": None, "error": "no_trusted_root"}
+
+
+# ── Message Signing ──
+
+
+def sign_message(mcp_message, passport_id, private_key, channel_binding=None):
+    """Wrap an MCP JSON-RPC message in an MCPS signed envelope.
+
+    Uses SHA-256 hash of JCS(message) to avoid double-canonicalization
+    fragility (embedding one JCS string inside another JCS object).
+
+    Args:
+        mcp_message: The original MCP JSON-RPC message dict
+        passport_id: The agent's passport ID
+        private_key: PEM private key string
+        channel_binding: Optional TLS channel binding token (RFC 9266 tls-exporter)
+    """
+    nonce = os.urandom(NONCE_BYTES).hex()
+    timestamp = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
+
+    # Hash message instead of nesting JCS strings (prevents double-canonicalization fragility)
+    message_hash = hashlib.sha256(canonical_json(mcp_message).encode()).hexdigest()
+
+    sig_payload_obj = {
+        "message_hash": message_hash,
+        "nonce": nonce,
+        "passport_id": passport_id,
+        "timestamp": timestamp,
+    }
+
+    # Optional TLS channel binding (RFC 9266 tls-exporter)
+    if channel_binding:
+        sig_payload_obj["channel_binding"] = channel_binding
+
+    sig_payload = canonical_json(sig_payload_obj).encode()
+    signature = _sign_bytes(sig_payload, private_key)
+
+    return {
+        "mcps": {
+            "version": MCPS_VERSION,
+            "passport_id": passport_id,
+            "timestamp": timestamp,
+            "nonce": nonce,
+            "signature": signature,
+        },
+        **mcp_message,
+    }
+
+
+def verify_message(envelope, public_key_pem, channel_binding=None):
+    """Verify an MCPS envelope's signature."""
+    if not envelope or not isinstance(envelope.get("mcps"), dict):
+        return {"valid": False, "error": ERROR_CODES["INVALID_SIGNATURE"]}
+
+    mcps_field = envelope["mcps"]
+    if not mcps_field.get("signature"):
+        return {"valid": False, "error": ERROR_CODES["INVALID_SIGNATURE"]}
+
+    jsonrpc_message = {k: v for k, v in envelope.items() if k != "mcps"}
+
+    # Check timestamp window
+    try:
+        msg_time = datetime.fromisoformat(
+            mcps_field["timestamp"].replace("Z", "+00:00")
+        ).timestamp()
+    except (KeyError, ValueError):
+        return {"valid": False, "error": ERROR_CODES["TIMESTAMP_OUT_OF_WINDOW"]}
+
+    now = time.time()
+    if abs(now - msg_time) > TIMESTAMP_WINDOW_S:
+        return {"valid": False, "error": ERROR_CODES["TIMESTAMP_OUT_OF_WINDOW"]}
+
+    # Reconstruct signing payload (message hash, not nested JCS)
+    message_hash = hashlib.sha256(canonical_json(jsonrpc_message).encode()).hexdigest()
+
+    sig_payload_obj = {
+        "message_hash": message_hash,
+        "nonce": mcps_field["nonce"],
+        "passport_id": mcps_field["passport_id"],
+        "timestamp": mcps_field["timestamp"],
+    }
+
+    if channel_binding:
+        sig_payload_obj["channel_binding"] = channel_binding
+
+    sig_payload = canonical_json(sig_payload_obj).encode()
+
+    if _verify_bytes(sig_payload, mcps_field["signature"], public_key_pem):
+        return {"valid": True, "error": None}
+    return {"valid": False, "error": ERROR_CODES["INVALID_SIGNATURE"]}
+
+
+# ── Nonce Store (Replay Protection) ──
+
+
+class NonceStore:
+    """Thread-safe nonce store for replay attack detection."""
+
+    def __init__(self, window_s=TIMESTAMP_WINDOW_S):
+        self._nonces = {}
+        self._window_s = window_s
+        self._lock = threading.Lock()
+        self._timer = threading.Timer(window_s, self._gc)
+        self._timer.daemon = True
+        self._timer.start()
+
+    def check(self, nonce):
+        """Return True if nonce is fresh (not a replay)."""
+        with self._lock:
+            if nonce in self._nonces:
+                return False
+            self._nonces[nonce] = time.time()
+            return True
+
+    def _gc(self):
+        cutoff = time.time() - self._window_s
+        with self._lock:
+            self._nonces = {n: t for n, t in self._nonces.items() if t >= cutoff}
+        self._timer = threading.Timer(self._window_s, self._gc)
+        self._timer.daemon = True
+        self._timer.start()
+
+    def destroy(self):
+        self._timer.cancel()
+        with self._lock:
+            self._nonces.clear()
+
+
+# ── Tool Integrity ──
+
+
+def sign_tool(tool, private_key, author_origin=None):
+    """Sign an MCP tool definition.
+    Hashes the ENTIRE tool object (name + description + inputSchema) using JCS.
+    Optionally binds to author_origin to prevent tool relaying attacks.
+
+    Args:
+        tool: MCP tool dict with name, description, inputSchema
+        private_key: PEM private key string
+        author_origin: Author's server origin (binds tool to serving origin)
+    """
+    canonical = canonical_json({
+        "author_origin": author_origin,
+        "description": tool["description"],
+        "inputSchema": tool.get("inputSchema", {}),
+        "name": tool["name"],
+    })
+
+    tool_hash = hashlib.sha256(canonical.encode()).hexdigest()
+    signature = _sign_bytes(canonical.encode(), private_key)
+
+    return {"signature": signature, "tool_hash": tool_hash}
+
+
+def verify_tool(tool, signature, public_key_pem, pinned_hash=None, author_origin=None):
+    """Verify an MCP tool definition's signature.
+
+    Args:
+        tool: MCP tool dict
+        signature: Base64 P1363 signature string
+        public_key_pem: PEM public key string
+        pinned_hash: Previously pinned tool_hash for change detection
+        author_origin: Expected author origin
+    """
+    canonical = canonical_json({
+        "author_origin": author_origin,
+        "description": tool["description"],
+        "inputSchema": tool.get("inputSchema", {}),
+        "name": tool["name"],
+    })
+
+    tool_hash = hashlib.sha256(canonical.encode()).hexdigest()
+    hash_changed = (pinned_hash is not None) and (tool_hash != pinned_hash)
+
+    valid = _verify_bytes(canonical.encode(), signature, public_key_pem)
+    return {"valid": valid, "tool_hash": tool_hash, "hash_changed": hash_changed}
+
+
+# ── Transcript Binding (Anti-Downgrade) ──
+
+
+def create_transcript_binding(client_init_params, server_init_result, private_key):
+    """Create a transcript binding (formerly "transcript MAC").
+    Uses ECDSA signatures (asymmetric), NOT MAC (symmetric) -- hence the rename.
+
+    Both parties sign the agreed-upon security parameters to prevent an active
+    attacker from stripping MCPS capability during handshake.
+
+    IMPORTANT: transcript covers initialize `params` (client) and `result` (server),
+    NOT the full JSON-RPC envelope. This is the security-relevant boundary.
+
+    Args:
+        client_init_params: Client's initialize params (capabilities, clientInfo)
+        server_init_result: Server's initialize result (capabilities, serverInfo)
+        private_key: Signer's PEM private key
+    """
+    client_jcs = canonical_json(client_init_params)
+    server_jcs = canonical_json(server_init_result)
+    transcript_hash = hashlib.sha256((client_jcs + server_jcs).encode()).hexdigest()
+
+    signature = _sign_bytes(transcript_hash.encode(), private_key)
+
+    return {"transcript_hash": transcript_hash, "transcript_signature": signature}
+
+
+def verify_transcript_binding(transcript_hash, transcript_signature, public_key_pem,
+                               client_init_params, server_init_result):
+    """Verify a transcript binding from the other party."""
+    client_jcs = canonical_json(client_init_params)
+    server_jcs = canonical_json(server_init_result)
+    expected_hash = hashlib.sha256((client_jcs + server_jcs).encode()).hexdigest()
+
+    if transcript_hash != expected_hash:
+        return {"valid": False, "error": ERROR_CODES["CAPABILITY_MISMATCH"]}
+
+    if _verify_bytes(transcript_hash.encode(), transcript_signature, public_key_pem):
+        return {"valid": True, "error": None}
+    return {"valid": False, "error": ERROR_CODES["CAPABILITY_MISMATCH"]}
+
+
+# Backwards-compatible aliases (renamed from MAC to Binding)
+create_transcript_mac = create_transcript_binding
+verify_transcript_mac = verify_transcript_binding
+
+
+# ── Version Negotiation ──
+
+
+def negotiate_version(client_versions, server_versions=None):
+    """Negotiate the highest mutually supported MCPS version.
+
+    Args:
+        client_versions: Client's supported version(s) -- string or list
+        server_versions: Server's supported versions (defaults to SUPPORTED_VERSIONS)
+
+    Returns:
+        str or None: Highest mutual version, or None if none
+    """
+    if isinstance(client_versions, str):
+        client_versions = [client_versions]
+    if server_versions is None:
+        server_versions = SUPPORTED_VERSIONS
+    if isinstance(server_versions, str):
+        server_versions = [server_versions]
+
+    mutual = [v for v in client_versions if v in server_versions]
+    if not mutual:
+        return None
+
+    # Sort by version descending (highest first)
+    def version_key(v):
+        parts = v.split(".")
+        return tuple(int(p) for p in parts)
+
+    mutual.sort(key=version_key, reverse=True)
+    return mutual[0]
+
+
+# ── Revocation Client ──
+
+
+def check_revocation(passport_id, trust_authority=DEFAULT_TRUST_AUTHORITY, ta_public_key=None):
+    """Check passport revocation status against the Trust Authority.
+    Revocation endpoint is discovered from TA metadata, NOT from the verified party."""
+    url = f"{trust_authority.rstrip('/')}/api/verify/{passport_id}"
+    try:
+        req = urllib.request.Request(url, headers={"User-Agent": "mcps-python/1.0"})
+        with urllib.request.urlopen(req, timeout=5) as resp:
+            data = json.loads(resp.read().decode())
+
+            verified = False
+            if ta_public_key and data.get("signature"):
+                sig = data["signature"]
+                rest = {k: v for k, v in data.items() if k != "signature"}
+                payload = canonical_json(rest).encode()
+                verified = _verify_bytes(payload, sig, ta_public_key)
+
+            return {
+                "status": data.get("status", "UNKNOWN"),
+                "revoked": data.get("status") == "REVOKED",
+                "reason": data.get("reason"),
+                "revoked_at": data.get("revoked_at"),
+                "verified": verified,
+            }
+    except Exception:
+        return {"status": "UNREACHABLE", "revoked": False, "reason": "network_error", "verified": False}
+
+
+# ── MCPS Middleware ──
+
+
+def secure_mcp(mcp_server, passport=None, private_key=None,
+               trust_authority=DEFAULT_TRUST_AUTHORITY, min_trust_level=2,
+               origin=None, trusted_issuers=None, trust_authorities=None,
+               on_revoked=None, on_audit=None):
+    """Create an MCPS-secured wrapper around an MCP server.
+    Implements fail-closed by default when Trust Authority is unreachable.
+    Supports multiple Trust Authorities via trust_authorities list."""
+    return MCPSServer(mcp_server, passport, private_key, trust_authority,
+                      min_trust_level, origin, trusted_issuers, trust_authorities,
+                      on_revoked, on_audit)
+
+
+class MCPSServer:
+    def __init__(self, mcp_server, passport, private_key, trust_authority,
+                 min_trust_level, origin, trusted_issuers, trust_authorities,
+                 on_revoked, on_audit):
+        self._mcp_server = mcp_server
+        self._nonce_store = NonceStore()
+        self._passport_cache = {}
+        self._passport = passport
+        self._private_key = private_key
+        self._trust_authorities = trust_authorities or [trust_authority]
+        self._min_trust_level = min_trust_level
+        self._origin = origin
+        self._trusted_issuers = trusted_issuers
+        self._on_revoked = on_revoked
+        self._on_audit = on_audit
+        self.mcps_version = MCPS_VERSION
+
+    def _audit(self, event, data):
+        if self._on_audit:
+            entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "event": event, **data}
+            self._on_audit(entry)
+
+    def handle_message(self, envelope):
+        if not envelope or not isinstance(envelope.get("mcps"), dict):
+            self._audit("rejected", {"reason": "invalid_format"})
+            return {"error": ERROR_CODES["INVALID_SIGNATURE"]}
+
+        mcps_field = envelope["mcps"]
+        passport_id = mcps_field.get("passport_id", "")
+
+        if not self._nonce_store.check(mcps_field.get("nonce", "")):
+            self._audit("rejected", {"reason": "replay_attack", "passport_id": passport_id})
+            return {"error": ERROR_CODES["REPLAY_ATTACK"]}
+
+        passport = self._passport_cache.get(passport_id)
+        if not passport:
+            # Try each trust authority (multi-TA support)
+            rev = None
+            for ta in self._trust_authorities:
+                rev = check_revocation(passport_id, ta)
+                if rev["status"] != "UNREACHABLE":
+                    break
+
+            if rev["revoked"]:
+                self._audit("rejected", {"reason": "revoked", "passport_id": passport_id})
+                if self._on_revoked:
+                    self._on_revoked(passport_id, rev["reason"])
+                return {"error": ERROR_CODES["PASSPORT_REVOKED"]}
+            if rev["status"] == "UNREACHABLE":
+                self._audit("rejected", {"reason": "authority_unreachable_fail_closed", "passport_id": passport_id})
+                return {"error": ERROR_CODES["AUTHORITY_UNREACHABLE"]}
+            passport = {"passport_id": passport_id, "trust_level": TRUST_LEVELS["VERIFIED"]}
+            self._passport_cache[passport_id] = passport
+
+        effective_level = get_effective_trust_level(passport, self._trusted_issuers)
+        if effective_level < self._min_trust_level:
+            self._audit("rejected", {"reason": "insufficient_trust", "passport_id": passport_id})
+            return {"error": ERROR_CODES["INSUFFICIENT_TRUST"]}
+
+        if self._origin and passport.get("origin"):
+            origin_result = validate_origin(passport, self._origin)
+            if not origin_result["valid"]:
+                self._audit("rejected", {"reason": "origin_mismatch", "passport_id": passport_id})
+                return {"error": ERROR_CODES["ORIGIN_MISMATCH"]}
+
+        jsonrpc_message = {k: v for k, v in envelope.items() if k != "mcps"}
+
+        self._audit("accepted", {"passport_id": passport_id, "method": jsonrpc_message.get("method")})
+
+        if self._mcp_server and hasattr(self._mcp_server, "handle_message"):
+            return self._mcp_server.handle_message(jsonrpc_message)
+        return {"result": "ok"}
+
+    def sign(self, mcp_message):
+        return sign_message(mcp_message, self._passport, self._private_key)
+
+    def destroy(self):
+        self._nonce_store.destroy()
+        self._passport_cache.clear()
+
+
+def secure_mcp_client(mcp_client, trust_authority=DEFAULT_TRUST_AUTHORITY, on_revoked=None):
+    """Create an MCPS client wrapper for verifying server responses."""
+    return MCPSClient(mcp_client, trust_authority, on_revoked)
+
+
+class MCPSClient:
+    def __init__(self, mcp_client, trust_authority, on_revoked):
+        self._mcp_client = mcp_client
+        self._nonce_store = NonceStore()
+        self._trust_authority = trust_authority
+        self._on_revoked = on_revoked
+        self.mcps_version = MCPS_VERSION
+
+    def send(self, mcp_message, passport_id, private_key):
+        envelope = sign_message(mcp_message, passport_id, private_key)
+        if self._mcp_client and hasattr(self._mcp_client, "send"):
+            return self._mcp_client.send(envelope)
+        return envelope
+
+    def verify(self, envelope):
+        if not envelope or not isinstance(envelope.get("mcps"), dict):
+            return {"valid": False, "error": ERROR_CODES["INVALID_SIGNATURE"]}
+        mcps_field = envelope["mcps"]
+        passport_id = mcps_field.get("passport_id", "")
+        rev = check_revocation(passport_id, self._trust_authority)
+        if rev["revoked"]:
+            if self._on_revoked:
+                self._on_revoked(passport_id, rev["reason"])
+            return {"valid": False, "error": ERROR_CODES["PASSPORT_REVOKED"]}
+        if not self._nonce_store.check(mcps_field.get("nonce", "")):
+            return {"valid": False, "error": ERROR_CODES["REPLAY_ATTACK"]}
+        return {"valid": True, "passport_id": passport_id}
+
+    def destroy(self):
+        self._nonce_store.destroy()

mcps_secure-1.0.0/mcps_secure.egg-info/PKG-INFO

@@ -0,0 +1,102 @@
+Metadata-Version: 2.4
+Name: mcps-secure
+Version: 1.0.0
+Summary: MCPS -- MCP Secure. Cryptographic identity, message signing, and trust verification for the Model Context Protocol.
+Author: CyberSecAI Ltd
+License: BUSL-1.1
+Project-URL: Homepage, https://mcp-secure.dev
+Project-URL: Repository, https://github.com/razashariff/mcps
+Project-URL: Documentation, https://mcp-secure.dev
+Keywords: mcp,mcps,mcp-secure,model-context-protocol,agent-security,agent-identity,passport,message-signing,ecdsa,trust,revocation,owasp,agentsign,secure-mcp
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0.0
+Dynamic: license-file
+
+# MCPS -- MCP Secure
+
+**Cryptographic identity, message signing, and trust verification for the Model Context Protocol.**
+
+The HTTPS of the agent era. MCP becomes MCPS.
+
+## Install
+
+```bash
+pip install mcp-secure
+```
+
+## Quick Start
+
+```python
+from mcp_secure import generate_key_pair, create_passport, sign_passport, verify_passport_signature
+from mcp_secure import sign_message, verify_message, sign_tool, verify_tool
+
+# Generate keys
+keys = generate_key_pair()
+
+# Create and sign a passport
+passport = create_passport(
+    name="my-agent",
+    version="1.0.0",
+    public_key=keys["public_key"],
+    capabilities=["read", "write"],
+)
+
+# Trust Authority signs the passport
+ta_keys = generate_key_pair()
+signed = sign_passport(passport, ta_keys["private_key"])
+assert verify_passport_signature(signed, ta_keys["public_key"])
+
+# Sign MCP messages
+envelope = sign_message(
+    {"jsonrpc": "2.0", "method": "tools/list", "id": 1},
+    signed["passport_id"],
+    keys["private_key"],
+)
+
+# Verify
+result = verify_message(envelope, keys["public_key"])
+assert result["valid"]
+
+# Tool integrity
+tool = {"name": "read_file", "description": "Read a file", "inputSchema": {"type": "object"}}
+sig = sign_tool(tool, keys["private_key"])
+assert verify_tool(tool, sig, keys["public_key"])
+```
+
+## What MCPS Adds to MCP
+
+| Feature | Description |
+|---------|-------------|
+| Agent Passports | ECDSA P-256 signed identity credentials |
+| Message Signing | Every JSON-RPC message wrapped in signed envelope |
+| Tool Integrity | Signed tool definitions prevent poisoning |
+| Replay Protection | Nonce + 5-min timestamp window |
+| Revocation | Real-time passport revocation via Trust Authority |
+| Trust Levels | L0 (unsigned) to L4 (audited) |
+
+## OWASP MCP Top 10
+
+Mitigates 8/10 OWASP MCP vulnerabilities: tool poisoning, supply chain attacks, auth bypass, shadow servers, and more.
+
+## Links
+
+- **Website**: [mcp-secure.dev](https://mcp-secure.dev)
+- **npm**: [mcp-secure](https://www.npmjs.com/package/mcp-secure)
+- **Spec**: [SPEC.md](https://github.com/razashariff/mcps/blob/main/SPEC.md)
+
+## License
+
+MIT -- CyberSecAI Ltd

mcps_secure-1.0.0/mcps_secure.egg-info/SOURCES.txt

@@ -0,0 +1,10 @@
+LICENSE
+README.md
+pyproject.toml
+mcp_secure/__init__.py
+mcp_secure/core.py
+mcps_secure.egg-info/PKG-INFO
+mcps_secure.egg-info/SOURCES.txt
+mcps_secure.egg-info/dependency_links.txt
+mcps_secure.egg-info/requires.txt
+mcps_secure.egg-info/top_level.txt

mcps_secure-1.0.0/mcps_secure.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

mcps_secure-1.0.0/mcps_secure.egg-info/requires.txt

@@ -0,0 +1 @@
+cryptography>=41.0.0

mcps_secure-1.0.0/mcps_secure.egg-info/top_level.txt

@@ -0,0 +1 @@
+mcp_secure

mcps_secure-1.0.0/pyproject.toml

@@ -0,0 +1,42 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "mcps-secure"
+version = "1.0.0"
+description = "MCPS -- MCP Secure. Cryptographic identity, message signing, and trust verification for the Model Context Protocol."
+readme = "README.md"
+license = {text = "BUSL-1.1"}
+requires-python = ">=3.9"
+authors = [{name = "CyberSecAI Ltd"}]
+keywords = [
+    "mcp", "mcps", "mcp-secure", "model-context-protocol",
+    "agent-security", "agent-identity", "passport",
+    "message-signing", "ecdsa", "trust", "revocation",
+    "owasp", "agentsign", "secure-mcp",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: Other/Proprietary License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security :: Cryptography",
+    "Topic :: Software Development :: Libraries",
+]
+dependencies = [
+    "cryptography>=41.0.0",
+]
+
+[project.urls]
+Homepage = "https://mcp-secure.dev"
+Repository = "https://github.com/razashariff/mcps"
+Documentation = "https://mcp-secure.dev"
+
+[tool.setuptools.packages.find]
+include = ["mcp_secure*"]

mcps_secure-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+