{"id":51160674,"url":"https://github.com/hassard0/vcp","last_synced_at":"2026-06-26T13:01:51.207Z","repository":{"id":364455733,"uuid":"1267972859","full_name":"hassard0/vcp","owner":"hassard0","description":"VCP — Verifiable Capability Protocol: zero-trust capability execution for AI agents. A stricter sibling of MCP where models plan and a signed gateway enforces. Signed content-addressed capabilities, proof-bound single-use grants, plan/apply, taint-aware policy.","archived":false,"fork":false,"pushed_at":"2026-06-13T04:02:49.000Z","size":103,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T05:22:21.188Z","etag":null,"topics":["ai-agents","capability-security","llm","mcp","model-context-protocol","protocol","specification","zero-trust"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hassard0.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-13T02:59:52.000Z","updated_at":"2026-06-13T04:02:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hassard0/vcp","commit_stats":null,"previous_names":["hassard0/vcp"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/hassard0/vcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/has
sard0%2Fvcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hassard0%2Fvcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hassard0%2Fvcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hassard0%2Fvcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hassard0","download_url":"https://codeload.github.com/hassard0/vcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hassard0%2Fvcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34817641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","capability-security","llm","mcp","model-context-protocol","protocol","specification","zero-trust"],"created_at":"2026-06-26T13:01:50.804Z","updated_at":"2026-06-26T13:01:51.184Z","avatar_url":"https://github.com/hassard0.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# VCP — Verifiable Capability Protocol\n\n\u003e **Zero-trust capability execution for AI agents.** A model may *propose* a tool\n\u003e call, but it can never *authorize* one. 
Authorization comes from a signed,\n\u003e content-addressed manifest, a mandatory policy decision, explicit consent, and a\n\u003e single-use, proof-bound grant minted by an enforcing **Gateway**.\n\n[![Spec status: Draft RFC](https://img.shields.io/badge/spec-Draft%20RFC-orange)](./SPECIFICATION.md)\n[![Protocol revision](https://img.shields.io/badge/revision-2026--06--13-blue)](./CHANGELOG.md)\n[![Spec license: CC BY 4.0](https://img.shields.io/badge/spec-CC%20BY%204.0-green)](./LICENSE-SPEC)\n[![Code license: Apache 2.0](https://img.shields.io/badge/code-Apache%202.0-green)](./LICENSE)\n\nVCP is a stricter sibling of the [Model Context Protocol](https://modelcontextprotocol.io)\n(MCP). MCP's breakthrough is ecosystem simplicity — and that same easy\ncomposability is its security weakness. The MCP spec itself states it cannot enforce\nmany security principles at the protocol level, and that authorization is optional.\n\n**VCP flips that:** security, provenance, policy, and determinism are *protocol\nrequirements*, not implementation advice.\n\n```\nModel proposes plan\n  → Gateway validates manifests \u0026 plan\n    → Policy authorizes a bounded grant\n      → Provider executes within the grant (sandboxed)\n        → Gateway validates the signed attestation\n          → Model receives a tainted result (never authority)\n```\n\n## Why VCP exists — the MCP failure modes it eliminates\n\n| MCP failure mode | VCP control |\n|---|---|\n| **Tool poisoning** — hidden instructions in tool descriptions | Descriptions are never authority. The Planner gets a Gateway-compiled affordance from a **signed manifest**, never raw Provider text. |\n| **Rug pulls** — tool definitions mutate after approval | Identity is the **contract hash**. Any change ⇒ a new capability id ⇒ rejected until re-approved. A silent mutation becomes a visible diff. 
|\n| **Over-trusted local servers** — STDIO runs with the host's privileges | **VCP-Local** sandbox: signed launcher, no inherited env, filesystem/network allowlists, secret broker. Ambient authority only in `dev`. |\n| **Token passthrough / confused deputy** | The unit of authority is a **single-use, proof-bound grant** bound to capability + arguments + plan + scope + budget + a holder key. No reusable bearer token to pass through. |\n| **SSRF, session hijacking, replay** | **Stateless VCP-HTTP**: one request = one decision, guarded metadata discovery, single-use grants, no implicit sessions. |\n| **Stateful-session ambiguity** | No implicit protocol sessions. State is an **explicit, typed, expiring handle**. |\n| **Prompt injection via resources** | **Taint labels**: authority never flows from `untrusted_*` data, even when the model is tricked into proposing a bad plan. |\n| **Cross-server shadowing / confused deputy** (multi-provider) | **Per-provider scoped credentials** via token exchange + an **on-behalf-of delegation chain** in every grant and audit event; one user approval covers the whole cross-service action (§26). |\n\n## The shape of the idea\n\n```\nCapabilities are signed.\nDescriptions are not authority.\nModels plan; gateways enforce.\nEvery side effect needs a bounded grant.\nEvery write has plan/apply semantics.\nEvery output is tainted until policy says otherwise.\nEvery state handle is explicit.\nEvery sensitive call is replayable or explicitly non-deterministic.\nEvery manifest change is a new identity.\nEvery production provider is sandboxed, authenticated, and auditable.\n```\n\n## Repository layout\n\n```\nSPECIFICATION.md   The normative v0.1 spec (RFC-2119). 
Start here.\nschemas/           Normative JSON Schemas for every envelope (manifest, grant, plan,\n                   policy request/response, invocation, attestation, audit, discovery).\nrfcs/              Open RFCs — the deferred/large ideas, open for discussion.\ndocs/design/       Design rationale behind v0.1.\nCHANGELOG.md       Dated protocol revisions (Keep a Changelog).\nGOVERNANCE.md      How VCP is governed and how the RFC process works.\nSECURITY.md        Threat model + responsible disclosure.\n```\n\n## Conformance ladder\n\n| Level | What it adds |\n|---|---|\n| **VCP-L0** | MCP-compatible bridge: wraps MCP servers, signs observed schemas, adds policy + audit, marks trust `legacy`. |\n| **VCP-L1** | Signed, content-addressed manifests; strict schema validation; no hidden metadata changes. |\n| **VCP-L2** | Mandatory auth; per-call proof-bound grants; sandboxing; network/file/secret isolation; policy interface. |\n| **VCP-L3** | Plan/apply; dry-run for writes; idempotency keys; replay logs; result attestations; snapshot refs. |\n| **VCP-L4** | Transparency registry; reproducible-build provenance; formal policy verification; DLP/data-flow proofs. 
|\n\nEach level has a **normative security test suite** (12 attack scenarios; see\n[SPECIFICATION.md §18](./SPECIFICATION.md#18-normative-security-test-suite)).\n\n## Reference implementations\n\nReference SDKs and gateways live in\n**[`vcp-servers`](https://github.com/hassard0/vcp-servers)** — a **lightweight\nclient/SDK + MCP bridge** and a **heavy enforcing gateway**, in TypeScript, Python,\nGo, and Rust, all driven by shared, language-agnostic conformance vectors.\n\n## Ecosystem\n\nVCP is designed to compose with existing building blocks rather than reinvent them:\n\n- **[`cani`](https://github.com/hassard0/cani)** — a local-first Policy Decision\n  Point; a conformant **Policy Authority** for the §6 decision interface.\n- **[`mcp-ledger`](https://github.com/hassard0/mcp-ledger)** — append-only audit +\n  budget enforcement; a conformant **audit and budget substrate** (grants carry a\n  budget; the ledger enforces it).\n- **[`prosecco-ai-standards`](https://github.com/hassard0/prosecco-ai-standards)** —\n  the AI-interoperability standards directory where VCP is listed.\n- **Sigstore / SLSA** inform manifest signing and the L4 transparency registry.\n- **OPA / Cedar** satisfy the §6 policy decision shape.\n- **OpenTelemetry** is the observability substrate for §20.\n\n## Status \u0026 contributing\n\nVCP is a **Draft RFC** — it may change incompatibly until it reaches `Stable`.\nDiscussion happens in this repo's **Discussions**; normative changes go through the\n**[RFC process](./rfcs/README.md)**. See [CONTRIBUTING.md](./CONTRIBUTING.md) and\n[GOVERNANCE.md](./GOVERNANCE.md). Found a security-relevant gap? See\n[SECURITY.md](./SECURITY.md).\n\n## License\n\nThe prose specification (`SPECIFICATION.md`, `docs/`, `rfcs/`) is licensed\n**CC BY 4.0**; the `schemas/` directory and any code are **Apache-2.0**. 
See\n[LICENSE-SPEC](./LICENSE-SPEC) and [LICENSE](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhassard0%2Fvcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhassard0%2Fvcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhassard0%2Fvcp/lists"}
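The README above describes the flow (model proposes, Gateway validates the signed manifest, policy mints a bounded grant, provider executes once, model receives a tainted result) and the failure modes it closes (rug pulls, replay, confused deputy, prompt injection via resources). The following Python block is an added illustration of those controls and is not code from hassard0/vcp or its reference SDKs; it does not use the project's normative `schemas/`. Everything in it is assumed for illustration: the envelope field names, an HMAC-SHA256 stand-in for a real signature (the spec points at Sigstore-style signing), the `trusted_user` / `untrusted_*` taint labels, the `Gateway` class and the `demo()` walkthrough with its constructed manifest and arguments.

```python
"""Illustrative model of VCP's authority controls: content-addressed capability
identity, single-use proof-bound grants, and taint-aware authorization.

Added example; not code from hassard0/vcp and not its normative schemas.
Field names, the HMAC-SHA256 stand-in for a real signature, the taint label
names and all helper names are assumptions made for illustration only.
"""
import hashlib
import hmac
import json
import secrets

# Assumption: a symmetric key stands in for the Gateway's signing key.
GATEWAY_KEY = b"demo-gateway-key-not-for-production"


def canonical(obj) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so equal content hashes equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def content_id(obj) -> str:
    """Content-addressed identity: any change to the manifest yields a new id."""
    return hashlib.sha256(canonical(obj)).hexdigest()


def sign(obj) -> str:
    return hmac.new(GATEWAY_KEY, canonical(obj), hashlib.sha256).hexdigest()


class Gateway:
    """Minimal enforcing Gateway: approves manifests by hash, mints grants bound
    to capability + args + plan + scope + budget + holder key, consumes each
    grant exactly once, and never lets authority flow from untrusted_* data."""

    def __init__(self):
        self.approved = set()   # approved capability ids (manifest hashes)
        self.used = set()       # nonces of grants already consumed

    def approve(self, manifest) -> str:
        cid = content_id(manifest)
        self.approved.add(cid)
        return cid

    def mint_grant(self, manifest, args, taint, holder_key, plan_id, scope, budget):
        cid = content_id(manifest)
        if cid not in self.approved:
            raise PermissionError("capability id not approved: manifest changed or unknown")
        if taint.startswith("untrusted_"):
            raise PermissionError(f"authority cannot flow from {taint} data")
        body = {
            "capability_id": cid,
            "args_hash": content_id(args),
            "plan_id": plan_id,
            "scope": scope,
            "budget": budget,                  # bound here; a ledger would enforce it
            "holder_key": holder_key,
            "nonce": secrets.token_hex(16),    # makes the grant single-use
        }
        return dict(body, sig=sign(body))

    def execute(self, grant, args, holder_key, provider):
        body = {k: v for k, v in grant.items() if k != "sig"}
        if not hmac.compare_digest(sign(body), grant["sig"]):
            raise PermissionError("grant signature invalid")
        if body["nonce"] in self.used:
            raise PermissionError("grant already used: replay rejected")
        if body["holder_key"] != holder_key:
            raise PermissionError("grant presented by a different holder")
        if body["args_hash"] != content_id(args):
            raise PermissionError("arguments differ from the ones the grant binds")
        self.used.add(body["nonce"])
        # The model receives a tainted result, never the grant or any authority.
        return {"data": provider(args), "taint": "untrusted_tool_output"}


def _attempt(fn):
    """Return 'ok' or the Gateway's refusal message, so outcomes can be inspected."""
    try:
        fn()
        return "ok"
    except PermissionError as e:
        return str(e)


def demo() -> dict:
    """Constructed scenario: approve, mint, execute, then replay, holder swap,
    argument tampering, a silent manifest change, and an injected proposal."""
    gw = Gateway()
    manifest = {"name": "send_email", "description": "Send one email",
                "input_schema": {"to": "string", "body": "string"}}   # constructed sample
    cid = gw.approve(manifest)
    args = {"to": "alice@example.com", "body": "hello"}
    mint = lambda m=manifest, a=args, t="trusted_user": gw.mint_grant(
        m, a, t, holder_key="agent-key-1", plan_id="plan-1", scope="mail:send", budget=1)
    provider = lambda a: f"sent to {a['to']}"
    grant = mint()
    first = gw.execute(grant, args, "agent-key-1", provider)
    mutated = dict(manifest, description="Send one email and bcc ops@")   # silent change
    return {
        "first": first["data"],
        "first_taint": first["taint"],
        "replay": _attempt(lambda: gw.execute(grant, args, "agent-key-1", provider)),
        "other_holder": _attempt(lambda: gw.execute(mint(), args, "stolen-key", provider)),
        "tampered_args": _attempt(lambda: gw.execute(
            mint(), dict(args, to="eve@example.com"), "agent-key-1", provider)),
        "rug_pull_new_id": content_id(mutated) != cid,
        "rug_pull": _attempt(lambda: mint(m=mutated)),
        "injected": _attempt(lambda: mint(t="untrusted_web")),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

Running `demo()` shows each control firing on its own check: the first call succeeds and comes back tainted; presenting the same grant again is refused as a replay; a different holder key, altered arguments, or a manifest whose text changed by one phrase all fail because the grant is bound to the hashes of those exact values; and a proposal whose arguments originate from `untrusted_*` data never gets a grant at all, regardless of what the model asked for.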