Agentic Protocol Conformance Pack

Why this page exists. MCP and A2A make agent systems composable. Enterprise trust depends on proving those protocol boundaries are current, reviewed, and enforced before context, authority, tools, or remote-agent delegation crosses them.

SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. The secure context layer cannot stop at content provenance. It also needs protocol conformance: the evidence that MCP authorization metadata, tool annotations, tool-surface drift, A2A Agent Cards, authenticated extended cards, identity, handoff, egress, and prompt-injection source to sink controls are current and fail closed.

The Agentic Protocol Conformance Pack turns fast-moving protocol and agent-security guidance into a generated artifact that a platform team, procurement reviewer, or reviewer can inspect through MCP.

What was added

  • Source profile: data/assurance/agentic-protocol-conformance-profile.json
  • Generator:
  • Evidence pack: data/evidence/agentic-protocol-conformance-pack.json
  • Runtime evaluator:
  • MCP tools: recipes_agentic_protocol_conformance_pack and

Regenerate and validate:

Evaluate an MCP authorization boundary:

Decision model

Decision Meaning
allow_with_protocol_receipt Protocol evidence is current enough to proceed and can be attached to the run receipt.
hold_for_protocol_evidence Required metadata, identity, consent, Agent Card, approval, or evidence-pack state is missing.
hold_for_protocol_drift_review The observed protocol version, tool surface, annotations, or schema drift requires review.
deny_unbound_protocol_authority MCP authority is not bound to the expected protected resource, audience, or PKCE evidence.
deny_untrusted_protocol_surface A protocol path combines unsafe trust boundaries such as untrusted content, private data, external egress, or unauthenticated remote-agent delegation.
kill_session_on_protocol_violation The request includes token passthrough, secret movement, or an explicit runtime kill signal.

What the pack proves

The generated pack joins existing SecurityRecipes evidence into four protocol profiles:

  • MCP Authorization Conformance for protected-resource metadata, audience and resource binding, PKCE, token-passthrough denial, client metadata review, and incremental consent evidence.
  • MCP Tool Annotation, Schema, and Drift Safety for trusted annotations, pinned tool descriptions and schemas, tool-output validation, and private-data plus untrusted-content plus external-send risk.
  • A2A Agent Discovery and Delegation for Agent Card completeness, authenticated extended cards, HTTPS transport, version headers, signed card evidence, skill trust, and handoff minimization.
  • Agent Identity, Protocol Handoff, and Prompt-Injection Boundary for non-human identity, run receipts, egress policy, source-to-sink prompt injection defenses, and standards-drift review.

Industry alignment

This feature tracks current primary guidance:

Trusted-source path

The open pack is the proof model. The reviewed production surface is hosted MCP and A2A protocol conformance:

  • live MCP protected-resource metadata checks,
  • client metadata and redirect-policy review,
  • resource, audience, PKCE, consent, and scope-drift monitoring,
  • signed tool-surface baselines and annotation drift alerts,
  • A2A Agent Card monitoring, signature verification, and skill allowlists,
  • source-to-sink prompt-injection policy across protocol boundaries,
  • signed protocol receipts attached to agent run receipts,
  • procurement and trust review diligence exports.

That turns SecurityRecipes from a static knowledge base into a protocol control plane a model lab, AI platform vendor, or security team can inspect and operate.

MCP examples

Inspect the overall pack:

recipes_agentic_protocol_conformance_pack()

Review one protocol profile:

recipes_agentic_protocol_conformance_pack(
  protocol_id="mcp-tooling-safety"
)

Evaluate one A2A boundary:

See also