Problem
If MCP tool names resolve ambiguously or by loose matching, a typosquatted or shadowing tool can intercept a call the agent intended for a legitimate tool. A related case: a server keeps the same tool name and version but silently swaps the tool's input/output contract underneath the agent.
Current state
Egress and denied_tools/max_tool_count policy strongly bound tool use (forge-core/security/platform_policy_enforce.go:194,228), and tool calls are audited (tool_exec). But MCP tool names are not version-pinned, ambiguous resolution is not proven to fail closed, and there is no check that a resolved tool's capability schema is the one the agent was built/authorized against. See docs/security/owasp-asi-conformance.md (ASI02 #7).
Proposed control
- Fully-qualified, version-pinned MCP tool identifiers, expressed as a structured resolution record (
{server, namespace, name, version, capability_schema_hash}) rather than a single URI scheme — to avoid format-parsing/versioning overhead and stay aligned with MCP's own tool-identity conventions.
- Ambiguous resolution (more than one candidate) fails closed with an audit event rather than picking a candidate.
- Capability-schema-hash pinning: fail closed when a resolved tool's input/output schema hash drifts from the pinned value — catches the same-name/same-version contract-swap case, not just differently-named shadow tools. (Thanks to @0xbrainkid for this addition — see discussion below.)
Acceptance criteria
Conformance test
TestASI02_AmbiguousMCPToolFailsClosed — multi-candidate resolution fails closed.
TestASI02_MCPToolSchemaDriftFailsClosed — same name+version, changed schema hash, fails closed.
Out of scope
- Server/issuer identity + attestation — that is the ASI04 supply-chain lane; the pinned identifier here deliberately does NOT carry issuer/server-identity material. Cross-reference, don't merge.
- Per-agent authority scope — authorization is ASI03 (identity & privilege abuse), not tool-name resolution. Cross-reference, don't merge.
- MCP server trust/attestation generally; non-MCP builtins.
Guideline reference
ASI02 mitigation #7 (OWASP Agentic Top 10 2026).
Problem
If MCP tool names resolve ambiguously or by loose matching, a typosquatted or shadowing tool can intercept a call the agent intended for a legitimate tool. A related case: a server keeps the same tool name and version but silently swaps the tool's input/output contract underneath the agent.
Current state
Egress and
denied_tools/max_tool_countpolicy strongly bound tool use (forge-core/security/platform_policy_enforce.go:194,228), and tool calls are audited (tool_exec). But MCP tool names are not version-pinned, ambiguous resolution is not proven to fail closed, and there is no check that a resolved tool's capability schema is the one the agent was built/authorized against. Seedocs/security/owasp-asi-conformance.md(ASI02 #7).Proposed control
{server, namespace, name, version, capability_schema_hash}) rather than a single URI scheme — to avoid format-parsing/versioning overhead and stay aligned with MCP's own tool-identity conventions.Acceptance criteria
{server, namespace, name, version, capability_schema_hash}).Conformance test
TestASI02_AmbiguousMCPToolFailsClosed— multi-candidate resolution fails closed.TestASI02_MCPToolSchemaDriftFailsClosed— same name+version, changed schema hash, fails closed.Out of scope
Guideline reference
ASI02 mitigation #7 (OWASP Agentic Top 10 2026).