Unsafe mcp tool extension

An untrusted or unsafe extension to the MCP or tool interface enables new attack paths.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, patterns/secure-mcp.md

A capability is added to the agent’s MCP surface without registry review, signing, or scope check, giving an untrusted server a direct path from agent intent to high-impact downstream actions on real systems of record.

• architecture-beta
• group ext[External]
• service mcp(disk)[Untrusted MCP] in ext
• group rt[Agent runtime]
• service agent(server)[Agent] in rt
• group ds[Downstream]
• service db(database)[System of record] in ds
• mcp:R --> L:agent
• agent:R --> L:db

Defence pins every capability in a versioned registry, requires a signed manifest, checks scope before each call, isolates the capability’s context, and validates its responses so that an untrusted or compromised server cannot smuggle authority into the agent.

1. 1Capability registry — with version pinning
2. 2Server authentication — and signed manifest
3. 3Capability — scope check
4. 4Context isolation — filter
5. 5Response validation — and instruction separation