Summary
Follow-up to #4326 (which adds request_signing.protocol_methods_{supported,warn,required}_for and wires test-agent enforcement on /<tenant>/mcp-strict). The new wire field is enforced by the test-agent but not graded by the conformance suite.
What's missing
static/compliance/source/universal/signed-requests.yaml and the negative test vectors at static/compliance/source/test-vectors/request-signing/negative/ enumerate 20 vectors covering every checklist step. None of them target a JSON-RPC protocol method — every vector is tools/call-shaped. So a verifier that:
- advertises
protocol_methods_required_for: ["tasks/cancel"]
- but doesn't actually enforce it on the JSON-RPC
method path
passes the conformance suite. The wire field is declared-but-not-graded.
Proposed vector
Add static/compliance/source/test-vectors/request-signing/negative/021-unsigned-protocol-method-required-for.json:
{
"id": "021-unsigned-protocol-method-required-for",
"expected_outcome": {
"kind": "reject",
"error_code": "request_signature_required",
"failed_step": "pre-check"
},
"request": {
"method": "POST",
"url": "<agent-url>/mcp-strict",
"headers": { "content-type": "application/json" },
"body": {
"jsonrpc": "2.0",
"method": "tasks/cancel",
"params": { "taskId": "task-conformance-001" },
"id": 1
}
}
}
Gating: only run when request_signing.protocol_methods_required_for is non-empty AND contains tasks/cancel (skip otherwise — agent has not opted into the namespace).
Cross-namespace match guard (optional)
Worth considering a positive vector that signs tools/call with params.name: "tasks/cancel" and asserts the verifier rejects/refuses to satisfy protocol_methods_required_for via the AdCP envelope (the "MUST NOT cross-namespace match" rule from the new normative text in security.mdx). Test-agent's mcpOperationResolver already implements this defense; storyboard would lock it in for every implementor.
Tracking
Summary
Follow-up to #4326 (which adds
request_signing.protocol_methods_{supported,warn,required}_forand wires test-agent enforcement on/<tenant>/mcp-strict). The new wire field is enforced by the test-agent but not graded by the conformance suite.What's missing
static/compliance/source/universal/signed-requests.yamland the negative test vectors atstatic/compliance/source/test-vectors/request-signing/negative/enumerate 20 vectors covering every checklist step. None of them target a JSON-RPC protocol method — every vector istools/call-shaped. So a verifier that:protocol_methods_required_for: ["tasks/cancel"]methodpathpasses the conformance suite. The wire field is declared-but-not-graded.
Proposed vector
Add
static/compliance/source/test-vectors/request-signing/negative/021-unsigned-protocol-method-required-for.json:{ "id": "021-unsigned-protocol-method-required-for", "expected_outcome": { "kind": "reject", "error_code": "request_signature_required", "failed_step": "pre-check" }, "request": { "method": "POST", "url": "<agent-url>/mcp-strict", "headers": { "content-type": "application/json" }, "body": { "jsonrpc": "2.0", "method": "tasks/cancel", "params": { "taskId": "task-conformance-001" }, "id": 1 } } }Gating: only run when
request_signing.protocol_methods_required_foris non-empty AND containstasks/cancel(skip otherwise — agent has not opted into the namespace).Cross-namespace match guard (optional)
Worth considering a positive vector that signs
tools/callwithparams.name: "tasks/cancel"and asserts the verifier rejects/refuses to satisfyprotocol_methods_required_forvia the AdCP envelope (the "MUST NOT cross-namespace match" rule from the new normative text insecurity.mdx). Test-agent'smcpOperationResolveralready implements this defense; storyboard would lock it in for every implementor.Tracking
protocol_methods_*schema + test-agent enforcement