INDEPENDENT / LOCAL-ONLY / PUBLIC-SAFE

MCP authorization proofs, with the limits left in.

Public reference fixtures for inspecting resource, audience, scope, session, token-handling, and selected signed-agent boundaries around synthetic MCP-shaped tool calls.

CLAIM BOUNDARYControlled fixture mechanics only. This is not complete MCP or OAuth conformance, a production audit, an external-server assessment, independent certification, or a guarantee about unknown defects.
ORIGINAL LOCAL TESTS42
ORIGINAL MCP TESTS9
ORIGINAL SCENARIOS8
ORIGINAL MUTATIONS CAUGHT13/13

THE BOUNDARY

Make the allowed path boring. Make the denied path explicit.

The fixture holds one synthetic clean control beside negative paths. It records what is allowed, what is refused, and which assumptions the verifier itself is challenged to catch.

01 / ALLOW

Minimal read

A synthetic subject with the exact resource and records:read scope can initialize and read fixture data.

02 / DENY

Binding failures

Missing bearer, wrong resource, and wrong audience refuse before a tool result is returned.

03 / DENY

Authority failures

Insufficient scope, session replay by another subject, and downstream-token passthrough are refused.

04 / VERIFY

Evidence challenge

Known-bad mutations such as scope bypass and audience bypass must fail the verifier rather than become a pass.

OBSERVED FIXTURE OUTCOMES

clean minimally scoped read
missing bearer
resource mismatch
audience mismatch
insufficient scope
session replay
token passthrough
external host preflight

SECOND IMPLEMENTATION BOUNDARY

FastMCP native middleware, under the same narrow contract.

A separate operator-owned FastMCP 3.4.4 fixture carries a synthetic Ed25519 signed-agent envelope through native on_call_tool middleware on stateless JSON Streamable HTTP. It initializes, discovers one static read-only tool, and records a clean control beside explicit refusals.

FASTMCP TESTS7
FASTMCP SCENARIOS6
LOCAL GATE TESTS31
SEEDED MUTATIONS CAUGHT40/40
clean signed read and discovery
missing signed envelope
forged agent signature
replayed operation
revoked key
non-loopback host before fetch
REPRODUCTION BOUNDARYThe source below reproduces the seven FastMCP integration tests and six-scenario contract. The evidence snapshot also records a broader local suite of 114 passing tests, including 107 Node tests and 7 FastMCP Python tests. It does not establish cross-framework interoperability, FastMCP-wide security, an MCP identity standard, or HTTP authorization-status behavior: denied FastMCP tool calls are MCP tool errors, and report statuses are fixture-policy classifications.

RECOVERY-BOUNDARY REFERENCE

Replay state must fail closed when it cannot be trusted.

A small local filesystem fixture records a SHA-256 operation digest in an exclusively created JSON file. A valid existing record is a replay; a malformed record is not silently forgiven. Both paths refuse the synthetic operation without calling an external service.

PUBLIC REPLAY TESTS6
LOCAL PROCESS CONTROLS3
IDENTITY SCENARIOS16
SEEDED MUTATIONS CAUGHT48/48
first digest-only claim
valid persisted replay
twelve-process contention
fresh-process replay
malformed marker
interrupted marker
REPRODUCTION BOUNDARYThe source below reproduces six replay-record tests, including local child-process checks. The evidence snapshot separately records the broader local signed-agent fixture: 25 identity/replay tests, a 16-scenario contract, 38 evidence-gate tests, and 48 planted mutations detected. Neither result establishes forced process-kill or power-loss recovery, distributed coordination, replication, backup/retention behavior, or production replay safety.

ENGAGEMENT MODEL

Start with the boundary, then leave a testable handoff.

This work is scoped as an authorization-control assessment and reproducible test-fixture engagement. It is not presented as certification, a complete audit, or a guarantee about a production system.

01 / SCOPE

Map the allowed surface

Agree the owned system, authorization questions, safe test method, out-of-bounds areas, and the decision-maker for external action.

02 / REPRODUCE

Build the smallest useful proof

Turn the agreed boundary into clean controls, negative paths, and a local receipt a team can run again.

03 / VERIFY

Challenge the evidence

Test the verifier with known-bad mutations, record limitations, and separate a lead from a supported result.

04 / HAND OFF

Leave usable artifacts

Deliver the reproduction command, evidence notes, limitations, and a prioritized next-control plan for the owner.

ENGAGEMENT BOUNDARYNo client credentials, live production access, external scanning, deployment, or publication is assumed. Those require explicit written scope and a separate approval gate.

RUN THE REFERENCE

One self-contained local test file.

node --test mcp-assurance/lab/mcp-authz-reference.test.mjs

The public reference fixture binds only to an ephemeral localhost server and uses synthetic labels. See the evidence snapshot and source before drawing a stronger conclusion.