INDEPENDENT / LOCAL-ONLY / PUBLIC-SAFE
MCP authorization proofs, with the limits left in.
Public reference fixtures for inspecting resource, audience, scope, session, token-handling, and selected signed-agent boundaries around synthetic MCP-shaped tool calls.
THE BOUNDARY
Make the allowed path boring. Make the denied path explicit.
The fixture holds one synthetic clean control beside negative paths. It records what is allowed, what is refused, and which assumptions the verifier itself is challenged to catch.
01 / ALLOW
Minimal readA synthetic subject with the exact resource and records:read scope can initialize and read fixture data.
02 / DENY
Binding failuresMissing bearer, wrong resource, and wrong audience refuse before a tool result is returned.
03 / DENY
Authority failuresInsufficient scope, session replay by another subject, and downstream-token passthrough are refused.
04 / VERIFY
Evidence challengeKnown-bad mutations such as scope bypass and audience bypass must fail the verifier rather than become a pass.
OBSERVED FIXTURE OUTCOMES
SECOND IMPLEMENTATION BOUNDARY
FastMCP native middleware, under the same narrow contract.
A separate operator-owned FastMCP 3.4.4 fixture carries a synthetic Ed25519 signed-agent envelope through native on_call_tool middleware on stateless JSON Streamable HTTP. It initializes, discovers one static read-only tool, and records a clean control beside explicit refusals.
RECOVERY-BOUNDARY REFERENCE
Replay state must fail closed when it cannot be trusted.
A small local filesystem fixture records a SHA-256 operation digest in an exclusively created JSON file. A valid existing record is a replay; a malformed record is not silently forgiven. Both paths refuse the synthetic operation without calling an external service.
ENGAGEMENT MODEL
Start with the boundary, then leave a testable handoff.
This work is scoped as an authorization-control assessment and reproducible test-fixture engagement. It is not presented as certification, a complete audit, or a guarantee about a production system.
01 / SCOPE
Map the allowed surfaceAgree the owned system, authorization questions, safe test method, out-of-bounds areas, and the decision-maker for external action.
02 / REPRODUCE
Build the smallest useful proofTurn the agreed boundary into clean controls, negative paths, and a local receipt a team can run again.
03 / VERIFY
Challenge the evidenceTest the verifier with known-bad mutations, record limitations, and separate a lead from a supported result.
04 / HAND OFF
Leave usable artifactsDeliver the reproduction command, evidence notes, limitations, and a prioritized next-control plan for the owner.
RUN THE REFERENCE
One self-contained local test file.
node --test mcp-assurance/lab/mcp-authz-reference.test.mjs
The public reference fixture binds only to an ephemeral localhost server and uses synthetic labels. See the evidence snapshot and source before drawing a stronger conclusion.