Security & Trust
Why Security Has to Be the Foundation
AI agents that can take actions (querying databases, browsing the web, reading documents, calling services) are only as trustworthy as the tools they use. If a tool can be tampered with, over-permissioned, or swapped for a malicious alternative, the agent becomes a liability rather than an asset.
MPP treats security not as a feature layer to be added on top, but as the structural foundation of how tools exist and operate.
Verified Before It Runs
Every MPP package carries a cryptographic signature from its publisher. Before any tool is allowed to execute, the MPP runtime verifies:
- The package was created by the declared author and has not been modified since.
- The package's contents match their recorded fingerprint exactly.
- The publisher is recognised: either previously approved, or handled through a first-use confirmation flow.
If any check fails, execution is blocked. The user is informed. Nothing runs.
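The page does not show MPP's package format or verification API, so the Go program below is an added example and not MPP's own code. It models the three checks above with an assumed manifest (name, author, content fingerprint, permission declarations), an Ed25519 signature over that manifest, a SHA-256 fingerprint of the contents, and a trust store standing in for the first-use confirmation flow. The `main` run shows an unapproved publisher, swapped contents and a widened permission declaration each being blocked before anything runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the signed part of a package: publisher identity, the fingerprint
// of the contents, and the permission declarations. The field set is an
// assumption for this example, not MPP's actual package format.
type Manifest struct {
	Name        string
	Author      string   // publisher identity the signature is checked against
	Fingerprint string   // hex SHA-256 of Package.Contents
	ReadPaths   []string // declared permissions travel inside the signed manifest
	Hosts       []string
}

// Package is what a registry stores and serves: manifest, signature, contents.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Contents  []byte
}

// canonical returns the exact bytes that are signed. A real format would use a
// canonical encoding; a fixed field order with separators is enough here.
func canonical(m Manifest) []byte {
	return []byte(strings.Join([]string{
		m.Name, m.Author, m.Fingerprint,
		strings.Join(m.ReadPaths, ","), strings.Join(m.Hosts, ","),
	}, "\x00"))
}

// Sentinel errors: each corresponds to one of the three pre-execution checks.
var (
	ErrUnknownPublisher = errors.New("publisher not approved: first-use confirmation required")
	ErrBadSignature     = errors.New("signature does not verify under the declared author's key")
	ErrFingerprint      = errors.New("contents do not match the recorded fingerprint")
)

// TrustStore holds the publisher keys the user has approved (first-use flow).
type TrustStore struct{ keys map[string]ed25519.PublicKey }

func NewTrustStore() *TrustStore { return &TrustStore{keys: map[string]ed25519.PublicKey{}} }

// Approve records a publisher key once the user has confirmed it.
func (ts *TrustStore) Approve(author string, key ed25519.PublicKey) { ts.keys[author] = key }

// Verify runs the three checks in order and blocks on the first failure.
func (ts *TrustStore) Verify(p Package) error {
	key, ok := ts.keys[p.Manifest.Author]
	if !ok {
		return ErrUnknownPublisher // host must surface a first-use confirmation
	}
	if !ed25519.Verify(key, canonical(p.Manifest), p.Signature) {
		return ErrBadSignature // manifest (permissions included) altered, or not the declared author
	}
	sum := sha256.Sum256(p.Contents)
	if hex.EncodeToString(sum[:]) != p.Manifest.Fingerprint {
		return ErrFingerprint // tool contents swapped or modified after signing
	}
	return nil
}

// NewPublisherKey generates a publisher signing key pair.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the publisher side: record the fingerprint, then sign the manifest.
func Sign(priv ed25519.PrivateKey, m Manifest, contents []byte) Package {
	sum := sha256.Sum256(contents)
	m.Fingerprint = hex.EncodeToString(sum[:])
	return Package{Manifest: m, Signature: ed25519.Sign(priv, canonical(m)), Contents: contents}
}

func main() {
	pub, priv := NewPublisherKey()
	pkg := Sign(priv, Manifest{Name: "csv-reader", Author: "acme", ReadPaths: []string{"/srv/data"}}, []byte("tool code"))
	ts := NewTrustStore()
	fmt.Println("before approval:  ", ts.Verify(pkg))
	ts.Approve("acme", pub)
	fmt.Println("after approval:   ", ts.Verify(pkg))
	swapped := pkg
	swapped.Contents = []byte("modified tool code")
	fmt.Println("swapped contents: ", ts.Verify(swapped))
	widened := pkg
	widened.Manifest.ReadPaths = []string{"/"}
	fmt.Println("widened manifest: ", ts.Verify(widened))
}
```

Because the permission declarations sit inside the signed manifest, widening them after publication invalidates the signature just as surely as swapping the tool's contents invalidates the fingerprint; the trust store's lookup is what turns an unknown author into a user-facing first-use prompt rather than a silent run.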
Isolated During Execution
Approved tools run inside a contained execution environment. This environment enforces hard boundaries: the tool cannot read host memory, access the filesystem outside approved paths, make network requests to undeclared destinations, or spawn additional processes.
Each tool invocation runs in its own clean environment. State from one run cannot affect another. Once execution completes, transient data is discarded.
Permission by Declaration
Every MPP tool must declare upfront exactly what it needs: which file paths it may read, which external services it may contact, which environment variables it requires. This declaration is part of the signed package; it cannot be changed after publication.
Users see these declarations before approving a tool. Hosts enforce them at runtime. The gap between what a tool claims and what it can actually do is closed by design.
Human-in-the-Loop Controls
Some tool operations are sensitive: deleting records, sending messages, making changes that are hard to reverse. MPP includes a security classification system that lets tool authors flag these operations explicitly.
When a user or agent triggers a sensitive action, the host surfaces a confirmation step. The user retains decision authority. Automation cannot bypass this gate.
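The two sections above, runtime enforcement of the declaration and the confirmation gate for flagged operations, are illustrated together in the added Go example below. It is not MPP's host implementation; the `Declaration` fields, the `Host` type and the `Confirmer` callback are assumptions made for this example. The point it makes is where the checks have to be careful: paths are cleaned before comparison so `..` segments cannot escape a declared root, host matching is on the parsed hostname rather than a substring, and a sensitive operation never reaches its implementation unless the host's own confirmer says yes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Declaration is the permission block a tool ships inside its signed manifest.
// The field names are assumptions for this example, not MPP's actual schema.
type Declaration struct {
	ReadPaths []string // absolute directories the tool may read
	Hosts     []string // hostnames the tool may contact
	EnvVars   []string // environment variables it may read
	Sensitive []string // operations the author flagged as needing confirmation
}

var (
	ErrPathDenied   = errors.New("path is outside the declared read paths")
	ErrHostDenied   = errors.New("destination host is not declared")
	ErrEnvDenied    = errors.New("environment variable is not declared")
	ErrNotConfirmed = errors.New("sensitive operation was not confirmed by the user")
)

// CheckRead cleans the requested path first, so "/srv/data/../../etc/passwd" is
// judged as "/etc/passwd", then requires it to sit inside a declared root on a
// whole-component boundary ("/srv/data2" must not pass for "/srv/data").
// Symlinks under a root would additionally need filepath.EvalSymlinks against
// the real filesystem; that is left out so the example runs offline.
func (d Declaration) CheckRead(p string) error {
	clean := filepath.Clean(p)
	if !filepath.IsAbs(clean) {
		return ErrPathDenied
	}
	for _, root := range d.ReadPaths {
		root = filepath.Clean(root)
		if clean == root || strings.HasPrefix(clean, root+string(filepath.Separator)) {
			return nil
		}
	}
	return ErrPathDenied
}

// CheckConnect compares the parsed hostname rather than a substring, so
// "api.example.com.attacker.test" and "api.example.com@evil.test" both fail
// for a declaration of "api.example.com".
func (d Declaration) CheckConnect(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return ErrHostDenied
	}
	for _, h := range d.Hosts {
		if strings.EqualFold(u.Hostname(), h) {
			return nil
		}
	}
	return ErrHostDenied
}

// CheckEnv allows only variables named in the declaration.
func (d Declaration) CheckEnv(name string) error {
	for _, v := range d.EnvVars {
		if v == name {
			return nil
		}
	}
	return ErrEnvDenied
}

// Confirmer is the host's channel to the human. Only the host constructs it;
// neither the tool nor the agent can substitute their own.
type Confirmer func(operation string) bool

// Host pairs a tool's declaration with the confirmation gate.
type Host struct {
	Decl    Declaration
	confirm Confirmer
}

func NewHost(d Declaration, c Confirmer) *Host { return &Host{Decl: d, confirm: c} }

// Invoke runs an operation. A sensitive operation reaches run only after the
// human confirms it; a host with no confirmer configured fails closed.
func (h *Host) Invoke(operation string, run func() error) error {
	for _, s := range h.Decl.Sensitive {
		if s == operation {
			if h.confirm == nil || !h.confirm(operation) {
				return ErrNotConfirmed
			}
			break
		}
	}
	return run()
}

func main() {
	d := Declaration{ReadPaths: []string{"/srv/data"}, Hosts: []string{"api.example.com"}, Sensitive: []string{"delete_record"}}
	fmt.Println("read /srv/data/report.csv:", d.CheckRead("/srv/data/report.csv"))
	fmt.Println("read /srv/data/../../etc/passwd:", d.CheckRead("/srv/data/../../etc/passwd"))
	fmt.Println("connect api.example.com.attacker.test:", d.CheckConnect("https://api.example.com.attacker.test/"))
	host := NewHost(d, func(op string) bool { fmt.Println("user asked to confirm:", op); return false })
	fmt.Println("delete_record:", host.Invoke("delete_record", func() error { return nil }))
}
```

The confirmer is supplied when the host is constructed and is never a parameter of `Invoke`, which is what keeps an agent from passing in an always-yes answer; a missing confirmer denies rather than allows.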
Privacy by Default
Tools that process or return data can declare automatic redaction rules. Personally identifiable information (names, email addresses, phone numbers, identification numbers) can be filtered from tool outputs before it ever reaches the AI model.
This means organisations can deploy data-processing tools without the risk that sensitive information leaks into model context or logs.
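As an added example of the output filter described above (not MPP's redaction engine; the rule structure and patterns are assumptions for this illustration), the Go program below applies declared regex rules to a constructed tool output and returns per-category counts instead of the values, which is what a host can log. It shows the pattern-shaped categories only: person names have no fixed shape and would need a dictionary or NER model rather than a regex.

```go
package main

import (
	"fmt"
	"regexp"
)

// RedactionRule is one declared filter: a category name, the pattern that
// recognises it, and the marker that replaces each match. The rule format is an
// assumption for this example, not MPP's declaration syntax.
type RedactionRule struct {
	Category string
	Pattern  *regexp.Regexp
	Marker   string
}

// DefaultRules covers the categories from the page that have a fixed shape.
// The identification-number pattern uses the US SSN layout as a stand-in;
// a real deployment declares the identifier formats it actually holds.
func DefaultRules() []RedactionRule {
	return []RedactionRule{
		{"email", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), "[EMAIL]"},
		{"id", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), "[ID]"},
		// Optional country code, optional parentheses, common separators; the
		// trailing \b stops the pattern swallowing the start of a longer digit run.
		{"phone", regexp.MustCompile(`(?:\+\d{1,3}[\s-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b`), "[PHONE]"},
	}
}

// Redact applies the rules in declared order to one tool output, so the model
// only ever sees the filtered text, and returns per-category match counts,
// which a host can record in place of the values themselves.
func Redact(output string, rules []RedactionRule) (string, map[string]int) {
	counts := map[string]int{}
	for _, r := range rules {
		output = r.Pattern.ReplaceAllStringFunc(output, func(string) string {
			counts[r.Category]++
			return r.Marker
		})
	}
	return output, counts
}

func main() {
	// Constructed sample tool output; every value in it is fictitious.
	raw := "Customer Jane Doe <jane.doe@example.com> called from +1 (415) 555-0132 on 2024-01-15; ID 123-45-6789 on file."
	out, counts := Redact(raw, DefaultRules())
	fmt.Println(out)
	fmt.Println(counts)
}
```

Note that the date in the sample survives: the phone pattern is deliberately shaped so a ten-digit date such as `2024-01-15` does not match, whereas a looser `\d[\d\s().-]{7,}\d` style pattern would also strip dates and order numbers from every output.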
Persistent Storage, Safely Scoped
Tools that need to remember state between invocations (a cache, user preferences, run history) can use a scoped storage layer built into the protocol. This storage is:
- Isolated to the specific tool; no other tool can read it.
- Subject to size limits declared in the package.
- Cleared when the user uninstalls the tool.
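The three properties of the scoped storage layer, as an added Go example (not MPP's storage implementation; the `ScopedStore` and `Handle` types are assumptions made here): a tool never names a namespace, it receives a handle already bound to its own id, writes are charged against the size limit declared at install time, and uninstalling drops the namespace so a reinstalled tool starts empty.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrNotInstalled = errors.New("tool is not installed")
	ErrQuota        = errors.New("write would exceed the tool's declared storage limit")
	ErrNotFound     = errors.New("key not found")
)

// toolSpace is one tool's private namespace plus its byte accounting.
type toolSpace struct {
	quota int
	used  int
	items map[string][]byte
}

// ScopedStore is the host-side storage layer. Tools never touch it directly;
// they receive a Handle bound to their own id.
type ScopedStore struct{ spaces map[string]*toolSpace }

func NewScopedStore() *ScopedStore { return &ScopedStore{spaces: map[string]*toolSpace{}} }

// Install creates a namespace with the size limit declared in the package.
func (s *ScopedStore) Install(toolID string, quotaBytes int) {
	s.spaces[toolID] = &toolSpace{quota: quotaBytes, items: map[string][]byte{}}
}

// Uninstall drops the namespace and everything in it.
func (s *ScopedStore) Uninstall(toolID string) { delete(s.spaces, toolID) }

// Open issues the handle the host passes to a running tool. Because the tool id
// is fixed inside the handle, the tool has no way to name another tool's space.
func (s *ScopedStore) Open(toolID string) (*Handle, error) {
	if _, ok := s.spaces[toolID]; !ok {
		return nil, ErrNotInstalled
	}
	return &Handle{store: s, toolID: toolID}, nil
}

// Handle is the only storage object a tool ever holds.
type Handle struct {
	store  *ScopedStore
	toolID string
}

func (h *Handle) space() (*toolSpace, error) {
	sp, ok := h.store.spaces[h.toolID]
	if !ok {
		return nil, ErrNotInstalled // uninstalled while a handle was still held
	}
	return sp, nil
}

// Put stores value under key, charging key and value bytes against the quota.
// Overwriting a key first credits back the bytes of the old entry.
func (h *Handle) Put(key string, value []byte) error {
	sp, err := h.space()
	if err != nil {
		return err
	}
	newUsed := sp.used + len(key) + len(value)
	if old, exists := sp.items[key]; exists {
		newUsed -= len(key) + len(old)
	}
	if newUsed > sp.quota {
		return ErrQuota
	}
	sp.items[key] = append([]byte(nil), value...) // copy: the caller cannot mutate stored bytes
	sp.used = newUsed
	return nil
}

// Get returns a copy of the stored value.
func (h *Handle) Get(key string) ([]byte, error) {
	sp, err := h.space()
	if err != nil {
		return nil, err
	}
	v, ok := sp.items[key]
	if !ok {
		return nil, ErrNotFound
	}
	return append([]byte(nil), v...), nil
}

// Used reports the bytes currently charged to the tool.
func (h *Handle) Used() int {
	sp, err := h.space()
	if err != nil {
		return 0
	}
	return sp.used
}

func main() {
	s := NewScopedStore()
	s.Install("tool-a", 32)
	a, _ := s.Open("tool-a")
	fmt.Println("put prefs:", a.Put("prefs", []byte("theme=dark")), "used:", a.Used())
	fmt.Println("put 20-byte cache:", a.Put("cache", make([]byte, 20)))
	s.Uninstall("tool-a")
	_, err := a.Get("prefs")
	fmt.Println("read after uninstall:", err)
}
```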
The Trust Chain at a Glance
Author signs the package → Registry stores and serves it → Host verifies the signature → User approves permissions → Tool runs in isolation → Output is filtered → State is scoped.
Every step is enforced. No step can be skipped.