diff --git a/README.md b/README.md index 46adb9c..05fd263 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ MCP Guard solves this with: | **@guard decorator** | Protect tools with trust-level requirements | | **Evidence logging** | Cryptographic audit trail for every invocation | | **Server identity** | Verify MCP servers before connecting | -| **Trust levels** | 0 (self-signed) → 4 (continuous validation) | +| **Trust levels** | 0 (self-signed) → 4 (extended validation) | ## Quickstart 1: Server-Side (Tool Guarding) @@ -164,13 +164,15 @@ export CAPISCIO_CORE_ADDR="localhost:50051" ## Trust Levels -| Level | Name | Description | -|-------|------|-------------| -| 0 | Self-Signed | `did:key` issuer, cryptographic identity only | -| 1 | Domain Validated (DV) | Domain ownership verified | -| 2 | Organization Validated (OV) | Organization identity verified | -| 3 | Extended Validation (EV) | Legal entity verification | -| 4 | Continuous Validation (CV) | Runtime attestation | +Per RFC-002 v1.4: + +| Level | Name | Validation | Use Case | +|-------|------|------------|----------| +| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos | +| 1 | Registered (REG) | Account registration | Development, internal agents | +| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents | +| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production | +| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries | ## Evidence Logging diff --git a/capiscio_mcp/types.py b/capiscio_mcp/types.py index eed182a..c786978 100644 --- a/capiscio_mcp/types.py +++ b/capiscio_mcp/types.py 
@@ -71,19 +71,21 @@ class DenyReason(str, Enum): class TrustLevel(IntEnum): """ - Trust levels per RFC-002. - - - LEVEL_0: Self-signed (did:key issuer) - - LEVEL_1: Domain Validated (DV) - - LEVEL_2: Organization Validated (OV) - - LEVEL_3: Extended Validation (EV) - - LEVEL_4: Continuous Validation (CV) - """ - LEVEL_0 = 0 # Self-signed - LEVEL_1 = 1 # DV - LEVEL_2 = 2 # OV - LEVEL_3 = 3 # EV - LEVEL_4 = 4 # CV + Trust levels per RFC-002 v1.4. + + - LEVEL_0: Self-Signed (SS) - did:key issuer, no external validation + - LEVEL_1: Registered (REG) - Account registration with CapiscIO Registry + - LEVEL_2: Domain Validated (DV) - DNS/HTTP challenge proving domain control + - LEVEL_3: Organization Validated (OV) - DUNS/legal entity verification + - LEVEL_4: Extended Validated (EV) - Manual review + legal agreement + + See: https://docs.capisc.io/rfcs/002-trust-badge/#5-trust-levels + """ + LEVEL_0 = 0 # Self-Signed (SS) + LEVEL_1 = 1 # Registered (REG) + LEVEL_2 = 2 # Domain Validated (DV) + LEVEL_3 = 3 # Organization Validated (OV) + LEVEL_4 = 4 # Extended Validated (EV) # ============================================================================= diff --git a/docs/getting-started/quickstart.md b/docs/getting-started/quickstart.md index 8ceca92..efc5a1e 100644 --- a/docs/getting-started/quickstart.md +++ b/docs/getting-started/quickstart.md 
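Review bot: The integer values of `TrustLevel` are unchanged while the documented meaning of levels 1-4 moves down one validation tier (`LEVEL_2` was OV and is now DV, `LEVEL_3` was EV and is now OV). Judging by the tier names, any existing `@guard(min_trust_level=N)` written against the old table now accepts a weaker form of validation than its author intended, with no error or warning. The docstring should state this, for example `NOTE: numeric values are unchanged from the pre-v1.4 mapping, but levels 1-4 now denote different validation tiers; re-check every min_trust_level threshold.` This hunk only changes comments, so it is also worth confirming that the badge issuer and the verifier already use the v1.4 numbering; a mismatch between them would not be visible here. The same shift appears in the `@guard` examples in docs/guides/server-side.md, where `min_trust_level=3` now documents OV rather than EV.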
@@ -76,13 +76,15 @@ elif result.state == ServerState.UNVERIFIED_ORIGIN: ## Trust Levels -| Level | Name | Who Issues | Use Case | +Per RFC-002 v1.4: + +| Level | Name | Validation | Use Case | |-------|------|------------|----------| -| 0 | Self-Signed | Agent itself (`did:key`) | Development, testing | -| 1 | Domain Validated (DV) | CapiscIO Registry | Production agents | -| 2 | Organization Validated (OV) | CapiscIO Registry | Business agents | -| 3 | Extended Validation (EV) | CapiscIO Registry | Financial, healthcare | -| 4 | Continuous Validation (CV) | CapiscIO Registry | Critical infrastructure | +| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos | +| 1 | Registered (REG) | Account registration | Development, internal agents | +| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents | +| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production | +| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries | ## Next Steps diff --git a/docs/guides/server-side.md b/docs/guides/server-side.md index eeccbbe..4b95422 100644 --- a/docs/guides/server-side.md +++ b/docs/guides/server-side.md @@ -97,12 +97,12 @@ async def read_file(path: str) -> str: @guard(min_trust_level=3) async def write_file(path: str, content: str) -> None: - """High-risk: Write files (EV required).""" + """High-risk: Write files (OV required).""" pass @guard(min_trust_level=4) async def execute_command(cmd: str) -> str: - """Critical: Execute shell commands (CV required).""" + """Critical: Execute shell commands (EV required).""" pass ``` diff --git a/docs/index.md b/docs/index.md index 22132c4..8bc1ccf 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -22,7 +22,7 @@ MCP Guard solves this with: | **@guard decorator** | Protect tools with trust-level requirements | | **Evidence logging** | Cryptographic audit trail for every invocation | | **Server identity** | Verify MCP servers before connecting | -| **Trust levels** | 0 (self-signed) → 4 (continuous validation) | +| **Trust levels** | 0 (self-signed) → 4 (extended validation) | ## Quick Example @@ -54,13 +54,15 @@ if result.state == ServerState.VERIFIED_PRINCIPAL: ## Trust Levels -| Level | Name | Description | -|-------|------|-------------| -| 0 | Self-Signed | `did:key` issuer, cryptographic identity only | -| 1 | Domain Validated (DV) | Domain ownership verified | -| 2 | Organization Validated (OV) | Organization identity verified | -| 3 | Extended Validation (EV) | Legal entity verification | -| 4 | Continuous Validation (CV) | Runtime attestation | +Per RFC-002 v1.4: + +| Level | Name | Validation | Use Case | +|-------|------|------------|----------| +| 0 | Self-Signed (SS) | None, `did:key` issuer | Local dev, testing, demos | +| 1 | Registered (REG) | Account registration | Development, internal agents | +| 2 | Domain Validated (DV) | DNS/HTTP challenge | Production, B2B agents | +| 3 | Organization Validated (OV) | DUNS/legal entity | High-trust production | +| 4 | Extended Validated (EV) | Manual review + legal | Regulated industries | ## Next Steps