There is a newer version of the record available.

Published June 2, 2026 | Version v1.0
Standard Open

CTMS: Canonical Tool Manifest Specification

Authors/Creators

Description

CTMS (Canonical Tool Manifest Specification) defines a signing and verification scheme for MCP (Model Context Protocol) tool metadata. MCP servers declare tool capabilities through descriptions, schemas, and annotations that language models use to discover and invoke tools. Nothing in the MCP protocol verifies that these declarations are accurate or unchanged. CTMS addresses this gap by defining a canonical form for tool metadata, a keyless signing scheme using Sigstore, a versioning model that distinguishes breaking from semantic changes, and a verification procedure that MCP clients perform before passing tool metadata to the language model. The signed artifact is a Sealed Tool Manifest (STM), structured as an in-toto attestation and recorded in a transparency log.

The specification builds on RFC 8785 (JSON Canonicalization Scheme), RFC 7515 (JSON Web Signatures), RFC 7517 (JSON Web Keys), the in-toto attestation format v1, and Sigstore (Fulcio + Rekor). It defines three conformance profiles (Community, Enterprise, Sovereign) to support different deployment contexts from open-source publishers to regulated environments. A Python reference implementation with a command-line tool and 67 offline tests accompanies the specification.

CTMS v1.0 is the first published version.

Notes

Reference implementation and test vectors are included in the archived release.

Files (105.6 kB)

gkanellopoulos/ctms-v1.0.zip (105.6 kB)
md5:a4ff2b4105d440d1694e4d4f87a601a4

Additional details