EcoCitizenZ
Binding type · MCP

MCP binding

Bind an MCP server identity, declare its tool inventory, and route high-risk tool calls through a fail-closed Resolver check.

When to use MCP binding

  • You operate an MCP server exposing tools to agents.
  • You expose at least one high-risk tool that mutates state, moves money, or releases data.
  • A relying party needs to verify server identity and tool inventory posture before any high-risk call.

Decision-point sequence

  1. Agent or tool call is requested.
  2. Verifier fetches the manifest and tool inventory hash.
  3. Resolver runs an exact-ID check for the MCP server identity and dependencies.
  4. If state is BOUND and current, the call proceeds.
  5. If state is unavailable, MISMATCH, REVOKED, EXPIRED, DEGRADED, or SUSPENDED, the verifier fails closed.

MCP binding fields

Field                  Purpose
mcp_server_id          Canonical ECZ-ID for the MCP server.
operator_ecz_id        Parent ECZ-ID that owns the server.
tool_inventory_hash    sha256 hash of the canonical declared tool set.
dangerous_tool_flags   List of tools that mutate state or release sensitive resources.
api_dependencies       API Passport ids for any API the tool calls.
resolver_check         Posture for verifiers; fail-closed for high-risk tools.

Tool inventory example

MCP tool inventory
{
  "mcp_server_id": "ECZ-GB-XXXXXX::MCP-9K3R7M",
  "operator_ecz_id": "ECZ-GB-XXXXXX",
  "tool_inventory_hash": "sha256:<hash>",
  "tools": [
    { "name": "lookup_order", "risk": "standard" },
    { "name": "issue_refund", "risk": "high" }
  ],
  "dangerous_tool_flags": ["issue_refund"],
  "api_dependencies": [
    { "api_passport_id": "ECZ-GB-XXXXXX::API-2Q7X9B" }
  ],
  "resolver_check": "fail-closed",
  "resolver_url": "https://resolver.ecocitizenz.org/p/ECZ-GB-XXXXXX/MCP/9K3R7M"
}

Fail-closed verifier posture

For high-risk tool calls the verifier is fail-closed: if Resolver does not project a current BOUND state for the MCP server identity and binding posture, the call is blocked. ECZ-ID does not claim MCP tools are safe. ECZ-ID verifies identity, authority, binding posture, and current Resolver state only.
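
The decision-point sequence and fail-closed posture above, sketched as an added Python example (not ECZ-ID or EcoCitizenZ code). The canonical form behind tool_inventory_hash, the Resolver response keys (mcp_server_id, state, checked_at, dependency_states), the 300-second freshness window, the pinned expected_id, and letting standard tools skip the gate are all assumptions; the page specifies none of them.

```python
import hashlib
import json
import time

MAX_AGE_S = 300  # assumption: oldest Resolver answer still treated as "current"

def inventory_hash(tools):  # assumed canonical form: sorted by name, compact JSON
    canon = json.dumps(sorted(tools, key=lambda t: t["name"]),
                       sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canon.encode()).hexdigest()

def _check(manifest, tool, expected_id, resolver, now):
    declared = {t["name"]: t.get("risk") for t in manifest["tools"]}
    if tool not in declared:
        return False, "tool not in declared inventory"
    if tool not in manifest["dangerous_tool_flags"] and declared[tool] == "standard":
        return True, "standard tool, gate not applied"
    if inventory_hash(manifest["tools"]) != manifest["tool_inventory_hash"]:
        return False, "tool inventory hash mismatch"
    if resolver is None:
        return False, "resolver unavailable"
    # Exact-ID check: plain string equality, no case folding or normalisation.
    if not manifest["mcp_server_id"] == resolver["mcp_server_id"] == expected_id:
        return False, "server id mismatch"
    if resolver["state"] != "BOUND":
        return False, "state " + str(resolver["state"])
    if not 0 <= now - resolver["checked_at"] <= MAX_AGE_S:
        return False, "resolver state not current"
    for dep in manifest["api_dependencies"]:
        if resolver["dependency_states"].get(dep["api_passport_id"]) != "BOUND":
            return False, "dependency not BOUND: " + dep["api_passport_id"]
    return True, "BOUND and current"

def gate(manifest, tool, expected_id, resolver, now=None):
    """Return (allowed, reason). resolver is None when Resolver is unreachable,
    else a dict with hypothetical keys; malformed input blocks the call."""
    try:
        return _check(manifest, tool, expected_id, resolver,
                      time.time() if now is None else now)
    except (KeyError, TypeError, AttributeError):
        return False, "malformed manifest or resolver data"

# Constructed sample mirroring the page's example, with a computed hash.
TOOLS = [{"name": "lookup_order", "risk": "standard"},
         {"name": "issue_refund", "risk": "high"}]
MANIFEST = {"mcp_server_id": "ECZ-GB-XXXXXX::MCP-9K3R7M", "tools": TOOLS,
            "tool_inventory_hash": inventory_hash(TOOLS),
            "dangerous_tool_flags": ["issue_refund"],
            "api_dependencies": [{"api_passport_id": "ECZ-GB-XXXXXX::API-2Q7X9B"}]}
```

The only path that returns allowed for a high-risk tool is the last line of _check; every missing, stale, or unexpected value returns a block with a reason that can be logged.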

ECZ-ID keeps setup, verification state, and public proof separated by design. TrustOps handles setup. Resolver remains the public proof surface. Re-check before reliance.