docs(security): add OWASP normative references to SAFE-MCP advisory

Sourced from Research Lead synthesis 2026-04-18 22:52 UTC.

Changes:
- G-02 long-term mitigation: replaced vague "Ed25519" with MCPS
  Tool Definition Signing (ECDSA P-256, schema hash pinning, rug pull
  protection, targeting MCPS L3 trust level)
- Added "Normative References" section citing:
  - MCP04:2025 — Software Supply Chain Attacks & Dependency Tampering
    (signed components, version pinning, SBOM/CBOM, dependency scanning)
  - MCP09:2025 — Shadow MCP Servers
    (central governance, discovery/scanning, baseline configs)
  - MCPS — Cryptographic Security Layer for MCP
    (tool definition signing, trust levels L0–L4)
- Annotated each remediation checklist item with the OWASP control
  that motivates it

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>