
Verifiable Manifest Signing and Transparency Enforcement for Secure MCP-Based LLM Pipelines

Source: arXiv – CS AI. Authors: Saeid Jamshidi, Kawser Wazed Nafi, Arghavan Moradi Dakhel, Foutse Khomh, Mohammad Hamdaqa.

AI Summary

Researchers propose a cryptographic framework for securing Model Context Protocol (MCP) tool-use manifests in LLM pipelines, adding digital signatures, freshness validation, and tamper-evident audit logs. Testing across GPT-5.3, LLaMA-3.5, and DeepSeek-V3 demonstrates near-linear scalability with sub-10ms verification latency and 98.7%+ rejection rates for non-compliant manifests.

Analysis

This research addresses a critical gap in LLM infrastructure security. As large language models increasingly orchestrate external tools across healthcare, finance, and multi-agent systems, the baseline Model Context Protocol lacks cryptographic protections for tool manifests—the specifications governing how LLMs invoke external functions. Without manifest authentication and freshness validation, production pipelines face risks of tampering, unauthorized invocation, and replay of stale requests, with only weak audit trails for investigating any of them.

The proposed enforcement layer treats manifests as first-class security objects requiring canonical form validation, digital signatures, and policy binding before execution. By separating user-visible parameters from execution metadata and maintaining Merkle-based transparency logs, the framework creates tamper-evident accountability. The evaluation demonstrates practical viability: sub-9.4 millisecond verification latency on edge devices and near-perfect scalability across 50,000 test instances satisfy production requirements where overhead directly impacts inference cost.
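The checks that paragraph describes, as an added illustration that is not code from the paper or its authors: canonical-form hashing, signature verification before any field is trusted, a freshness window, policy binding of the tool name, rejection of execution metadata smuggled into user-visible parameters, and a Merkle root over the log of processed manifests. HMAC-SHA256 stands in for the paper's digital signature so the block runs with the standard library alone; the field names, the 300 s freshness window and the 30 s clock-skew tolerance are assumptions, not values from the paper.

```python
import hashlib
import hmac
import json

MAX_AGE_S = 300      # assumed freshness window; the paper's value is not stated on this page
CLOCK_SKEW_S = 30    # assumed tolerance for issuer clocks slightly ahead of the verifier

def canonical(body: dict) -> bytes:
    # Canonical form: sorted keys, no whitespace, UTF-8. Any byte change here breaks the signature.
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def sign_manifest(manifest: dict, key: bytes) -> dict:
    # HMAC-SHA256 stands in for the paper's digital signature (assumption: stdlib-only stand-in).
    body = {k: v for k, v in manifest.items() if k != "sig"}
    return {**body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def verify_manifest(manifest: dict, key: bytes, allowed_tools: set, now: float):
    """Return (accepted, reason). Order matters: authenticate before trusting any field."""
    body = {k: v for k, v in manifest.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    sig = manifest.get("sig", "")
    if not isinstance(sig, str) or not hmac.compare_digest(sig, expected):
        return False, "bad-signature"          # tampered or unsigned manifest
    issued = body.get("issued_at")
    if not isinstance(issued, (int, float)) or not (now - MAX_AGE_S <= issued <= now + CLOCK_SKEW_S):
        return False, "stale-or-future"        # replay of an old manifest (or a bad clock)
    if body.get("tool") not in allowed_tools:
        return False, "policy-violation"       # tool not bound to this pipeline's policy
    # Execution metadata lives only at the top level; user-visible params may not carry it.
    if set(body.get("params", {})) & {"tool", "issued_at", "scope"}:
        return False, "metadata-in-params"
    return True, "ok"

class MerkleLog:
    """Append-only transparency log; the root commits to every manifest processed so far."""
    def __init__(self):
        self.leaves = []
    def append(self, entry: bytes) -> int:
        self.leaves.append(hashlib.sha256(b"\x00" + entry).digest())   # leaf prefix 0x00
        return len(self.leaves) - 1
    def root(self) -> str:
        level = list(self.leaves) or [hashlib.sha256(b"").digest()]
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])        # duplicate the last node on odd-sized levels
            level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()  # node prefix 0x01
                     for i in range(0, len(level), 2)]
        return level[0].hex()
```

Publishing the root after each append lets an auditor detect any later rewrite of an accepted or rejected manifest, which is the tamper-evident property the summary attributes to the framework.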

The framework's applicability across three major LLM families (OpenAI, Meta, DeepSeek) and diverse domains suggests broad relevance as tool-use becomes standard in enterprise LLM deployments. Rejection rates exceeding 98.7% for malformed, expired, and policy-violating manifests indicate the system successfully filters threat categories that existing MCP implementations cannot address.

For infrastructure providers and enterprises deploying LLM agents, this work establishes a reference architecture for cryptographic enforcement without sacrificing performance. The next phase involves standardization efforts—whether this approach influences official MCP specifications or becomes adopted through third-party middleware will determine its market impact on LLM supply chain security.

Key Takeaways
  • Manifest-level cryptographic signing and verification adds <9.4ms overhead while rejecting 98.7%+ of non-compliant tool invocations
  • Framework maintains tamper-evident audit logs via Merkle trees, enabling independent verification of LLM-to-tool execution chains
  • Near-linear scalability (R²=0.998) across 50,000 manifest instances indicates production-ready performance for enterprise deployments
  • Approach separates user-visible request parameters from execution metadata, preventing authorization bypass via manifest injection
  • Multi-model validation (GPT-5.3, LLaMA-3.5, DeepSeek-V3) demonstrates vendor-agnostic applicability to heterogeneous LLM pipelines