context7.json
{
  "$schema": "https://context7.com/schema/context7.json",
  "url": "https://context7.com/thirdkeyai/schemapin",
  "public_key": "pk_Ehy7QXQTu2Keb0e5BNeyx",
  "projectTitle": "SchemaPin",
  "description": "Cryptographic tool schema verification to prevent MCP Rug Pull attacks — ECDSA P-256 signing, SHA-256 hashing, TOFU key pinning, and .well-known discovery. Implementations in Python, JavaScript, Rust, and Go. Part of the ThirdKey trust stack.",
  "folders": [
    "SKILL.md",
    "README.md",
    "TECHNICAL_SPECIFICATION.md",
    "python/README.md",
    "javascript/README.md",
    "rust/README.md",
    "go/README.md",
    "docs/index.md",
    "docs/getting-started.md",
    "docs/api-reference.md",
    "docs/skill-signing.md",
    "docs/trust-bundles.md",
    "docs/deployment.md",
    "docs/troubleshooting.md"
  ],
  "excludeFolders": [
    "**/node_modules",
    "**/dist",
    "**/__pycache__",
    "**/*.egg-info",
    "**/target",
    "**/build",
    "**/coverage",
    "**/tests",
    "**/examples",
    "**/src",
    "server",
    "scripts",
    "integration_demo",
    "python/schemapin",
    "python/tools",
    "javascript/src",
    "rust/src",
    "go/pkg",
    "go/internal",
    "go/cmd"
  ],
  "excludeFiles": [
    "**/*.pem",
    "**/*_signed.json",
    "**/*.rs",
    "**/*.py",
    "**/*.ts",
    "**/*.js",
    "**/*.go",
    "**/*.lock",
    "**/*.toml",
    "**/*.cfg",
    "CHANGELOG.md",
    "ROADMAP.md",
    "SECURITY.md",
    "CODE_OF_CONDUCT.md",
    "schemapin_mcp_demo.ipynb"
  ],
  "rules": [
    "SchemaPin uses ECDSA P-256 (secp256r1) for signing and SHA-256 for hashing — no other algorithms accepted",
    "Schema canonicalization is required before signing: deterministic JSON with sorted keys, no whitespace, UTF-8 encoding",
    "TOFU key pinning: on first schema verification for a developer, their public key is pinned — subsequent verifications reject different keys for the same developer domain",
    "Public key discovery uses RFC 8615 .well-known endpoints: /.well-known/schemapin.json contains developer public keys",
    "Four language implementations with identical verification guarantees: Python (schemapin), JavaScript (schemapin), Rust (schemapin), Go (schemapin)",
    "Core classes: KeyManager (key generation/serialization), SignatureManager (sign/verify), SchemaPinCore (canonicalization), PinningManager (TOFU store)",
    "Verification flow: canonicalize schema → fetch/resolve public key → verify ECDSA signature → check TOFU pin → return result",
    "Never hardcode or embed private keys — use KeyManager to generate and PEM files for storage",
    "SchemaPin protects MCP tool schemas from tampering — sign on publish, verify on load"
  ]
}