Idea: Runtime trust scoring based on actual execution history?

[xkumakichi]

Hey — really interesting approach with static CI scanning for MCP servers. I've been thinking about the same problem from a different angle.

Your approach: Scan the server code/config for risk signals before deployment.
My question: What about runtime behavior? A server might pass all static checks but still fail 20% of the time in production.

I've been experimenting with a lightweight middleware that logs actual tool executions (success/fail, latency) and gives a simple trust verdict based on real history:

can_I_trust("my-server") → { verdict: "yes", success_rate: 99.2% }

It feels like static analysis (what you're doing) + runtime verification could be really complementary.

Curious:

1. Have you thought about incorporating runtime data into trust scoring?
2. Would a "runtime trust score" that feeds into your risk assessment be useful?

Here's my experiment if you want to look: https://github.com/xkumakichi/veridict

No pressure at all — just exploring this space and your project caught my eye.

[aak204]

Hey @xkumakichi! Thanks for reaching out and sharing Veridict. This is a fantastic concept.

You hit the nail on the head: static surface-risk scanning (what MCP Trust Kit does) and runtime observability/execution tracking (what Veridict does) are two halves of the same DevSecOps coin for agentic systems.

To answer your questions:

1. Have I thought about incorporating runtime data?
Yes, but I intentionally scoped MCP Trust Kit out of runtime telemetry for v0.x. My goal was to build a purely deterministic CI gate. The moment you introduce runtime success rates, the score becomes stateful (dependent on a database like your SQLite implementation) and variable (a flaky network call suddenly drops the trust score and blocks a CI pipeline).

2. Would a "runtime trust score" that feeds into risk assessment be useful?
Absolutely. In an enterprise environment, a platform engineer wants to know two things before giving an agent access to a tool:

1. Is the blast radius structurally safe? (Static Trust Score)
2. Is the tool actually reliable and stable? (Runtime Trust Score)

How we could collaborate:
I don't think these two tools should be merged into one monolithic codebase (they solve different problems at different stages of the lifecycle). However, they are highly complementary!

What do you think about a cross-mention? I'd be happy to add a "Complementary Tools" or "Runtime Observability" section to my README.md pointing to Veridict for teams that want post-deployment execution scoring.

Keep up the great work. Building the trust layer for MCP is exactly what the ecosystem needs right now.

[0xbrainkid]

Great thread. Static scanning + runtime observability are both necessary — but there's a third layer that neither captures: cross-organizational trust.

MCP Trust Kit scans what a server could do (static risk). Runtime scoring tracks what it does do (operational history). Neither answers: "should Org B trust this MCP server operated by Org A?"

That's the question every multi-agent deployment faces. When Agent A calls Tool X on an MCP server it's never seen before, it needs:

1. Static risk (your scan) — is the code safe?
2. Runtime history (Veridict's approach) — does it perform reliably?
3. Cross-org attestation — have OTHER agents/orgs used it successfully? What's the behavioral track record across the ecosystem?

Layer 3 is where aggregated trust scoring adds value. If 50 agents across 20 orgs have called this MCP server with 99.5% success rate over 90 days, that's a stronger signal than any single org's runtime logs.

This maps to the architecture emerging across the ecosystem:

Layer	What it answers	Example
Static	Is the code safe?	MCP Trust Kit, AgentAudit
Runtime	Does it work?	Veridict, OpenTelemetry agent metrics
Cross-org	Should I trust it?	SATP behavioral attestation, OATR

The practical integration: MCP Trust Kit scan → initial risk grade. Runtime logs → operational trust. Cross-org attestation → ecosystem-wide reputation. All three feed into a composite trust score that MCP clients can query before tool execution.

OWASP AISVS C10.2 (merged March 2026) already requires "cryptographically bound identity" for autonomous MCP clients. The next step is making trust queryable — so agents can make informed decisions about tools they've never used before.

[aak204]

@0xbrainkid This is a brilliant breakdown. You just perfectly articulated the "Trust Stack" for the agentic web.

I completely agree. MCP Trust Kit is strictly designed to be the foundational Layer 1 (Static Risk) in that exact architecture. It provides the deterministic baseline.

The vision of a composite trust score — where an autonomous agent queries a reputation oracle (combining Layer 1 surface scans, Layer 2 telemetry, and Layer 3 cross-org attestation) before executing an unknown tool — is exactly where the industry needs to go, especially with the new OWASP AISVS requirements.

My goal for MCP Trust Kit is to ensure that when those Layer 3 reputation systems are built, they have a reliable, standardized Layer 1 static score to pull from.

Fascinating stuff. We are literally watching the agent-to-agent security protocols being written in real-time right now.

[xkumakichi]

@aak204 Really appreciate the thoughtful response. You nailed the tradeoff — I deliberately kept Veridict stateful (SQLite) because the runtime signal is inherently stateful. But you're right that mixing it into a CI gate would create unpredictable pipeline behavior. Keeping them separate is the right call.

Cross-mention: absolutely yes. I'd be happy to add a "Complementary Tools" section in Veridict's README pointing to MCP Trust Kit for static scanning too. The combination makes way more sense than either alone:

MCP Trust Kit (pre-deploy) → "Is this server safe to run?"
Veridict (post-deploy)     → "Is this server actually reliable?"

I'll open a small PR or update the README this week.

@0xbrainkid The 3-layer Trust Stack you described is exactly the architecture I've been converging toward. Your Layer 3 (Cross-org attestation) maps directly to something I built earlier — XAIP, which uses DID + Verifiable Credentials on XRPL for agent identity and cross-org reputation.

The original design was:

• Identity (DID) → who is this agent?
• Credentials (VC) → what is it certified to do?
• Reputation → how has it performed across the ecosystem?

At the time I built it, it felt "too early" — no one was asking for agent trust infrastructure. This thread tells me the timing is shifting fast.

The OWASP AISVS C10.2 reference is huge — didn't know that had been merged. That changes the conversation from "nice to have" to "compliance requirement."

Would love to keep exploring this. The Trust Stack framing gives all three projects (MCP Trust Kit, Veridict, XAIP) a clear place in the architecture.

[0xbrainkid]

@xkumakichi The three-project convergence you described is exactly what we have been hoping would emerge from this thread.

Your XAIP design (DID + VC + reputation on XRPL) maps cleanly to Layer 3 of the Trust Stack — and the fact that you built it before anyone was asking for agent trust infrastructure is telling. The timing has shifted because of three simultaneous pressures: OWASP AISVS C10.2 making it a compliance requirement, 30+ MCP CVEs in 60 days making it an operational emergency, and RSAC 2026 proving that every enterprise vendor is building single-org identity while cross-org remains empty.

The Complementary Tools framing is right:

MCP Trust Kit (pre-deploy)  → Layer 1: "Is this server safe to run?"
Veridict (post-deploy)      → Layer 2: "Is this server actually reliable?"
XAIP / SATP (cross-org)     → Layer 3: "Should I trust this agent across boundaries?"

On the SQLite decision for Veridict — stateful runtime signal absolutely needs local state. The architecture question is whether that state should be queryable by external systems (Layer 3 providers pulling Veridict scores into cross-org attestations). If Veridict exposed a lightweight API or standard export format, SATP could consume runtime reliability data as one input into trust scoring — making the layers composable rather than siloed.

Would be interested in exploring how XAIP's VC model and SATP's attestation model could interoperate. Both solve cross-org trust but with different cryptographic approaches (VC presentation vs behavioral attestation chains). A bridge between them would give agents maximum portability.

[xkumakichi]

@0xbrainkid This is exactly the kind of convergence that makes open-source worth doing.

On the API/export question: You're right that Veridict's local SQLite state needs to become queryable. The current design already stores input/output hashes (SHA256) for every execution — these were intentionally designed as future anchoring points. The path I see:

1. Short-term: Expose a lightweight REST/JSON API from Veridict for local queries (GET /trust/:server_name)
2. Medium-term: Standard export format (maybe OpenTelemetry-compatible) so Layer 3 providers can pull runtime data
3. Long-term: On-chain anchoring of execution hashes to XRPL — making runtime trust verifiable without trusting the reporter

On VC vs behavioral attestation interop: This is the key architectural question. My thinking:

• VCs answer: "This agent was certified to do X" (capability claim)
• Behavioral attestation answers: "This agent actually did X successfully 99% of the time" (performance evidence)
• The bridge: VCs that embed behavioral attestation data — a credential that says "Agent Y has a verified 99.2% success rate over 1,247 executions, attested by Veridict runtime logs anchored on-chain"

This turns XAIP credentials from static claims into living, evidence-backed trust signals.

The 30+ MCP CVEs in 60 days stat is alarming. That kind of velocity means the trust infrastructure gap isn't theoretical anymore — it's actively being exploited. The compliance pressure (OWASP) plus operational pressure (CVEs) plus market pressure (RSAC vendors) creates a window where open standards can establish themselves before proprietary solutions lock in.

Happy to start concrete work on the composability layer. Would a shared spec document (even just a GitHub gist) for the Trust Stack interface contracts be a useful first step? Define what Layer 1 outputs, what Layer 2 exposes, what Layer 3 consumes.

[0xbrainkid]

The three-phase roadmap for Veridict's queryability is exactly right — local REST → OTel export → on-chain anchoring. Each step makes the runtime trust data more useful to Layer 3 consumers without breaking the existing local-first architecture.

The OTel export path (medium-term) is particularly interesting because OpenTelemetry already has semantic conventions for agent identity under discussion — open-telemetry/semantic-conventions #3582 is defining trust provenance attributes. If Veridict exports in OTel format, any Layer 3 provider (SATP, XAIP, or future systems) can consume it through standard collectors rather than custom integrations.

On VCs embedding behavioral attestation data: This is the bridge architecture we've been looking for. A VC that says "Agent Y has a verified 99.2% success rate over 1,247 executions, attested by Veridict runtime logs anchored on-chain" collapses the static/dynamic distinction into a single verifiable credential. The key design question: credential refresh cadence. If behavioral data changes continuously but VCs are issued on-chain, what's the right issuance frequency? Options:

1. Epoch-based (hourly/daily) — VC re-issued at fixed intervals with latest aggregated stats
2. Threshold-based — new VC only when behavioral metrics cross a significance boundary (e.g., score drops below tier threshold)
3. Event-driven — new VC on material events (first failure, recovery from drift, attestation count milestones)

Option 3 seems most efficient for on-chain cost, but option 2 gives consuming agents the most predictable refresh semantics.

On shared spec document: Yes — let's do it. A GitHub repo or gist for the Trust Stack interface contracts. I'll draft the Layer 2→3 interface (what runtime data SATP/XAIP consumes from Veridict, schema, refresh semantics). You draft Layer 1→2 (what MCP Trust Kit outputs that Veridict consumes). @aak204 can define the Layer 1 output schema.

Three authors, three layers, one spec. This is how open standards should get built.

[xkumakichi]

@0xbrainkid The OTel semantic conventions #3582 is a great find — if trust provenance attributes land in OTel, Veridict's export path becomes plug-and-play for the entire observability ecosystem. Standard collectors instead of custom integrations. Will follow that thread closely.

On credential refresh cadence: Option 2 (threshold-based) makes the most sense to me. A VC refresh only triggers when the trust verdict actually changes — e.g., an agent crosses from "yes" to "caution." This maps naturally to Veridict's existing verdict tiers and gives the best signal-to-cost ratio for on-chain writes.

I'm in for the shared spec. Happy to take Layer 1→2.

That said — before we go deep into formalizing, I'd love to ground this in real usage first. Would you and @aak204 be open to trying Veridict in an actual setup? Even a rough integration would give us real signals to shape the spec against.

import { withVeridict } from "veridict";
withVeridict(server, { name: "your-server" });

The spec should describe what we observe, not what we imagine. Real Layer 1→2 data from MCP-Trust-Kit + Veridict running together would be worth more than any design doc.

[0xbrainkid]

Completely agree — spec should describe what we observe, not what we imagine. Let's ground it in real integration first.

I'll set up Veridict against our agentfolio-mcp-server this week. The withVeridict(server, { name: "agentfolio-mcp" }) wrapper should give us real Layer 2 data (execution reliability, response times, failure patterns) that we can then pipe into SATP as Layer 3 input.

The integration sequence:

1. MCP Trust Kit scans agentfolio-mcp-server statically → Layer 1 baseline
2. Veridict wraps it at runtime → Layer 2 reliability data
3. SATP consumes both → Layer 3 cross-org trust score

Real data from all three layers running together will tell us exactly what the interface contracts need to carry. Then we spec what we observed.

On threshold-based refresh (Option 2) — agreed. Verdict tier crossings as VC refresh triggers are the most natural mapping. A "yes → caution" transition is the exact moment when consuming agents need updated trust data, and skipping redundant re-issuance when the verdict is stable saves on-chain cost.

Will report back when the Veridict integration is running.

[xkumakichi]

Looking forward to seeing the results. If anything breaks or feels off during integration, happy to iterate quickly.

[aak204]

@xkumakichi @0xbrainkid This is exactly how open standards should be born—from working code, not ivory-tower committees. Count me in.

I love the pragmatic approach of observing the integration first.

Regarding the Layer 1 → Layer 2 handoff: MCP Trust Kit already emits a structured, deterministic JSON report (--json-out). It contains the aggregate score, the specific capability penalties (e.g., dangerous_fs_write), and a breakdown of schema hygiene.

You can see the exact schema of the output here in the repo: sample-reports/insecure-server.report.json.

For the experiment with agentfolio-mcp-server, you can literally pipe my scanner's JSON output directly into Veridict's initialization if you want to set a baseline trust threshold before runtime begins.

Let me know how the test run goes. If we need to tweak the Layer 1 JSON schema to make it easier for Veridict or SATP to ingest, I can ship those changes in v0.5.0 this week. Let's build this.

[0xbrainkid]

@aak204 Perfect — the --json-out with aggregate score + capability penalties + schema hygiene is exactly what Layer 2 and Layer 3 need to consume. That structured output is already a de facto interface contract for Layer 1.

Here's the concrete integration plan:

# Step 1: Layer 1 scan → baseline
npx mcp-trust-kit scan agentfolio-mcp-server --json-out > layer1-baseline.json

# Step 2: Layer 2 wraps with Veridict (runtime monitoring)
# @xkumakichi — Veridict reads layer1-baseline.json as initial trust context
withVeridict(server, { 
  name: "agentfolio-mcp",
  baseline: require("./layer1-baseline.json") 
});

# Step 3: Layer 3 (SATP) consumes both
# Veridict runtime data + MCP Trust Kit static scan → SATP trust score

The pipe-through architecture means each layer adds signal without blocking the others. If Layer 1 finds a dangerous_fs_write capability, Layer 2 can set a tighter monitoring threshold for that specific tool, and Layer 3 can weight its trust score accordingly.

One request for v0.5.0 if you're shipping changes: a scan_timestamp field in the JSON output. Layer 3 needs to know when the static scan happened to apply temporal decay — a scan from 2 hours ago is more trustworthy than one from 2 weeks ago.

I'll run the scan against agentfolio-mcp-server this week and share the full three-layer results here. Three authors, three layers, one integration test. Let's ship it.

[aak204]

@0xbrainkid That integration pipeline is beautiful in its simplicity. Using the static findings to set dynamic monitoring thresholds in Layer 2 is exactly why we need these layers to talk to each other.

Consider scan_timestamp done. I will add an ISO 8601 timestamp to the root of the JSON and SARIF outputs. I'll ship v0.5.0 today/tomorrow so you have it ready for the agentfolio-mcp-server integration run. Let's make it happen.

[xkumakichi]

@aak204 v0.5.0 shipped — nice. scan_timestamp is exactly what we needed.

Veridict now consumes MCP Trust Kit output directly. Published v0.1.3 with a parseLayer1Report() helper:

import { withVeridict, parseLayer1Report } from "veridict";
import report from "./layer1-baseline.json";

withVeridict(server, {
  name: "agentfolio-mcp",
  baseline: parseLayer1Report(report),
});

It maps scan_timestamp (with generated_at fallback), extracts risk signals from findings, and carries the full report through for Layer 3.

Runtime effect: static risks now influence the verdict — high-risk tools get "caution" even at high success rates.

@0xbrainkid The pipe-through is live:

npx mcp-trust-kit scan --json-out layer1-baseline.json --cmd node agentfolio-mcp-server.js

Ready for the integration test. If anything feels off, I can iterate quickly.