MCP has no identity layer. No message signing. No tool integrity. 41% of MCP servers have zero authentication (TapAuth research). CVE-2025-6514 scored CVSS 9.6.
MCPS adds a cryptographic security layer on top of MCP – like TLS for HTTP:
- Agent Passports (ECDSA P-256 signed identity) - Message signing (every JSON-RPC call wrapped in signed envelope) - Tool integrity (signed definitions prevent poisoning) - Replay protection (nonce + timestamp window) - Trust levels L0-L4 (enforce minimum per server) - Real-time revocation via Trust Authority
Mitigates 8/10 OWASP MCP risks. Zero dependencies.
npm install mcp-secure pip install mcp-secure
Background: I filed OWASP security assessments against LangChain (github.com/langchain-ai/langchain/issues/35803) and other frameworks. The LangChain community implemented AST filtering fixes based on the findings. That work led to building MCPS as the protocol-level fix.
Full spec: github.com/razashariff/mcps/blob/main/SPEC.md Scan results for all 39 agents: mcp-secure.dev/#registry