Conversation

@roomote (Collaborator) commented Jun 19, 2025

Summary

This PR implements SchemaPin support to prevent supply chain attacks on MCP tool schemas, addressing issue #4871.

Changes Made

Core Implementation

  • SchemaPinService: Main service class for schema verification and key pinning
  • SchemaPinValidator: Handles cryptographic verification of schema signatures
  • KeyPinningManager: Manages storage and retrieval of pinned public keys
  • Integration with McpHub: Schema verification integrated into MCP tool loading process

Configuration

  • Added VSCode settings for SchemaPin configuration:
    • : Enable/disable SchemaPin verification
    • : Reject tools without valid signatures
    • : Automatically pin keys for new tools
    • : Timeout for verification operations
    • : Domains that bypass verification
    • : Domains that are never allowed

Features

  • Backward Compatibility: Unsigned schemas continue to work as before
  • Signed Schema Support: Looks for files with detached signatures
  • Public Key Pinning: Pins developer public keys on first use to prevent key substitution
  • Developer Key Discovery: Fetches public keys from endpoints
  • Key Revocation: Support for revoking compromised developer keys
  • Flexible Verification: Optional verification that doesn't break existing workflows

Security Benefits

  • Protection against MCP Rug Pull attacks: Prevents malicious actors from altering schemas after trust
  • Cryptographic Integrity: Ensures schemas haven't been tampered with
  • Developer Authentication: Verifies schemas are signed by trusted developers
  • Supply Chain Security: Adds integrity checks to the MCP tool ecosystem

Testing

  • Comprehensive test suite covering all major functionality
  • Tests for both signed and unsigned schema scenarios
  • Proper error handling and edge case coverage
  • All existing tests continue to pass

Acceptance Criteria ✅

Given a tool provides a signed schema with a valid and known pinned public key
When an agent loads the tool
Then Roo Code verifies the signature before accepting the schema
And logs an error and blocks the tool if the signature is invalid or the public key is unpinned
But if no signature is present, the system behaves as it does today

Technical Implementation

The implementation follows the SchemaPin protocol specification and integrates seamlessly with the existing MCP infrastructure. The service is initialized alongside the MCP hub and performs verification during tool loading.

Key design decisions:

  • Optional by default: SchemaPin is enabled but doesn't break existing workflows
  • Graceful degradation: Network failures don't prevent tool usage
  • Minimal performance impact: Verification only occurs when signatures are present
  • Extensible architecture: Easy to add new verification methods in the future

Related Issues

Fixes #4871

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Security enhancement
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

… tool schemas

- Add optional SchemaPin dependency for cryptographic schema verification
- Implement SchemaPinService, SchemaPinValidator, and KeyPinningManager
- Integrate schema verification into MCP tool loading process
- Add VSCode configuration settings for SchemaPin options
- Maintain backward compatibility - unsigned schemas still work
- Add comprehensive test coverage for SchemaPin functionality
- Support for .signed.schema.json files and public key pinning
- Implement developer key discovery via .well-known endpoints
- Add key revocation support for compromised developer keys

This implementation provides protection against MCP Rug Pull attacks
where malicious actors alter tool schemas after initial trust.
@roomote roomote requested review from cte, jr and mrubens as code owners June 19, 2025 07:57
@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. enhancement New feature or request labels Jun 19, 2025
@ellipsis-dev (Contributor) bot commented Jun 19, 2025

⚠️ This PR is too big for Ellipsis, but support for larger PRs is coming soon. If you want us to prioritize this feature, let us know at [email protected]


Generated with ❤️ by ellipsis.dev

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Jun 19, 2025
@daniel-lxs (Member) commented:

Closing, see #4871 (comment)

@daniel-lxs daniel-lxs closed this Jun 19, 2025
@github-project-automation github-project-automation bot moved this from Triage to Done in Roo Code Roadmap Jun 19, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Jun 19, 2025
@roomote roomote deleted the fix-4871 branch June 19, 2025 15:41
Development

Successfully merging this pull request may close these issues: Proposal: Add SchemaPin Support to Prevent Supply Chain Attacks on Tool Schemas