Skip to main content
Glama
ScopeBlind

verify-mcp

by ScopeBlind
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Local

verify_bundle

Verify a ScopeBlind audit bundle offline using embedded verification keys. Provide the bundle as a raw JSON string or a local file path.

Instructions

Verify a ScopeBlind audit bundle offline using the embedded verification keys.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
bundle_jsonNoRaw JSON bundle string.
pathNoPath to a local JSON bundle file.

Implementation Reference

  • server.js:105-130 (handler)
    Core handler function that verifies a ScopeBlind audit bundle by checking each receipt against the bundle's embedded verification keys. Returns aggregate pass/fail statistics.
    function verifyBundle(bundle) {
  if (!bundle?.receipts || !Array.isArray(bundle.receipts)) {
    throw new Error('Invalid bundle: missing receipts array');
  }
  const keyMap = resolveBundleKeyMap(bundle);
  let passed = 0;
  const receipts = bundle.receipts.map((receipt, index) => {
    const key = receipt?.kid ? keyMap.get(receipt.kid) : deriveEmbeddedKey(receipt);
    const result = verifySingle(receipt, key || null);
    if (result.valid) passed += 1;
    return {
      index,
      type: result.type,
      kid: result.kid,
      valid: result.valid,
      error: result.error,
    };
  });
  return {
    valid: passed === bundle.receipts.length,
    total: bundle.receipts.length,
    passed,
    failed: bundle.receipts.length - passed,
    receipts,
  };
}
  • server.js:211-226 (registration)
    MCP tool registration for 'verify_bundle' with optional bundle_json and path parameters. Calls verifyBundle() and returns JSON text result.
    server.tool(
  'verify_bundle',
  'Verify a ScopeBlind audit bundle offline using the embedded verification keys.',
  {
    bundle_json: z.string().optional().describe('Raw JSON bundle string.'),
    path: z.string().optional().describe('Path to a local JSON bundle file.'),
  },
  async (args) => {
    try {
      const bundle = readJsonInput(args.path, args.bundle_json);
      return textResult(verifyBundle(bundle));
    } catch (error) {
      return textResult({ ok: false, error: error.message });
    }
  }
);
  • server.js:214-217 (schema)
    Zod schema for the verify_bundle tool input parameters: either a raw JSON string or a file path.
    {
  bundle_json: z.string().optional().describe('Raw JSON bundle string.'),
  path: z.string().optional().describe('Path to a local JSON bundle file.'),
},
  • server.js:64-73 (helper)
    Helper function that extracts signing keys from the bundle's verification section and maps kid to hex public key, used by verifyBundle.
    function resolveBundleKeyMap(bundle) {
  const keys = bundle?.verification?.signing_keys || [];
  const map = new Map();
  for (const jwk of keys) {
    if (jwk?.kid && jwk?.x) {
      map.set(jwk.kid, bytesToHex(base64urlToBytes(jwk.x)));
    }
  }
  return map;
}

Tool Definition Quality

A3.6/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description carries full burden. It mentions 'offline' and 'embedded keys', but does not disclose what the tool returns (e.g., success/failure, signature validity, error messages) or any limitations. This is insufficient for an agent to predict behavior.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, well-structured sentence that conveys the core purpose without extraneous words. It is appropriately front-loaded and concise.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

The description lacks information about the output or return value (e.g., a boolean, status message) and error handling. Given no output schema, this gap impairs the agent's ability to use the tool effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Input schema covers both parameters (bundle_json and path) with descriptions, achieving 100% coverage. The description does not add meaning beyond the schema, so the baseline score of 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly identifies the verb 'Verify', the resource 'ScopeBlind audit bundle', and the method 'offline using embedded verification keys'. It distinguishes from sibling tools like 'explain_artifact' and 'verify_receipt'.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies this tool is for offline verification, but does not explicitly state when to prefer it over alternatives or when not to use it. The context is clear enough for an agent to infer appropriate usage.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ScopeBlind/verify-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server