Capability 1 + 2: hash an MCP tool descriptor (Q3 semantics — full descriptor INCLUDING protocolVersion) and compare against the user-approved baseline. Returns the current hash and a change_detected flag. Hosts SHOULD call this before forwarding a tool call to detect post-approval descriptor drift (tool poisoning / rug pull defense per arXiv:2512.06556).

Capability 4 + 7: record a tool call (input + output hashes) as a signed RGE v0.2 envelope with the mcp_tool_audit block populated. Appends to the trace's audit chain and returns the new envelope's integrity hash. The envelope is persisted under ~/.phionyx/mcp_audit//.json by default (configurable via PHIONYX_MCP_AUDIT_ROOT).

Capability 8: walk the persisted envelope chain for trace_id and verify every link. Refuses mixed-schema chains. Returns {valid, checked, broken_at, reason}.

Read the audit chain for trace_id as a list of envelopes (most-recent first by default). Companion to verify_chain_integrity for replay and post-incident review.

Capability 5 (stub in v0.1.0-dev): capture user approval state for a tool. Full implementation lands when the host-side UX surface is defined; current returns a structured 'not_implemented' marker that callers can detect.

Capability 6 (stub in v0.1.0-dev): forward an anomaly observation from the host into the audit envelope's runtime_anomaly_flag field. Will pull live scores from phionyx_core.pipeline.blocks.behavioral_drift_detection in v0.5.

Catch-all decision logger — append a runtime decision (release/block/defer/redact) to the audit chain without populating mcp_tool_audit. Useful for non-MCP policy events the host wants to record alongside MCP calls.