feat(mcp): ADOPT-1 Slice 2 — extend firmware-text fencing to remaining categories

eastmadc · eastmadc · commit 5ff07a697abd · 2026-06-13T11:09:05.000-06:00
Extends UNTRUSTED_OUTPUT_TOOLS 36 -&gt; 81, fencing the remaining MCP tools whose
output carries adversary-authored firmware/device/network-derived text:
android (APK), network (pcap), uefi (volumes/modules/NVRAM), hardware_firmware
(blobs/drivers/DTB/HBOM), comparison (firmware diffs), uart (device serial
OUTPUT), security (tools that echo extracted certs/scripts/config/policy/yara
matches), sbom (component inventory parsed from firmware).

Principle: fence raw firmware/adversary-derived text; deliberately leave
wairz-computed verdicts, NVD/CVE data, external threat-intel (VT/MB/ThreatFox),
CRA-authoring, and control/status tools UNFENCED (the model must act on
wairz-authored guidance). The drift-guard test confirms all 81 names exist in
the real registry; no per-handler edits (single frozenset source of truth).
diff --git a/backend/app/utils/untrusted.py b/backend/app/utils/untrusted.py
@@ -69,6 +69,62 @@
         "list_binary_capabilities",
         "analyze_raw_binary",
         "detect_rtos",
+        # --- Slice 2: remaining firmware/adversary-derived-text categories ---
+        # android — the APK IS the firmware artifact
+        "analyze_apk",
+        "list_apk_permissions",
+        "check_apk_signatures",
+        "scan_apk_manifest",
+        "scan_apk_bytecode",
+        "scan_apk_sast",
+        # network — pcap contents are attacker-authored traffic
+        "analyze_network_traffic",
+        "get_protocol_breakdown",
+        "identify_insecure_protocols",
+        "get_dns_queries",
+        "get_network_conversations",
+        # uefi — firmware volumes / modules / NVRAM
+        "list_firmware_volumes",
+        "list_uefi_modules",
+        "extract_nvram_variables",
+        "identify_uefi_module",
+        "read_uefi_module",
+        # hardware firmware — blobs / drivers / DTB / HBOM
+        "lookup_similar_blobs_across_firmwares",
+        "list_hardware_firmware",
+        "analyze_hardware_firmware",
+        "list_firmware_drivers",
+        "find_unsigned_firmware",
+        "export_hardware_firmware_hbom",
+        "extract_dtb",
+        # comparison — firmware/binary/decompilation diffs
+        "list_firmware_versions",
+        "diff_firmware",
+        "diff_binary",
+        "diff_decompilation",
+        # uart — device serial OUTPUT (adversarial for a compromised device)
+        "uart_read",
+        "uart_get_transcript",
+        "uart_send_command",
+        "uart_send_raw",
+        # security — tools that echo extracted firmware text (certs, scripts,
+        # config, policy, yara matches). Pure wairz verdicts / NVD / external
+        # threat-intel / CRA-authoring tools are deliberately NOT fenced.
+        "analyze_config_security",
+        "check_setuid_binaries",
+        "analyze_init_scripts",
+        "check_filesystem_permissions",
+        "analyze_certificate",
+        "scan_with_yara",
+        "extract_kernel_config",
+        "analyze_selinux_policy",
+        "scan_scripts",
+        "shellcheck_scan",
+        "bandit_scan",
+        # sbom — component inventory (names/versions parsed from firmware)
+        "generate_sbom",
+        "get_sbom_components",
+        "export_sbom",
     }
 )
 
