From Connectors to Containers — A secure, portable protocol for AI tool distribution.
Specification • Getting Started • Contributing • Discussions
The Model Package Protocol (MPP) is an open standard that redefines how AI tools are distributed, verified, and executed. Where the Model Context Protocol (MCP) treats tools as live server connections ("cables"), MPP treats them as signed, sandboxed, portable packages ("containers").
An .mpp package is a single, compressed artifact containing:
- Executable logic — compiled to WebAssembly (WASM) for cross-platform, sandboxed execution
- JSON-schema definitions — describing the tool's inputs, outputs, and capabilities
- A security manifest — declaring required permissions and trust level
- Cryptographic signatures — proving origin and integrity
| Requirement | MCP (Connector) | MPP (Package) |
|---|---|---|
| Delivery | Live server (always on) | Portable package (on-demand) |
| Security | Firewall / network-based | Cryptographic signatures & WASM sandboxing |
| State | Stateless (mostly) | Stateful: built-in local KV store |
| Offline Use | Requires a running local server | Works offline like a local app |
| Version Control | Manual / brittle | Semantic versioning built into the package |
| Enterprise Compliance | Hard to audit live traffic | Easy to audit static .mpp files |
| Identity | Human / app credentials | Agent-identity: tools verify which agent calls them |
| Portability | Requires Node / Python environment | Runs anywhere with a WASM runtime |
- Zero-Trust Execution — Tools run in a capability-based sandbox. The host must explicitly grant permission tokens for specific folders, network domains, or hardware.
- Supply Chain Security — Every MPP package is digitally signed. Agents refuse to load unverified packages.
- Ephemeral Attestation — One-time proof that the user authorized a specific action.
- Privacy Filters — Protocol-level PII redaction before data leaves the sandbox.
- Human-in-the-Loop Manifest — High-sensitivity actions trigger mandatory UI confirmation automatically.
┌──────────┐ ┌──────────┐ ┌─────────────┐ ┌──────────────┐ ┌───────────┐
│ Package │───▶│ Sign │───▶│ Distribute │───▶│ Fetch+Verify │───▶│ Execute │
│ (Build) │ │ (Key) │ │ (Registry) │ │ (Gatekeeper) │ │ (Sandbox) │
└──────────┘ └──────────┘ └─────────────┘ └──────────────┘ └───────────┘
- Package — A developer builds a tool and compiles it into an
.mppartifact. - Sign — The developer signs the package with a private key.
- Distribute — The package is hosted on a registry (like an "NPM for AI").
- Fetch & Verify — The AI Agent Host downloads and verifies the signature before opening the sandbox.
- Execute — The tool runs with least-privilege access in an isolated WASM sandbox.
mpp/
├── spec/ # The MPP Specification (normative documents)
├── sdk/ # Reference SDK (Rust) & CLI; TypeScript & Python SDKs planned
├── runtime/ # Reference Host runtime (verify, sandbox, execute)
├── registry/ # Public package registry (API + web frontend)
├── rfcs/ # Community proposals (RFC process)
├── tests/ # Conformance & security test suites
└── docs/ # User-facing documentation & guides
# Install the MPP CLI
cargo install --path sdk/cli
# Create a new MPP tool project
mpp init my-tool
cd tools/my-tool
# Build the .mpp package
mpp build
# Run it locally in a sandbox
mpp run my-tool.mpp
# Sign and publish to a registry
mpp sign --key mpp-private.key
mpp publish
# Manage installed packages
mpp list
mpp update my-tool
mpp uninstall my-tool
⚠️ Research Preview — MPP is feature-complete but not yet production-hardened. It is suitable for evaluation, prototyping, and contribution — not for production workloads. APIs and formats may change before a stable v1.0 release.
MPP has completed all 8 stages of its development plan, with 123 passing tests across 5 crates and a full CLI with 14 subcommands.
| Stage | Status |
|---|---|
| Stage 1 — Project Skeleton & Specification | ✅ Complete |
| Stage 2 — Core Data Types & Cryptography | ✅ Complete |
| Stage 3 — Archive Format & Gatekeeper | ✅ Complete |
| Stage 4 — Permission System & Human-in-the-Loop | ✅ Complete |
| Stage 5 — WASM Sandbox & KV Store | ✅ Complete |
| Stage 6 — Attestation, Agent Identity & Privacy Filters | ✅ Complete |
| Stage 7 — SDK & CLI | ✅ Complete |
| Stage 8 — Registry API & Web Frontend | ✅ Complete |
We welcome contributions from everyone! Please read our Contributing Guide to get started.
- Report bugs — Open an issue
- Propose features — Open an RFC
- Join the discussion — GitHub Discussions
MPP is governed by a transparent, community-driven process. See GOVERNANCE.md for details on decision-making, the Technical Steering Committee, and the RFC process.
To report a security vulnerability, please follow the process described in SECURITY.md. Do not open a public issue for security vulnerabilities.
This project is licensed under the Apache License 2.0.
MPP — Because AI tools deserve the same supply-chain security as the software that runs them.