GitHub MCP Server exposes 83 tools including write and destructive operations (create_issue, push_files, delete_file, merge_pull_request). Currently, there is no mechanism to verify that a tool call request has not been modified between the agent and the server.

The gap

TLS protects the transport, but a compromised proxy, middleware, or MCP relay between the agent and this server can modify JSON-RPC payloads after TLS termination. For destructive operations like delete_file or merge_pull_request, this is a meaningful risk.

The OWASP MCP Security Cheat Sheet Section 7 recommends message-level signing as a baseline control for MCP servers handling sensitive operations:

• Sign each MCP message with an asymmetric key bound to the sender identity
• Include a unique nonce and timestamp per request
• Reject duplicate nonces and messages outside a bounded time window
• Fail closed when verification fails

Reference: https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_Cheat_Sheet.html

What this would look like

Request includes signature headers:

X-MCP-Signature: <hmac-sha256-hex>
X-MCP-Nonce: <unique-per-request>
X-MCP-Timestamp: <iso8601>

Server verifies before processing. Invalid or missing signatures on write/destructive operations are rejected.

This would complement the existing PAT authentication (#132) by adding per-message integrity on top of per-session identity.

Happy to contribute.