The MCP integration in this toolkit routes agent tool calls to Mastercard APIs. When an LLM makes a call, the only record of what happened is in the agent framework's own logs. That record is not independently recomputable: a downstream auditor cannot verify the call parameters, the authorization context, or the outcome without replaying the original session.
For payment agents this is a compliance gap. PSD2 Article 95 requires audit trails for payment operations. EU AI Act Article 12 requires logging for automated decisions with legal or financial effects.
The SEP-2828 fallback projection (modelcontextprotocol/modelcontextprotocol#2828) defines a portable digest that addresses this. Before the agent calls a Mastercard API endpoint, the toolkit projects the tool call to:
{
"arguments": <params.arguments>,
"authBinding": <params._meta["authorization_binding"] if present>,
"toolName": "<params.name>"
}
The digest is SHA-256 over the JCS-canonical bytes of that object (RFC 8785); this is the preimage rule. The receipt envelope (issuer identity, signature, timestamp anchors) is specified in draft-sirkkavaara-vaara-receipt-01. The digest is stable across agent frameworks and providers because transport artifacts such as progress tokens are excluded from the projection.
Conformance vectors and a stdlib-only checker are at github.com/vaaraio/vaara (conformance/sep2828/fallback_projection_v0/). The receipt can be stored alongside the API response and verified without access to the original session or any Vaara library.
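The preimage rule above, worked through as an added example that is not the toolkit's or Vaara's own code: it projects a constructed MCP `tools/call` `params` object to the three-field preimage and hashes it. Assumptions: the `authBinding` key is omitted when `_meta.authorization_binding` is absent, and JCS is approximated with the stdlib JSON encoder, which matches RFC 8785 for strings, integers, booleans, null, arrays and objects but not for floats.

```python
import hashlib
import json


def jcs_canonicalize(value) -> bytes:
    """Approximate RFC 8785 (JCS) with the stdlib: sorted keys, no whitespace,
    UTF-8 output. Assumption: no floats in the projection (JCS number
    formatting for non-integers is not reproduced here)."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def fallback_projection(params: dict) -> dict:
    """Project MCP tools/call `params` to the SEP-2828 fallback preimage.
    Transport artifacts (e.g. _meta.progressToken) are dropped; only the tool
    name, its arguments and, if present, the authorization binding survive."""
    projection = {
        "arguments": params.get("arguments", {}),
        "toolName": params["name"],
    }
    meta = params.get("_meta") or {}
    if "authorization_binding" in meta:  # assumption: key omitted when absent
        projection["authBinding"] = meta["authorization_binding"]
    return projection


def fallback_digest(params: dict) -> str:
    """SHA-256 over the JCS-canonical bytes of the projection, hex-encoded."""
    return hashlib.sha256(jcs_canonicalize(fallback_projection(params))).hexdigest()


# Constructed sample: the same logical call seen by two agent frameworks that
# attach different progress tokens. Tool name and binding value are invented.
CALL_A = {
    "name": "mastercard.send_payment",
    "arguments": {"amount": 1250, "currency": "EUR", "payee": "acct-42"},
    "_meta": {"progressToken": "tok-1", "authorization_binding": "bind-7f3a"},
}
CALL_B = dict(CALL_A, _meta={"progressToken": "tok-2",
                             "authorization_binding": "bind-7f3a"})

if __name__ == "__main__":
    print(jcs_canonicalize(fallback_projection(CALL_A)).decode())
    print(fallback_digest(CALL_A) == fallback_digest(CALL_B))  # True
```

An auditor holding only the API response, the receipt and the original `params` recomputes `fallback_digest` and compares it with the receipt's digest; any change to the arguments or binding breaks the match.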