The Provenance Gap
A forensic audit of Claude Desktop on macOS shows that MCP has no provenance primitive. The absence is not a gap in tooling — it is a gap in the protocol.
On April 18, 2026, the privacy researcher Alexander Hanff published a forensic audit of Claude Desktop on macOS. The audit is unambiguous, reproducible, and — for anyone writing about the Model Context Protocol — consequential. The full post is worth reading on its own terms.
What this essay argues is narrower: the audit is the clearest public demonstration yet that MCP has no provenance primitive, and that the absence is not a gap in tooling. It is a gap in the protocol.
What the Audit Found
Claude Desktop writes Chromium Native Messaging manifests into seven browser configuration directories on macOS — Chrome, Brave, Edge, Chromium, Arc, Vivaldi, and Opera — regardless of whether those browsers are installed. The manifests pre-authorise three Chrome extension IDs to spawn an out-of-sandbox helper binary at user privilege. The files are byte-identical across all seven browsers, re-written on every launch of Claude Desktop, and survive deletion. There is no UI that lists them, no consent screen that introduced them, and no public documentation that names the subsystem that installs them.
There is, however, a log line:
[Chrome Extension MCP] Installed native host manifest for Brave at ...
That is Anthropic's own application, on Anthropic's own customer's machine, recording that an MCP-branded subsystem wrote state into seven trust boundaries the user never crossed. The subsystem shares a name — Chrome Extension MCP — with the protocol Anthropic originated. It ships outside the surface the protocol declares.
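To check a machine for the pattern described above, the manifests can be inventoried directly. The Go program below is an added example, not code from Hanff's audit or from Anthropic; it assumes per-user manifests live in directories named NativeMessagingHosts under ~/Library/Application Support, and it groups them by SHA-256 so that one body copied into several browser directories shows up as a single entry with many files.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Manifest keeps the Chromium Native Messaging fields that matter for an audit.
type Manifest struct {
	Path           string   `json:"path"`            // helper binary the browser may spawn
	AllowedOrigins []string `json:"allowed_origins"` // extension origins allowed to spawn it
	Files          []string `json:"-"`               // every file carrying this exact body
}

// AuditManifests walks root for NativeMessagingHosts/*.json and groups the
// files by the SHA-256 of their bytes (map key is the hex digest).
func AuditManifests(root string) (map[string]*Manifest, error) {
	groups := map[string]*Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || filepath.Ext(p) != ".json" ||
			filepath.Base(filepath.Dir(p)) != "NativeMessagingHosts" {
			return nil // skip unreadable entries and unrelated files
		}
		raw, err := os.ReadFile(p)
		m := &Manifest{}
		if err != nil || json.Unmarshal(raw, m) != nil {
			return nil // unreadable, or not a JSON manifest
		}
		key := fmt.Sprintf("%x", sha256.Sum256(raw))
		if groups[key] == nil {
			groups[key] = m
		}
		groups[key].Files = append(groups[key].Files, p)
		return nil
	})
	return groups, err
}

func main() {
	home, _ := os.UserHomeDir()
	groups, _ := AuditManifests(filepath.Join(home, "Library", "Application Support"))
	for sum, m := range groups {
		fmt.Println(sum[:12], m.Path, m.AllowedOrigins, m.Files)
	}
}
```

A group with more than one file is the byte-identical case; each file's directory can then be compared against the browsers actually installed.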
How We Found Out
The audit works because of a single primitive: com.apple.provenance, the extended attribute macOS writes automatically to every file, tying the file to the application bundle that created it. The attribute is kernel-enforced. The writing application cannot forge it. Hanff confirmed that the provenance bytes on the manifests are byte-identical to the provenance bytes on Claude Desktop's own log. The same app, unforgeably, wrote both.
That is an attestation primitive at the operating system layer. It is the reason accountability is possible at all. Without it, the investigation collapses to “Anthropic's log says Anthropic did it” — vendor self-report — which is exactly the thing that cannot be trusted when the question is whether a vendor did something it didn't advertise.
The OS has this primitive. The protocol does not.
What MCP Actually Specifies
MCP defines a transport, a capability schema, and a set of message types for model-to-tool communication. It assumes that the declared tool surface is the real tool surface — that a server which advertises a filesystem read tool reads files, that a server which advertises a web fetch tool fetches web pages, that installation of the server is scoped to what the server documents.
It does not specify:
There is no protocol-level mechanism for the client to record, before a call, what it believed the tool surface and execution context were. Post hoc, the client has no signed artifact to compare against.
There is no protocol-level mechanism for the server to return a signed, third-party-attested receipt describing what it actually did, against what input, at what time, with what state mutations.
There is no protocol-level mechanism to declare the full set of state mutations an MCP server installation performs on the host, and no client-verifiable record after the fact.
All three gaps are visible in the Hanff audit. The client — the user, in this case — had no pre-commitment to “Claude Desktop will install browser bridges into these N directories.” The server — Claude Desktop's Chrome Extension MCP subsystem — returned no signed receipts for the seven manifest writes and thirty-one re-install events recorded in its own logs. The installation was undocumented. The only record that survived was the one the operating system wrote, unforgeably, at a layer below the protocol.
The Failure Mode This Creates
Dormant capability with no provenance is the worst of both worlds. The capability is installed. The trust relationship is established. The attestation trail exists only at the host OS level, which most users will never inspect, and which does not exist on Linux, iOS, Android, or any non-Apple platform where MCP servers also run.
The user cannot answer the question: what did this install do?
The vendor's own logs can answer it, if the vendor chooses to write them, if the vendor chooses to make them user-visible, and if the user trusts that the vendor did not redact them.
Three conditional trust assumptions stacked in sequence. Each one is a surface the vendor controls. None is client-verifiable.
The analogue in agent execution — not just install-time, but every tool call, every memory write, every context mutation — is identical. An agent running under MCP today emits no client-verifiable receipt of what it did. If the tool server logged the call, the log is the tool server's word. If the client logged the input, the log is the client's word. Neither is pre-committed, neither is third-party-attested, neither survives a motivated operator.
The Primitive
What the audit needed, and what MCP lacks, is the same primitive agents need for every action that mutates state a user cares about.
Before a call, the client signs what it expects — the tool name, the input digest, the declared surface. The signature is binding. If the server executes something different, the pre-commit becomes a wedge, not a rumor. At Nukez, this is ADR-4, operator-excluded verification.
After execution, the server returns a receipt signed jointly by the server's keypair and an independent attestor whose root the operator does not control. Verification is public. The attestor's involvement is what defeats “the vendor's log says so.” At Nukez, the attestor is Switchboard, with Ed25519 and secp256k1 as equal first-class primitives so that chain of execution is provable regardless of which signing algorithm the agent's payment rail used.
Given the pre-commit, the attested receipt, and the envelope, any third party can reconstruct what the agent saw and did, byte-for-byte, without trusting either the client or the server.
These are the three things macOS does implicitly for file writes, in miniature, at the kernel layer. An agent protocol that aspires to execute arbitrary capability on behalf of a user — across filesystem, browser, payments, memory — cannot ship without their protocol-level equivalent. Agents care about traceability, receipt binding, state invariance, and secure recomputation, because without them there is no way to reason about verifiable memory, and without verifiable memory there is no way to reason about anything an agent claims it did.
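The pre-commit and attested-receipt checks described above, as an added Go example. This is not Nukez's or MCP's wire format: the type names, field names and tool names are hypothetical, all three parties sign with Ed25519 from the standard library, and the envelope is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// PreCommit is what the client signs before the call (hypothetical field names).
type PreCommit struct{ Tool, InputDigest, DeclaredSurface string }

// Receipt is the server's statement of what it ran, bound to one pre-commit.
type Receipt struct{ PreCommitDigest, ExecutedTool, OutputDigest string }

func digest(b []byte) string      { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func encode(v interface{}) []byte { b, _ := json.Marshal(v); return b } // fixed field order

// Verify uses public keys only, so any third party can run it.
func Verify(pc PreCommit, pcSig []byte, r Receipt, srvSig, attSig []byte,
	client, server, attestor ed25519.PublicKey) error {
	switch { // authenticate every message first, then compare contents
	case !ed25519.Verify(client, encode(pc), pcSig):
		return errors.New("pre-commit signature invalid")
	case !ed25519.Verify(server, encode(r), srvSig):
		return errors.New("server signature invalid")
	case !ed25519.Verify(attestor, encode(r), attSig):
		return errors.New("attestor signature invalid")
	case r.PreCommitDigest != digest(encode(pc)):
		return errors.New("receipt is not bound to this pre-commit")
	case r.ExecutedTool != pc.Tool:
		return errors.New("server executed a tool the client did not commit to")
	}
	return nil
}

// Exchange runs one constructed call; executed is the tool the server really ran.
func Exchange(executed string) error {
	cPub, cKey, _ := ed25519.GenerateKey(nil)
	sPub, sKey, _ := ed25519.GenerateKey(nil)
	aPub, aKey, _ := ed25519.GenerateKey(nil) // attestor root outside the operator's control
	pc := PreCommit{"fs.read", digest([]byte(`{"path":"notes.txt"}`)), "fs.read,fs.list"}
	pcSig := ed25519.Sign(cKey, encode(pc))
	r := Receipt{digest(encode(pc)), executed, digest([]byte("constructed output"))}
	return Verify(pc, pcSig, r, ed25519.Sign(sKey, encode(r)), ed25519.Sign(aKey, encode(r)), cPub, sPub, aPub)
}

func main() { fmt.Println(Exchange("fs.read"), "|", Exchange("browser.install_manifest")) }
```

The second call is the divergent case: every signature is valid, and the mismatch between the signed pre-commit and the signed receipt is what the verifier reports.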
The Pattern the Audit Sits Inside
The Hanff audit is the third MCP-adjacent incident of its class to surface publicly in recent weeks. The Anthropic Mythos model card, published April 7, documented agent-initiated deception, credential exfiltration, and git history manipulation — adversarial agent behavior. The April 23 Claude Code postmortem documented, among other issues, a caching bug that silently dropped prior reasoning from agent sessions for more than two weeks before detection — operator-side memory corruption of the agent itself. The Hanff audit documents silent operator pre-staging of capability on user hardware — a shadow subsystem outside the protocol's declared surface.
Three incidents, three dimensions of failure, one protocol.
The common structural feature is not that the vendor is bad. Anthropic has been unusually forthcoming about all three. The common structural feature is that the protocol has no primitive for the user, the agent, or an independent third party to verify what happened. In all three cases, the evidence that surfaced did so because someone — a red team, a bug investigator, a privacy researcher — reconstructed it from logs the vendor happened to write. None of the three is replicable by an ordinary user. None is continuous. None is protocol-level.
Where This Goes
The protocol layer is the correct layer to fix this. Application-level logs and OS-level provenance do not compose across vendors or platforms, respectively. By definition, an effective verification primitive has to live inside the protocol the agent uses to act.
Fortunately, Nukez does. It is a robust option for satisfying the necessary and sufficient conditions to handle the job.
