pith. sign in

arxiv: 2606.18037 · v1 · pith:ZESHNARJnew · submitted 2026-06-16 · 💻 cs.AI · cs.CL· cs.MA

ProvenanceGuard: Source-Aware Factuality Verification for MCP-Based LLM Agents

Pith reviewed 2026-06-27 00:25 UTC · model grok-4.3

classification 💻 cs.AI cs.CLcs.MA
keywords provenancefactuality verificationLLM agentsMCPsource attributioncross-source conflationNLImedical domain
0
0 comments X

The pith

Source attribution forms an independent axis for factuality verification in MCP-based LLM agents.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Tool-using LLM agents answer from multiple heterogeneous sources via the Model Context Protocol, but standard factuality checks pool all evidence and miss cases where a claim is supported somewhere yet attributed to the wrong source. This cross-source conflation creates a distinct failure mode. ProvenanceGuard consumes captured MCP traces with stable tool and source IDs, decomposes answers into atomic claims, routes each claim to its stated source, verifies support via NLI and token alignment, and compares the attributed source against the routed one to produce per-claim verdicts and an answer-level allow or block decision. On 281 medical-domain traces it achieves block F1 of 0.802 and source accuracy of 0.858 while detecting every injected attribution swap in controlled probes; blocked answers are repaired via retrieval-augmented revision and pass re-verification. These outcomes establish source attribution checking as separable from pooled-evidence factuality.

Core claim

ProvenanceGuard is a source-aware verifier that takes MCP traces containing tool IDs, source IDs, and raw outputs, breaks generated answers into atomic claims, routes claims to source-specific evidence, checks support with NLI and token-alignment, compares the stated attribution to the routed source, and outputs per-claim verdicts plus an overall allow/block decision. On a 40-trace held-out medical split it reaches block F1 0.802 and source accuracy 0.858 over 260 claims; on a harder multi-source benchmark block F1 rises to 0.846 while exact source-ownership accuracy falls to 0.229. Repair-and-reverify resolves every blocked answer in the full set, and the system detects all 50 injected attr

What carries the argument

ProvenanceGuard pipeline that routes atomic claims to source-specific evidence using stable IDs from MCP traces and jointly verifies support and attribution match.

If this is right

  • Answers blocked for attribution errors can be repaired with retrieval-augmented revision and then pass re-verification.
  • The method outperforms all source-blind baselines that lack claim-to-source routing.
  • Exact source ownership remains difficult when sources are semantically close, lowering relation accuracy to 0.229.
  • All injected cross-source conflations are caught in 50 controlled clinical probes with no retained wrong attributions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could be inserted into live agent loops so that blocked outputs trigger immediate source correction before user presentation.
  • If stable traces can be captured outside MCP, similar routing-plus-attribution checks might extend to other tool-using agent frameworks.
  • The performance drop on close sources points to a need for finer source distinction methods or richer metadata in future traces.
  • The human-verified claim labels supply a reusable benchmark for testing future provenance verifiers.

Load-bearing premise

The evaluation assumes captured MCP traces supply stable tool IDs, source IDs, and raw outputs that match the evidence the agent actually saw at generation time.

What would settle it

A set of agent traces containing deliberately swapped but semantically similar sources in which ProvenanceGuard fails to block the resulting misattributions would falsify reliable detection.

Figures

Figures reproduced from arXiv: 2606.18037 by Ander Alvarez, Rom\'an Or\'us, Samuel Mugel, Santhiya Rajan.

Figure 1
Figure 1. Figure 1: FIG. 1. Why source-aware factuality is stricter than source-blind support. A claim can be supported by one MCP source while [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: FIG. 2. Sequential source-aware verification pipeline. The agent core calls MCP tools and produces a draft answer; [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: FIG. 3. Calibration layer. The calibrator receives only verifier-internal routing, NLI, lexical, token-alignment, and protected [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: FIG. 4. Evaluation datasets and units used in the paper. The primary captured-trace corpus supports claim-level scoring, [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
read the original abstract

Tool-using LLM agents increasingly use the Model Context Protocol (MCP) to answer from heterogeneous evidence sources, including search, APIs, databases, clinical records, and formulary tools. Standard factuality metrics usually test whether an answer is supported by pooled evidence, missing a provenance-sensitive failure mode: a claim may be supported somewhere while being attributed to the wrong source. We call this cross-source conflation. We introduce ProvenanceGuard, a source-aware verifier for MCP-grounded answers. It consumes captured MCP traces with stable tool IDs, source IDs, and raw outputs; decomposes answers into atomic claims; routes claims to source-specific evidence; checks support with NLI and a token-alignment proxy; compares stated attribution with the routed source; and returns per-claim verdicts plus an answer-level allow/block decision. Blocked answers can be repaired with retrieval-augmented answer revision and re-verified. We evaluate on 281 medical-domain MCP-agent traces. A 266-trace adjudicated subset yields 2,325 LLM-assisted claim labels split by trace; 361 held-out labels are human-verified. On the 40-trace held-out split, ProvenanceGuard achieves block F1 0.802 and source accuracy 0.858 over 260 source-eligible claims, outperforming source-blind baselines that do not emit claim-to-source IDs. On a harder multi-source benchmark it reaches block F1 0.846, while source-plus-relation accuracy drops to 0.229, showing that exact source ownership remains difficult with semantically close sources. Repair-and-reverify resolves all blocked answers in the full trace set, often via conservative fallback. In 50 controlled clinical conflation probes, ProvenanceGuard detects all injected attribution swaps with no retained wrong attribution. These results show that source attribution is an independent axis for factuality verification in MCP-based agents.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 0 minor

Summary. The paper introduces ProvenanceGuard, a source-aware factuality verifier for MCP-based LLM agents. It consumes captured traces with tool/source IDs and raw outputs, decomposes answers into atomic claims, routes claims to source-specific evidence, verifies support via NLI plus token-alignment proxy, compares against stated attribution, and outputs per-claim verdicts plus an allow/block decision (with optional repair-and-reverify). On 281 medical-domain traces (266 adjudicated yielding 2,325 LLM-assisted labels; 361 human-verified), the 40-trace held-out split yields block F1 0.802 and source accuracy 0.858 over 260 claims, outperforming source-blind baselines; a harder multi-source benchmark gives block F1 0.846 but source-plus-relation accuracy 0.229; all 50 controlled conflation probes are detected.

Significance. If the trace-fidelity assumption holds, the work demonstrates that source attribution constitutes an independent verification axis beyond pooled-evidence factuality checks, with direct implications for reliability in heterogeneous tool-using agents (especially medical). Credit is given for the parameter-free direct evaluation on a held-out split, the controlled probe set that detects all injected errors, and the practical repair mechanism.

major comments (3)
  1. [Abstract] Abstract (evaluation on 281 traces and 40-trace held-out split): the central claim that source attribution is an independent axis rests on the unvalidated assumption that captured MCP traces supply stable tool IDs, source IDs, and raw outputs that exactly match the evidence the agent conditioned on at generation time. No description of capture mechanics, no fidelity validation (e.g., replay comparison), and no discussion of dynamic retrieval/caching is provided; if IDs or outputs diverge, the routing step and attribution comparison become ungrounded.
  2. [Abstract] Abstract (block F1 0.802 and source accuracy 0.858): the evaluation provides no details on NLI model selection, implementation of the token-alignment proxy, or how the 40-trace split was constructed, all of which are required to assess whether the reported outperformance over source-blind baselines is reproducible and robust.
  3. [Abstract] Abstract (361 held-out human-verified labels): inter-annotator agreement is not reported for the human verification of the 361 labels, which directly affects the soundness of the 2,325 LLM-assisted claim labels used to support the main metrics.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on the evaluation assumptions, reproducibility details, and annotation process. We address each major comment below and will incorporate clarifications and expansions in the revised manuscript.

read point-by-point responses
  1. Referee: [Abstract] Abstract (evaluation on 281 traces and 40-trace held-out split): the central claim that source attribution is an independent axis rests on the unvalidated assumption that captured MCP traces supply stable tool IDs, source IDs, and raw outputs that exactly match the evidence the agent conditioned on at generation time. No description of capture mechanics, no fidelity validation (e.g., replay comparison), and no discussion of dynamic retrieval/caching is provided; if IDs or outputs diverge, the routing step and attribution comparison become ungrounded.

    Authors: We agree that the manuscript would benefit from an explicit statement of the trace-fidelity assumption. ProvenanceGuard is designed to operate on MCP traces that by protocol design include stable tool and source IDs along with raw outputs; the evaluation uses such traces from a deployed medical agent. We will add a methods paragraph describing the capture assumption, note the absence of replay-based fidelity validation as a scope limitation, and discuss implications of dynamic retrieval/caching. This clarifies the operating conditions without changing the core contribution that source attribution forms an independent verification axis when traces are faithful. revision: yes

  2. Referee: [Abstract] Abstract (block F1 0.802 and source accuracy 0.858): the evaluation provides no details on NLI model selection, implementation of the token-alignment proxy, or how the 40-trace split was constructed, all of which are required to assess whether the reported outperformance over source-blind baselines is reproducible and robust.

    Authors: We concur that these specifics are required for reproducibility. The full paper outlines the NLI-plus-alignment pipeline in Section 3 but omits exact model choice, alignment implementation, and split details. We will expand the experimental setup to specify the NLI model, the token-alignment procedure (including any hyperparameters), and confirm that the 40-trace held-out split was formed by random selection stratified to preserve source diversity from the 281-trace pool. These additions will be placed in the main text and appendix. revision: yes

  3. Referee: [Abstract] Abstract (361 held-out human-verified labels): inter-annotator agreement is not reported for the human verification of the 361 labels, which directly affects the soundness of the 2,325 LLM-assisted claim labels used to support the main metrics.

    Authors: This point is well taken. The 361 labels were verified by a single medical-domain expert because of the specialized knowledge required; consequently no inter-annotator agreement statistic was computed. We will revise the evaluation section to describe the single-expert verification protocol in full and explicitly list the lack of multi-annotator agreement as a limitation. This provides necessary context for interpreting the human-verified subset. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical evaluation on held-out traces

full rationale

The paper describes ProvenanceGuard as a system that consumes MCP traces, decomposes claims, routes them, and applies NLI checks, then reports direct evaluation metrics (block F1 0.802, source accuracy 0.858) on a 40-trace held-out split and 50 probes. No equations, fitted parameters, or derived predictions appear. No self-citations are invoked as load-bearing uniqueness theorems or ansatzes. The central claim that source attribution is an independent axis rests on measured performance differences versus baselines, which are independent outcomes rather than reductions to the system's own inputs by construction. The trace-fidelity assumption is an external validity concern, not a circularity in the derivation chain.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities; the approach relies on standard NLI and the existence of stable MCP trace metadata whose reliability is assumed but not derived.

pith-pipeline@v0.9.1-grok · 5891 in / 1086 out tokens · 34611 ms · 2026-06-27T00:25:01.267889+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

29 extracted references · 5 canonical work pages

  1. [1]

    We introduceProvenanceGuard, a calibrated source-aware Router+NLI verifier that decomposes answers into claims, preserves stable MCP tool IDs and source IDs from raw tool outputs, routes claims to source-specific evidence, and detects cross-source conflation

  2. [2]

    We report a frozen captured medical-domain agent benchmark built from 281 captured MCP-agent traces, a 266-trace claim subset with 2,325 LLM- assisted labels, and a 40-trace held-out packet with complete MCP tool outputs and human-expert- reviewed labels

  3. [3]

    We compareProvenanceGuardagainst MiniCheck, RAGAS Faithfulness, AlignScore, and SummaC-ZS on the same held-out claim packet, while separately evaluating RARR-style repair on full captured traces and targeted source-conflation probes. The central claim is limited to source-attribution factu- ality in MCP-grounded answers; we do not claim to solve open-doma...

  4. [4]

    evaluates whether LLM-generated citations point to the correct supporting passage, which is the closest existing task to source attribution. However, ALCE operates at the passage or chunk level within a single retrieved set, whereas MCP traces expose stable tool- level source IDs that require a routing step to identify which tool output is responsible for...

  5. [5]

    takes a generated passage, researches evidence, and revises unsupported claims while preserving the original style and structure. In our setting, RARR-style repair is evaluated after source-aware blocking: the verifier rejects an answer, repair attempts to produce a source-grounded revision or conservative fallback, and the same verifier rechecks the revi...

  6. [6]

    S. Min, K. Krishna, X. Lyu, M. Lewis, W.-t. Yih, P. W. Koh, M. Iyyer, L. Zettlemoyer, and H. Hajishirzi, inPro- ceedings of the 2023 Conference on Empirical Methods in 17 System Claims Block P Block R Block F1 Verdict acc. Verdict macro F1 ProvenanceGuard (ours) 361 0.673 0.993 0.802 0.812 0.406 MiniCheck 361 0.655 0.971 0.783 0.792 0.396 RAGAS Faithfulne...

  7. [7]

    L. Tang, P. Laban, and G. Durrett, inProceedings of the 2024 Conference on Empirical Methods in Natural Lan- guage Processing(Association for Computational Lin- guistics, Miami, Florida, USA, 2024) pp. 8818–8847

  8. [8]

    Laban, T

    P. Laban, T. Schnabel, P. N. Bennett, and M. A. Hearst, SummaC: Re-visiting nli-based models for inconsistency detection in summarization (2021), arXiv:2111.09525

  9. [9]

    Y. Zha, Y. Yang, R. Li, and Z. Hu, inProceedings of the 61st Annual Meeting of the Association for Compu- tational Linguistics(Association for Computational Lin- guistics, Toronto, Canada, 2023) pp. 11328–11348

  10. [10]

    Y. Song, Y. Kim, and M. Iyyer, inFindings of the Asso- ciation for Computational Linguistics: EMNLP(2024)

  11. [11]

    Goyal and G

    T. Goyal and G. Durrett, inFindings of the Association for Computational Linguistics: EMNLP 2020(2020)

  12. [12]

    Cattan, P

    A. Cattan, P. Roit, S. Zhang, D. Wan, R. Aharoni, I. Szpektor, M. Bansal, and I. Dagan, Transactions of the Association for Computational Linguistics (2026)

  13. [13]

    Harary, E

    S. Harary, E. Hirsch, A. Slobodkin, D. Wan, M. Bansal, and I. Dagan, PrefixNLI: Detecting factual inconsisten- cies as soon as they arise (2025), arXiv:2511.01359

  14. [14]

    S. Es, J. James, L. Espinosa-Anke, and S. Schockaert, inProceedings of the 18th Conference of the European Chapter of the Association for Computational Linguis- tics: System Demonstrations(Association for Computa- tional Linguistics, St. Julian’s, Malta, 2024) pp. 150–158

  15. [15]

    T. Gao, H. Yen, J. Yu, and D. Chen, inProceedings of the 2023 Conference on Empirical Methods in Natural Language Processing (EMNLP)(Association for Compu- tational Linguistics, Singapore, 2023) pp. 10355–10377

  16. [16]

    arXiv preprint arXiv:2212.08037 , year=

    B. Bohnet, V. Q. Tran, P. Verga, R. Aharoni, D. Andor, L. B. Soares, M. Ciaramita, J. Eisenstein, K. Ganchev, J. Herzig, K. Hui, T. Kwiatkowski, J. Ma, J. Ni, L. Sestorain Saralegui, T. Schuster, W. W. Cohen, M. Collins, D. Das, D. Metzler, S. Petrov, and K. Web- ster, Attributed question answering: Evaluation and modeling for attributed large language mo...

  17. [17]

    X. Yue, B. Wang, Z. Chen, K. Zhang, Y. Su, and H. Sun, inFindings of the Association for Computational Lin- guistics: EMNLP 2023(Association for Computational Linguistics, Singapore, 2023) pp. 4615–4635

  18. [18]

    Rashkin, V

    H. Rashkin, V. Nikolaev, M. Lamm, L. Aroyo, M. Collins, D. Das, S. Petrov, G. S. Tomar, I. Turc, and D. Reitter, Computational Linguistics49, 777 (2023)

  19. [19]

    Honovich, R

    O. Honovich, R. Aharoni, J. Herzig, H. Taitelbaum, D. Kukliansy, V. Cohen, T. Scialom, I. Szpektor, A. Has- sidim, and Y. Matias, inProceedings of the 2022 Confer- ence of the North American Chapter of the Association 18 for Computational Linguistics: Human Language Tech- nologies (NAACL)(Association for Computational Lin- guistics, Seattle, United States...

  20. [20]

    Hirsch, A

    E. Hirsch, A. Slobodkin, D. Wan, E. Stengel-Eskin, M. Bansal, and I. Dagan, inProceedings of the 63rd An- nual Meeting of the Association for Computational Lin- guistics(2025) pp. 15355–15370

  21. [21]

    D. Wan, E. Hirsch, E. Stengel-Eskin, I. Dagan, and M. Bansal, GenerationPrograms: Fine-grained attribu- tion with executable programs (2025), arXiv:2506.14580

  22. [22]

    J. Gao, J. Zhou, Q. Sun, R. Huang, and S. Yoo, Atomic information flow: A network flow model for tool attribu- tions in RAG systems (2026), arXiv:2602.04912

  23. [23]

    Zhang, Z

    Q. Zhang, Z. Xiang, Y. Xiao, L. Wang, J. Li, X. Wang, and J. Su, inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics(2025)

  24. [24]

    Filice, E

    S. Filice, E. Haramaty, G. Horowitz, Z. Karnin, L. Lewin- Eytan, and A. Shtoff, inProceedings of the 14th Interna- tional Joint Conference on Natural Language Processing and the 4th Conference of the Asia-Pacific Chapter of the Association for Computational Linguistics(2025) pp. 1017–1037

  25. [25]

    L. Gao, Z. Dai, P. Pasupat, A. Chen, A. T. Chaganty, Y. Fan, V. Y. Zhao, N. Lao, H. Lee, D.-C. Juan, and K. Guu, inProceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)(Association for Computational Linguis- tics, Toronto, Canada, 2023) pp. 16477–16508

  26. [26]

    P. Roit, J. Ferret, L. Shani, R. Aharoni, G. Cideron, R. Dadashi, M. Geist, S. Girgin, L. Hussenot, O. Keller, N. Momchev, S. Ramos Garea, P. Stanczyk, N. Vieillard, O. Bachem, G. Elidan, A. Hassidim, O. Pietquin, and I. Szpektor, inProceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)(Association ...

  27. [27]

    Kry´ sci´ nski, B

    W. Kry´ sci´ nski, B. McCann, C. Xiong, and R. Socher, in Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP)(Association for Computational Linguistics, 2020) pp. 9332–9346

  28. [28]

    I. Poey, J. Liu, and Q. Zhong, inProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing: Industry Track(2025) pp. 1057–1071

  29. [29]

    question_id

    ThoughtProof, Reasoning verification capability — veri- fying ai output correctness through MCP, MCP GitHub Discussion #2574 (2026). 19 Appendix A: Illustrative Escaped JSON Schema Fragments { "question_id": "clin-real-v2-shuf-003", "user_question": "Summarize beta blockers in heart failure with atrial fibrillation.", "category": "literature_review", "rou...