AI agents call verify_ledger_firmware to retrieve information from VaultPilot MCP without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
Even though verify_ledger_firmware only reads data, uncontrolled read access can leak sensitive information and rack up API costs: an agent caught in a retry loop can make thousands of calls a minute without anyone noticing.
Risk signals: Bulk/mass operation — affects multiple targets
READ-ONLY firmware-pinning check (issue #325 P3). Reads the connected Ledger's Secure Element firmware version, MCU bootloader version and device target_id via the dashboard-level getDeviceInfo APDU (CLA=0xE0 INS=0x01) and asserts them against a hardcoded canonical manifest covering Nano S Plus / Nano X / Stax / Flex. REQUIRES the device to be in DASHBOARD MODE (no app open). Ask the user to close every Ledger app (return to the dashboard / home menu) before calling.

Returns one of:
verified: firmware is in the known-good list.
warn: at or above the floor but not in the known-good list, most likely a fresh Ledger release the manifest has not been bumped for yet; surface to the user but proceed.
below-floor: firmware is below the supported floor; refuse signing until it is upgraded via Ledger Live Manager.
unknown-device: target_id doesn't match any known model (too new for this MCP / discontinued / counterfeit).
wrong-mode: an app is open; close apps and retry.
no-device: no Ledger over USB.
error: unexpected failure.

One USB round-trip; never throws, every failure is surfaced as a structured verdict for the agent to relay. It is categorised as a Read tool in the VaultPilot MCP server, which means it retrieves data without modifying state.
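The verdict logic described above, written out as an added example (this is not VaultPilot's code). The USB transport is replaced by constructed response bytes; the getDeviceInfo field layout, the target_id values, the manifest contents, the status words and the helper names (parse_device_info, classify, build_response) are all assumptions made for the example, so check them against Ledger's published documentation before relying on any of them.

```python
"""Firmware-pinning verdicts modelled on the verify_ledger_firmware description.
Added example, not VaultPilot's implementation; all constants are assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed target_id -> model mapping; verify against Ledger's published list.
KNOWN_MODELS = {
    0x33100004: "Nano S Plus",
    0x33000004: "Nano X",
    0x33200004: "Stax",
    0x33300004: "Flex",
}

# Constructed manifest: known-good SE versions plus the supported floor per model.
MANIFEST = {
    "Nano S Plus": {"known_good": {"1.1.1", "1.1.2"}, "floor": "1.1.0"},
    "Nano X":      {"known_good": {"2.2.4", "2.2.5"}, "floor": "2.1.0"},
    "Stax":        {"known_good": {"1.4.0", "1.5.0"}, "floor": "1.3.0"},
    "Flex":        {"known_good": {"1.1.0"},          "floor": "1.1.0"},
}

SW_OK = 0x9000  # ISO 7816 success status word


@dataclass
class Verdict:
    status: str                       # one of the seven verdict strings from the description
    model: Optional[str] = None
    se_version: Optional[str] = None
    mcu_version: Optional[str] = None
    detail: str = ""


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'1.1.2' -> (1, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_device_info(resp: bytes):
    """Parse an assumed layout: target_id(4) | len,se_ver | len,flags | len,mcu_ver | SW(2).
    Returns (status_word, info_dict_or_None)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw = int.from_bytes(resp[-2:], "big")
    body = resp[:-2]
    if sw != SW_OK:
        return sw, None                # not in dashboard mode (assumed meaning of a non-OK SW)
    target_id = int.from_bytes(body[:4], "big")
    off, fields = 4, []
    for _ in range(3):                 # three length-prefixed fields: SE version, flags, MCU version
        n = body[off]
        off += 1
        fields.append(body[off:off + n])
        off += n
    se, _flags, mcu = fields
    return sw, {"target_id": target_id, "se": se.decode(), "mcu": mcu.decode()}


def classify(resp: Optional[bytes]) -> Verdict:
    """Map a raw response (or None for no device) to a structured verdict. Never raises."""
    if resp is None:
        return Verdict("no-device")
    try:
        sw, info = parse_device_info(resp)
        if info is None:
            return Verdict("wrong-mode", detail=f"SW={sw:04x}; close the open app and retry")
        model = KNOWN_MODELS.get(info["target_id"])
        if model is None:
            return Verdict("unknown-device", detail=f"target_id={info['target_id']:08x}")
        entry = MANIFEST[model]
        se = info["se"]
        if se in entry["known_good"]:
            status = "verified"
        elif _version_tuple(se) >= _version_tuple(entry["floor"]):
            status = "warn"            # newer than the manifest knows; surface, but proceed
        else:
            status = "below-floor"     # refuse signing until upgraded
        return Verdict(status, model, se, info["mcu"])
    except Exception as exc:           # malformed bytes, bad version string, etc.
        return Verdict("error", detail=repr(exc))


def build_response(target_id: int, se: str, mcu: str, sw: int = SW_OK) -> bytes:
    """Construct a response in the assumed layout (test helper, empty flags field)."""
    se_b, mcu_b = se.encode(), mcu.encode()
    body = (target_id.to_bytes(4, "big") + bytes([len(se_b)]) + se_b
            + b"\x00" + bytes([len(mcu_b)]) + mcu_b)
    return body + sw.to_bytes(2, "big")


if __name__ == "__main__":
    for sample in (None, build_response(0x33100004, "1.1.1", "1.12"),
                   build_response(0x33100004, "1.1.3", "1.12"),
                   build_response(0x33100004, "1.0.9", "1.12"),
                   build_response(0x33100004, "1.1.1", "1.12", sw=0x6E00)):
        print(classify(sample))
```

Because classify wraps everything in one try/except, an agent always receives a verdict object it can relay; the detail field carries the diagnostic rather than a stack trace.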
Register the VaultPilot MCP server in PolicyLayer and add a rule for verify_ledger_firmware: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches VaultPilot MCP. Nothing to install.
verify_ledger_firmware is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the verify_ledger_firmware rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for verify_ledger_firmware. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
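To make the rule semantics concrete, here is an added example that models what the three passages above describe: an allow/deny/rate-limit rule per tool, a deny rule that returns its reason, and a per-session sliding window that resets on its own. It is not PolicyLayer's implementation; the rule keys (action, reason, rate_limit with max and window) follow the wording above, but the PolicyProxy class, the injectable clock and the default-allow for tools with no rule are assumptions made for this example.

```python
"""Model of per-tool policy enforcement with per-session rate limits.
Added example, not PolicyLayer's code; rule shape follows the page's wording."""
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional, Tuple

# Constructed policy: the verify_ledger_firmware rule limits to 10 calls per 60 s,
# and a second (hypothetical) tool is blocked outright with a reason.
POLICY = {
    "verify_ledger_firmware": {"action": "rate_limit",
                               "rate_limit": {"max": 10, "window": 60}},
    "example_blocked_tool": {"action": "deny",
                             "reason": "blocked by policy: not approved for agents"},
}


class PolicyProxy:
    """Sits in front of the MCP server and decides each call before it is forwarded."""

    def __init__(self, policy: Dict[str, dict], clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock                       # injectable so tests can move time forward
        self.calls: Dict[Tuple[str, str], deque] = defaultdict(deque)  # (session, tool) -> timestamps

    def check(self, session: str, tool: str) -> Tuple[str, Optional[str]]:
        """Return ('allow', None) or ('deny', reason) for one call."""
        rule = self.policy.get(tool)
        if rule is None:
            return ("allow", None)               # assumed default for unlisted tools
        action = rule.get("action", "allow")
        if action == "deny":
            return ("deny", rule.get("reason", "policy violation"))
        if action == "rate_limit":
            limit = rule["rate_limit"]
            now = self.clock()
            window = self.calls[(session, tool)]
            # Drop timestamps that have aged out; this is the automatic reset.
            while window and now - window[0] >= limit["window"]:
                window.popleft()
            if len(window) >= limit["max"]:
                return ("deny", f"rate limit exceeded: {limit['max']} calls per {limit['window']}s")
            window.append(now)
            return ("allow", None)
        return ("allow", None)


if __name__ == "__main__":
    proxy = PolicyProxy(POLICY)
    for i in range(12):                          # the 11th and 12th calls are denied
        print(i + 1, proxy.check("session-A", "verify_ledger_firmware"))
    print(proxy.check("session-A", "example_blocked_tool"))
```

The window is keyed on (session, tool), so a second agent session gets its own budget, which is what "tracked per agent session" implies; a retry loop in one session therefore burns only that session's ten calls per minute and the proxy answers the rest with a deny instead of forwarding them.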
verify_ledger_firmware is provided by the VaultPilot MCP server (vaultpilot-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.