Large language models are increasingly used as orchestrators of external tools via the Model Context Protocol (MCP), but MCP is built for software services with megabytes of memory and does not descend to the microcontrollers that dominate the long tail of physical devices. Recent work (IoT-MCP) ports MCP to edge gateways at 74 KB peak memory; this still excludes the smallest commodity MCUs and, critically, does not address the safety problem of giving an unreliable caller (an LLM that may hallucinate or be prompt-injected) direct control of physical hardware. We present the Device Context Protocol (DCP): a sub-50-byte typical frame (6-byte header + CBOR payload + optional 16-byte HMAC), a manifest schema in which capability scoping, range and type checks, dry-run evaluation, and units-as-types are protocol-layer primitives, and a host-side Bridge that rejects malformed or hallucinated calls before any byte reaches the device. Reference firmware measures 27.6 KB flash / 0.6 KB RAM on ESP32; the Python Bridge, ESP32 firmware, and a language-neutral conformance suite are MIT-licensed and public. An empirical study -- 675 tool calls produced by five LLMs across four vendors (DeepSeek, Alibaba, Zhipu, MiniMax) against six categories of adversarial prompts, with the injection category instantiating AgentDojo's attack templates -- shows DCP rejects 100% of capability-escalation attempts and 78% of prompt-injection attempts, versus 0--1% for Raw MCP and IoT-MCP, matching the expressiveness of a well-formed OpenAPI 3 schema at three orders of magnitude less firmware footprint. We position DCP as the missing layer between MCP (which is moving toward enterprise SaaS connectivity) and the physical devices it does not reach.
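The abstract describes the Bridge as the component that checks an LLM's tool call against the device manifest (capability scope, type and range, units-as-types, dry-run) and only then emits a compact frame of 6-byte header, CBOR payload and optional 16-byte HMAC. The following is an added illustration, not the paper's Python Bridge or firmware: the manifest schema, the tool-call JSON shape, the 6-byte header layout (version, flags, device id, capability id, sequence) and the choice of HMAC-SHA256 truncated to 16 bytes are all assumptions made here, since the page states only the sizes.

```python
import hashlib
import hmac
import struct

# Constructed manifest (hypothetical schema, not DCP's real one): each capability
# declares its parameters with type, unit and range, which is what makes
# range checks and units-as-types enforceable before any byte leaves the host.
MANIFEST = {
    "device_id": 0x0102,
    "capabilities": {
        "set_fan_speed": {
            "id": 1,
            "params": {"speed": {"type": "int", "unit": "percent", "min": 0, "max": 100}},
        },
        "read_temperature": {"id": 2, "params": {}},
        "factory_reset": {"id": 3, "params": {}},
    },
}
# Scope granted to this LLM session (hypothetical): factory_reset exists on the
# device but is deliberately not granted, so a call to it is an escalation.
GRANTED = frozenset({"set_fan_speed", "read_temperature"})


class RejectedCall(ValueError):
    """Raised when a call must not reach the device."""


def validate_call(call, manifest=MANIFEST, granted=GRANTED):
    """Return (capability_id, validated_params) or raise RejectedCall."""
    name = call.get("tool")
    caps = manifest["capabilities"]
    if name not in caps:
        raise RejectedCall(f"unknown capability {name!r}")  # hallucinated tool
    if name not in granted:
        raise RejectedCall(f"{name!r} is outside the granted scope")  # escalation
    spec = caps[name]
    args = call.get("args") or {}
    if not isinstance(args, dict) or set(args) != set(spec["params"]):
        raise RejectedCall(f"parameter set mismatch for {name!r}")
    validated = {}
    for pname, pspec in spec["params"].items():
        arg = args[pname]
        # Units-as-types: a bare number carries no unit and is rejected outright.
        if not isinstance(arg, dict) or arg.get("unit") != pspec["unit"]:
            raise RejectedCall(f"{pname}: expected unit {pspec['unit']!r}")
        value = arg.get("value")
        if pspec["type"] == "int" and (isinstance(value, bool) or not isinstance(value, int)):
            raise RejectedCall(f"{pname}: expected int")
        if not pspec["min"] <= value <= pspec["max"]:
            raise RejectedCall(f"{pname}: {value} outside [{pspec['min']}, {pspec['max']}]")
        validated[pname] = value
    return spec["id"], validated


def rejection_reason(call):
    """Bridge-side logging helper: the reason a call was dropped, or None if it passes."""
    try:
        validate_call(call)
    except RejectedCall as exc:
        return str(exc)
    return None


def _cbor_head(major, n):
    """CBOR initial byte plus the shortest argument encoding (RFC 8949 section 3)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(obj):
    """Minimal CBOR encoder covering the value types the bridge emits."""
    if isinstance(obj, bool):
        return b"\xf5" if obj else b"\xf4"
    if isinstance(obj, int):
        return _cbor_head(0, obj) if obj >= 0 else _cbor_head(1, -1 - obj)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _cbor_head(3, len(data)) + data
    if isinstance(obj, bytes):
        return _cbor_head(2, len(obj)) + obj
    if isinstance(obj, list):
        return _cbor_head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _cbor_head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported CBOR type {type(obj).__name__}")


# Assumed 6-byte header layout (the page gives only the total size):
#   version(1) | flags(1) | device_id(2, big-endian) | capability_id(1) | seq(1)
FLAG_DRY_RUN = 0x01
FLAG_SIGNED = 0x02
TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed algorithm)


def build_frame(device_id, cap_id, params, seq, key=None, dry_run=False):
    flags = (FLAG_DRY_RUN if dry_run else 0) | (FLAG_SIGNED if key else 0)
    header = struct.pack(">BBHBB", 1, flags, device_id, cap_id, seq & 0xFF)
    frame = header + cbor_encode(params)
    if key:
        frame += hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame


def verify_frame(frame, key):
    """Device-side check: constant-time tag comparison before acting on the call."""
    if len(frame) < 6 + TAG_LEN or not frame[1] & FLAG_SIGNED:
        return False
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def bridge(call, key, seq, dry_run=False):
    """Validate first; only a call that passes every check is encoded and framed."""
    cap_id, params = validate_call(call)
    return build_frame(MANIFEST["device_id"], cap_id, params, seq, key=key, dry_run=dry_run)
```

With this layout a valid `set_fan_speed` call becomes a 31-byte frame (6-byte header, 9-byte CBOR map, 16-byte tag), which is the size class the abstract describes. The design choice worth noting is that every rejection happens in `validate_call`, on the host, with a logged reason; the device only ever has to verify a tag and decode a map whose contents were already checked, which is what keeps the firmware side small.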