Complete below:
Even if the HMAC token is compromised on Agent B, Agent A dedupes results by tool_use_id: the first callback for a tool call is accepted and every subsequent one is ignored. A forged or replayed callback can therefore only race a result A already has, which significantly lowers the chance of compromising the workflow.
Complete below: