- Improvement
- Resolution: Inactive
- Minor
- None
- 2.2.5, 2.3.2
- None
- MOODLE_22_STABLE, MOODLE_23_STABLE
Looking at the LTI implementation from a tool provider standpoint, I have some suggestions for the tool_consumer_instance_guid value in the LTI consumer code.
Currently the tool_consumer_instance_guid is set to be the host domain of the Moodle system that sends the request to the tool provider. Generally this would be OK, but there are some use cases where this is not unique enough. For instance, say an institution migrates their LMS each year, starting from a new install but reusing the same URL. In that case two different Moodle installs would be identified using the same tool_consumer_instance_guid.
The tool_consumer_instance_guid value could be made more unique by using the mdl_config value for 'siteidentifier'.
If the instance guid were unique in this way, a tool provider could know that the requests are coming from two different systems. The reason I say this is that the user_id and context_id values are database keys and are likely to collide in the two systems in the scenario I described above. Differentiating by looking at the oauth_consumer_key would not be enough, as that too would likely be the same value as previous placements. By supplying a unique tool_consumer_instance_guid value, the provider could act appropriately because they know the values are describing separate placements.
- will be (partly) resolved by
  - MDL-67612 tool_consumer_instance_guid specific to moodle installation
  - Closed
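The collision described in this issue, seen from the tool provider's side, as an added example (not code from Moodle or from the reporter). The `ToolProvider` class, the `site_guid` construction and all sample values are assumptions made for illustration.

```python
import hashlib


def host_guid(host, siteidentifier):
    """Behaviour described in the issue: the GUID is just the host domain."""
    return host


def site_guid(host, siteidentifier):
    """Hypothetical alternative: mix in a digest of the install's siteidentifier."""
    digest = hashlib.sha256(siteidentifier.encode()).hexdigest()[:16]
    return f"{digest}.{host}"


class ToolProvider:
    """Minimal provider that maps each LTI launch to a local account."""

    def __init__(self):
        self.accounts = {}  # (consumer_key, guid, user_id) -> local account id

    def launch(self, params):
        key = (params["oauth_consumer_key"],
               params["tool_consumer_instance_guid"],
               params["user_id"])
        # Unknown identity: create a new local account; known identity: reuse it.
        return self.accounts.setdefault(key, len(self.accounts) + 1)


def simulate(make_guid):
    """Launch user_id 5 from the old install, then from the reinstalled site."""
    # Constructed sample data: same URL and consumer key, fresh database each year.
    installs = [("lms.example.edu", "siteid-2012-constructed"),
                ("lms.example.edu", "siteid-2013-constructed")]
    provider = ToolProvider()
    results = []
    for host, siteid in installs:
        params = {"oauth_consumer_key": "institution-key",
                  "tool_consumer_instance_guid": make_guid(host, siteid),
                  "user_id": "5",      # database key, restarts after a reinstall
                  "context_id": "2"}
        results.append(provider.launch(params))
    return results


if __name__ == "__main__":
    print("host-only guid:    ", simulate(host_guid))
    print("site-specific guid:", simulate(site_guid))
```

With the host-only GUID both launches resolve to the same local account, so a different person on the new install inherits the earlier user's data; with the site-specific GUID the provider sees two separate identities.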