feat(security): cross-tool injection correlation + AgentRFC protocol audit#2603
Merged
feat(security): cross-tool injection correlation + AgentRFC protocol audit#2603
Conversation
github-actions
bot
added
documentation
bug-ops
force-pushed
the
agentrfc-security-audit
branch
from
a5e858a to
ec3deef
Compare
…audit (#2480, #2509) - Add cross-tool injection correlation in MCP sanitizer: detect when a tool description references another tool by name. High severity when the source tool also has an injection pattern flagged; Info severity otherwise. Deduplication per (source, target) pair; short names (< 4 chars) excluded. - Add FlaggedParameter to ToolSecurityMeta: JSON pointer path + pattern name for precise forensic attribution of schema-level injection matches. - Apply trust-score penalty for High-severity cross-references in apply_injection_penalties. - Add SECURITY(layer-2) annotation in zeph-acp stdio transport documenting session binding limitation (AgentRFC layer 2 gap). - Add SECURITY(layer-6) annotation in zeph-a2a jsonrpc handler documenting audit completeness gap (AgentRFC layer 6 gap). - Add full 6-layer security audit document at .local/specs/security/. - 7 new tests (415 total in zeph-mcp; 7683 workspace-wide). Closes #2480, #2509
bug-ops
force-pushed
the
agentrfc-security-audit
branch
from
ec3deef to
fa8e78c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CrossRefSeverity::Highand incurs an additional trust-score penalty. Pure cross-references (no injection) areInfo-severity and logged atdebuglevel.FlaggedParameter { path, pattern_name }stored inToolSecurityMeta.flagged_parameters, enabling precise forensic attribution.SECURITY:gap annotations (research(security): AgentRFC — 6-layer agent protocol security model + conformance checker, 11 formalized principles (arXiv:2603.23801) #2509): two architectural gaps annotated inline — layer-6 audit log gap inhandlers.rsand layer-2 stdio session binding limitation instdio.rs. Full audit document at.local/specs/security/agentrfc-audit.md.Changed files
crates/zeph-mcp/src/sanitize.rs—detect_cross_tool_references,SchemaWalkCtx,name_referenced_in,MIN_CROSS_REF_NAME_LEN, 6 new testscrates/zeph-mcp/src/tool.rs—FlaggedParameterstruct added toToolSecurityMetacrates/zeph-mcp/src/manager.rs— High-severity cross-ref penalty loop inapply_injection_penalties; test fixtures updatedcrates/zeph-acp/src/transport/stdio.rs—SECURITY(layer-2)annotationcrates/zeph-a2a/src/server/handlers.rs—SECURITY(layer-6)annotationTest plan
cargo +nightly fmt --checkPASScargo clippy --workspace --features full -- -D warningsPASScargo nextest run --config-file .github/nextest.toml --workspace --features full --lib --bins— 7683/7683 PASSCloses
Closes #2480
Closes #2509