PyPI - agent_os_kernel - Versions diffs - 3.1.0__py3-none-any.whl - Mend

agent_os_kernel 3.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

agent_control_plane/__init__.py +662 -0
agent_control_plane/a2a_adapter.py +543 -0
agent_control_plane/adapter.py +417 -0
agent_control_plane/agent_hibernation.py +394 -0
agent_control_plane/agent_kernel.py +470 -0
agent_control_plane/compliance.py +720 -0
agent_control_plane/constraint_graphs.py +478 -0
agent_control_plane/control_plane.py +854 -0
agent_control_plane/example_executors.py +195 -0
agent_control_plane/execution_engine.py +231 -0
agent_control_plane/flight_recorder.py +846 -0
agent_control_plane/governance_layer.py +435 -0
agent_control_plane/hf_utils.py +563 -0
agent_control_plane/interfaces/__init__.py +55 -0
agent_control_plane/interfaces/kernel_interface.py +361 -0
agent_control_plane/interfaces/plugin_interface.py +497 -0
agent_control_plane/interfaces/protocol_interfaces.py +387 -0
agent_control_plane/kernel_space.py +1009 -0
agent_control_plane/langchain_adapter.py +424 -0
agent_control_plane/lifecycle.py +3113 -0
agent_control_plane/mcp_adapter.py +653 -0
agent_control_plane/ml_safety.py +563 -0
agent_control_plane/multimodal.py +727 -0
agent_control_plane/mute_agent.py +422 -0
agent_control_plane/observability.py +787 -0
agent_control_plane/orchestrator.py +482 -0
agent_control_plane/plugin_registry.py +750 -0
agent_control_plane/policy_engine.py +954 -0
agent_control_plane/process_isolation.py +777 -0
agent_control_plane/shadow_mode.py +310 -0
agent_control_plane/signals.py +493 -0
agent_control_plane/supervisor_agents.py +430 -0
agent_control_plane/time_travel_debugger.py +557 -0
agent_control_plane/tool_registry.py +452 -0
agent_control_plane/vfs.py +697 -0
agent_kernel/__init__.py +69 -0
agent_kernel/analyzer.py +435 -0
agent_kernel/auditor.py +36 -0
agent_kernel/completeness_auditor.py +237 -0
agent_kernel/detector.py +203 -0
agent_kernel/kernel.py +744 -0
agent_kernel/memory_manager.py +85 -0
agent_kernel/models.py +374 -0
agent_kernel/nudge_mechanism.py +263 -0
agent_kernel/outcome_analyzer.py +338 -0
agent_kernel/patcher.py +582 -0
agent_kernel/semantic_analyzer.py +316 -0
agent_kernel/semantic_purge.py +349 -0
agent_kernel/simulator.py +449 -0
agent_kernel/teacher.py +85 -0
agent_kernel/triage.py +152 -0
agent_os/__init__.py +409 -0
agent_os/_adversarial_impl.py +200 -0
agent_os/_circuit_breaker_impl.py +232 -0
agent_os/_mcp_metrics.py +193 -0
agent_os/adversarial.py +20 -0
agent_os/agents_compat.py +490 -0
agent_os/audit_logger.py +135 -0
agent_os/base_agent.py +651 -0
agent_os/circuit_breaker.py +34 -0
agent_os/cli/__init__.py +659 -0
agent_os/cli/cmd_audit.py +128 -0
agent_os/cli/cmd_init.py +152 -0
agent_os/cli/cmd_policy.py +41 -0
agent_os/cli/cmd_policy_gen.py +180 -0
agent_os/cli/cmd_validate.py +258 -0
agent_os/cli/mcp_scan.py +265 -0
agent_os/cli/output.py +192 -0
agent_os/cli/policy_checker.py +330 -0
agent_os/compat.py +74 -0
agent_os/constraint_graph.py +234 -0
agent_os/content_governance.py +140 -0
agent_os/context_budget.py +305 -0
agent_os/credential_redactor.py +224 -0
agent_os/diff_policy.py +89 -0
agent_os/egress_policy.py +159 -0
agent_os/escalation.py +276 -0
agent_os/event_bus.py +124 -0
agent_os/exceptions.py +180 -0
agent_os/execution_context_policy.py +141 -0
agent_os/github_enterprise.py +96 -0
agent_os/health.py +20 -0
agent_os/integrations/__init__.py +279 -0
agent_os/integrations/a2a_adapter.py +279 -0
agent_os/integrations/agent_lightning/__init__.py +30 -0
agent_os/integrations/anthropic_adapter.py +420 -0
agent_os/integrations/autogen_adapter.py +620 -0
agent_os/integrations/base.py +1137 -0
agent_os/integrations/compat.py +229 -0
agent_os/integrations/config.py +98 -0
agent_os/integrations/conversation_guardian.py +957 -0
agent_os/integrations/crewai_adapter.py +467 -0
agent_os/integrations/drift_detector.py +425 -0
agent_os/integrations/dry_run.py +124 -0
agent_os/integrations/escalation.py +582 -0
agent_os/integrations/gemini_adapter.py +364 -0
agent_os/integrations/google_adk_adapter.py +633 -0
agent_os/integrations/guardrails_adapter.py +394 -0
agent_os/integrations/health.py +197 -0
agent_os/integrations/langchain_adapter.py +654 -0
agent_os/integrations/llamafirewall.py +343 -0
agent_os/integrations/llamaindex_adapter.py +188 -0
agent_os/integrations/logging.py +191 -0
agent_os/integrations/maf_adapter.py +631 -0
agent_os/integrations/mistral_adapter.py +365 -0
agent_os/integrations/openai_adapter.py +816 -0
agent_os/integrations/openai_agents_sdk.py +406 -0
agent_os/integrations/policy_compose.py +171 -0
agent_os/integrations/profiling.py +144 -0
agent_os/integrations/pydantic_ai_adapter.py +420 -0
agent_os/integrations/rate_limiter.py +130 -0
agent_os/integrations/rbac.py +143 -0
agent_os/integrations/registry.py +113 -0
agent_os/integrations/scope_guard.py +303 -0
agent_os/integrations/semantic_kernel_adapter.py +769 -0
agent_os/integrations/smolagents_adapter.py +629 -0
agent_os/integrations/templates.py +178 -0
agent_os/integrations/token_budget.py +134 -0
agent_os/integrations/tool_aliases.py +190 -0
agent_os/integrations/webhooks.py +177 -0
agent_os/lite.py +208 -0
agent_os/mcp_gateway.py +385 -0
agent_os/mcp_message_signer.py +273 -0
agent_os/mcp_protocols.py +161 -0
agent_os/mcp_response_scanner.py +232 -0
agent_os/mcp_security.py +924 -0
agent_os/mcp_session_auth.py +231 -0
agent_os/mcp_sliding_rate_limiter.py +184 -0
agent_os/memory_guard.py +409 -0
agent_os/metrics.py +134 -0
agent_os/mute.py +428 -0
agent_os/mute_agent.py +209 -0
agent_os/policies/__init__.py +77 -0
agent_os/policies/async_evaluator.py +275 -0
agent_os/policies/backends.py +670 -0
agent_os/policies/bridge.py +169 -0
agent_os/policies/budget.py +85 -0
agent_os/policies/cli.py +294 -0
agent_os/policies/conflict_resolution.py +270 -0
agent_os/policies/data_classification.py +252 -0
agent_os/policies/evaluator.py +239 -0
agent_os/policies/policy_schema.json +228 -0
agent_os/policies/rate_limiting.py +145 -0
agent_os/policies/schema.py +115 -0
agent_os/policies/shared.py +331 -0
agent_os/prompt_injection.py +694 -0
agent_os/providers.py +182 -0
agent_os/py.typed +0 -0
agent_os/retry.py +81 -0
agent_os/reversibility.py +251 -0
agent_os/sandbox.py +432 -0
agent_os/sandbox_provider.py +140 -0
agent_os/secure_codegen.py +525 -0
agent_os/security_skills.py +538 -0
agent_os/semantic_policy.py +422 -0
agent_os/server/__init__.py +15 -0
agent_os/server/__main__.py +25 -0
agent_os/server/app.py +277 -0
agent_os/server/models.py +104 -0
agent_os/shift_left_metrics.py +130 -0
agent_os/stateless.py +742 -0
agent_os/supervisor.py +148 -0
agent_os/task_outcome.py +148 -0
agent_os/transparency.py +181 -0
agent_os/trust_root.py +128 -0
agent_os_kernel-3.1.0.dist-info/METADATA +1269 -0
agent_os_kernel-3.1.0.dist-info/RECORD +337 -0
agent_os_kernel-3.1.0.dist-info/WHEEL +4 -0
agent_os_kernel-3.1.0.dist-info/entry_points.txt +2 -0
agent_os_kernel-3.1.0.dist-info/licenses/LICENSE +21 -0
agent_os_observability/__init__.py +27 -0
agent_os_observability/dashboards.py +898 -0
agent_os_observability/metrics.py +398 -0
agent_os_observability/server.py +223 -0
agent_os_observability/tracer.py +232 -0
agent_primitives/__init__.py +24 -0
agent_primitives/failures.py +84 -0
agent_primitives/py.typed +0 -0
amb_core/__init__.py +177 -0
amb_core/adapters/__init__.py +57 -0
amb_core/adapters/aws_sqs_broker.py +376 -0
amb_core/adapters/azure_servicebus_broker.py +340 -0
amb_core/adapters/kafka_broker.py +260 -0
amb_core/adapters/nats_broker.py +285 -0
amb_core/adapters/rabbitmq_broker.py +235 -0
amb_core/adapters/redis_broker.py +262 -0
amb_core/broker.py +145 -0
amb_core/bus.py +481 -0
amb_core/cloudevents.py +509 -0
amb_core/dlq.py +345 -0
amb_core/hf_utils.py +536 -0
amb_core/memory_broker.py +410 -0
amb_core/models.py +141 -0
amb_core/persistence.py +529 -0
amb_core/schema.py +294 -0
amb_core/tracing.py +358 -0
atr/__init__.py +640 -0
atr/access.py +348 -0
atr/composition.py +645 -0
atr/decorator.py +357 -0
atr/executor.py +384 -0
atr/health.py +557 -0
atr/hf_utils.py +449 -0
atr/injection.py +422 -0
atr/metrics.py +440 -0
atr/policies.py +403 -0
atr/py.typed +2 -0
atr/registry.py +452 -0
atr/schema.py +480 -0
atr/tools/safe/__init__.py +75 -0
atr/tools/safe/calculator.py +467 -0
atr/tools/safe/datetime_tool.py +443 -0
atr/tools/safe/file_reader.py +402 -0
atr/tools/safe/http_client.py +316 -0
atr/tools/safe/json_parser.py +374 -0
atr/tools/safe/text_tool.py +537 -0
atr/tools/safe/toolkit.py +175 -0
caas/__init__.py +162 -0
caas/api/__init__.py +7 -0
caas/api/server.py +1328 -0
caas/caching.py +834 -0
caas/cli.py +210 -0
caas/conversation.py +223 -0
caas/decay.py +72 -0
caas/detection/__init__.py +9 -0
caas/detection/detector.py +238 -0
caas/enrichment.py +130 -0
caas/gateway/__init__.py +27 -0
caas/gateway/trust_gateway.py +474 -0
caas/hf_utils.py +479 -0
caas/ingestion/__init__.py +23 -0
caas/ingestion/processors.py +253 -0
caas/ingestion/structure_parser.py +188 -0
caas/models.py +356 -0
caas/pragmatic_truth.py +444 -0
caas/routing/__init__.py +10 -0
caas/routing/heuristic_router.py +58 -0
caas/storage/__init__.py +9 -0
caas/storage/store.py +389 -0
caas/triad.py +213 -0
caas/tuning/__init__.py +9 -0
caas/tuning/tuner.py +329 -0
caas/vfs/__init__.py +14 -0
caas/vfs/filesystem.py +452 -0
cmvk/__init__.py +218 -0
cmvk/audit.py +402 -0
cmvk/benchmarks.py +478 -0
cmvk/constitutional.py +904 -0
cmvk/hf_utils.py +301 -0
cmvk/metrics.py +473 -0
cmvk/profiles.py +300 -0
cmvk/py.typed +0 -0
cmvk/types.py +12 -0
cmvk/verification.py +956 -0
emk/__init__.py +89 -0
emk/causal.py +352 -0
emk/hf_utils.py +421 -0
emk/indexer.py +83 -0
emk/py.typed +0 -0
emk/schema.py +204 -0
emk/sleep_cycle.py +347 -0
emk/store.py +281 -0
iatp/__init__.py +166 -0
iatp/attestation.py +461 -0
iatp/cli.py +317 -0
iatp/hf_utils.py +472 -0
iatp/ipc_pipes.py +580 -0
iatp/main.py +412 -0
iatp/models/__init__.py +447 -0
iatp/policy_engine.py +337 -0
iatp/py.typed +2 -0
iatp/recovery.py +321 -0
iatp/security/__init__.py +270 -0
iatp/sidecar/__init__.py +519 -0
iatp/telemetry/__init__.py +164 -0
iatp/tests/__init__.py +1 -0
iatp/tests/test_attestation.py +370 -0
iatp/tests/test_cli.py +131 -0
iatp/tests/test_ed25519_attestation.py +211 -0
iatp/tests/test_models.py +130 -0
iatp/tests/test_policy_engine.py +347 -0
iatp/tests/test_recovery.py +281 -0
iatp/tests/test_security.py +222 -0
iatp/tests/test_sidecar.py +167 -0
iatp/tests/test_telemetry.py +175 -0
mcp_kernel_server/__init__.py +28 -0
mcp_kernel_server/cli.py +274 -0
mcp_kernel_server/resources.py +217 -0
mcp_kernel_server/server.py +564 -0
mcp_kernel_server/tools.py +1174 -0
mute_agent/__init__.py +68 -0
mute_agent/core/__init__.py +1 -0
mute_agent/core/execution_agent.py +166 -0
mute_agent/core/handshake_protocol.py +201 -0
mute_agent/core/reasoning_agent.py +238 -0
mute_agent/knowledge_graph/__init__.py +1 -0
mute_agent/knowledge_graph/graph_elements.py +65 -0
mute_agent/knowledge_graph/multidimensional_graph.py +170 -0
mute_agent/knowledge_graph/subgraph.py +224 -0
mute_agent/listener/__init__.py +43 -0
mute_agent/listener/adapters/__init__.py +31 -0
mute_agent/listener/adapters/base_adapter.py +189 -0
mute_agent/listener/adapters/caas_adapter.py +344 -0
mute_agent/listener/adapters/control_plane_adapter.py +436 -0
mute_agent/listener/adapters/iatp_adapter.py +332 -0
mute_agent/listener/adapters/scak_adapter.py +251 -0
mute_agent/listener/listener.py +610 -0
mute_agent/listener/state_observer.py +436 -0
mute_agent/listener/threshold_config.py +313 -0
mute_agent/super_system/__init__.py +1 -0
mute_agent/super_system/router.py +204 -0
mute_agent/visualization/__init__.py +10 -0
mute_agent/visualization/graph_debugger.py +502 -0
nexus/README.md +60 -0
nexus/__init__.py +51 -0
nexus/arbiter.py +359 -0
nexus/client.py +466 -0
nexus/dmz.py +444 -0
nexus/escrow.py +430 -0
nexus/exceptions.py +286 -0
nexus/pyproject.toml +36 -0
nexus/registry.py +393 -0
nexus/reputation.py +425 -0
nexus/schemas/__init__.py +51 -0
nexus/schemas/compliance.py +276 -0
nexus/schemas/escrow.py +251 -0
nexus/schemas/manifest.py +225 -0
nexus/schemas/receipt.py +208 -0
nexus/tests/__init__.py +0 -0
nexus/tests/conftest.py +146 -0
nexus/tests/test_arbiter.py +192 -0
nexus/tests/test_dmz.py +194 -0
nexus/tests/test_escrow.py +276 -0
nexus/tests/test_exceptions.py +225 -0
nexus/tests/test_registry.py +232 -0
nexus/tests/test_reputation.py +328 -0
nexus/tests/test_schemas.py +295 -0

agent_os/mcp_security.py ADDED Viewed

@@ -0,0 +1,924 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+"""MCP Security — defense against tool poisoning, rug pulls, and protocol attacks.
+Screens MCP tool definitions for adversarial manipulation where attackers
+embed hidden instructions in tool descriptions/metadata that are invisible
+to users but executed by LLMs.
+Public Preview protections:
+    - **Tool poisoning detection**: Catches hidden instructions, invisible
+      unicode, markdown/HTML comments, and encoded payloads in tool
+      descriptions.
+    - **Description injection**: Detects prompt injection patterns
+      embedded within MCP tool metadata.
+    - **Schema abuse**: Flags overly permissive schemas, hidden required
+      fields, and instruction-bearing default values.
+    - **Rug pull detection**: Fingerprints registered tools and alerts
+      when descriptions or schemas change silently between sessions.
+    - **Cross-server attacks**: Detects tool impersonation and
+      typosquatting across MCP server boundaries.
+    - **Audit trail**: Logs every scan with timestamp and tool identity
+      for forensic review.
+Architecture:
+    MCPSecurityScanner
+        ├─ scan_tool()       — scan a single tool definition
+        ├─ scan_server()     — batch-scan all tools from a server
+        ├─ register_tool()   — fingerprint a tool for rug-pull detection
+        ├─ check_rug_pull()  — compare current definition to fingerprint
+        └─ audit_log         — inspection trail
+"""
+from __future__ import annotations
+import base64
+import hashlib
+import json
+import logging
+import os
+import re
+import time
+import warnings
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from enum import Enum
+from typing import Any, Callable
+from agent_os._mcp_metrics import MCPMetrics, MCPMetricsRecorder
+from agent_os.mcp_protocols import InMemoryAuditSink, MCPAuditSink
+from agent_os.prompt_injection import PromptInjectionDetector
+logger = logging.getLogger(__name__)
+_SAMPLE_DISCLAIMER = (
+    "\u26a0\ufe0f  These are SAMPLE MCP security rules provided as a starting point. "
+    "You MUST review, customise, and extend them for your specific use case "
+    "before deploying to production."
+)
+# ---------------------------------------------------------------------------
+# Data models
+# ---------------------------------------------------------------------------
+class MCPThreatType(Enum):
+    """Classification of an MCP-layer threat."""
+    TOOL_POISONING = "tool_poisoning"
+    RUG_PULL = "rug_pull"
+    CROSS_SERVER_ATTACK = "cross_server_attack"
+    CONFUSED_DEPUTY = "confused_deputy"
+    HIDDEN_INSTRUCTION = "hidden_instruction"
+    DESCRIPTION_INJECTION = "description_injection"
+class MCPSeverity(Enum):
+    """Severity of an MCP threat."""
+    INFO = "info"
+    WARNING = "warning"
+    CRITICAL = "critical"
+@dataclass
+class MCPThreat:
+    """A single threat finding from an MCP tool scan."""
+    threat_type: MCPThreatType
+    severity: MCPSeverity
+    tool_name: str
+    server_name: str
+    message: str
+    matched_pattern: str | None = None
+    details: dict[str, Any] = field(default_factory=dict)
+@dataclass
+class ToolFingerprint:
+    """Cryptographic fingerprint of a tool definition."""
+    tool_name: str
+    server_name: str
+    description_hash: str
+    schema_hash: str
+    first_seen: float
+    last_seen: float
+    version: int
+@dataclass
+class ScanResult:
+    """Aggregate outcome of scanning one or more tools."""
+    safe: bool
+    threats: list[MCPThreat]
+    tools_scanned: int
+    tools_flagged: int
+# ---------------------------------------------------------------------------
+# Detection patterns (compiled at import time, following memory_guard.py style)
+# ---------------------------------------------------------------------------
+# Invisible unicode characters used to hide instructions
+_INVISIBLE_UNICODE_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"[\u200b\u200c\u200d\ufeff]"),  # zero-width spaces/joiners/BOM
+    re.compile(r"[\u202a-\u202e]"),  # bidi embedding/override
+    re.compile(r"[\u2066-\u2069]"),  # bidi isolates
+    re.compile(r"[\u00ad]"),  # soft hyphen
+    re.compile(r"[\u2060\u180e]"),  # word joiner, mongolian vowel separator
+]
+# Markdown/HTML comments that hide text from users
+_HIDDEN_COMMENT_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"<!--.*?-->", re.DOTALL),  # HTML comments
+    re.compile(r"\[//\]:\s*#\s*\(.*?\)", re.DOTALL),  # Markdown reference comments
+    re.compile(r"\[comment\]:\s*<>\s*\(.*?\)", re.DOTALL),  # alternative MD comment
+]
+# Instruction-like patterns hidden in descriptions
+_HIDDEN_INSTRUCTION_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"ignore\s+(all\s+)?previous", re.IGNORECASE),
+    re.compile(r"override\s+(the\s+)?(previous|above|original)", re.IGNORECASE),
+    re.compile(r"instead\s+of\s+(the\s+)?(above|previous|described)", re.IGNORECASE),
+    re.compile(r"actually\s+do", re.IGNORECASE),
+    re.compile(r"\bsystem\s*:", re.IGNORECASE),
+    re.compile(r"\bassistant\s*:", re.IGNORECASE),
+    re.compile(r"do\s+not\s+follow", re.IGNORECASE),
+    re.compile(r"disregard\s+(all\s+)?(above|prior|previous)", re.IGNORECASE),
+]
+# Encoded payload patterns
+_ENCODED_PAYLOAD_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),  # long base64 strings
+    re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),  # hex sequences
+]
+# Data exfiltration patterns
+_EXFILTRATION_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"\bcurl\b", re.IGNORECASE),
+    re.compile(r"\bwget\b", re.IGNORECASE),
+    re.compile(r"\bfetch\s*\(", re.IGNORECASE),
+    re.compile(r"https?://", re.IGNORECASE),
+    re.compile(r"\bsend\s+email\b", re.IGNORECASE),
+    re.compile(r"\bsend\s+to\b", re.IGNORECASE),
+    re.compile(r"\bpost\s+to\b", re.IGNORECASE),
+    re.compile(r"include\s+the\s+contents?\s+of\b", re.IGNORECASE),
+]
+# Privilege escalation in descriptions
+_PRIVILEGE_ESCALATION_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"\bsudo\b", re.IGNORECASE),
+    re.compile(r"\badmin\s+access\b", re.IGNORECASE),
+    re.compile(r"\broot\s+access\b", re.IGNORECASE),
+    re.compile(r"\belevate\s+privile", re.IGNORECASE),
+    re.compile(r"\bexec\s*\(", re.IGNORECASE),
+    re.compile(r"\beval\s*\(", re.IGNORECASE),
+]
+# Role override patterns
+_ROLE_OVERRIDE_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"you\s+are\b", re.IGNORECASE),
+    re.compile(r"your\s+task\s+is\b", re.IGNORECASE),
+    re.compile(r"respond\s+with\b", re.IGNORECASE),
+    re.compile(r"always\s+return\b", re.IGNORECASE),
+    re.compile(r"you\s+must\b", re.IGNORECASE),
+    re.compile(r"your\s+role\s+is\b", re.IGNORECASE),
+]
+# Content after excessive whitespace (hidden instructions at the end)
+_EXCESSIVE_WHITESPACE_PATTERN: re.Pattern[str] = re.compile(r"\n{5,}.+", re.DOTALL)
+# Suspicious keywords in decoded base64
+_SUSPICIOUS_DECODED_KEYWORDS: list[str] = [
+    "ignore",
+    "override",
+    "system",
+    "password",
+    "secret",
+    "admin",
+    "root",
+    "exec",
+    "eval",
+    "import os",
+    "send",
+    "curl",
+    "fetch",
+]
+# ---------------------------------------------------------------------------
+# Externalised configuration dataclass
+# ---------------------------------------------------------------------------
+@dataclass
+class MCPSecurityConfig:
+    """Structured configuration for MCP security scanning, loadable from YAML.
+    Attributes:
+        invisible_unicode_patterns: Regex strings for invisible unicode detection.
+        hidden_comment_patterns: Regex strings for hidden comments.
+        hidden_instruction_patterns: Regex strings for instruction-like text.
+        encoded_payload_patterns: Regex strings for encoded payloads.
+        exfiltration_patterns: Regex strings for data exfiltration.
+        privilege_escalation_patterns: Regex strings for privilege escalation.
+        role_override_patterns: Regex strings for role overrides.
+        excessive_whitespace_pattern: Regex string for excessive whitespace.
+        suspicious_decoded_keywords: Keywords to check in decoded payloads.
+        disclaimer: Disclaimer text shown in logs.
+    """
+    invisible_unicode_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _INVISIBLE_UNICODE_PATTERNS]
+    )
+    hidden_comment_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _HIDDEN_COMMENT_PATTERNS]
+    )
+    hidden_instruction_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _HIDDEN_INSTRUCTION_PATTERNS]
+    )
+    encoded_payload_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _ENCODED_PAYLOAD_PATTERNS]
+    )
+    exfiltration_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _EXFILTRATION_PATTERNS]
+    )
+    privilege_escalation_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _PRIVILEGE_ESCALATION_PATTERNS]
+    )
+    role_override_patterns: list[str] = field(
+        default_factory=lambda: [p.pattern for p in _ROLE_OVERRIDE_PATTERNS]
+    )
+    excessive_whitespace_pattern: str = field(
+        default_factory=lambda: _EXCESSIVE_WHITESPACE_PATTERN.pattern
+    )
+    suspicious_decoded_keywords: list[str] = field(
+        default_factory=lambda: list(_SUSPICIOUS_DECODED_KEYWORDS)
+    )
+    disclaimer: str = ""
+def load_mcp_security_config(path: str) -> MCPSecurityConfig:
+    """Load MCP security configuration from a YAML file.
+    Args:
+        path: Path to a YAML file with a ``detection_patterns`` section.
+    Returns:
+        MCPSecurityConfig populated from the YAML data.
+    Raises:
+        FileNotFoundError: If the config file does not exist.
+        ValueError: If the YAML is missing the ``detection_patterns`` section.
+    """
+    import yaml
+    if not os.path.exists(path):
+        raise FileNotFoundError(f"MCP security config not found: {path}")
+    with open(path, "r", encoding="utf-8") as fh:
+        data = yaml.safe_load(fh.read())
+    if not isinstance(data, dict) or "detection_patterns" not in data:
+        raise ValueError(f"YAML file must contain a 'detection_patterns' section: {path}")
+    dp = data["detection_patterns"]
+    return MCPSecurityConfig(
+        invisible_unicode_patterns=dp.get(
+            "invisible_unicode", [p.pattern for p in _INVISIBLE_UNICODE_PATTERNS]
+        ),
+        hidden_comment_patterns=dp.get(
+            "hidden_comments", [p.pattern for p in _HIDDEN_COMMENT_PATTERNS]
+        ),
+        hidden_instruction_patterns=dp.get(
+            "hidden_instructions", [p.pattern for p in _HIDDEN_INSTRUCTION_PATTERNS]
+        ),
+        encoded_payload_patterns=dp.get(
+            "encoded_payloads", [p.pattern for p in _ENCODED_PAYLOAD_PATTERNS]
+        ),
+        exfiltration_patterns=dp.get("exfiltration", [p.pattern for p in _EXFILTRATION_PATTERNS]),
+        privilege_escalation_patterns=dp.get(
+            "privilege_escalation", [p.pattern for p in _PRIVILEGE_ESCALATION_PATTERNS]
+        ),
+        role_override_patterns=dp.get(
+            "role_override", [p.pattern for p in _ROLE_OVERRIDE_PATTERNS]
+        ),
+        excessive_whitespace_pattern=dp.get(
+            "excessive_whitespace", _EXCESSIVE_WHITESPACE_PATTERN.pattern
+        ),
+        suspicious_decoded_keywords=data.get(
+            "suspicious_decoded_keywords", list(_SUSPICIOUS_DECODED_KEYWORDS)
+        ),
+        disclaimer=data.get("disclaimer", ""),
+    )
+# ---------------------------------------------------------------------------
+# MCPSecurityScanner
+# ---------------------------------------------------------------------------
+class MCPSecurityScanner:
+    """Scans MCP tool definitions for poisoning, rug pulls, and protocol attacks.
+    Usage::
+        scanner = MCPSecurityScanner()
+        threats = scanner.scan_tool(
+            "search", "Search the web for information",
+            server_name="web-tools"
+        )
+        if threats:
+            print(f"Found {len(threats)} threat(s)")
+    """
+    def __init__(
+        self,
+        metrics: MCPMetricsRecorder | None = None,
+        *,
+        audit_sink: MCPAuditSink | None = None,
+        clock: Callable[[], float] = time.time,
+    ) -> None:
+        warnings.warn(
+            "MCPSecurityScanner() uses built-in sample rules that may not "
+            "cover all MCP tool poisoning techniques. For production use, load an "
+            "explicit config with load_mcp_security_config(). "
+            "See examples/policies/mcp-security.yaml for a sample configuration.",
+            stacklevel=2,
+        )
+        self._tool_registry: dict[str, ToolFingerprint] = {}
+        self._audit_log: list[dict[str, Any]] = []
+        self._injection_detector = PromptInjectionDetector()
+        self._metrics = metrics or MCPMetrics()
+        self._audit_sink = audit_sink or InMemoryAuditSink()
+        self._clock = clock
+    # -- public API ---------------------------------------------------------
+    def scan_tool(
+        self,
+        tool_name: str,
+        description: str,
+        schema: dict[str, Any] | None = None,
+        server_name: str = "unknown",
+    ) -> list[MCPThreat]:
+        """Scan a single MCP tool definition for threats.
+        Args:
+            tool_name: Name of the tool.
+            description: Tool description (primary attack surface).
+            schema: Optional JSON Schema for tool inputs.
+            server_name: Name of the MCP server providing this tool.
+        Returns:
+            List of ``MCPThreat`` findings (empty if clean).
+        """
+        try:
+            threats: list[MCPThreat] = []
+            threats.extend(self._check_hidden_instructions(description, tool_name, server_name))
+            threats.extend(self._check_description_injection(description, tool_name, server_name))
+            if schema is not None:
+                threats.extend(self._check_schema_abuse(schema, tool_name, server_name))
+            threats.extend(self._check_cross_server(tool_name, server_name))
+            rug_pull = self.check_rug_pull(tool_name, description, schema, server_name)
+            if rug_pull is not None:
+                threats.append(rug_pull)
+            self._record_audit("scan_tool", tool_name, server_name, threats)
+            self._metrics.record_scan(
+                operation="scan_tool",
+                tool_name=tool_name,
+                server_name=server_name,
+            )
+            self._metrics.record_threats_detected(
+                len(threats),
+                tool_name=tool_name,
+                server_name=server_name,
+            )
+            return threats
+        except Exception:
+            logger.error(
+                "MCP tool scan failed closed | tool=%s server=%s",
+                tool_name,
+                server_name,
+                exc_info=True,
+            )
+            return [
+                MCPThreat(
+                    threat_type=MCPThreatType.TOOL_POISONING,
+                    severity=MCPSeverity.CRITICAL,
+                    tool_name=tool_name,
+                    server_name=server_name,
+                    message="Scan error \u2014 fail closed",
+                )
+            ]
+    def scan_server(
+        self,
+        server_name: str,
+        tools: list[dict[str, Any]],
+    ) -> ScanResult:
+        """Scan all tools from an MCP server.
+        Args:
+            server_name: Name of the MCP server.
+            tools: List of tool dicts with keys: ``name``, ``description``,
+                and optionally ``inputSchema``.
+        Returns:
+            Aggregate ``ScanResult``.
+        """
+        all_threats: list[MCPThreat] = []
+        flagged_tools: set[str] = set()
+        for tool in tools:
+            name = tool.get("name", "unknown")
+            description = tool.get("description", "")
+            schema = tool.get("inputSchema")
+            tool_threats = self.scan_tool(name, description, schema, server_name)
+            if tool_threats:
+                flagged_tools.add(name)
+                all_threats.extend(tool_threats)
+        self._metrics.record_scan(
+            operation="scan_server",
+            tool_name="*",
+            server_name=server_name,
+        )
+        return ScanResult(
+            safe=len(all_threats) == 0,
+            threats=all_threats,
+            tools_scanned=len(tools),
+            tools_flagged=len(flagged_tools),
+        )
+    def register_tool(
+        self,
+        tool_name: str,
+        description: str,
+        schema: dict[str, Any] | None,
+        server_name: str,
+    ) -> ToolFingerprint:
+        """Register a tool with a cryptographic fingerprint.
+        If already registered, updates last_seen and increments version
+        only when the definition changed.
+        Returns:
+            The ``ToolFingerprint`` for this tool.
+        """
+        key = f"{server_name}::{tool_name}"
+        now = self._clock()
+        desc_hash = hashlib.sha256(description.encode("utf-8")).hexdigest()
+        schema_hash = hashlib.sha256(
+            json.dumps(schema, sort_keys=True, default=str).encode("utf-8") if schema else b""
+        ).hexdigest()
+        existing = self._tool_registry.get(key)
+        if existing is not None:
+            if existing.description_hash != desc_hash or existing.schema_hash != schema_hash:
+                existing.description_hash = desc_hash
+                existing.schema_hash = schema_hash
+                existing.last_seen = now
+                existing.version += 1
+            else:
+                existing.last_seen = now
+            return existing
+        fp = ToolFingerprint(
+            tool_name=tool_name,
+            server_name=server_name,
+            description_hash=desc_hash,
+            schema_hash=schema_hash,
+            first_seen=now,
+            last_seen=now,
+            version=1,
+        )
+        self._tool_registry[key] = fp
+        return fp
+    def check_rug_pull(
+        self,
+        tool_name: str,
+        description: str,
+        schema: dict[str, Any] | None,
+        server_name: str,
+    ) -> MCPThreat | None:
+        """Check if a tool definition changed since registration (rug pull).
+        Returns:
+            An ``MCPThreat`` if a rug pull is detected, else ``None``.
+        """
+        key = f"{server_name}::{tool_name}"
+        existing = self._tool_registry.get(key)
+        if existing is None:
+            return None
+        desc_hash = hashlib.sha256(description.encode("utf-8")).hexdigest()
+        schema_hash = hashlib.sha256(
+            json.dumps(schema, sort_keys=True, default=str).encode("utf-8") if schema else b""
+        ).hexdigest()
+        changes: list[str] = []
+        if existing.description_hash != desc_hash:
+            changes.append("description")
+        if existing.schema_hash != schema_hash:
+            changes.append("schema")
+        if changes:
+            return MCPThreat(
+                threat_type=MCPThreatType.RUG_PULL,
+                severity=MCPSeverity.CRITICAL,
+                tool_name=tool_name,
+                server_name=server_name,
+                message=(
+                    f"Tool definition changed since registration: "
+                    f"{', '.join(changes)} modified (version {existing.version})"
+                ),
+                details={"changed_fields": changes, "version": existing.version},
+            )
+        return None
+    @property
+    def audit_log(self) -> list[dict[str, Any]]:
+        """Return a copy of the scan audit history."""
+        return list(self._audit_log)
+    # -- private detection methods ------------------------------------------
+    def _check_hidden_instructions(
+        self,
+        description: str,
+        tool_name: str,
+        server_name: str,
+    ) -> list[MCPThreat]:
+        """Detect hidden instructions in tool descriptions."""
+        threats: list[MCPThreat] = []
+        # 1. Invisible unicode characters
+        for pattern in _INVISIBLE_UNICODE_PATTERNS:
+            match = pattern.search(description)
+            if match:
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.HIDDEN_INSTRUCTION,
+                        severity=MCPSeverity.CRITICAL,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message="Invisible unicode characters detected in tool description",
+                        matched_pattern=pattern.pattern,
+                        details={"char_ord": ord(match.group()[0])},
+                    )
+                )
+                break  # one finding per category is enough
+        # 2. Markdown/HTML comments hiding text
+        for pattern in _HIDDEN_COMMENT_PATTERNS:
+            match = pattern.search(description)
+            if match:
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.HIDDEN_INSTRUCTION,
+                        severity=MCPSeverity.CRITICAL,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message="Hidden comment detected in tool description",
+                        matched_pattern=pattern.pattern,
+                        details={"comment_preview": match.group()[:80]},
+                    )
+                )
+        # 3. Encoded instructions (base64, hex)
+        for pattern in _ENCODED_PAYLOAD_PATTERNS:
+            match = pattern.search(description)
+            if match:
+                candidate = match.group()
+                # For base64, try to decode and check for suspicious content
+                is_suspicious = False
+                if len(candidate) >= 40 and not candidate.startswith("\\x"):
+                    try:
+                        decoded = base64.b64decode(candidate).decode("utf-8", errors="ignore")
+                        decoded_lower = decoded.lower()
+                        for keyword in _SUSPICIOUS_DECODED_KEYWORDS:
+                            if keyword in decoded_lower:
+                                is_suspicious = True
+                                break
+                    except Exception:
+                        pass
+                    if not is_suspicious:
+                        # Long base64 in a tool description is suspicious regardless
+                        is_suspicious = True
+                if is_suspicious or candidate.startswith("\\x"):
+                    threats.append(
+                        MCPThreat(
+                            threat_type=MCPThreatType.HIDDEN_INSTRUCTION,
+                            severity=MCPSeverity.WARNING,
+                            tool_name=tool_name,
+                            server_name=server_name,
+                            message="Encoded payload detected in tool description",
+                            matched_pattern=pattern.pattern,
+                        )
+                    )
+        # 4. Hidden instructions after excessive whitespace/newlines
+        if _EXCESSIVE_WHITESPACE_PATTERN.search(description):
+            threats.append(
+                MCPThreat(
+                    threat_type=MCPThreatType.HIDDEN_INSTRUCTION,
+                    severity=MCPSeverity.WARNING,
+                    tool_name=tool_name,
+                    server_name=server_name,
+                    message="Instructions hidden after excessive whitespace",
+                    matched_pattern=_EXCESSIVE_WHITESPACE_PATTERN.pattern,
+                )
+            )
+        # 5. Instruction-like patterns
+        for pattern in _HIDDEN_INSTRUCTION_PATTERNS:
+            if pattern.search(description):
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.HIDDEN_INSTRUCTION,
+                        severity=MCPSeverity.CRITICAL,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message=f"Instruction-like pattern in tool description: {pattern.pattern}",
+                        matched_pattern=pattern.pattern,
+                    )
+                )
+        return threats
+    def _check_description_injection(
+        self,
+        description: str,
+        tool_name: str,
+        server_name: str,
+    ) -> list[MCPThreat]:
+        """Detect prompt injection patterns in tool descriptions."""
+        threats: list[MCPThreat] = []
+        # Reuse prompt_injection.py detector
+        result = self._injection_detector.detect(
+            description, source=f"mcp:{server_name}:{tool_name}"
+        )
+        if result.is_injection:
+            threats.append(
+                MCPThreat(
+                    threat_type=MCPThreatType.DESCRIPTION_INJECTION,
+                    severity=MCPSeverity.CRITICAL,
+                    tool_name=tool_name,
+                    server_name=server_name,
+                    message=f"Prompt injection detected in description: {result.explanation}",
+                    matched_pattern=result.matched_patterns[0] if result.matched_patterns else None,
+                    details={
+                        "injection_type": result.injection_type.value
+                        if result.injection_type
+                        else None
+                    },
+                )
+            )
+        # Role assignment patterns
+        for pattern in _ROLE_OVERRIDE_PATTERNS:
+            if pattern.search(description):
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.DESCRIPTION_INJECTION,
+                        severity=MCPSeverity.WARNING,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message=f"Role override pattern in description: {pattern.pattern}",
+                        matched_pattern=pattern.pattern,
+                    )
+                )
+        # Data exfiltration patterns
+        for pattern in _EXFILTRATION_PATTERNS:
+            if pattern.search(description):
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.DESCRIPTION_INJECTION,
+                        severity=MCPSeverity.CRITICAL,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message=f"Data exfiltration pattern in description: {pattern.pattern}",
+                        matched_pattern=pattern.pattern,
+                    )
+                )
+        return threats
+    def _check_schema_abuse(
+        self,
+        schema: dict[str, Any],
+        tool_name: str,
+        server_name: str,
+    ) -> list[MCPThreat]:
+        """Check tool input schemas for suspicious patterns."""
+        threats: list[MCPThreat] = []
+        # 1. Overly permissive: top-level type is "object" with no properties
+        if schema.get("type") == "object" and not schema.get("properties"):
+            if schema.get("additionalProperties") is not False:
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.TOOL_POISONING,
+                        severity=MCPSeverity.WARNING,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message="Overly permissive schema: object type with no defined properties",
+                    )
+                )
+        properties = schema.get("properties", {})
+        required = schema.get("required", [])
+        for prop_name, prop_def in properties.items():
+            if not isinstance(prop_def, dict):
+                continue
+            # 2. Hidden required fields with suspicious names
+            suspicious_field_names = [
+                "system_prompt",
+                "instructions",
+                "override",
+                "command",
+                "exec",
+                "eval",
+                "callback_url",
+                "webhook",
+                "target_url",
+            ]
+            if prop_name in required:
+                for sus_name in suspicious_field_names:
+                    if sus_name in prop_name.lower():
+                        threats.append(
+                            MCPThreat(
+                                threat_type=MCPThreatType.TOOL_POISONING,
+                                severity=MCPSeverity.CRITICAL,
+                                tool_name=tool_name,
+                                server_name=server_name,
+                                message=f"Suspicious required field: '{prop_name}'",
+                                details={"field_name": prop_name},
+                            )
+                        )
+            # 3. Default values containing instructions
+            default_val = prop_def.get("default")
+            if isinstance(default_val, str) and len(default_val) > 10:
+                for pattern in _HIDDEN_INSTRUCTION_PATTERNS:
+                    if pattern.search(default_val):
+                        threats.append(
+                            MCPThreat(
+                                threat_type=MCPThreatType.TOOL_POISONING,
+                                severity=MCPSeverity.CRITICAL,
+                                tool_name=tool_name,
+                                server_name=server_name,
+                                message=f"Instruction in default value for field '{prop_name}'",
+                                matched_pattern=pattern.pattern,
+                                details={"field_name": prop_name},
+                            )
+                        )
+                        break
+            # 4. Hidden instructions in property descriptions
+            prop_desc = prop_def.get("description", "")
+            if isinstance(prop_desc, str):
+                for pattern in _HIDDEN_INSTRUCTION_PATTERNS:
+                    if pattern.search(prop_desc):
+                        threats.append(
+                            MCPThreat(
+                                threat_type=MCPThreatType.TOOL_POISONING,
+                                severity=MCPSeverity.CRITICAL,
+                                tool_name=tool_name,
+                                server_name=server_name,
+                                message=f"Hidden instruction in property '{prop_name}' description",
+                                matched_pattern=pattern.pattern,
+                                details={"field_name": prop_name},
+                            )
+                        )
+                        break
+        return threats
+    def _check_cross_server(
+        self,
+        tool_name: str,
+        server_name: str,
+    ) -> list[MCPThreat]:
+        """Check for cross-server attack patterns."""
+        threats: list[MCPThreat] = []
+        for _key, fp in self._tool_registry.items():
+            # Same tool name from a different server
+            if fp.tool_name == tool_name and fp.server_name != server_name:
+                threats.append(
+                    MCPThreat(
+                        threat_type=MCPThreatType.CROSS_SERVER_ATTACK,
+                        severity=MCPSeverity.CRITICAL,
+                        tool_name=tool_name,
+                        server_name=server_name,
+                        message=(
+                            f"Tool '{tool_name}' already registered from server "
+                            f"'{fp.server_name}' — potential impersonation"
+                        ),
+                        details={"original_server": fp.server_name},
+                    )
+                )
+            # Typosquatting: similar name from a different server
+            if fp.server_name != server_name and fp.tool_name != tool_name:
+                if self._is_typosquat(tool_name, fp.tool_name):
+                    threats.append(
+                        MCPThreat(
+                            threat_type=MCPThreatType.CROSS_SERVER_ATTACK,
+                            severity=MCPSeverity.WARNING,
+                            tool_name=tool_name,
+                            server_name=server_name,
+                            message=(
+                                f"Tool name '{tool_name}' resembles "
+                                f"'{fp.tool_name}' from server '{fp.server_name}' "
+                                f"— potential typosquatting"
+                            ),
+                            details={
+                                "similar_tool": fp.tool_name,
+                                "similar_server": fp.server_name,
+                            },
+                        )
+                    )
+        return threats
+    # -- helpers ------------------------------------------------------------
+    @staticmethod
+    def _is_typosquat(name_a: str, name_b: str) -> bool:
+        """Check if two tool names are suspiciously similar (edit distance ≤ 2)."""
+        if name_a == name_b:
+            return False
+        # Simple Levenshtein check for short names
+        la, lb = name_a.lower(), name_b.lower()
+        if abs(len(la) - len(lb)) > 2:
+            return False
+        # Compute Levenshtein distance
+        dist = _levenshtein(la, lb)
+        # Typosquat if 1-2 edits on names of length ≥ 4
+        return 1 <= dist <= 2 and min(len(la), len(lb)) >= 4
+    def _record_audit(
+        self,
+        action: str,
+        tool_name: str,
+        server_name: str,
+        threats: list[MCPThreat],
+    ) -> None:
+        record = {
+            "timestamp": datetime.fromtimestamp(
+                self._clock(),
+                timezone.utc,
+            ).isoformat(),
+            "action": action,
+            "tool_name": tool_name,
+            "server_name": server_name,
+            "threats_found": len(threats),
+            "threat_types": [t.threat_type.value for t in threats],
+        }
+        self._audit_log.append(record)
+        self._audit_sink.record(record)
+        if threats:
+            logger.warning(
+                "MCP scan found %d threat(s) | tool=%s server=%s",
+                len(threats),
+                tool_name,
+                server_name,
+            )
+        else:
+            logger.debug(
+                "MCP scan clean | tool=%s server=%s",
+                tool_name,
+                server_name,
+            )
+def _levenshtein(s: str, t: str) -> int:
+    """Compute Levenshtein edit distance between two strings."""
+    if len(s) < len(t):
+        return _levenshtein(t, s)
+    if len(t) == 0:
+        return len(s)
+    prev = list(range(len(t) + 1))
+    for i, cs in enumerate(s):
+        curr = [i + 1]
+        for j, ct in enumerate(t):
+            cost = 0 if cs == ct else 1
+            curr.append(min(curr[j] + 1, prev[j + 1] + 1, prev[j] + cost))
+        prev = curr
+    return prev[-1]