Security model

How APAI's Capability Passport, scanner, MCP Gateway, and policy packs combine. Zero Trust for AI agents. Threat model. Honest about what each layer catches and what it does not.

The three-layer model

APAI's security story is three layers stacked. Each works on its own; together they provide the full trust contract.

  1. Verified install: every package has a Capability Passport, a scanner status, and a durable install receipt with the exact rollback command. The Passport is the user-facing contract: what the package CLAIMS it will do.
  2. Agent discovery: automatic llms.txt manifests at /packages/{slug}/llms.txt mean any LLM agent can read the install card and apply the package's protocol consistently. Eliminates hallucinated tool behavior.
  3. Governed execution: the MCP Gateway (Phase 6) is the runtime control plane. RBAC, credential injection, audit logging, rate limiting, threat detection. Zero Trust principles applied to agent tool use.

MCP protocol security: what you get for free

The Model Context Protocol provides a baseline:

  • Transport security: TLS 1.2+ required for all remote (HTTP/SSE) transports.
  • Authorization spec: OAuth 2.1 for HTTP transports.
  • No token passthrough: the spec explicitly discourages insecure token forwarding patterns.

What MCP does NOT provide out of the box:

  • Built-in RBAC or fine-grained access control.
  • Centralized audit logging.
  • Authentication for local (stdio) transports; these rely on OS process isolation.

Real security in production deployments is implemented at the application and infrastructure layers, primarily through an MCP Gateway.

Key risks in MCP deployments

Risk                | Description                                    | Mitigation
--------------------|------------------------------------------------|------------------------------------------------------------------------
Credential exposure | Hardcoded or scattered API keys/tokens         | Centralized credential injection via Gateway
Unauthorized access | Agents calling tools without proper permissions | RBAC + Gateway enforcement
Prompt injection    | Malicious input via tool responses             | Input validation + heuristic scanner (real classifier in Phase 5)
Confused deputy     | Server acting on behalf of an attacker         | Strict authorization + user-context propagation
Audit gap           | No visibility into tool usage                  | Centralized logging via Gateway
Rate limit abuse    | Excessive tool calls inflating cost            | Token-based rate limiting at Gateway
Supply chain        | Unverified third-party MCP servers             | Curated registry + Capability Passports + behavioral scanner (Phase 5)

Zero Trust for AI agents

Zero Trust is built on "never trust, always verify." Applied to AI agents using MCP, it means:

  • Every agent request is verified at the Gateway.
  • Access is granted on least-privilege principles per agent + tool.
  • Continuous monitoring and auditing is enforced.
  • The system assumes breach: limit blast radius via micro-segmentation.

The MCP Gateway is the enforcement layer. Routing all agent-to-tool traffic through it gives one chokepoint for policy, logging, and revocation.

What the v0.1 scanner actually catches

To be clear: the v0.1 scanner is a heuristic stub. It runs two checks:

  • Suspicious-pattern regex (13 patterns): rm -rf /, DROP TABLE, curl | sh, powershell -enc, etc.
  • Hidden Unicode (Cf general category): catches format characters that can disguise instructions.

Status "heuristic-stub-v0" means: the stub did not flag anything. It does NOT mean the package is certified safe.

Real prompt-injection classification, OAuth-scope review, and dependency vulnerability scanning land in Phase 5 (behavioral fingerprint scanner). v0.1 gives you the Passport shape and a basic regex sanity check; treat it that way.
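To make the two checks concrete, here is an added Python sketch of a scanner stub in the shape described above. It is illustrative code written for this page, not APAI's own scanner: only the four patterns the page names are included (the page says v0.1 ships 13), and the "flagged" status string for a non-clean result is an assumption.

```python
import re
import unicodedata

# Only the four patterns named on the page; the remaining v0.1 patterns are
# not listed there and are deliberately not guessed here.
SUSPICIOUS_PATTERNS = {
    # Bare "rm -rf /" (root), not "rm -rf /tmp/build", to keep noise down.
    "rm -rf /": re.compile(r"\brm\s+-rf\s+/(?:\s|$)"),
    "DROP TABLE": re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE),
    # "curl ... | sh" / "| bash" / "| zsh": pipe-to-shell install one-liners.
    "curl | sh": re.compile(r"\bcurl\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    # "-enc", "-encodedcommand" and similar, case-insensitive.
    "powershell -enc": re.compile(r"\bpowershell(?:\.exe)?\b.*?\s-enc\w*\b",
                                  re.IGNORECASE),
}


def find_suspicious_patterns(text):
    """Names of every listed pattern that occurs anywhere in text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def find_hidden_unicode(text):
    """(offset, 'U+XXXX') for each Unicode format (Cf) character in text.

    Cf covers zero-width spaces, bidi overrides, BOMs and similar characters
    that render invisibly and can hide or reorder instructions in a card.
    """
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]


def scan(text):
    """Run both heuristic checks and return a scanner-style status.

    "heuristic-stub-v0" means neither check fired; "flagged" (an assumed
    name, not taken from the page) means at least one finding exists.
    """
    findings = [f"pattern:{p}" for p in find_suspicious_patterns(text)]
    findings += [f"hidden-unicode:{cp}@{i}" for i, cp in find_hidden_unicode(text)]
    status = "flagged" if findings else "heuristic-stub-v0"
    return {"status": status, "findings": findings}
```

A clean status from this stub means only that none of these strings were present; it says nothing about what the package actually does at runtime.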

Best practices

  1. Always use the Gateway in production. Local MCP connections are for development.
  2. Least privilege. Scope tools and permissions aggressively per agent and per workspace.
  3. Centralize credentials. Never let credentials sit in agent context. Gateway injects at runtime.
  4. Audit every tool call. Log it. Export to your SIEM.
  5. Read the Capability Passport. Before you install. Every time.
  6. Verify the install card checksum. See the Honest LLM contract spec when it ships; it catches LLMs that lie about which card they loaded.
  7. Defense in depth. Gateway + Passport review + Policy Pack + behavioral scanner.

Corporate and private deployment

For enterprise and private deployments, additional controls:

  • Air-gapped and VPC deployment options for the Gateway.
  • Integration with corporate IdPs (Okta, Entra ID, SAML, OIDC).
  • Data residency and sovereignty controls.
  • Compliance-ready audit trails (SOC 2, GDPR, HIPAA - certifications not yet held, see security page).
  • Team and project-based isolation via private registries.

Reporting issues

For security issues, follow the disclosure path at /security. Do not file public GitHub issues for vulnerabilities.