MCP Bridge and Infrastructure v10.1.5
New governance infrastructure - MCP Bridge, Policy DSL, Agent Identity, Rate Limiter, Python SDK
Infrastructure Release Notes v10.1.5
The v10.1.5 release introduces 5 new infrastructure modules that complete the ABS Core governance pipeline for MCP tool calls.
1. MCP Bridge - Tool Call Interception
The MCP Bridge intercepts Model Context Protocol (MCP) tool calls before execution, applying the same governance pipeline as the LLM Proxy.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/mcp/tool-call | Evaluate a single tool call |
| POST | /v1/mcp/batch | Evaluate up to 50 tool calls in batch |
| GET | /v1/mcp/capabilities | List active policies and categories |
Evaluation Pipeline
Tool Call -> DSL Policy Engine -> Regex Policy Engine -> Entropy Analysis -> Bond/Slash -> WAL Log -> Verdict
Usage Example
```bash
curl -X POST https://api.abscore.app/v1/mcp/tool-call \
  -H "Content-Type: application/json" \
  -d '{"name":"fs.write","arguments":{"path":"/etc/passwd","content":"test"}}'
# Response (403):
# {"verdict":{"decision":"DENY","policyResult":{"status":"DENIED","reason":"Access to system-critical paths is forbidden"}}}
```
Invariants
- MCP-I1: Every tool call is evaluated before execution
- MCP-I2: DENIED calls never reach the tool server
- MCP-I3: All decisions are logged in the WAL (hash-chain)
- MCP-I4: Entropy above threshold triggers automatic FLAG
2. Declarative Policy Language (DSL)
Replaces hardcoded regex with declarative JSON policies, similar to OPA/Rego but optimized for AI.
Format
```json
{
  "version": "1.0",
  "policies": [
    {
      "name": "block_credential_access",
      "match": {
        "tools": ["fs.write", "fs.delete"],
        "args_contain": [".env", ".pem", ".key"]
      },
      "action": "DENY",
      "risk": 1.0,
      "reason": "Modification of credential files is forbidden"
    }
  ]
}
```
SYSTEM_POLICIES (built-in, v10.1.5)
| Policy | Action | Detects |
|---|---|---|
| sys:block_audit_modification | DENY | Modification of audit tables |
| sys:block_credential_files | DENY | .env, .pem, .key, .secrets |
| sys:flag_shell_execution | FLAG | shell., exec., subprocess.* |
| sys:flag_network_exfil | DENY | pastebin, ngrok, transfer.sh |
| sys:block_pii_access | FLAG | cpf, ssn, passport, credit_card |
| sys:block_sensitive_paths | DENY | /etc/passwd, /etc/shadow, ~/.ssh/ |
| sys:block_path_traversal | DENY | ../ path traversal |
Invariants
- DSL-I1: First DENY wins (evaluation in order)
- DSL-I2: No match = ALLOW (default open)
- DSL-I3: Policies are stateless
- DSL-I4: Definition errors are rejected at parse time, not runtime
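The following is an added example, not ABS Core's own engine: a minimal evaluator for the policy format above, followed by the entropy layer of the MCP Bridge pipeline from section 1 (Tool Call -> DSL Policy Engine -> Entropy Analysis -> Verdict). The JSON field names, the 4.5-bit entropy threshold and the invariants DSL-I1, DSL-I2 and DSL-I4 come from the page; the function names, the rule that a FLAG stands only when no later policy denies the call, and the 16-character minimum for entropy analysis are assumptions. The sample policy document is constructed.

```javascript
// Added example (not ABS Core's code): declarative policy evaluation + entropy layer.
const ACTIONS = new Set(['ALLOW', 'DENY', 'FLAG']);

// DSL-I4: reject malformed policies when the document is loaded, not while a
// tool call is being evaluated.
function loadPolicies(doc) {
  if (doc.version !== '1.0') throw new Error(`unsupported policy version: ${doc.version}`);
  if (!Array.isArray(doc.policies)) throw new Error('"policies" must be an array');
  for (const p of doc.policies) {
    if (typeof p.name !== 'string' || p.name === '') throw new Error('policy without a name');
    if (!ACTIONS.has(p.action)) throw new Error(`${p.name}: unknown action "${p.action}"`);
    const m = p.match || {};
    if (!Array.isArray(m.tools) && !Array.isArray(m.args_contain)) {
      throw new Error(`${p.name}: match needs "tools" and/or "args_contain"`);
    }
    if (typeof p.risk !== 'number' || p.risk < 0 || p.risk > 1) {
      throw new Error(`${p.name}: risk must be a number in [0, 1]`);
    }
  }
  return doc.policies;
}

// A policy matches when the tool name is listed (if "tools" is given) AND at
// least one "args_contain" needle occurs in the serialised arguments (if given).
function policyMatches(policy, call) {
  const { tools, args_contain } = policy.match;
  if (tools && !tools.includes(call.name)) return false;
  if (args_contain) {
    const haystack = JSON.stringify(call.arguments ?? {});
    if (!args_contain.some((needle) => haystack.includes(needle))) return false;
  }
  return true;
}

// DSL-I1: first DENY wins, in document order. DSL-I2: nothing matched = ALLOW.
// Assumption: a FLAG only stands if no later policy denies the call.
function evaluatePolicies(policies, call) {
  let flagged = null;
  for (const p of policies) {
    if (!policyMatches(p, call)) continue;
    const result = { policy: p.name, risk: p.risk, reason: p.reason };
    if (p.action === 'DENY') return { status: 'DENIED', ...result };
    if (p.action === 'FLAG' && !flagged) flagged = { status: 'FLAGGED', ...result };
  }
  return flagged ?? { status: 'ALLOWED', policy: null, risk: 0, reason: 'no policy matched' };
}

// Shannon entropy in bits per character over the string's character frequencies.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const ENTROPY_THRESHOLD = 4.5; // from the page: above 4.5 triggers FLAG
const MIN_ENTROPY_LENGTH = 16; // assumption: short strings carry too little signal

// Walk the argument object and report the highest entropy among string values.
function maxArgumentEntropy(value) {
  if (typeof value === 'string') return value.length >= MIN_ENTROPY_LENGTH ? shannonEntropy(value) : 0;
  if (value && typeof value === 'object') return Math.max(0, ...Object.values(value).map(maxArgumentEntropy));
  return 0;
}

// Tool Call -> DSL Policy Engine -> Entropy Analysis -> Verdict
function evaluateToolCall(policies, call) {
  const policyResult = evaluatePolicies(policies, call);
  if (policyResult.status === 'DENIED') return { decision: 'DENY', policyResult, entropy: null };
  const entropy = maxArgumentEntropy(call.arguments ?? {});
  if (entropy > ENTROPY_THRESHOLD) {
    return { decision: 'FLAG', policyResult, entropy, reason: `argument entropy ${entropy.toFixed(2)} > ${ENTROPY_THRESHOLD}` };
  }
  return { decision: policyResult.status === 'FLAGGED' ? 'FLAG' : 'ALLOW', policyResult, entropy };
}

// Constructed sample document in the page's format, plus a FLAG rule.
const SAMPLE_POLICIES = loadPolicies({
  version: '1.0',
  policies: [
    { name: 'flag_shell_execution', match: { tools: ['shell.exec'] }, action: 'FLAG', risk: 0.6, reason: 'Shell execution is audited' },
    { name: 'block_credential_access', match: { tools: ['fs.write', 'fs.delete'], args_contain: ['.env', '.pem', '.key'] }, action: 'DENY', risk: 1.0, reason: 'Modification of credential files is forbidden' },
    { name: 'block_sensitive_paths', match: { args_contain: ['/etc/passwd', '/etc/shadow'] }, action: 'DENY', risk: 1.0, reason: 'Access to system-critical paths is forbidden' },
  ],
});
```

Note the default-open behaviour of DSL-I2 in practice: `fs.read` of `/app/.env` is allowed by this document because the credential policy lists only `fs.write` and `fs.delete`, so a tenant that wants reads covered has to say so in its own policies.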
3. Agent Identity (JWT)
Cryptographic authentication for AI agents via JWT HMAC-SHA256, with claims describing permissions and risk budget.
Claims
| Claim | Type | Description |
|---|---|---|
| sub | string | Agent ID |
| tid | string | Tenant ID |
| tools | string[] | Allowed tool patterns (glob) |
| riskBudget | number | Maximum risk budget (0-100) |
| bonded | boolean | Whether the agent has an active bond |
| iat / exp | number | Issue/expiration timestamps |
API
```typescript
import { generateAgentToken, verifyAgentToken, isToolAllowed } from './security/agent-identity';

// Shared HMAC secret: the same value must be used to generate and to verify
const secret = process.env.ABS_SECRET_KEY;

// Generate token (1h TTL)
const token = await generateAgentToken({
  agentId: 'agent-abc',
  tenantId: 'tenant-123',
  tools: ['fs.read', 'llm.*'],
  riskBudget: 50,
  bonded: true,
}, secret);

// Verify (sub-1ms, no external calls)
const { valid, claims } = await verifyAgentToken(token, secret);

// Check tool permission: 'fs.write' matches neither 'fs.read' nor 'llm.*'
const allowed = isToolAllowed(claims, 'fs.write'); // false
```
Invariants
- AID-I1: HMAC-SHA256 (Web Crypto API, edge-compatible)
- AID-I2: Expired tokens are always rejected
- AID-I3: Claims are immutable for the token lifetime
- AID-I4: Verification sub-1ms (no external calls)
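As an added example, not the project's `agent-identity` module: the claim checks a verifier performs after the HMAC-SHA256 signature has already been validated (the signature step is deliberately left out here). The claim names follow the table above; the glob semantics (`*` matches any run of characters, the pattern is anchored to the whole tool name), the `checkClaims` name and the injectable `nowSeconds` clock are assumptions.

```javascript
// Added example (not ABS Core's code): post-signature claim checks for agent tokens.

// Turn a glob such as "llm.*" into an anchored regular expression, escaping
// every other regex metacharacter so "fs.read" cannot match "fsxread".
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// "tools" holds allowed patterns; an agent with no tools claim gets nothing.
function isToolAllowed(claims, toolName) {
  if (!Array.isArray(claims.tools)) return false;
  return claims.tools.some((pattern) => globToRegExp(pattern).test(toolName));
}

// AID-I2: expired tokens are always rejected. AID-I3: the caller receives a
// frozen copy so claims cannot be altered for the token's lifetime.
function checkClaims(claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  const required = ['sub', 'tid', 'tools', 'riskBudget', 'bonded', 'iat', 'exp'];
  for (const k of required) {
    if (!(k in claims)) return { valid: false, reason: `missing claim ${k}` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { valid: false, reason: 'token expired' };
  }
  if (typeof claims.iat !== 'number' || claims.iat > nowSeconds) {
    return { valid: false, reason: 'token issued in the future' };
  }
  if (typeof claims.riskBudget !== 'number' || claims.riskBudget < 0 || claims.riskBudget > 100) {
    return { valid: false, reason: 'riskBudget out of range 0-100' };
  }
  if (typeof claims.bonded !== 'boolean') return { valid: false, reason: 'bonded must be boolean' };
  return { valid: true, claims: Object.freeze({ ...claims }) };
}

// Constructed sample claims matching the API example above (timestamps in seconds).
const SAMPLE_CLAIMS = {
  sub: 'agent-abc', tid: 'tenant-123', tools: ['fs.read', 'llm.*'],
  riskBudget: 50, bonded: true, iat: 1_700_000_000, exp: 1_700_003_600,
};
```

Because `exp` is compared with `<=`, a token is rejected at the exact second it expires rather than one second later; pick one convention and keep it identical between generator and verifier so TTL tests do not drift.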
4. Proxy Rate Limiter
Native per-agent rate limiting with sliding window in-memory.
Default Limits
| Endpoint | Limit | Window |
|---|---|---|
| Standard API | 200 req | 1 min |
| MCP Bridge | 100 calls | 1 min |
| LLM Proxy | 60 req | 1 min |
| Auth | 10 attempts | 1 min |
| Token Gen | 5 req | 1 min |
HTTP Headers
```http
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1708266790
Retry-After: 42
```
Retry-After is sent only on 429 responses.
Key Extraction (priority)
- Agent JWT sub claim
- API Key (first 16 chars)
- CF-Connecting-IP / X-Forwarded-For
Invariants
- RL-I1: Rate limits are enforced before any processing
- RL-I2: Memory is bounded (max 10k tracked identities)
- RL-I3: Expired entries are garbage collected periodically
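As an added example, not the project's limiter: an in-memory sliding-window limiter with the key-extraction order and the default limits from this section, returning the headers listed above. The request shape (`req.claims`, lower-cased `req.headers`), the per-endpoint bucket keys, the oldest-first eviction once 10k identities are tracked and the injectable clock are assumptions.

```javascript
// Added example (not ABS Core's code): per-identity sliding-window rate limiting.
const LIMITS = {
  standard: { limit: 200, windowMs: 60_000 },
  mcp: { limit: 100, windowMs: 60_000 },
  llm: { limit: 60, windowMs: 60_000 },
  auth: { limit: 10, windowMs: 60_000 },
  tokenGen: { limit: 5, windowMs: 60_000 },
};
const MAX_TRACKED = 10_000; // RL-I2: bounded memory

// Priority: agent JWT "sub" claim, then API key prefix, then client IP.
// Assumption: req.headers is a lower-cased header map; req.claims is set only
// after the JWT signature has been verified.
function extractKey(req) {
  if (req.claims && req.claims.sub) return `agent:${req.claims.sub}`;
  const apiKey = req.headers['x-api-key'];
  if (apiKey) return `key:${apiKey.slice(0, 16)}`;
  const forwarded = (req.headers['x-forwarded-for'] ?? '').split(',')[0].trim();
  const ip = req.headers['cf-connecting-ip'] ?? forwarded;
  return `ip:${ip || 'unknown'}`;
}

class SlidingWindowLimiter {
  constructor(limits = LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.buckets = new Map(); // "<class>:<identity>" -> ascending request timestamps (ms)
  }

  // RL-I1: call this before any other processing of the request.
  check(req, endpointClass) {
    const { limit, windowMs } = this.limits[endpointClass];
    const key = `${endpointClass}:${extractKey(req)}`;
    const t = this.now();
    let stamps = this.buckets.get(key);
    if (!stamps) {
      if (this.buckets.size >= MAX_TRACKED) this.gc(t);
      // Still full after GC: evict the oldest-inserted identity (assumption).
      if (this.buckets.size >= MAX_TRACKED) this.buckets.delete(this.buckets.keys().next().value);
      stamps = [];
      this.buckets.set(key, stamps);
    }
    while (stamps.length && stamps[0] <= t - windowMs) stamps.shift(); // slide the window
    const allowed = stamps.length < limit;
    if (allowed) stamps.push(t);
    const resetAt = stamps.length ? stamps[0] + windowMs : t + windowMs;
    const headers = {
      'X-RateLimit-Limit': String(limit),
      'X-RateLimit-Remaining': String(Math.max(0, limit - stamps.length)),
      'X-RateLimit-Reset': String(Math.ceil(resetAt / 1000)),
    };
    if (!allowed) headers['Retry-After'] = String(Math.max(1, Math.ceil((resetAt - t) / 1000)));
    return { allowed, status: allowed ? 200 : 429, key, headers };
  }

  // RL-I3: drop identities with no request inside the largest window.
  gc(t = this.now()) {
    const maxWindow = Math.max(...Object.values(this.limits).map((l) => l.windowMs));
    for (const [key, stamps] of this.buckets) {
      while (stamps.length && stamps[0] <= t - maxWindow) stamps.shift();
      if (stamps.length === 0) this.buckets.delete(key);
    }
    return this.buckets.size;
  }
}
```

Keying by the verified JWT `sub` before the API key or IP is what makes the limit follow the agent across IPs; the IP fallback only applies to unauthenticated traffic, where `X-Forwarded-For` is client-controlled unless a trusted proxy rewrites it.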
5. Python SDK
Official SDK for Python 3.10+ with zero dependencies (stdlib only).
Installation
```bash
pip install abs-sdk
```
Quick Start
```python
from abs_sdk import ABSClient

client = ABSClient(
    dsn="abs://my-workspace.abscore.app",
    token="abs_pat_xxx"
)

# Evaluate tool call
verdict = client.evaluate_tool("fs.write", {"path": "/etc/passwd"})
if verdict.decision == "DENY":
    raise PermissionError(f"Blocked: {verdict.policy_result.reason}")

# Heartbeat
client.heartbeat("agent-123")

# Bond
bond = client.get_bond("agent-123")
print(f"Balance: ${bond.balance}")
```
Features
- evaluate_tool() / evaluate_batch() - MCP evaluation
- heartbeat() / get_agent() / register_agent() - agent management
- create_bond() / get_bond() / release_bond() - bond/slash
- audit_export() - audit trail export
- calculate_entropy() - local Shannon entropy (offline)
Evaluation Architecture v10.1.5
Each tool call passes through the following layers in sequence:
- MCP Bridge - receives POST /v1/mcp/tool-call
- DSL Policy Engine (primary) - evaluates SYSTEM_POLICIES (7 rules) + tenant policies
- Regex Policy Engine (secondary) - financial and complementary rules
- Entropy Analysis - Shannon entropy above 4.5 triggers automatic FLAG
- Bond/Slash - on DENY, slashes the agent bond
- WAL Audit Log - all decisions recorded in immutable hash-chain
All modules are live in production at api.abscore.app since v10.1.5.