{"id":34935179,"url":"https://github.com/nshkrdotcom/guardrail","last_synced_at":"2025-12-26T18:01:51.415Z","repository":{"id":281790757,"uuid":"946420161","full_name":"nshkrdotcom/GUARDRAIL","owner":"nshkrdotcom","description":"GUARDRAIL - MCP Security - Gateway for Unified Access, Resource Delegation, and Risk-Attenuating Information Limits","archived":false,"fork":false,"pushed_at":"2025-05-21T21:51:58.000Z","size":2171,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-21T22:40:16.475Z","etag":null,"topics":["gateway","gateway-api","gateway-microservice","gateway-services","information-security","information-security-policies","mcp","mcp-client","mcp-host","mcp-server","mcp-servers","mcp-tools","protocol","protocol-specification","protocols","security","security-automation","security-tools","service-mesh"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nshkrdotcom.png","metadata":{"files":{"readme":"README-OLD-ORIG.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-11T05:35:43.000Z","updated_at":"2025-05-21T21:52:02.000Z","dependencies_parsed_at":"2025-03-11T07:19:46.055Z","dependency_job_id":"4db0e8c6-deb9-41a7-85df-73f9ae040d9c","html_url":"https://github.com/nshkrdotcom/GUARDRAIL","commit_stats":null,"previous_names":["nshkrdotcom/guardrail"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nshkrdotcom/GUARDRAIL","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/nshkrdotcom%2FGUARDRAIL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nshkrdotcom%2FGUARDRAIL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nshkrdotcom%2FGUARDRAIL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nshkrdotcom%2FGUARDRAIL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nshkrdotcom","download_url":"https://codeload.github.com/nshkrdotcom/GUARDRAIL/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nshkrdotcom%2FGUARDRAIL/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28057668,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-26T02:00:06.189Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gateway","gateway-api","gateway-microservice","gateway-services","information-security","information-security-policies","mcp","mcp-client","mcp-host","mcp-server","mcp-servers","mcp-tools","protocol","protocol-specification","protocols","security","security-automation","security-tools","service-mesh"],"created_at":"2025-12-26T18:01:50.231Z","updated_at":"2025-12-26T18:01:51.408Z","avatar_url":"https://github.com/nshkrdotcom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# GUARDRAIL: 
Gateway for Unified Access, Resource Delegation, and Risk-Attenuating Information Limits\n\n## Executive Summary\n\nGUARDRAIL (Gateway for Unified Access, Resource Delegation, and Risk-Attenuating Information Limits) is a comprehensive security framework designed to protect Large Language Model (LLM) application ecosystems, particularly those built using the Model Context Protocol (MCP).  It addresses critical security vulnerabilities inherent in LLM applications, focusing on preventing data exfiltration, data infiltration, unauthorized access, and resource abuse. GUARDRAIL implements a multi-layered, defense-in-depth architecture based on zero-trust principles, providing robust protection without sacrificing performance or usability.\n\n## Project Status\n\nGUARDRAIL is currently in active development. This repository contains the architectural design, technical specifications, implementation documentation, and visual representations of the framework.  Production-ready code components will be released incrementally. This README serves as the central hub for understanding the project.\n\n## Table of Contents\n\n- [GUARDRAIL: Gateway for Unified Access, Resource Delegation, and Risk-Attenuating Information Limits](#guardrail-gateway-for-unified-access-resource-delegation-and-risk-attenuating-information-limits)\n  - [Executive Summary](#executive-summary)\n  - [Project Status](#project-status)\n  - [Table of Contents](#table-of-contents)\n  - [1. Introduction ](#1-introduction-)\n  - [2. Core Principles ](#2-core-principles-)\n  - [3. Architecture Overview ](#3-architecture-overview-)\n    - [3.1 Security Layers ](#31-security-layers-)\n    - [3.2 Deployment Models ](#32-deployment-models-)\n  - [4. Key Benefits ](#4-key-benefits-)\n  - [5. Integration with MCP ](#5-integration-with-mcp-)\n  - [6. 
New Innovations ](#6-new-innovations-)\n    - [6.1 Extensible Security Middleware (ESM) ](#61-extensible-security-middleware-esm-)\n    - [6.2 Dynamic Security Context (DSC) ](#62-dynamic-security-context-dsc-)\n    - [6.3 Mandatory Message Classification and Tagging (MMCT) ](#63-mandatory-message-classification-and-tagging-mmct-)\n    - [6.4 Lightweight Attestation Protocol (LAP) ](#64-lightweight-attestation-protocol-lap-)\n    - [6.5 Adaptive Resource Quotas (ARQ) ](#65-adaptive-resource-quotas-arq-)\n    - [6.6 Security Event Correlation and Reporting (SECR) ](#66-security-event-correlation-and-reporting-secr-)\n    - [6.7 Intelligent Threat Response System ](#67-intelligent-threat-response-system-)\n    - [6.8 Advanced Cryptographic Protection Suite ](#68-advanced-cryptographic-protection-suite-)\n    - [6.9 Comprehensive Supply Chain Security ](#69-comprehensive-supply-chain-security-)\n    - [6.10 Regulatory Compliance Framework ](#610-regulatory-compliance-framework-)\n    - [6.11 Distributed Identity and Access Management  ](#611-distributed-identity-and-access-management--)\n    - [6.12 Quantum-Ready Security Architecture ](#612-quantum-ready-security-architecture-)\n  - [7. Visualizations and Diagrams ](#7-visualizations-and-diagrams-)\n  - [8. Detailed Documentation ](#8-detailed-documentation-)\n  - [9. Emergency Response Framework ](#9-emergency-response-framework-)\n  - [10. 
New Directions: Practical and Incremental MCP Security ](#10-new-directions-practical-and-incremental-mcp-security-)\n    - [10.1 Phased Implementation Approach](#101-phased-implementation-approach)\n    - [10.2 Practical Security Innovations](#102-practical-security-innovations)\n    - [10.3 Extensible Security Middleware (ESM) ](#103-extensible-security-middleware-esm-)\n    - [10.4 Dynamic Security Context (DSC) ](#104-dynamic-security-context-dsc-)\n    - [10.5 Protocol-Level Security Annotations ](#105-protocol-level-security-annotations-)\n    - [10.6 Lightweight Attestation Protocol (LAP) ](#106-lightweight-attestation-protocol-lap-)\n    - [10.7 Adaptive Resource Quotas (ARQ) ](#107-adaptive-resource-quotas-arq-)\n    - [10.8 Security Event Correlation and Reporting (SECR) ](#108-security-event-correlation-and-reporting-secr-)\n  - [99. License ](#99-license-)\n\n## 1. Introduction \u003ca name=\"introduction\"\u003e\u003c/a\u003e\n\nLarge Language Models (LLMs) are rapidly transforming various industries, but their power and complexity introduce significant security risks.  The Model Context Protocol (MCP) aims to standardize communication between LLM applications and services, but its initial design lacks the robust security mechanisms necessary to protect sensitive data and prevent abuse. GUARDRAIL addresses these shortcomings by providing a comprehensive security framework specifically tailored for MCP and other LLM application ecosystems.\n\n## 2. Core Principles \u003ca name=\"core-principles\"\u003e\u003c/a\u003e\n\nGUARDRAIL is built on the following core principles:\n\n1.  **Information Flow Control:**  Strict policies govern the movement of information between security boundaries. This includes data classification, labeling, and fine-grained control over data access and propagation.  *Prevention of both exfiltration and infiltration is paramount.*\n\n2.  **Contextual Security:** Security decisions are made based on the *dynamic* execution context. 
 This includes continuous trust assessment and environment-aware policies.\n\n3.  **Transport-Agnostic Protection:** Security guarantees are provided *regardless* of the underlying transport mechanism used for communication.\n\n4.  **Least-Privilege Execution:**  All components and operations within the LLM application ecosystem operate with the *minimum* necessary permissions.  Privileges are granted just-in-time and automatically revoked when no longer needed.\n\n5.  **Zero Trust:** No component or user is inherently trusted.  Continuous verification and authentication are required at every interaction.\n\n## 3. Architecture Overview \u003ca name=\"architecture-overview\"\u003e\u003c/a\u003e\n\n### 3.1 Security Layers \u003ca name=\"security-layers\"\u003e\u003c/a\u003e\n\nGUARDRAIL implements a multi-layered architecture, with each layer providing a distinct set of security controls:\n\n```mermaid\nflowchart TB\n    subgraph \"MCP Client Environment\"\n        MC[MCP Client]\n    end\n    \n    subgraph \"GUARDRAIL\"\n        direction TB\n        IGL[Information Gateway Layer]\n        CVL[Context Verification Layer]\n        RCL[Request Control Layer]\n        ECL[Execution Containment Layer]\n        AML[Audit \u0026 Monitoring Layer]\n        \n        IGL --\u003e CVL\n        CVL --\u003e RCL\n        RCL --\u003e ECL\n        ECL --\u003e AML\n    end\n    \n    subgraph \"MCP Server Environment\"\n        MS[MCP Server]\n    end\n    \n    MC -- \"MCP Protocol\" --\u003e IGL\n    ECL -- \"Contained Execution\" --\u003e MS\n```\n\n*   **Information Gateway Layer (IGL):** The first line of defense, managing all information flows in and out of the system.  
It handles content classification, flow policy enforcement, and transport security.\n\n*   **Context Verification Layer (CVL):**  Establishes the trustworthiness of the execution environment through attestation, client/server verification, and policy discovery.\n\n*   **Request Control Layer (RCL):**  Implements fine-grained access control to resources and functions, using a capability-based model.  Includes request filtering, resource guarding, and action limiting.\n\n*   **Execution Containment Layer (ECL):**  Ensures that all code execution occurs within secure, isolated boundaries.  This includes memory isolation, resource quotas, and call chain tracking.\n\n*   **Audit and Monitoring Layer (AML):**  Provides comprehensive visibility into system operations and security events.  It logs all information flows, detects anomalies, and creates tamper-evident records.\n\n### 3.2 Deployment Models \u003ca name=\"deployment-models\"\u003e\u003c/a\u003e\n\nGUARDRAIL can be deployed in three primary configurations, offering flexibility to suit different infrastructure needs:\n\n1.  **Embedded Model:**  GUARDRAIL components are integrated directly into the host process (both client and server). This is suitable for standalone applications or development environments.\n\n2.  **Gateway Model:** GUARDRAIL operates as a standalone security gateway, mediating *all* MCP traffic between clients and servers.  This is ideal for enterprise deployments with strict security requirements.\n\n3.  **Service Mesh Model:** GUARDRAIL components are deployed as sidecars within a Kubernetes environment, providing distributed security with a centralized control plane.  
This is best suited for cloud-native and microservices architectures.\n\n```mermaid\nflowchart TB\n    subgraph \"Deployment Models\"\n        direction LR\n        \n        subgraph \"Embedded Model\"\n            direction TB\n            HC[Host Process]\n            \n            subgraph \"Client Side\"\n                MCC[MCP Client]\n                GC[GUARDRAIL Client Module]\n                \n                MCC --\u003e GC\n            end\n            \n            subgraph \"Server Side\"\n                MCS[MCP Server]\n                GS[GUARDRAIL Server Module]\n                \n                GS --\u003e MCS\n            end\n            \n            GC \u003c---\u003e GS\n        end\n        \n        subgraph \"Gateway Model\"\n            direction TB\n            CL[Client]\n            GW[GUARDRAIL Gateway]\n            SV[Server]\n            \n            CL \u003c---\u003e GW\n            GW \u003c---\u003e SV\n        end\n        \n        subgraph \"Service Mesh Model\"\n            direction TB\n            \n            subgraph \"Client Pod\"\n                CP[Client Container]\n                CS[GUARDRAIL Sidecar]\n                \n                CP \u003c---\u003e CS\n            end\n            \n            subgraph \"Server Pod\"\n                SP[Server Container]\n                SS[GUARDRAIL Sidecar]\n                \n                SS \u003c---\u003e SP\n            end\n            \n            subgraph \"Control Plane\"\n                PS[Policy Server]\n                IS[Identity Service]\n                AS[Audit Collector]\n            end\n            \n            CS \u003c---\u003e SS\n            CS \u003c-..-\u003e PS\n            CS \u003c-..-\u003e IS\n            CS \u003c-..-\u003e AS\n            SS \u003c-..-\u003e PS\n            SS \u003c-..-\u003e IS\n            SS \u003c-..-\u003e AS\n        end\n    end\n```\n\n## 4. 
Key Benefits \u003ca name=\"key-benefits\"\u003e\u003c/a\u003e\n\nGUARDRAIL provides the following key benefits:\n\n1.  **Complete Information Flow Control:** Prevents unauthorized data exfiltration and infiltration.  Enforces classification-based rules.\n\n2.  **Contextual Security Model:** Security adapts to the execution environment, with dynamic trust assessment and environment-aware policies.\n\n3.  **Preservation of MCP Functionality:**  Compatible with existing MCP implementations.  Minimal performance overhead.  Transparent to well-behaved applications.\n\n4.  **Defense Against Common Attack Vectors:** Protects against prompt injection, resource abuse, side-channel attacks, and other LLM-specific vulnerabilities.\n\n5.  **Comprehensive Audit Trail:** Provides complete visibility into information flows, enabling security investigations and compliance with data protection requirements.\n\n## 5. Integration with MCP \u003ca name=\"integration-with-mcp\"\u003e\u003c/a\u003e\n\nGUARDRAIL is designed for seamless integration with MCP.  It provides wrapper classes for both MCP Clients and Servers, adding security without requiring significant changes to existing application code.\n\n```typescript\n// Client Integration Example\nimport { Client } from \"@modelcontextprotocol/sdk/client\";\nimport { GuardrailClient } from \"@guardrail/sdk/client\";\n\n// Initialize standard MCP client\nconst mcpClient = new Client({\n  name: \"example-client\",\n  version: \"1.0.0\"\n});\n\n// Wrap with Guardrail protection\nconst client = new GuardrailClient(mcpClient, {\n  security: {\n    classification_level: \"INTERNAL\",\n    flow_policies: \"standard\",\n    attestation: true\n  }\n});\n\n// Normal MCP operations now protected by Guardrail\nawait client.connect(transport);\n```\n\n## 6. 
New Innovations \u003ca name=\"new-innovations\"\u003e\u003c/a\u003e\n\nBeyond the core architecture, GUARDRAIL incorporates several key innovations to enhance its effectiveness and adaptability:\n\n### 6.1 Extensible Security Middleware (ESM) \u003ca name=\"extensible-security-middleware-esm\"\u003e\u003c/a\u003e\nProvides a pluggable architecture within the Information Gateway Layer, allowing developers to add custom security modules.\n```mermaid\nflowchart LR\n    subgraph \"Information Gateway Layer\"\n        direction TB\n        PM[Plugin Manager]\n        \n        subgraph \"Security Plugins\"\n            SP1[Classification Plugin]\n            SP2[Flow Control Plugin]\n            SP3[Transformation Plugin]\n            SP4[Custom Security Plugins]\n        end\n        \n        PM --\u003e SP1\n        PM --\u003e SP2\n        PM --\u003e SP3\n        PM --\u003e SP4\n    end\n    \n    MC[MCP Client] -- \"Message\" --\u003e PM\n    SP4 -- \"Processed Message\" --\u003e MS[MCP Server]\n```\n\n### 6.2 Dynamic Security Context (DSC) \u003ca name=\"dynamic-security-context-dsc\"\u003e\u003c/a\u003e\n A shared, mutable object that holds security-relevant information for the current MCP connection, including a trust score, threat level, and attenuated capabilities.\n\n```mermaid\nsequenceDiagram\n    participant MC as MCP Client\n    participant TS as Trust Scoring System\n    participant CA as Context Analyzer\n    participant PM as Policy Manager\n    participant MS as MCP Server\n    \n    MC-\u003e\u003eTS: Connection Request\n    TS-\u003e\u003eTS: Initialize Trust Score\n    TS-\u003e\u003eCA: Evaluate Initial Context\n    CA-\u003e\u003ePM: Apply Baseline Policies\n    PM--\u003e\u003eMC: Capability Response\n    \n    loop Throughout Session\n        MC-\u003e\u003eTS: Request/Activity\n        TS-\u003e\u003eTS: Update Trust Score\n        TS-\u003e\u003eCA: Re-evaluate Context\n        \n        alt Degraded Trust\n            CA-\u003e\u003ePM: 
Adjust Active Policies\n            PM-\u003e\u003eMC: Attenuate Capabilities\n            PM-\u003e\u003eMS: Increase Monitoring\n        else Improved Trust\n            CA-\u003e\u003ePM: Relax Restrictions\n            PM-\u003e\u003eMC: Restore Capabilities\n        end\n    end\n```\n\n### 6.3 Mandatory Message Classification and Tagging (MMCT) \u003ca name=\"mandatory-message-classification-and-tagging-mmct\"\u003e\u003c/a\u003e\nRequires every MCP message to include a `security` field with classification, integrity, source, and sequence information.\n```mermaid\nflowchart TB\n    subgraph \"MCP Message\"\n        MSG[Message Content]\n        \n        subgraph \"Security Field\"\n            CL[Classification]\n            INT[Integrity Hash]\n            SRC[Source Identifier]\n            SEQ[Sequence Number]\n            TR[Transformation Record]\n        end\n    end\n    \n    MSG --- CL\n    MSG --- INT\n    MSG --- SRC\n    MSG --- SEQ\n    MSG --- TR\n    \n    CL --\u003e PL[Policy Enforcer]\n    INT --\u003e IV[Integrity Verifier]\n    SRC --\u003e SA[Source Authenticator]\n    SEQ --\u003e RA[Replay Attack Detector]\n    TR --\u003e TA[Transformation Auditor]\n```\n\n### 6.4 Lightweight Attestation Protocol (LAP) \u003ca name=\"lightweight-attestation-protocol-lap\"\u003e\u003c/a\u003e\nA simple protocol built on top of MCP for mutual attestation between client and server.\n```mermaid\nsequenceDiagram\n    participant Client as MCP Client\n    participant GCVL as GUARDRAIL Context Verification\n    participant GRCL as GUARDRAIL Request Control\n    participant Server as MCP Server\n    \n    Client-\u003e\u003eGCVL: Initialize Connection\n    GCVL-\u003e\u003eClient: Send Attestation Challenge\n    Client-\u003e\u003eGCVL: Submit Attestation Data\n    GCVL-\u003e\u003eGCVL: Validate Client Environment\n    \n    GCVL-\u003e\u003eServer: Request Server Attestation\n    Server-\u003e\u003eGCVL: Submit Server Attestation\n    GCVL-\u003e\u003eGCVL: 
Validate Server Environment\n    \n    alt Both Attestations Valid\n        GCVL-\u003e\u003eGRCL: Establish Trust Level\n        GRCL-\u003e\u003eClient: Complete Connection (with Trust Level)\n    else Attestation Failed\n        GCVL-\u003e\u003eClient: Terminate Connection\n        GCVL-\u003e\u003eServer: Log Attestation Failure\n    end\n    \n    loop Periodic Re-attestation\n        GCVL-\u003e\u003eClient: Re-attestation Challenge\n        Client-\u003e\u003eGCVL: Updated Attestation\n        GCVL-\u003e\u003eGCVL: Verify Consistency\n    end\n```\n\n### 6.5 Adaptive Resource Quotas (ARQ) \u003ca name=\"adaptive-resource-quotas-arq\"\u003e\u003c/a\u003e\nDynamically adjusts resource quotas (CPU, memory, network) based on the DSC's trust score and threat level.\n```mermaid\nflowchart TB\n    subgraph \"Execution Containment Layer\"\n        TS[Trust Score] --\u003e QE[Quota Engine]\n        TL[Threat Level] --\u003e QE\n        \n        QE --\u003e CPU[CPU Quotas]\n        QE --\u003e MEM[Memory Quotas]\n        QE --\u003e NET[Network Quotas]\n        QE --\u003e OPS[Operations Quotas]\n        \n        subgraph \"Resource Monitoring\"\n            RM[Resource Monitor]\n            RM --\u003e CPU\n            RM --\u003e MEM\n            RM --\u003e NET\n            RM --\u003e OPS\n        end\n        \n        subgraph \"Enforcement Actions\"\n            CPU --\u003e THR[Throttling]\n            MEM --\u003e LIM[Limitations]\n            NET --\u003e BW[Bandwidth Control]\n            OPS --\u003e RL[Rate Limiting]\n        end\n    end\n```\n\n### 6.6 Security Event Correlation and Reporting (SECR) \u003ca name=\"security-event-correlation-and-reporting-secr\"\u003e\u003c/a\u003e\nBuilds a security-focused event system on top of MCP notifications, allowing for sophisticated monitoring and incident response.\n\n```mermaid\nflowchart TB\n    subgraph \"GUARDRAIL Layers\"\n        IGL[Information Gateway Layer]\n        CVL[Context Verification 
Layer]\n        RCL[Request Control Layer]\n        ECL[Execution Containment Layer]\n    end\n    \n    IGL --\u003e ES[Event Stream]\n    CVL --\u003e ES\n    RCL --\u003e ES\n    ECL --\u003e ES\n    \n    subgraph \"Security Analytics Engine\"\n        ES --\u003e EF[Event Filtering]\n        EF --\u003e EP[Event Processing]\n        EP --\u003e CE[Correlation Engine]\n        CE --\u003e AP[Anomaly Processor]\n        AP --\u003e AR[Alert Router]\n    end\n    \n    AR --\u003e RT[Real-time Dashboard]\n    AR --\u003e SIEM[External SIEM]\n    AR --\u003e IR[Incident Response]\n```\n\n### 6.7 Intelligent Threat Response System \u003ca name=\"intelligent-threat-response-system\"\u003e\u003c/a\u003e\nCombines threat intelligence, behavioral analysis, and automated incident response.\n\n```mermaid\nflowchart TB\n    subgraph \"Intelligent Threat Response System\"\n        direction TB\n        \n        subgraph \"Data Collection\"\n            AL[Audit Logs]\n            TI[Threat Intelligence Feeds]\n            BA[Behavioral Analytics]\n        end\n        \n        subgraph \"Analysis Engine\"\n            ML[Machine Learning Models]\n            CB[Correlation Engine]\n            RA[Risk Assessment]\n        end\n        \n        subgraph \"Response Orchestration\"\n            PB[Playbook Manager]\n            AM[Automated Mitigations]\n            HR[Human Review Interface]\n        end\n        \n        AL --\u003e ML\n        TI --\u003e ML\n        BA --\u003e ML\n        \n        ML --\u003e CB\n        CB --\u003e RA\n        \n        RA --\u003e PB\n        PB --\u003e AM\n        PB --\u003e HR\n    end\n    \n    AM --\u003e|\"Containment Actions\"| ECL[Execution Containment Layer]\n    AM --\u003e|\"Flow Restrictions\"| IGL[Information Gateway Layer]\n    AM --\u003e|\"Capability Revocation\"| RCL[Request Control Layer]\n    HR --\u003e|\"Analyst Decisions\"| AM\n```\n\n### 6.8 Advanced Cryptographic Protection Suite \u003ca 
name=\"advanced-cryptographic-protection-suite\"\u003e\u003c/a\u003e\nIncorporates homomorphic encryption, zero-knowledge proofs, secure multi-party computation, and quantum-safe cryptography.\n\n```mermaid\nsequenceDiagram\n    participant Client as MCP Client\n    participant IGL as Information Gateway Layer\n    participant HE as Homomorphic Engine\n    participant ZKP as Zero-Knowledge Processor\n    participant SMPC as Secure Multi-Party Computation\n    participant Server as MCP Server\n    \n    Client-\u003e\u003eIGL: Request with sensitive data\n    IGL-\u003e\u003eIGL: Classify data sensitivity\n    \n    alt Requires computation privacy\n        IGL-\u003e\u003eHE: Encrypt data homomorphically\n        HE-\u003e\u003eServer: Process encrypted data\n        Server-\u003e\u003eHE: Return encrypted result\n        HE-\u003e\u003eIGL: Decrypt result\n        IGL-\u003e\u003eClient: Return protected result\n        \n    else Requires verification without disclosure\n        IGL-\u003e\u003eZKP: Generate proof\n        ZKP-\u003e\u003eServer: Submit proof without data\n        Server-\u003e\u003eZKP: Verify proof validity\n        ZKP-\u003e\u003eIGL: Confirmation of verification\n        IGL-\u003e\u003eClient: Return verified result\n        \n    else Requires distributed computation\n        IGL-\u003e\u003eSMPC: Distribute computation shares\n        SMPC-\u003e\u003eServer: Process partial computations\n        Server-\u003e\u003eSMPC: Return partial results\n        SMPC-\u003e\u003eIGL: Recombine results securely\n        IGL-\u003e\u003eClient: Return combined result\n    end\n```\n### 6.9 Comprehensive Supply Chain Security \u003ca name=\"comprehensive-supply-chain-security\"\u003e\u003c/a\u003e\nCombines supply chain security, container security, and network segmentation.\n```mermaid\nflowchart TB\n    subgraph \"Supply Chain Security\"\n        direction TB\n        \n        subgraph \"Code Security\"\n            SC[Source Code Verification]\n   
         DS[Dependency Scanning]\n            CS[Code Signing]\n        end\n        \n        subgraph \"Build Pipeline\"\n            SB[Secure Build Process]\n            VI[Vulnerability Inspection]\n            IA[Image Attestation]\n        end\n        \n        subgraph \"Runtime Protection\"\n            IM[Immutable Infrastructure]\n            RS[Runtime Scanning]\n            IR[Integrity Monitoring]\n        end\n        \n        SC --\u003e SB\n        DS --\u003e SB\n        CS --\u003e SB\n        \n        SB --\u003e VI\n        VI --\u003e IA\n        \n        IA --\u003e IM\n        IM --\u003e RS\n        RS --\u003e IR\n    end\n    \n    subgraph \"Network Controls\"\n        NS[Network Segmentation]\n        MP[Micro-Perimeters]\n        ZT[Zero-Trust Enforcement]\n    end\n    \n    IR --\u003e NS\n    NS --\u003e MP\n    MP --\u003e ZT\n    \n    ZT --\u003e GUARDRAIL[GUARDRAIL Deployment]\n```\n\n### 6.10 Regulatory Compliance Framework \u003ca name=\"regulatory-compliance-framework\"\u003e\u003c/a\u003e\n Integrates compliance features, data loss prevention, and backup/recovery.\n```mermaid\nflowchart TB\n    subgraph \"Regulatory Compliance Framework\"\n        direction TB\n        \n        subgraph \"Policy Management\"\n            RM[Regulatory Mapping]\n            PS[Policy Sets]\n            CV[Compliance Verification]\n        end\n        \n        subgraph \"Data Protection\"\n            DLP[Data Loss Prevention]\n            WM[Watermarking \u0026 Tracking]\n            BAR[Backup \u0026 Archiving]\n        end\n        \n        subgraph \"Reporting\"\n            AD[Audit Dashboards]\n            CR[Compliance Reports]\n            EA[Evidence Archive]\n        end\n        \n        RM --\u003e PS\n        PS --\u003e CV\n        \n        CV --\u003e DLP\n        DLP --\u003e WM\n        WM --\u003e BAR\n        \n        CV --\u003e AD\n        BAR --\u003e CR\n        CR --\u003e EA\n    end\n    \n    PS 
--\u003e|\"Security Policies\"| IGL[Information Gateway Layer]\n    DLP --\u003e|\"Content Controls\"| IGL\n    WM --\u003e|\"Tracking\"| AML[Audit \u0026 Monitoring Layer]\n    BAR --\u003e|\"Data Protection\"| AML\n    AD --\u003e|\"Visibility\"| AML\n```\n\n### 6.11 Distributed Identity and Access Management  \u003ca name=\"distributed-identity-and-access-management\"\u003e\u003c/a\u003e\nCombines decentralized identity, API security, and dynamic trust assessment.\n\n```mermaid\nflowchart TB\n    subgraph \"Distributed Identity Framework\"\n        direction TB\n        \n        subgraph \"Identity Sources\"\n            WDI[W3C Decentralized IDs]\n            VA[Verifiable Attributes]\n            VC[Verifiable Credentials]\n        end\n        \n        subgraph \"Trust Establishment\"\n            VP[Verification Protocols]\n            TS[Trust Scoring]\n            CR[Credential Repository]\n        end\n        \n        subgraph \"Access Management\"\n            API[API Security Controls]\n            GAC[Granular Access Control]\n            CAT[Contextual Authentication]\n        end\n        \n        WDI --\u003e VP\n        VA --\u003e VP\n        VC --\u003e VP\n        \n        VP --\u003e TS\n        TS --\u003e CR\n        \n        CR --\u003e API\n        CR --\u003e GAC\n        TS --\u003e CAT\n    end\n    \n    CAT --\u003e CVL[Context Verification Layer]\n    GAC --\u003e RCL[Request Control Layer]\n    API --\u003e IGL[Information Gateway Layer]\n```\n\n### 6.12 Quantum-Ready Security Architecture \u003ca name=\"quantum-ready-security-architecture\"\u003e\u003c/a\u003e\nPrepares GUARDRAIL for the post-quantum era.\n```mermaid\nflowchart TB\n    subgraph \"Quantum-Ready Security Architecture\"\n        direction TB\n        \n        subgraph \"Cryptographic Transition\"\n            CA[Crypto Agility]\n            DP[Dual-Path Processing]\n            QC[Quantum-Safe Cryptography]\n        end\n        \n        subgraph \"Key 
Management\"\n            KT[Key Type Diversity]\n            KR[Key Rotation Automation]\n            HC[Hybrid Cryptosystems]\n        end\n        \n        subgraph \"Future Proofing\"\n            CM[Cryptographic Monitoring]\n            AE[Algorithm Evolution]\n            SE[Security Estimation]\n        end\n        \n        CA --\u003e DP\n        DP --\u003e QC\n        \n        CA --\u003e KT\n        KT --\u003e KR\n        KR --\u003e HC\n        \n        QC --\u003e CM\n        CM --\u003e AE\n        AE --\u003e SE\n    end\n    \n    CA --\u003e|\"Transport Security\"| IGL[Information Gateway Layer]\n    HC --\u003e|\"Signature Verification\"| CVL[Context Verification Layer]\n    QC --\u003e|\"Capability Protection\"| RCL[Request Control Layer]\n    CM --\u003e|\"Crypto Health Monitoring\"| AML[Audit \u0026 Monitoring Layer]\n```\n\n## 7. Visualizations and Diagrams \u003ca name=\"visualizations-and-diagrams\"\u003e\u003c/a\u003e\n\nThe following diagrams provide visual representations of GUARDRAIL's architecture, deployment models, and internal components:\n\n- **Embedded Deployment Model:**\n  ![Embedded Deployment Model](svgImages/3-EmbeddedDeploymentModel.png)\n\n- **Gateway Deployment Model:**\n  ![Gateway Deployment Model](svgImages/4-GatewayDeploymentModel.png)\n\n- **Service Mesh Deployment Model:**\n  ![Service Mesh Deployment Model](svgImages/5-ServiceMeshDeploymentModel.png)\n\n- **Gateway - Internal Architecture:**\n  ![Gateway - Internal Architecture](svgImages/6-Gateway-InternalArchitecture.png)\n\n- **Gateway - 19\" Rack Appliance:**\n  ![Gateway - 19\" Rack Appliance](svgImages/10-Gateway-RackAppliance.png)\n\n- **Gateway - Data Flow Architecture:**\n  ![Gateway - Data Flow Architecture](svgImages/11-Gateway-DataFlowArchitecture.png)\n\n- **Service Mesh - Containerized Architecture:**\n  ![Service Mesh - Containerized Architecture](svgImages/12-ServiceMesh-ContainerizedArchitecture.png)\n\n- **Service Mesh Sidecar - Internal 
Architecture:**\n  ![Service Mesh Sidecar - Internal Architecture](svgImages/13-ServiceMesh-Sidecar-InternalArchitecture.png)\n\n- **Service Mesh - Control Plane Architecture:**\n  ![Service Mesh - Control Plane Architecture](svgImages/14-ServiceMesh-ControlPlaneArchitcture.png)\n\n## 8. Detailed Documentation \u003ca name=\"detailed-documentation\"\u003e\u003c/a\u003e\n\nFor a deeper understanding of GUARDRAIL, refer to the following documents:\n\n*   [**Technical Specification (2-technical-spec.md)**](./2-technical-spec.md):  Provides a comprehensive technical description of all GUARDRAIL components, configurations, and protocols.\n*   [**Architecture Diagrams (6-diags-mermaid.md)**](./6-diags-mermaid.md): Contains Mermaid diagrams illustrating various aspects of the GUARDRAIL architecture and workflows.\n\n## 9. Emergency Response Framework \u003ca name=\"emergency-response-framework\"\u003e\u003c/a\u003e\n\nGUARDRAIL incorporates an Emergency Response Framework providing comprehensive procedures to detect, respond to, and recover from security incidents. For more information, see [Emergency Response Framework](./SHIELD-7-emergency-response-framework.md).\n\n## 10. New Directions: Practical and Incremental MCP Security \u003ca name=\"new-directions\"\u003e\u003c/a\u003e\n\nWhile the innovations in Section 6 provide a comprehensive, long-term vision for GUARDRAIL, practical considerations for the Model Context Protocol (MCP) ecosystem call for a more incremental and adaptable approach to security.  This section outlines a series of practical innovations that can be implemented *independently* and *progressively*, allowing MCP deployments to enhance their security posture without the overhead of the full GUARDRAIL framework.  These innovations prioritize ease of adoption, performance, and compatibility with existing MCP implementations.  
They build towards a more secure MCP ecosystem in a modular fashion, allowing developers to choose the components that best suit their current needs and resources.\n\n### 10.1 Phased Implementation Approach\n\nWe recommend a four-phase implementation strategy:\n\n1. **Secure Server Foundation:** Focus on building security directly into MCP server implementations with automated configuration hardening, context-aware input validation, and least-privilege execution sandboxing.\n\n2. **Protocol-Level Security:** Enhance the MCP protocol with capability-based security tokens, federated identity with attestation, and graduated encryption options.\n\n3. **Plugin Ecosystem:** Develop a standard plugin interface allowing developers to add security modules as needed, supported by a security plugin certification program.\n\n4. **Enhanced GUARDRAIL:** Position a refined version of the full GUARDRAIL architecture for organizations with high-security requirements in regulated industries.\n\n### 10.2 Practical Security Innovations\n\nThese lightweight innovations can be implemented incrementally:\n\n- **Extensible Security Middleware (ESM):** A pluggable middleware layer with a standardized interface for security modules that can be selectively incorporated into MCP implementations.\n\n- **Dynamic Security Context (DSC):** A shared, mutable object that tracks security states across an MCP connection, including a \"trust score\" that adapts based on observed behavior.\n\n- **Protocol-Level Security Annotations:** Standard security metadata fields for MCP messages including classification labels and integrity verification without redesigning the protocol.\n\n- **Lightweight Attestation Protocol (LAP):** A simplified challenge-response verification process for mutual validation of MCP endpoints.\n\n- **Adaptive Resource Quotas (ARQ):** Dynamic resource limitations that adjust based on trust score and observed behavior.\n\n- **Security Event Correlation and Reporting (SECR):** A 
standardized event system for security monitoring that enables sophisticated analysis and incident response.\n\nThese practical innovations provide immediate security benefits while allowing for incremental adoption, making them suitable for a wider range of MCP implementations than the full GUARDRAIL architecture.\n\n### 10.3 Extensible Security Middleware (ESM) \u003ca name=\"esm-new\"\u003e\u003c/a\u003e\n\nThe ESM provides a pluggable architecture *within* MCP client and server implementations, allowing for customized security processing of MCP messages.  It sits between the MCP protocol layer and the transport layer, intercepting messages for validation, transformation, and other security operations.\n\n```mermaid\nflowchart LR\n    subgraph \"MCP Client/Server\"\n        direction TB\n        MP[MCP Protocol Layer]\n        ESM[Extensible Security Middleware]\n        TL[Transport Layer]\n\n        MP -- \"MCP Message\" --\u003e ESM\n        ESM -- \"Processed Message\" --\u003e TL\n    end\n\n    subgraph \"ESM Internals\"\n        direction TB\n        PM[Plugin Manager]\n        subgraph \"Security Plugins\"\n            SP1[Validation Plugin]\n            SP2[Classification Plugin]\n            SP3[Encryption Plugin]\n            SP4[Custom Plugins...]\n        end\n        PM --\u003e SP1\n        PM --\u003e SP2\n        PM --\u003e SP3\n        PM --\u003e SP4\n    end\n    MC[MCP Client/Server] -- \"Config\" --\u003e PM\n```\n\n*   **Key Features:**\n    *   **Pluggable Modules:**  Security functions are implemented as independent modules that conform to a standard interface (e.g., `validate`, `transform`, `preSend`, `postReceive`).  Because a module sees every message, the plugin manager should load only modules from an allow-list pinned by hash or signature in the configuration.\n    *   **Module Chaining:** Modules can be chained together in a configurable sequence, allowing for complex security workflows.  Order matters: decryption and integrity verification must run before validation and classification, so that those modules inspect plaintext that has already been authenticated.\n    *   **Asynchronous Operation:**  Middleware operations are asynchronous to avoid blocking the main MCP thread.\n    *   **Context-Aware:**  Modules have access to the MCP 
context (client/server IDs, capabilities, etc.) and the Dynamic Security Context (see below).\n    *   **Policy-Driven:**  Module behavior is controlled by declarative policies (e.g., JSON-based) that can be updated dynamically.\n\n*   **Benefits:**\n    *   **Flexibility:**  Allows organizations to tailor security to their specific needs.\n    *   **Extensibility:**  New security features can be added easily without modifying core MCP code.\n    *   **Performance:**  Only necessary modules are loaded and executed.\n    *   **Testability:**  Individual modules and chains can be thoroughly tested in isolation.\n\n### 10.4 Dynamic Security Context (DSC) \u003ca name=\"dsc-new\"\u003e\u003c/a\u003e\n\nThe DSC is a *shared, mutable* object that maintains security-relevant information about an MCP connection.  It enables *adaptive security* by dynamically adjusting access controls and security policies based on observed behavior and environmental factors.\n\n```mermaid\nsequenceDiagram\n    participant Client as MCP Client\n    participant Server as MCP Server\n    participant DSC as Dynamic Security Context\n    participant ESM as Extensible Security Middleware\n\n    Client-\u003e\u003eServer: MCP Request\n    activate Server\n    Server-\u003e\u003eDSC: Get Initial DSC (Trust Score, etc.)\n    activate DSC\n    DSC--\u003e\u003eServer: Initial DSC Data\n    deactivate DSC\n    Server-\u003e\u003eESM: Process Request (Pre-Processing)\n    activate ESM\n\n    loop Security Checks\n        ESM-\u003e\u003eDSC: Update DSC (e.g., Trust Score)\n        activate DSC\n        DSC--\u003e\u003eESM: Updated DSC Data\n        deactivate DSC\n        ESM-\u003e\u003eESM: Apply Policies based on DSC\n    end\n    \n    ESM--\u003e\u003eServer: Modified MCP Request\n    deactivate ESM\n\n    Server-\u003e\u003eServer: Process Request (Application Logic)\n\n    Server-\u003e\u003eESM: Process Response (Post-Processing)\n    activate ESM\n      loop Security Checks\n        
ESM-\u003e\u003eDSC: Update DSC (e.g., Audit Event)\n        activate DSC\n        DSC--\u003e\u003eESM: Updated DSC Data\n        deactivate DSC\n        ESM-\u003e\u003eESM: Apply Policies based on DSC\n    end\n    ESM--\u003e\u003eServer: Modified MCP Response\n\n    Server-\u003e\u003eClient: MCP Response\n    deactivate Server\n```\n\n*   **Key Features:**\n    *   **Trust Score:**  A numerical representation of the trustworthiness of the client/server, adjusted based on events (e.g., successful authentication increases the score, security violations decrease it).\n    *   **Threat Level:** A categorical indicator of the current risk level (e.g., \"low,\" \"medium,\" \"high,\" \"critical\").\n    *   **Capability Attenuation:**  The capabilities initially granted to a client/server can be dynamically restricted based on the trust score and threat level.  Attenuation only narrows: a recovering trust score restores capabilities up to the originally granted set and never adds new ones.\n    *   **Session Data:**  Securely stores session-specific information, such as encryption keys.\n    *   **Event History:**  Maintains a limited history of security-relevant events for auditing and decision-making.\n    *   **Local Authority:**  The DSC is written only by the local ESM and the endpoint's own observations.  The remote peer must never be able to set its own trust score or threat level; a value the peer controls is not evidence of trust, so anything a peer reports about itself is recorded as a claim, not as state.\n\n*   **Benefits:**\n    *   **Adaptive Security:** Enables real-time adjustments to security posture.\n    *   **Zero-Trust Foundation:**  Continuously verifies trust rather than assuming it.\n    *   **Fine-Grained Control:** Allows for nuanced responses to security events.\n    *   **Improved Resilience:**  Limits the impact of compromised components.\n\n### 10.5 Protocol-Level Security Annotations \u003ca name=\"protocol-security\"\u003e\u003c/a\u003e\n\nThis innovation introduces *optional* security metadata fields *within* the MCP message structure itself, providing standardized information for security processing.  
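
The following Python is an added worked example, not code from the GUARDRAIL project. It shows one way a sender attaches the `security` object described in this section and a receiver checks it: the classification allow-list, an integrity value computed as an HMAC under a session key, and a per-sender sequence high-water mark that rejects replays. The `hmac-sha256:` prefix, the canonical form (compact JSON with sorted keys), and the session key are assumptions of this example. It goes beyond the page's wording in one respect: the integrity value covers the other `security` members as well as the body, so that `source` and `sequence` are authenticated rather than freely editable.

```python
import copy
import hashlib
import hmac
import json

# Classification labels listed in this section.
CLASSIFICATIONS = ("PUBLIC", "INTERNAL", "SENSITIVE", "RESTRICTED")


def canonical_payload(msg):
    """Bytes covered by `integrity`: the whole message except the `integrity`
    value itself, serialised as compact JSON with sorted keys (an assumed
    canonical form; both ends must agree on it). Covering the other
    `security` members is a deliberate departure from hashing only the body,
    so `source` and `sequence` cannot be altered unnoticed."""
    body = {k: v for k, v in msg.items() if k != "security"}
    sec = {k: v for k, v in msg.get("security", {}).items() if k != "integrity"}
    if sec:
        body["security"] = sec
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_value(payload, key):
    """`hmac-sha256:<hex>` with a shared session key (prefix assumed here),
    otherwise the page's `sha256:<hex>`. A bare hash only detects accidental
    corruption: whoever can rewrite `params` can recompute it."""
    if key is not None:
        return "hmac-sha256:" + hmac.new(key, payload, hashlib.sha256).hexdigest()
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def annotate(msg, *, source, sequence, classification="INTERNAL",
             key=None, transformations=None):
    """Return a copy of `msg` carrying a `security` annotation object."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    out = copy.deepcopy(msg)
    sec = {"classification": classification, "source": source, "sequence": sequence}
    if transformations:
        sec["transformations"] = list(transformations)
    out["security"] = sec
    sec["integrity"] = integrity_value(canonical_payload(out), key)
    return out


class AnnotationVerifier:
    """Receiver-side checks: classification, integrity, then per-source
    sequence. Keeps a high-water mark per `source` to reject replays."""

    def __init__(self, key=None, require_annotations=False):
        self.key = key
        self.require_annotations = require_annotations
        self.last_seq = {}

    def verify(self, msg):
        sec = msg.get("security")
        if sec is None:
            # Annotations are optional in the protocol; connection policy
            # decides whether unannotated traffic is acceptable.
            return (not self.require_annotations, "no annotations")
        if sec.get("classification") not in CLASSIFICATIONS:
            return (False, "unknown classification")
        expected = integrity_value(canonical_payload(msg), self.key)
        # Constant-time compare. A keyed verifier also rejects a bare
        # `sha256:` value, which closes the downgrade path.
        got = str(sec.get("integrity", "")).encode("utf-8")
        if not hmac.compare_digest(got, expected.encode("utf-8")):
            return (False, "integrity mismatch")
        source, seq = sec.get("source"), sec.get("sequence")
        if not isinstance(source, str) or not isinstance(seq, int):
            return (False, "malformed source/sequence")
        if seq <= self.last_seq.get(source, -1):
            return (False, "replayed or out-of-order sequence")
        self.last_seq[source] = seq
        return (True, "ok")


# Constructed sample input, mirroring the JSON-RPC message in this section.
SESSION_KEY = b"session-key-held-in-the-DSC"   # constructed, not a real key
REQUEST = {"jsonrpc": "2.0", "method": "someMethod",
           "params": {"data": "..."}, "id": 1}


def demo():
    """Accept a fresh message, then reject a replay, a body edit, and a
    replay with a bumped sequence number."""
    verifier = AnnotationVerifier(SESSION_KEY)
    signed = annotate(REQUEST, source="client:123", sequence=42, key=SESSION_KEY)
    fresh = verifier.verify(signed)
    replay = verifier.verify(signed)
    edited = copy.deepcopy(signed)
    edited["params"]["data"] = "rm -rf /"          # body changed, annotation kept
    bumped = copy.deepcopy(signed)
    bumped["security"]["sequence"] = 43             # would pass if unauthenticated
    return fresh, replay, verifier.verify(edited), verifier.verify(bumped)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run it directly to see the four outcomes. The replay with a bumped sequence number fails on integrity rather than on the sequence check, which is the reason for covering the `security` members. An unkeyed `sha256:` value still detects corruption between two endpoints that have no shared key, but a keyed verifier rejects it, so a peer cannot downgrade to the weaker form.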
These annotations are *not* a replacement for transport-layer security (such as TLS); they complement it.\n\n```jsonc\n{\n  \"jsonrpc\": \"2.0\",\n  \"method\": \"someMethod\",\n  \"params\": {\n    \"data\": \"...\"\n  },\n  \"security\": { // OPTIONAL security metadata\n    \"classification\": \"INTERNAL\", // PUBLIC, INTERNAL, SENSITIVE, RESTRICTED\n    \"integrity\": \"sha256:...\",  // Hash or HMAC over the message and the other 'security' members\n    \"source\": \"client:123\",       // Identifier of the sender\n    \"sequence\": 42,              // Monotonically increasing sequence number (per sender)\n    \"transformations\": [        // OPTIONAL array of applied transformations\n        \"redacted:pii\"\n    ]\n  },\n  \"id\": 1\n}\n```\n\nJSON-RPC 2.0 defines no additional top-level members, so strict parsers may reject a message that carries `security`; check the implementations you need to interoperate with before relying on it.\n\n*   **Key Features:**\n    *   **`classification`:**  Indicates the sensitivity level of the message content and informs data handling policies.\n    *   **`integrity`:**  A cryptographic hash or, preferably, an HMAC or signature over the message content and the other `security` members, allowing recipients to verify that the message has not been tampered with.  A bare hash only detects accidental corruption, because whoever can alter the message can recompute it; tamper detection needs a key the attacker does not hold, such as a session key kept in the DSC.  If the value covered only the body, `source` and `sequence` would be unauthenticated and a captured message could be replayed with a higher sequence number.\n    *   **`source`:**  Identifies the sender of the message (client or server).\n    *   **`sequence`:**  A monotonically increasing sequence number (per sender).  The receiver keeps a per-sender high-water mark and rejects anything at or below it, which defeats replay only when `sequence` is covered by `integrity`.\n    *   **`transformations` (optional):** An array of strings describing any transformations that have been applied to the message content by ESM modules (e.g., \"redacted:pii\", \"encrypted:aes256\").\n\n*   **Benefits:**\n    *   **Increased Transparency:** Makes security-relevant information explicit within the protocol.\n    *   **Simplified Security Processing:** ESM modules can easily access and act upon the security annotations.\n    *   **Improved Interoperability:** Provides a standard way to communicate security metadata between different MCP implementations.\n    *   **Defense in Depth:** Complements transport-layer security by providing message-level protection.\n\n### 10.6 Lightweight Attestation Protocol (LAP) 
\u003ca name=\"lap-new\"\u003e\u003c/a\u003e\n\nLAP provides a mechanism for MCP clients and servers to *verify each other's identity and environment integrity* before establishing a secure connection.  It is a simplified attestation protocol built on top of MCP, using custom message types.\n\n```mermaid\nsequenceDiagram\n    participant Client as \"MCP Client\"\n    participant Server as \"MCP Server\"\n\n    Client-\u003e\u003eServer: initialize Request + client_nonce\n    Server--\u003e\u003eClient: initialize Response + attestation_challenge (nonce)\n\n    Client-\u003e\u003eServer: attest_client Request {\u003cbr\u003e    os: \"...\",\u003cbr\u003e    mcp_sdk_version: \"...\",\u003cbr\u003e    esm_modules: [...],\u003cbr\u003e    signature: \"...\", // Signature over the above data + nonce\u003cbr\u003e    nonce: \"...\" // Server's nonce\u003cbr\u003e}\n    Server-\u003e\u003eServer: Verify client attestation\n\n    Server-\u003e\u003eClient: attest_server Response {\u003cbr\u003e    os: \"...\",\u003cbr\u003e    mcp_sdk_version: \"...\",\u003cbr\u003e    esm_modules: [...],\u003cbr\u003e    signature: \"...\", // Signature over the above data + client_nonce\u003cbr\u003e    client_nonce: \"...\" // Client's nonce\u003cbr\u003e}\n\n    Client-\u003e\u003eClient: Verify server attestation\n```\n\n*   **Key Features:**\n    *   **Mutual Attestation:** Both the client and server verify each other's integrity.\n    *   **Challenge-Response:** Each side issues a fresh, unpredictable nonce, the peer signs it together with its attestation data, and a nonce is accepted only once, so a captured attestation cannot be replayed.\n    *   **Environment Information:** Exchanges information about the operating system, MCP SDK version, and loaded ESM modules.\n    *   **Cryptographic Signatures:** Uses digital signatures to ensure the authenticity of the attestation data.  The signing key must be bound to the identity established for the connection (for example, the peer's TLS certificate); otherwise an attestation produced on one host can be relayed by another.\n    *   **Self-Reported Claims:** The signature proves possession of the key, not the truth of the `os`, `mcp_sdk_version`, or `esm_modules` values.  Without a hardware root of trust (TPM or TEE measurements) a compromised endpoint can sign a clean-looking report, so a passed attestation is one input to the trust score, not proof of integrity.\n    *   **Periodic Re-attestation:**  Attestation can be performed periodically to detect changes in the environment.\n    *   **Trust Score Integration:** Attestation results feed the trust score held in the DSC.\n\n*   **Benefits:**\n    *   **Enhanced Trust:**  Establishes a higher level of 
confidence in the communicating parties.\n    *   **Reduced Attack Surface:**  Helps prevent connections to compromised or malicious clients/servers.\n    *   **Improved Security Posture:**  Provides a foundation for stronger security policies.\n    *   **Relatively Lightweight:** Compared to hardware-based attestation, LAP is easier to implement and deploy.\n\n### 10.7 Adaptive Resource Quotas (ARQ) \u003ca name=\"arq-new\"\u003e\u003c/a\u003e\n\nARQ allows MCP servers to *dynamically adjust resource quotas* (CPU, memory, network bandwidth, requests per second) for each client, based on the client's trust score (from the DSC) and the overall threat level.\n\n```mermaid\nflowchart LR\n    subgraph \"MCP Server\"\n        DSC[Dynamic Security Context]\n        RQ[Resource Quota Manager]\n        RM[Resource Monitor]\n        MC[MCP Client]\n\n        DSC -- \"Trust Score \u0026 Threat Level\" --\u003e RQ\n        MC -- \"Resource Usage\" --\u003e RM\n        RM -- \"Current Usage\" --\u003e RQ\n        RQ -- \"Quota Limits\" --\u003e MC\n        MC -- \"MCP Requests\" --\u003e MS[MCP Server Logic]\n        RQ --\"Enforce Limits\"--\u003e MS\n    end\n```\n\n*   **Key Features:**\n    *   **Baseline Quotas:**  Each resource has a default quota.\n    *   **Dynamic Adjustment:**  Quotas are adjusted in real-time based on the DSC.\n    *   **Per-Client Quotas:**  Quotas are tracked and enforced individually for each connected client.\n    *   **Graduated Enforcement:**  Instead of simply blocking requests, ARQ can use techniques like throttling and rate limiting.\n    *   **Feedback to Clients:**  Clients can be informed about their current quota limits and usage.\n\n*   **Benefits:**\n    *   **Resource Protection:**  Prevents denial-of-service attacks and resource exhaustion.\n    *   **Adaptive Security:**  Tightens resource restrictions when threats are detected.\n    *   **Fairness:**  Ensures that well-behaved clients are not impacted by malicious ones.\n    *   
**Improved Stability:**  Protects the overall stability of the MCP server.\n\n### 10.8 Security Event Correlation and Reporting (SECR) \u003ca name=\"secr-new\"\u003e\u003c/a\u003e\n\nSECR builds upon MCP's notification system to create a comprehensive security event reporting and analysis framework.  Events that arrive from the remote peer over MCP notifications are untrusted input: they should be schema-validated and attributed to that peer rather than merged with the local endpoint's own observations.\n\n```mermaid\nflowchart TB\n    subgraph \"MCP Client/Server\"\n        ESM[Extensible Security Middleware]\n        DSC[Dynamic Security Context]\n        ARQ[Adaptive Resource Quotas]\n        LAP[Lightweight Attestation Protocol]\n\n        ESM -- \"Security Events\" --\u003e SECR[Security Event Correlation \u0026 Reporting]\n        DSC -- \"Security Events\" --\u003e SECR\n        ARQ -- \"Security Events\" --\u003e SECR\n        LAP -- \"Security Events\" --\u003e SECR\n    end\n\n    subgraph \"External Systems\"\n        SIEM[SIEM/SOAR]\n        DB[(Security Event Database)]\n        AA[Alerting \u0026 Analytics]\n    end\n\n    SECR -- \"Filtered Events\" --\u003e SIEM\n    SECR -- \"Aggregated Events\" --\u003e DB\n    SECR -- \"Correlated Events \u0026 Alerts\" --\u003e AA\n```\n\n*   **Key Features:**\n    *   **Standardized Event Formats:** Defines a common schema for security events generated by different components (ESM modules, DSC, ARQ, LAP).  
Examples: `event.security.authentication.failed`, `event.security.flow_control.blocked`, `event.security.resource_quota.exceeded`.\n    *   **Event Filtering and Routing:**  Allows clients and servers to subscribe to specific event types and severities.\n    *   **Event Correlation:**  Identifies patterns of suspicious activity by correlating events from multiple sources.\n    *   **External Integration:**  Exports security events to external SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) systems.\n    *   **Auditing and Reporting:**  Provides a centralized view of security events for auditing and compliance purposes.\n\n*   **Benefits:**\n    *   **Improved Visibility:**  Provides a comprehensive view of the security posture of the MCP ecosystem.\n    *   **Faster Incident Response:**  Enables quicker detection and response to security threats.\n    *   **Proactive Threat Hunting:**  Facilitates the identification of subtle attack patterns.\n    *   **Compliance Reporting:**  Simplifies the process of generating audit trails and compliance reports.\n\n### 10.9 Integration Diagram \u003ca name=\"integration-diagram\"\u003e\u003c/a\u003e\n\nThe diagram below shows how these new directions fit together across an MCP client and server.\n\n```mermaid\nflowchart TB\n    subgraph \"MCP Client\"\n        MC[MCP Client Logic]\n        ESM1[Extensible Security Middleware]\n        DSC1[Dynamic Security Context]\n        PSA1[Protocol-Level Security Annotations]\n        LAP1[Lightweight Attestation Protocol]\n\n        MC -- \"MCP Messages\" --\u003e ESM1\n        ESM1 -- \"Security Events\" --\u003e SECR[Security Event Correlation \u0026 Reporting]\n    end\n\n    subgraph \"MCP Server\"\n        MS[MCP Server Logic]\n        ESM2[Extensible Security Middleware]\n        DSC2[Dynamic Security Context]\n        PSA2[Protocol-Level Security Annotations]\n        ARQ[Adaptive Resource Quotas]\n        LAP[Lightweight Attestation Protocol]\n\n        MS -- \"MCP Messages\" --\u003e ESM2\n        ESM2 -- \"Security Events\" --\u003e SECR\n        DSC2 -- 
\"Trust Score/Threat Level\" --\u003e ARQ\n        ARQ -- \"Resource Limits\" --\u003e MS\n    end\n\n    MC \u003c--\u003e MS\n    ESM1 \u003c--\u003e ESM2\n    DSC1 \u003c--\u003e DSC2\n    PSA1 \u003c--\u003e PSA2\n    LAP1[Lightweight Attestation Protocol] \u003c--\u003e LAP\n\n    subgraph \"External Systems\"\n        SIEM[SIEM/SOAR]\n    end\n\n    SECR -- \"Alerts \u0026 Reports\" --\u003e SIEM\n```\n\n## 99. License \u003ca name=\"license\"\u003e\u003c/a\u003e\n\nThis project is licensed under the [MIT License](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnshkrdotcom%2Fguardrail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnshkrdotcom%2Fguardrail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnshkrdotcom%2Fguardrail/lists"}