secure-agentic-framework · ryjen · Oct 26, 2025
diff --git a/mitigations/SAFE-M-42/README.md b/mitigations/SAFE-M-42/README.md
@@ -0,0 +1,157 @@
+# SAFE-M-42: Architectural Control – Cross-Server Protection
+
+## Overview  
+**Mitigation ID**: SAFE-M-42  
+**Category**: Architectural Control  
+**Effectiveness**: High (Prevents unauthorized tool propagation and cross-server prompt contamination)  
+**Implementation Complexity**: Medium–High  
+**First Published**: April 2025
+
+## Description  
+Cross-Server Protection is an architectural control that enforces strict boundaries between different MCP servers, agent clusters, and tool registries. It prevents malicious tools, poisoned metadata, or unauthorized context from propagating across environments. This is critical in multi-tenant or federated deployments where agents may interact with tools hosted on external or third-party MCP servers.
+
+Attackers may attempt to bypass local defenses by registering Shadow Tools or injecting prompt context on one server, then triggering execution from another. Cross-Server Protection blocks this by validating tool provenance, enforcing trust boundaries, and controlling dataflow between servers. It also supports integration with agent security platforms like the **Invariant stack**, which monitor inter-server activity and enforce policy compliance.
+
+## Mitigates  
+- [SAFE-T1402](../../techniques/SAFE-T1402/README.md): Instruction Steganography  
+- [SAFE-T1403](../../techniques/SAFE-T1403/README.md): Context Poisoning  
+- [SAFE-T1401](../../techniques/SAFE-T1401/README.md): Direct Prompt Injection  
+- Shadow Tool Propagation  
+- Cross-Server Prompt Contamination  
+
+## Technical Implementation
+
+### Core Principles  
+1. **Trust Boundaries**: Define and enforce which MCP servers can exchange tools, context, or agent workflows.  
+2. **Tool Provenance Validation**: Verify origin, signature, and integrity of tools before cross-server execution.  
+3. **Dataflow Controls**: Restrict prompt context, metadata, and tool calls across server boundaries.  
+4. **Federated Policy Enforcement**: Use shared security platforms (e.g., Invariant stack) to monitor and enforce cross-server rules.
+
+### Architecture Components
+```
++------------------+       +------------------+       +------------------+
+| MCP Server A     | <---> | Boundary Gateway | <---> | MCP Server B     |
++------------------+       +------------------+       +------------------+
+        |                          |                          |
+        |                          v                          v
+        |                 [Validated Exchange]         [Trusted Context Flow]
+        v
+[Agent Security Platform (e.g., Invariant)]
+```
+
+### Prerequisites  
+- MCP servers with versioned tool registries and context isolation  
+- Boundary gateway or proxy layer for inter-server communication  
+- Security platform integration (e.g., Invariant stack, Sigstore, SLSA)
+
+### Implementation Steps  
+1. **Design Phase**:  
+   - Define trust relationships and allowed server interactions  
+   - Specify provenance and signature requirements for cross-server tools  
+
+2. **Development Phase**:  
+   - Implement boundary gateway with validation and filtering logic  
+   - Integrate with agent security platform for monitoring and enforcement  
+
+3. **Deployment Phase**:  
+   - Enable cross-server logging and alerting  
+   - Quarantine or reject tools from untrusted origins  
+   - Audit prompt context flow across server boundaries  
+
+## Benefits  
+- **Blocks Cross-Server Attacks**: Prevents prompt injection and tool poisoning from external sources  
+- **Enforces Tool Provenance**: Ensures only trusted tools are executed across environments  
+- **Supports Multi-Tenant Security**: Enables safe operation in federated or distributed MCP deployments  
+- **Improves Auditability**: Tracks tool origin, context flow, and agent interactions across servers  
+
+## Limitations  
+- **Requires Interoperability Standards**: Servers must support shared validation protocols  
+- **Operational Complexity**: Adds overhead to cross-server workflows  
+- **Latency Tradeoffs**: Validation and logging may impact performance  
+- **Trust Configuration Risk**: Misconfigured boundaries may allow unauthorized access  
+
+## Implementation Examples
+
+### Example 1: Tool Provenance Check
+```json
+{
+  "cross_server_policy": {
+    "trusted_servers": ["mcp.alpha.net", "mcp.beta.org"],
+    "signature_required": true,
+    "origin_verification": true,
+    "context_flow_restrictions": {
+      "allow_prompt_context": false,
+      "allow_tool_metadata": true
+    }
+  }
+}
+```
+
+### Example 2: Invariant Stack Integration
+```yaml
+invariant:
+  agent_monitoring:
+    enabled: true
+    enforce_cross_server_policies: true
+    quarantine_unverified_tools: true
+    log_context_flow: true
+```
+
+## Testing and Validation
+
+1. **Security Testing**:  
+   - Attempt tool registration from untrusted servers  
+   - Inject prompt context across boundaries and verify rejection  
+   - Validate signature and origin enforcement  
+
+2. **Functional Testing**:  
+   - Confirm trusted servers can exchange tools safely  
+   - Ensure boundary gateway filters unauthorized metadata  
+   - Measure latency impact of validation  
+
+3. **Integration Testing**:  
+   - Validate compatibility with agent security platforms  
+   - Confirm logging and alerting across server clusters  
+
+## Deployment Considerations
+
+### Resource Requirements  
+- **CPU**: Moderate (validation and logging)  
+- **Memory**: Moderate  
+- **Storage**: Logs and audit trails  
+- **Network**: Increased inter-server traffic  
+
+### Performance Impact  
+- **Latency**: ~10–20ms per cross-server transaction  
+- **Throughput**: Scales with server volume  
+- **Resource Usage**: Moderate  
+
+### Monitoring and Alerting  
+- Alert on tool execution from untrusted servers  
+- Log prompt context flow across boundaries  
+- Monitor signature and provenance failures  
+- Audit inter-server trust configuration changes  
+
+## Current Status (2025)  
+According to industry reports:  
+- 39% of MCP vendors now implement cross-server validation and provenance checks  
+- Invariant stack adoption is growing for federated agent security  
+- OWASP LLM Top 10 recommends boundary enforcement for multi-agent and multi-server deployments  
+
+## References  
+- [Model Context Protocol Specification](https://modelcontextprotocol.io/specification)  
+- [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/)  
+- [Invariant Stack](https://invariantlabs.ai/platform)  
+- [Sigstore Project](https://www.sigstore.dev/)  
+- [MCPTox Benchmark – Arxiv, 2025](https://arxiv.org/abs/2508.14925)
+
+## Related Mitigations  
+- [SAFE-M-41](../SAFE-M-41/README.md): Tool and Package Pinning – Verifies tool integrity before execution  
+- [SAFE-M-39](../SAFE-M-39/README.md): Prompt Context Isolation – Prevents prompt contamination across agents  
+- [SAFE-M-44](../SAFE-M-44/README.md): Behavioral Monitoring – Detects anomalies from cross-server tool execution  
+
+## Version History  
+| Version | Date | Changes | Author |  
+|---------|------|---------|--------|  
+| 1.0 | 2025-10-25 | Initial documentation | Ryan Jennings |
+