Security Policies & Firewalls

AgentSoap employs a multi-layered security architecture designed to protect against both traditional and agent-specific threats.

1. HMAC Verification

Every request to the AgentSoap API must be signed with a valid HMAC-SHA256 signature. This ensures that the telemetry data is authentic and hasn't been tampered with in transit.

  • Header: X-Soap-Signature
  • Payload: The entire JSON body of the request.
  • Key: Your unique API Key Secret.
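Signing a request on the client and verifying it on the server, the way this section describes, as an added example that is not the AgentSoap SDK's own code; hex encoding of the digest, compact sorted JSON serialization and the sample event and secret are assumptions.

```python
import hashlib
import hmac
import json

# Header name as documented for the AgentSoap API.
SIGNATURE_HEADER = "X-Soap-Signature"


def sign_body(body: bytes, api_key_secret: str) -> str:
    """Hex HMAC-SHA256 over the raw request body (hex encoding is an assumption)."""
    return hmac.new(api_key_secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def build_signed_request(payload: dict, api_key_secret: str):
    # Serialize once and sign exactly the bytes that go on the wire; re-serializing
    # on the receiving side could change key order or whitespace and break the MAC.
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign_body(body, api_key_secret),
    }
    return headers, body


def verify_signature(body: bytes, headers: dict, api_key_secret: str) -> bool:
    """Server side: recompute over the raw body and compare in constant time."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_body(body, api_key_secret)
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(presented, expected)


# Constructed sample telemetry event and placeholder secret (not real credentials).
SAMPLE_SECRET = "example-api-key-secret"
SAMPLE_EVENT = {"agent_id": "agent-demo", "tool": "policy_lookup", "risk": "low"}


def demo():
    headers, body = build_signed_request(SAMPLE_EVENT, SAMPLE_SECRET)
    intact = verify_signature(body, headers, SAMPLE_SECRET)
    # Alter the body in transit: the original signature no longer matches.
    tampered = body.replace(b'"risk":"low"', b'"risk":"none"')
    forged = verify_signature(tampered, headers, SAMPLE_SECRET)
    return intact, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```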

2. Semantic Firewall

Our Semantic Interceptor uses advanced LLM-based analysis (High-Performance Gemma 4 Engine) to detect "Indirect Prompt Injections" (IPI).

How it works:

  • Stateful Analysis: We maintain a sliding window of recent agent interactions to detect context-manipulation attacks.
  • Fail-Closed Logic: If the semantic scanner times out or fails, the request is automatically BLOCKED to ensure maximum safety.
  • Base64 Detection: We automatically decode and scan any base64-encoded instructions hidden within the payload.

3. Data Loss Prevention (DLP)

4. Hybrid Edge Architecture

AgentSoap utilizes an "Edge-First" approach to minimize latency and maximize privacy.

  • Local Scanner: The MCP client performs regex-based heuristic checks and hash-matching locally (0ms decision time).
  • Cloud Escalation: Complex semantic analysis and high-value transaction verification are escalated to the Laravel Security API.

5. Enforcement Profiles

Control how the MCP server handles connectivity issues or timeouts via the FALLBACK_STRATEGY configuration:

  • STRICT: Fail-Closed on all timeouts. Recommended for production financial environments.
  • LENIENT: Fail-Open allowed only for READ_ONLY tools (e.g., policy lookups). WRITE_ACTION tools remain Fail-Closed.

6. Blind Mode (Privacy-First)

When BLIND_MODE is enabled, the MCP server hashes sensitive identifiers (SHA-256) before transmission. The backend matches these hashes against synced threat intelligence without ever seeing the raw PII.
