OWASP Agentic Top 10 Coverage

Goal hijack is the failure mode that prompt-level defenses cannot fully close. The agent reads adversarial content from a retrieved document, a tool response or an email thread, and the planner is steered into actions the operator never intended. Ferentin's posture treats the planner as untrusted. The application layer is where authority lives, not the prompt.

Defense runs in three places. At the agent loop, per-call policy evaluation enforces the action classification model. Forbidden actions are structurally impossible to dispatch. At the tool surface, per-role allowlists decide which connectors the planner can even see. At the data plane, the service edge enforces egress allowlists so a hijacked plan cannot reach an unsanctioned domain.

At the catalog ingestion seam: server-card upload now runs the MCP catalog scanner end-to-end before persistence. A deterministic evidence pass (regex, Levenshtein typosquat distance, NFKC Unicode-confusable matching, base64 detection) feeds an LLM-based judge against the mcp-catalog-v1 rubric. Verdicts of BLOCK or SCANNER_INTEGRITY_ERROR refuse the import with structured findings. WARN verdicts persist alongside the findings for admin review. The same structural normalization (zero-width Unicode strip plus canonical Unicode form) runs on every card before either the deterministic pass or the LLM judge sees it, so attackers cannot smuggle invisible-instruction payloads past the scanner.

Shift-left scanning at card-generation time also ships in the integrator workflow: `ferentin mcp discover` runs the same deterministic evidence pass on the synthesized card and (when present) the raw upstream card, writes a versioned scan-report.json next to server-card.json, and fails the build with a non-zero exit on a BLOCK verdict (with an explicit --skip-scan-gate escape hatch for documented overrides). Patterns, reserved-slug list and structural normalization are byte-for-byte mirrors of the platform-side pass, so a card that passes the CLI gate will not be re-blocked at upload for the same evidence class. The third ingestion path — admin-triggered live re-discovery on an already-imported tenant catalog entry — routes through the same `McpCatalogScanOrchestrator` tagged as the `LIVE_DISCOVERY` checkpoint in the audit trail. An async background scheduler running this same loop on a cadence is a separate workstream gated on the Notification primitive (so detected drift surfaces to admin asynchronously rather than blocking inflight tool calls).

Identity is the family where most agentic platforms ship the smallest answer and call it solved. A shared API key with a name attached is not scoping. Ferentin separates intent from authority on the token itself: a macro claim records what the client asked for, a fine-grained claim records what RBAC actually granted at issuance. Downstream code checks authority, not intent.

Two identity modes anchor in customer-held systems. For human-in-the-loop sessions, the enterprise IdP is the source of truth via SAML, OIDC and SCIM. For headless agents, workload identity federation exchanges a workload assertion (OIDC trust from your cloud provider, SPIFFE or equivalent) for a short-lived token bound to that workload. No parallel user directory in the vendor.

Short TTLs are non-negotiable. Admin grants expire in fifteen minutes, not eight hours. A platform-wide synthetic principal pattern lets agents act on behalf of a Slack channel, team or other group identity, with the original actor recorded in the audit trail. The token never re-credentials its way past the role bound to its workload.

Ferentin's architecture splits execution responsibility deliberately. The service edge runs inside the customer perimeter, which means the execution environment for any tool that runs code is the customer's own infrastructure with the customer's own sandbox and the customer's own observability. Ferentin enforces the network and policy boundary around the execution; the customer enforces the process boundary inside it.

For MCP Apps tool views (the in-iframe UI surface for tool results), origin isolation is enforced by the MCP Apps proxy. Each tool view runs on a per-tool subdomain with a hash-derived origin. A strict CSP declares connect domains and resource domains explicitly. A tool view cannot reach a domain it did not declare, cannot execute inline scripts and cannot read another tool view's state.

Egress allowlists bound the network reachability of every tool invocation. The traditional defense (a forward proxy on the host) cannot tell which agent or sub-agent is making the call. Ferentin's per-tool allowlist is enforced at the data plane and bound to the calling identity, not the host process.

Ferentin is MCP-native, not A2A-native. We model multi-agent flows as agent-to-tool calls through the gateway, which means the same per-call policy, the same identity boundary and the same audit shape apply to a call where the "tool" happens to be another agent. There is no separate A2A wire surface that bypasses gateway controls.

This is a deliberate scoping choice, not a feature gap. Ferentin's thesis is that A2A is solved by treating "agent" and "tool" uniformly at the policy layer. Two agents that need to cooperate do so by one calling the other as a tool, with the calling agent's identity on the request and the called agent's response running through the same elicitation, audit and egress controls as any other tool result.

If A2A as a first-class protocol becomes a meaningful enterprise pattern, Ferentin will model it through the same MCP transport rather than a parallel surface. The thesis would not change: authority is in the application layer; the transport is incidental.

This is the family where technical controls cannot do all the work. A confident agent saying confident things is a social engineering surface that no policy engine fully closes. Ferentin's posture is to make the most-exploited preconditions of trust attacks structurally absent — no password to phish, no upstream credential to leak, no sensitive data flowing through the conversation surface.

Platform identity is passwordless and signature-brokered. There is no human-typed shared secret that the platform exposes at runtime. Human authentication anchors in the enterprise IdP with passkeys (WebAuthn) supported as a phishing-resistant primary factor. Service-to-service trust is brokered by short-lived signed tokens (JWT) and mTLS, not by API keys floating in environment variables. A confident agent that tries to social-engineer a credential out of a user is asking for something the platform itself does not handle as a typed secret — there is nothing to paste back into the chat.

Upstream credentials follow a PAM-style design. API keys, OAuth tokens and provider credentials for upstream MCP servers and LLM providers live in a tenant-scoped vault. Ephemeral, scope-limited tokens are the only way to unlock them, and the unlock happens at the data plane at request time — the credential is brokered into the outbound call and never returned to the agent loop, the tool view or the human conversation surface. An agent cannot exfiltrate an upstream credential it has never been handed; a user cannot be tricked into sharing one they have never seen.

URL-mode elicitation routes any remaining sensitive data entry (credentials the platform legitimately needs to bootstrap an integration, financial confirmation, OAuth handoffs) to a domain the user already trusts, outside the conversation. The agent learns the outcome (yes / no / completed); it never sees the sensitive data. This is the technical version of "do not type your password into a chat window."

Step-up approval for high-blast-radius actions adds friction proportional to risk. A reasoning-class model handles the high-stakes decisions where defending against social-engineering prompts matters. A human approver gates the destructive ones. The audit trail records both the agent's suggestion and the user's response, which is what makes accountability traceable after the fact.