MCPKernel v0.4 — Roadmap¶
Status: scoped, not yet started. Items inherit risk-rank from THREAT_MODEL.md and gap analysis from OWASP LLM Top-10 mapping.
The release goals: close the three residual gaps explicitly called out at v0.3.0, ship the K8s operator out of stub state, and add multi-tenant isolation primitives needed by managed deployments.
Theme A — Close v0.3.0 residual gaps¶
A.1 Embedding-similarity outlier detection (LLM08 — Vector & Embedding Weaknesses)¶
Why: At v0.3.0 we flag LLM08 as Partial coverage. We can detect
exact taint sources and policy violations, but we cannot detect semantic
drift — e.g. a poisoned vector store returning records that pattern-match
"benign" but cluster far from the legitimate corpus.
Deliverable
- New
src/mcpkernel/taint/embeddings.pymodule. - Pluggable embedder interface (default:
sentence-transformers/all-MiniLM-L6-v2, optional OpenAI/Cohere via config). - Per-tenant rolling centroid computed from the last N trusted responses
(default
N=200). - New policy primitive
embedding_outlier: { threshold: float, action: block|warn }. - New audit event
embedding_outlier_detectedwith cosine distance, centroid version, and DEE envelope hash.
Acceptance
- Synthetic test: ten clean responses + one adversarial paraphrased exfil payload → outlier MUST be flagged at threshold 0.65.
- p95 added latency ≤ 8 ms with on-device MiniLM, ≤ 35 ms with remote embedder.
Owner: taint package. Effort: M.
A.2 Cryptographic signature on policy bundles (T-2 residual risk)¶
Why: THREAT_MODEL.md lists T-2: Policy tampering at rest as a residual risk at v0.3.0 — policies are signed in git history via commit signatures, but the in-memory loaded policy bundle is not verifiable at runtime against a known root of trust.
Deliverable
- New
mcpkernel sign-policy <bundle.yaml>CLI subcommand. - Sigstore Bundle v0.3 + DSSE in-toto attestation (reuse the
audit/attestation.pymachinery from v0.3.0 Section C.4). - Loader change in
src/mcpkernel/policy/loader.py: whenMCPKERNEL_POLICY_REQUIRE_SIGNATURE=1, refuse to load an unsigned bundle. - Trust root: configurable Fulcio CT log + offline-mode allowlist of public keys.
Acceptance
- Tampering a single byte in the policy YAML invalidates the bundle.
- Replay-attack: an old, signed-but-revoked bundle is rejected via the CT-log inclusion proof timestamp window.
- Backwards compatible: unsigned bundles still load when the env var is unset (default).
Owner: policy + audit packages. Effort: M.
A.3 Corpus-level integrity scanning for long-running agents (LLM04)¶
Why: LLM04 (Data and Model Poisoning) is Partial at v0.3.0. We detect taint per-call but cannot answer "has the corpus this agent is reading from drifted from its trusted baseline in the last 24 h?".
Deliverable
- New background
src/mcpkernel/corpus/integrity.pymodule. - Per-corpus Merkle-DAG snapshot computed on schedule (default daily).
- Snapshot stored alongside DEE envelopes; diff against previous snapshot
→ audit event
corpus_driftwith added/removed/changed record hashes. - Optional integration with HashiCorp Vault / GCP Secret Manager (already
supported by
secrets.py) for the snapshot signing key.
Acceptance
- Mutating a single record in a 10 000-row corpus is detected within one scan cycle.
- Scan throughput ≥ 50 000 records/sec on a single core (SHA-256 baseline).
- p99 memory ≤ 256 MB for a 1 M-record corpus.
Owner: new corpus package. Effort: L.
Theme B — Production polish¶
B.1 K8s operator out of stub¶
k8s_operator/ exists at v0.3.0 but is a placeholder. v0.4 should ship a
working CRD + controller:
MCPKernelCRD (proxy spec, policy ref, sandbox backend).PolicyCRD (versioned policy resource, signed via A.2).- Controller reconciles → renders the Helm chart values from CR spec.
- E2E test on
kindcluster in CI.
Effort: L.
B.2 Multi-tenant policy namespacing¶
Today policy is per-process. v0.4 adds:
tenant_idfield on every MCP request (derived from JWTaudor proxy-issued mTLS SPIFFE ID).- Per-tenant policy overlays composed on top of a global base policy.
- Per-tenant rate limits, RU budgets, and audit log routing.
Effort: M.
B.3 Audit log → SIEM connectors¶
DSSE attestations are great but ops teams want events in their existing SIEM. Ship:
- Splunk HEC sink.
- Elastic Common Schema (ECS) JSON formatter.
- Sumo Logic HTTP source.
Each as an optional extra: pip install "mcpkernel[splunk]".
Effort: S.
Theme C — Performance & ergonomics¶
C.1 Replace Python taint propagation hot path with a Rust extension¶
benchmarks/taint_overhead.py shows the full scenario at ~492 µs per
call (Python). A PyO3 module compiled with maturin should bring this
under 50 µs while keeping the public API identical.
Effort: M. Optional — only ship if benchmark numbers justify it.
C.2 mcpkernel init scaffolder¶
Generates a starter policy + docker-compose + helm values + agent manifest in seconds. Reduces "time to first protected request" from ~30 min to <5 min.
Effort: S.
Out of scope for v0.4¶
- Native Windows support (Linux + macOS only).
- GUI / Web dashboard (Grafana templates remain the recommended path).
- Hardware-rooted attestation beyond Sigstore (TPM / SEV-SNP attestation is tracked for v0.5).
Release criteria¶
- All
pytest tests/ -vgreen on Python 3.12 and 3.13. ruff check src/ tests/andruff format --check src/ tests/pass.mypy src/mcpkernel/reports no errors.- Coverage ≥ 80 % overall, ≥ 90 % on new modules (
taint/embeddings.py,corpus/integrity.py). - THREAT_MODEL.md updated; T-2 moved to "mitigated".
- OWASP LLM Top-10 mapping updated; LLM04 and LLM08 moved to "Full".
- CHANGELOG, CycloneDX SBOM 1.6, GitHub Release, PyPI publish — same pipeline as v0.3.0 (post-fix).
Last updated: 2026-05-25, MCPKernel v0.3.0 release day.