Skip to content

MCPKernel v0.4 — Roadmap

Status: scoped, not yet started. Items inherit risk-rank from THREAT_MODEL.md and gap analysis from OWASP LLM Top-10 mapping.

The release goals: close the three residual gaps explicitly called out at v0.3.0, ship the K8s operator out of stub state, and add multi-tenant isolation primitives needed by managed deployments.


Theme A — Close v0.3.0 residual gaps

A.1 Embedding-similarity outlier detection (LLM08 — Vector & Embedding Weaknesses)

Why: At v0.3.0 we flag LLM08 as Partial coverage. We can detect exact taint sources and policy violations, but we cannot detect semantic drift — e.g. a poisoned vector store returning records that pattern-match "benign" but cluster far from the legitimate corpus.

Deliverable

  • New src/mcpkernel/taint/embeddings.py module.
  • Pluggable embedder interface (default: sentence-transformers/all-MiniLM-L6-v2, optional OpenAI/Cohere via config).
  • Per-tenant rolling centroid computed from the last N trusted responses (default N=200).
  • New policy primitive embedding_outlier: { threshold: float, action: block|warn }.
  • New audit event embedding_outlier_detected with cosine distance, centroid version, and DEE envelope hash.

Acceptance

  • Synthetic test: ten clean responses + one adversarial paraphrased exfil payload → outlier MUST be flagged at threshold 0.65.
  • p95 added latency ≤ 8 ms with on-device MiniLM, ≤ 35 ms with remote embedder.

Owner: taint package. Effort: M.


A.2 Cryptographic signature on policy bundles (T-2 residual risk)

Why: THREAT_MODEL.md lists T-2: Policy tampering at rest as a residual risk at v0.3.0 — policies are signed in git history via commit signatures, but the in-memory loaded policy bundle is not verifiable at runtime against a known root of trust.

Deliverable

  • New mcpkernel sign-policy <bundle.yaml> CLI subcommand.
  • Sigstore Bundle v0.3 + DSSE in-toto attestation (reuse the audit/attestation.py machinery from v0.3.0 Section C.4).
  • Loader change in src/mcpkernel/policy/loader.py: when MCPKERNEL_POLICY_REQUIRE_SIGNATURE=1, refuse to load an unsigned bundle.
  • Trust root: configurable Fulcio CT log + offline-mode allowlist of public keys.

Acceptance

  • Tampering a single byte in the policy YAML invalidates the bundle.
  • Replay-attack: an old, signed-but-revoked bundle is rejected via the CT-log inclusion proof timestamp window.
  • Backwards compatible: unsigned bundles still load when the env var is unset (default).

Owner: policy + audit packages. Effort: M.


A.3 Corpus-level integrity scanning for long-running agents (LLM04)

Why: LLM04 (Data and Model Poisoning) is Partial at v0.3.0. We detect taint per-call but cannot answer "has the corpus this agent is reading from drifted from its trusted baseline in the last 24 h?".

Deliverable

  • New background src/mcpkernel/corpus/integrity.py module.
  • Per-corpus Merkle-DAG snapshot computed on schedule (default daily).
  • Snapshot stored alongside DEE envelopes; diff against previous snapshot → audit event corpus_drift with added/removed/changed record hashes.
  • Optional integration with HashiCorp Vault / GCP Secret Manager (already supported by secrets.py) for the snapshot signing key.

Acceptance

  • Mutating a single record in a 10 000-row corpus is detected within one scan cycle.
  • Scan throughput ≥ 50 000 records/sec on a single core (SHA-256 baseline).
  • p99 memory ≤ 256 MB for a 1 M-record corpus.

Owner: new corpus package. Effort: L.


Theme B — Production polish

B.1 K8s operator out of stub

k8s_operator/ exists at v0.3.0 but is a placeholder. v0.4 should ship a working CRD + controller:

  • MCPKernel CRD (proxy spec, policy ref, sandbox backend).
  • Policy CRD (versioned policy resource, signed via A.2).
  • Controller reconciles → renders the Helm chart values from CR spec.
  • E2E test on kind cluster in CI.

Effort: L.

B.2 Multi-tenant policy namespacing

Today policy is per-process. v0.4 adds:

  • tenant_id field on every MCP request (derived from JWT aud or proxy-issued mTLS SPIFFE ID).
  • Per-tenant policy overlays composed on top of a global base policy.
  • Per-tenant rate limits, RU budgets, and audit log routing.

Effort: M.

B.3 Audit log → SIEM connectors

DSSE attestations are great but ops teams want events in their existing SIEM. Ship:

  • Splunk HEC sink.
  • Elastic Common Schema (ECS) JSON formatter.
  • Sumo Logic HTTP source.

Each as an optional extra: pip install "mcpkernel[splunk]".

Effort: S.


Theme C — Performance & ergonomics

C.1 Replace Python taint propagation hot path with a Rust extension

benchmarks/taint_overhead.py shows the full scenario at ~492 µs per call (Python). A PyO3 module compiled with maturin should bring this under 50 µs while keeping the public API identical.

Effort: M. Optional — only ship if benchmark numbers justify it.

C.2 mcpkernel init scaffolder

Generates a starter policy + docker-compose + helm values + agent manifest in seconds. Reduces "time to first protected request" from ~30 min to <5 min.

Effort: S.


Out of scope for v0.4

  • Native Windows support (Linux + macOS only).
  • GUI / Web dashboard (Grafana templates remain the recommended path).
  • Hardware-rooted attestation beyond Sigstore (TPM / SEV-SNP attestation is tracked for v0.5).

Release criteria

  • All pytest tests/ -v green on Python 3.12 and 3.13.
  • ruff check src/ tests/ and ruff format --check src/ tests/ pass.
  • mypy src/mcpkernel/ reports no errors.
  • Coverage ≥ 80 % overall, ≥ 90 % on new modules (taint/embeddings.py, corpus/integrity.py).
  • THREAT_MODEL.md updated; T-2 moved to "mitigated".
  • OWASP LLM Top-10 mapping updated; LLM04 and LLM08 moved to "Full".
  • CHANGELOG, CycloneDX SBOM 1.6, GitHub Release, PyPI publish — same pipeline as v0.3.0 (post-fix).

Last updated: 2026-05-25, MCPKernel v0.3.0 release day.