AgentX-Phase2: Zero-Trust Security for MCP Servers
Rust Middleware + JWT RBAC + Istio AuthorizationPolicy
Author: Venkateshwar Rao Nagala | Founder & CEO
Company: For the Cloud By the Cloud | Hyderabad, India
Submission: Solo.io MCP_HACK//26 — Secure & Govern MCP
GitHub: https://github.com/tenalirama2005/AgentX-Phase2
Demo Video: https://youtu.be/F7xWzoQ3e3M
Full Demo (4:44): https://youtu.be/k4Xzbp-M2fc
The Security Problem in Multi-Agent Systems
When AI agents communicate with MCP servers, the default
assumption is trust. Agents call tools, tools return data,
and nothing enforces whether that agent should have access
in the first place. Prompt-based guardrails are not enough
— they can be bypassed by prompt injection, jailbreaking,
or simply a misconfigured agent.
AgentX-Phase2 solves this with three independent
programmatic security layers enforced at the code,
gateway, and network layers respectively. No single
layer failure can compromise the system.
What is AgentX-Phase2?
AgentX-Phase2 is a production-grade Kubernetes
multi-agent pipeline that automatically modernizes
legacy COBOL programs to memory-safe Rust using 49
AI models with Byzantine fault-tolerant FBA consensus.
The pipeline:
COBOL Source (AWS S3: interest_calc.cbl + loan_data.json)
→ AgentGateway (JWT + RBAC)
→ 4 MCP Servers (s3_mcp, cobol_mcp, rust_mcp, ai_mcp)
→ 49 AI Models (FBA Consensus)
→ Validated Memory-Safe Rust Output
The founder personally wrote and maintained
HomeComm/LifeComm — P&C and Life Insurance Policy
Administration (80% HLASM Assembler, 20% COBOL) at
major US insurance carriers, and core banking DDA
systems at a major North American bank. AgentX-Phase2
is built from the inside out.
The Three Security Layers
Layer 1 — Rust GatewayAuth Middleware
The first line of defense is a custom Rust middleware
component called GatewayAuth. Every request to any
MCP server must carry a valid X-AgentGateway-Token
header. Without it — immediate 401 rejection at
the code layer.
This is not a prompt instruction. It is not a
guideline. It is compiled Rust code running as
a middleware gate. No agent prompt can override it.
// GatewayAuth middleware — simplified
async fn auth_middleware(req: Request) -> Result<Response> {
let token = req.headers()
.get("X-AgentGateway-Token")
.ok_or(Error::Unauthorized)?;
validate_token(token)?;
Ok(next(req).await)
}
Why Rust? The same reason Solo.io built AgentGateway
in Rust — performance, memory safety, and zero runtime
overhead. Security enforcement should never be the
bottleneck.
Layer 2 — JWT + Role-Based Access Control
AgentGateway enforces role-based routing between agents
and MCP servers:
| Agent | Role | Access |
|---|---|---|
| Green agent (orchestrator) | orchestrator | All 4 MCP servers |
| Purple agent (FBA coordinator) | modernizer | Restricted |
JWT tokens are issued per agent with embedded role
claims. The gateway validates the token, extracts the
role, and routes — or rejects — accordingly. Wrong
role for the requested resource = immediate block,
regardless of what the agent prompt says.
Layer 3 — Istio AuthorizationPolicy
The third layer operates at the network layer via
Istio service mesh. Even if the application layer
is compromised, unauthorized inter-service traffic
is blocked at the network level.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: agentx-zero-trust
namespace: mainframe-modernization
spec:
rules:
- from:
- source:
principals: ["cluster.local/ns/mainframe-modernization/sa/green-agent"]
to:
- operation:
methods: ["POST"]
paths: ["/mcp/*"]
Every inter-agent communication is authenticated,
encrypted via mTLS, and logged. Kiali visualizes
the live traffic graph — every arrow is a real
authenticated call.
Security Test Results
AgentX-Phase2 runs 4 automated security tests on
every deployment via ./deploy.sh --test-security:
| Test | Scenario | Result |
|---|---|---|
| TEST 1 | Purple agent hits s3_mcp directly — no gateway token | BLOCKED ✅ |
| TEST 2 | JWT token issued for correct role | ISSUED ✅ |
| TEST 3 | Wrong role attempts gateway access | BLOCKED ✅ |
| TEST 4 | Correct role, correct path | ALLOWED ✅ |
All four pass in production. Every deployment.
Automated. No manual verification needed.
Production Infrastructure
./deploy.sh --status
Namespace: mainframe-modernization
Pods: 7/7 running
Istio sidecars: 2/2 on every pod
Service mesh: Active
7 pods, all running with Istio sidecars injected.
The 2/2 means both the application container and
the Istio proxy are running on every pod — full
mesh coverage.
Why This Matters for MCP Security
The Model Context Protocol gives agents powerful
tool access. That power requires governance.
AgentX-Phase2 demonstrates that enterprise-grade
MCP security is achievable with:
- Rust middleware for code-layer enforcement
- JWT RBAC for identity-based routing
- Istio for network-layer zero-trust
- Automated tests for continuous validation
Solo.io's AgentGateway addresses the same problem
at scale. AgentX-Phase2 implements these principles
in a production multi-agent system — proving the
pattern works end-to-end.
FBA Consensus — Security at the Output Layer
Security is not just about access control. It extends
to output quality. AgentX-Phase2 applies Byzantine
fault-tolerant FBA consensus (arxiv:2507.11768) to
LLM output validation:
- 49 models vote independently
- Consensus threshold: 39 models (49-10)
- Production results: 44/49 above 85% confidence
- FBA confidence: 94%
- Semantic similarity: 1.0 — perfect agreement
A single compromised or hallucinating model cannot
corrupt the output. The Byzantine threshold ensures
mathematical output quality guarantees.
Demo Video
1:59 minutes — AWS S3 source files → cluster status
→ 4 security tests → Kiali service mesh → GitHub
Production Results Summary
| Metric | Result |
|---|---|
| Security tests | 4/4 passing |
| AI models | 49 (48 Nebius + 1 Claude Opus 4.6) |
| Models above 85% confidence | 44/49 |
| FBA confidence | 94% |
| Semantic similarity | 1.0 |
| Kubernetes pods | 7/7 running |
| Istio sidecars | 2/2 on every pod |
Founder Background
Venkateshwar Rao Nagala — 30+ years production
systems experience:
- GATE 1994 AIR 444 (top 0.4%)
- HLASM expert — HomeComm/LifeComm at major US insurance carriers
- Core banking DDA — major North American bank
- Manager Big Data Analytics — AIG Fortune 500
- Chainlink FBA oracle — 2 LLM models (2026 Q1)
- Solo.io Velocity Award 2026
- Cilium / Isovalent Certified
- AgentBeats Sprint 1 — March 22, 2026
Links
- GitHub: https://github.com/tenalirama2005/AgentX-Phase2
- Security Demo (1:59): https://youtu.be/F7xWzoQ3e3M
- Full Demo (4:44): https://youtu.be/k4Xzbp-M2fc
- AgentBeats: https://agentbeats.dev/tenalirama2005/purple_agent
- LinkedIn: https://www.linkedin.com/in/tenalirama
- Solo.io Hackathon: https://aihackathon.dev
Built solo, bootstrapped, from Hyderabad India.
Vandemataram 🙏
Top comments (0)