Cloud Scoring Integration

The proxy performs local risk scoring first (pattern matching, keyword detection, behavior tracking), then optionally enriches the score via the cloud scoring API which provides graph-based analysis, GNN inference, compliance matching, and LLM-assisted reasoning.

Scoring Flow

Remote scoring never downgrades the local score. The final score is always max(local, remote). This ensures local safety checks are never bypassed by the cloud API.

Configuration

{
  "risk_api": {
    "url": "https://api-production-56df.up.railway.app",
    "api_key": "sk-acme-...",
    "customer_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "enabled": true,
    "timeout_ms": 15000
  }
}
Remote scoring is non-blocking — if the cloud API times out or errors, the proxy falls back to the local score with zero impact on the tool call.

Enriched Event Payload

The proxy sends the full AgentEventCreate schema to the cloud API:
{
  "event_id": "uuid",
  "customer_id": "a1b2c3d4-...",
  "action": "mcp:github:list_repos.list",
  "timestamp": "2025-03-05T10:30:00Z",
  "agent": {
    "agent_id": "anthropic:bold-amber-falcon",
    "agent_type": "claude",
    "framework": "claude-code",
    "model": "claude-sonnet-4-20250514"
  },
  "session": {
    "session_id": "sess-uuid",
    "user_id": "user-123"
  },
  "target": {
    "resource_type": "repository",
    "resource_id": "org/repo",
    "sensitivity_level": 2
  },
  "mcp_context": {
    "server_name": "github",
    "transport": "stdio",
    "is_verified": true,
    "tool_name": "list_repos"
  },
  "parameters": {"org": "acme-corp"},
  "preceding_actions": [
    "mcp:filesystem:read_file.read",
    "mcp:github:search_repos.search"
  ],
  "data_fields_accessed": [
    {"field": "email", "classification": "pii"},
    {"field": "repo_name", "classification": "internal"}
  ],
  "metadata": {
    "local_score": 25,
    "local_level": "low"
  }
}

Automatic Field Extraction

The proxy automatically extracts and classifies data fields from tool call arguments:
Classification | Matched Patterns
-------------- | ----------------
pii_sensitive  | ssn, passport, tax_id, national_id, drivers_license
pii            | email, phone, name, address, date_of_birth, ip_address
financial      | credit_card, cvv, bank_account, iban, swift
health         | medical, diagnosis, prescription, patient, hipaa
auth           | password, api_key, secret, token, private_key
legal          | contract, nda, legal_hold, subpoena, litigation
Sensitivity levels: 0 (public) → 1 (internal) → 2 (PII) → 3 (sensitive PII/financial/health) → 4 (auth credentials).
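The extraction step described above, written out as an added example (this is not the proxy's own code). It takes the classification patterns and sensitivity levels from the tables on this page; the matching rule (keys are snake_cased and a pattern must match as a whole token, so `userEmail` is PII but `emailed` is not), the check order, the `legal` level of 1 and the fallback of `internal` for unmatched keys are assumptions of this example, and the sample arguments are constructed.

```python
import re
from typing import Any, Dict, List

# Classification patterns, copied from the table on this page.
CLASSIFICATION_PATTERNS = {
    "pii_sensitive": ["ssn", "passport", "tax_id", "national_id", "drivers_license"],
    "pii": ["email", "phone", "name", "address", "date_of_birth", "ip_address"],
    "financial": ["credit_card", "cvv", "bank_account", "iban", "swift"],
    "health": ["medical", "diagnosis", "prescription", "patient", "hipaa"],
    "auth": ["password", "api_key", "secret", "token", "private_key"],
    "legal": ["contract", "nda", "legal_hold", "subpoena", "litigation"],
}

# Sensitivity levels from this page. "legal" is not assigned a level on the page;
# mapping it to 1 (internal) is an assumption of this example.
SENSITIVITY_LEVEL = {
    "internal": 1, "pii": 2, "pii_sensitive": 3, "financial": 3, "health": 3,
    "auth": 4, "legal": 1,
}

# Check the highest-impact classes first so a key such as "private_key_name"
# resolves to "auth" rather than "pii" (ordering is an assumption).
CHECK_ORDER = ["auth", "pii_sensitive", "financial", "health", "pii", "legal"]


def normalize_key(key: str) -> str:
    """camelCase / kebab-case / spaces -> lowercase snake_case."""
    key = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", key)
    key = re.sub(r"[^a-z0-9]+", "_", key.lower())
    return key.strip("_")


def classify_key(key: str) -> str:
    """Classification for one argument key; unmatched keys are 'internal'."""
    norm = normalize_key(key)
    for cls in CHECK_ORDER:
        for pattern in CLASSIFICATION_PATTERNS[cls]:
            # Whole-token match: "email" matches "user_email" but not "emailed".
            if re.search(rf"(^|_){re.escape(pattern)}(_|$)", norm):
                return cls
    return "internal"


def extract_data_fields(args: Any, path: str = "") -> List[Dict[str, str]]:
    """Walk nested dicts/lists in the tool-call arguments and classify every key."""
    fields: List[Dict[str, str]] = []
    if isinstance(args, dict):
        for key, value in args.items():
            field_path = f"{path}.{key}" if path else str(key)
            fields.append({"field": field_path, "classification": classify_key(str(key))})
            fields.extend(extract_data_fields(value, field_path))
    elif isinstance(args, list):
        for i, item in enumerate(args):
            fields.extend(extract_data_fields(item, f"{path}[{i}]"))
    return fields


def sensitivity_level(fields: List[Dict[str, str]]) -> int:
    """Highest level among the accessed fields; 0 (public) when none were accessed."""
    return max((SENSITIVITY_LEVEL[f["classification"]] for f in fields), default=0)


# Constructed sample tool-call arguments (not taken from the page).
SAMPLE_ARGS = {
    "org": "acme-corp",
    "filters": {"userEmail": "a@example.com", "ssn": "***"},
    "auth": {"api_key": "***"},
}

if __name__ == "__main__":
    found = extract_data_fields(SAMPLE_ARGS)
    for f in found:
        print(f"{f['field']:20s} -> {f['classification']}")
    print("sensitivity_level:", sensitivity_level(found))
```

The list returned by `extract_data_fields` is what goes into `data_fields_accessed`, and `sensitivity_level` gives the value for `target.sensitivity_level` in the event payload above.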

Target Resource Inference

The proxy infers target.resource_type from the MCP server name:
Server Names                           | Resource Type
-------------------------------------- | -------------
postgres, mysql, sqlite, mongo, redis  | database
filesystem, fs, file                   | file
github, gitlab, bitbucket              | repository
slack, discord, teams                  | channel
vault, secrets                         | secret_store
aws, gcp, azure                        | cloud_service
s3                                     | object_store
fetch, http                            | external_api

Session Tracker

The proxy tracks the last 20 actions per session in a 30-minute sliding window, providing behavioral context to the cloud API.
Session key: agent's subject ID (or "default")
Max actions: 20
Window: 30 minutes
The session tracker also provides local behavioral signals:
Signal               | Threshold          | Description
-------------------- | ------------------ | -----------
Delegation burst     | 5+ actions in 10s  | Rapid-fire tool calls suggest automated sub-agent spawning
Action rate          | actions/second     | High rates may indicate automated scanning
Temporal correlation | 0.0-0.50           | Timing similarity between two sessions suggests shared origin

Action Classification

Tool calls are classified into canonical domain:scope:verb format:
MCP Method     | Action Format                  | Example
-------------- | ------------------------------ | -------
tools/call     | mcp:{server}:{tool}.{verb}     | mcp:github:list_repos.list
resources/read | mcp:{server}:resource.read     | mcp:postgres:resource.read
prompts/get    | mcp:{server}:prompt.get        | mcp:slack:prompt.get
Verbs are inferred from tool name prefixes:
Prefix                       | Verb
---------------------------- | -------
list                         | list
get, read, fetch, query      | read
search, find                 | search
create, add, insert          | create
update, edit, modify, patch  | update
delete, remove, destroy      | delete
send, post, publish          | send
execute, run, exec           | execute
In forward proxy (HTTP) mode: http:{domain}:{method}.{path_slug}.
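The two inference steps documented above (resource type from the server name, and the canonical `domain:scope:verb` action from the MCP method and tool name, plus the HTTP form) as an added example; this is not the proxy's own code. The keyword and prefix tables are the ones on this page. Assumptions of this example: server names are split into tokens on non-alphanumerics and matched token-by-token, verbs are matched on the lowercased tool-name prefix, unmatched prefixes fall back to `call`, unmatched servers to `unknown`, and the HTTP `path_slug` is the lowercased path with runs of non-alphanumerics collapsed to `_`.

```python
import re
from typing import Optional

# Server-name keyword -> resource type, from the table on this page.
RESOURCE_TYPES = [
    (("postgres", "mysql", "sqlite", "mongo", "redis"), "database"),
    (("filesystem", "fs", "file"), "file"),
    (("github", "gitlab", "bitbucket"), "repository"),
    (("slack", "discord", "teams"), "channel"),
    (("vault", "secrets"), "secret_store"),
    (("aws", "gcp", "azure"), "cloud_service"),
    (("s3",), "object_store"),
    (("fetch", "http"), "external_api"),
]

# Tool-name prefix -> verb, from the table on this page.
VERB_PREFIXES = [
    (("list",), "list"),
    (("get", "read", "fetch", "query"), "read"),
    (("search", "find"), "search"),
    (("create", "add", "insert"), "create"),
    (("update", "edit", "modify", "patch"), "update"),
    (("delete", "remove", "destroy"), "delete"),
    (("send", "post", "publish"), "send"),
    (("execute", "run", "exec"), "execute"),
]

UNKNOWN_VERB = "call"         # fallback for an unmatched prefix (assumption)
UNKNOWN_RESOURCE = "unknown"  # fallback for an unmatched server name (assumption)


def infer_resource_type(server_name: str) -> str:
    """Match any token of the server name (e.g. 'postgres-prod' -> 'postgres')."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", server_name.lower()) if t]
    for keywords, resource_type in RESOURCE_TYPES:
        if any(tok in keywords for tok in tokens):
            return resource_type
    return UNKNOWN_RESOURCE


def infer_verb(tool_name: str) -> str:
    """First table row whose prefix the lowercased tool name starts with."""
    name = tool_name.lower()
    for prefixes, verb in VERB_PREFIXES:
        if name.startswith(prefixes):
            return verb
    return UNKNOWN_VERB


def classify_mcp_action(method: str, server: str, tool: Optional[str] = None) -> str:
    """Canonical action string for the three MCP methods listed on this page."""
    if method == "tools/call":
        if not tool:
            raise ValueError("tools/call requires a tool name")
        return f"mcp:{server}:{tool}.{infer_verb(tool)}"
    if method == "resources/read":
        return f"mcp:{server}:resource.read"
    if method == "prompts/get":
        return f"mcp:{server}:prompt.get"
    raise ValueError(f"unsupported MCP method: {method}")


def classify_http_action(domain: str, method: str, path: str) -> str:
    """Forward-proxy form http:{domain}:{method}.{path_slug}."""
    slug = re.sub(r"[^a-z0-9]+", "_", path.lower()).strip("_") or "root"
    return f"http:{domain.lower()}:{method.lower()}.{slug}"


if __name__ == "__main__":
    print(classify_mcp_action("tools/call", "github", "list_repos"),
          infer_resource_type("github"))
    print(classify_http_action("api.example.com", "GET", "/v1/users/me"))
```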

Score Response

The cloud API returns a 4-layer score decomposition:
{
  "event_id": "uuid",
  "score": 72,
  "risk_level": "high",
  "violations": ["PII access without justification"],
  "reasoning": "Agent accessed SSN field in customer database...",
  "scoring_source": "graph+gnn+llm",
  "compliance_refs": ["SOC2-CC6.1", "GDPR-Art.32"],
  "mitigations": ["Require approval for PII access", "Enable field-level encryption"],
  "behavioral_flags": ["escalation_pattern", "new_resource_access"],
  "score_decomposition": {
    "intrinsic": 45,
    "gnn": 68,
    "policy": 72,
    "temporal": 55
  },
  "gnn_score": 0.68,
  "confidence": 0.92
}
All enrichment fields (compliance refs, behavioral flags, score decomposition, GNN score, confidence) are persisted to the audit log for dashboard display.
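The full scoring flow from the sections above (local score first, remote enrichment under the `risk_api` timeout, `max(local, remote)` so the cloud can never lower the local score, silent fallback when the API fails, and the enrichment fields carried into the audit log) as an added example; it is not the proxy's own code. The remote scorer is injected as a callable so the example runs offline; the stubs, event and config values are constructed placeholders, and the sample response reuses the score-response shape shown on this page. Treating a malformed or out-of-range `score` as a remote failure is an assumption of this example.

```python
import json
from typing import Any, Callable, Dict, Optional

# Constructed config in the risk_api shape from this page (placeholder values).
CONFIG = {"risk_api": {
    "url": "https://risk-api.example.invalid",  # placeholder, never contacted here
    "api_key": "sk-PLACEHOLDER",
    "customer_id": "00000000-0000-0000-0000-000000000000",
    "enabled": True,
    "timeout_ms": 15000,
}}

# Response fields persisted to the audit log when the remote call succeeds.
ENRICHMENT_FIELDS = ("compliance_refs", "behavioral_flags", "score_decomposition",
                     "gnn_score", "confidence", "violations", "reasoning", "mitigations")

# (event payload, timeout in seconds) -> parsed JSON body; may raise on error/timeout.
RemoteScorer = Callable[[Dict[str, Any], float], Dict[str, Any]]


class RemoteScoreError(Exception):
    """Raised when the cloud response is not a usable score."""


def parse_score_response(resp: Any) -> int:
    score = resp.get("score") if isinstance(resp, dict) else None
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise RemoteScoreError(f"invalid score in response: {score!r}")
    return score


def score_event(event: Dict[str, Any], local_score: int, local_level: str,
                remote: Optional[RemoteScorer], config: Dict[str, Any] = CONFIG) -> Dict[str, Any]:
    """Return the audit record for one tool call. The local score is the floor."""
    api = config["risk_api"]
    record: Dict[str, Any] = {
        "event_id": event.get("event_id"), "action": event.get("action"),
        "local_score": local_score, "local_level": local_level,
        "remote_score": None, "final_score": local_score,
        "scoring_source": "local", "remote_error": None,
    }
    if not api.get("enabled") or remote is None:
        return record
    try:
        resp = remote(event, api["timeout_ms"] / 1000.0)
        remote_score = parse_score_response(resp)
    except Exception as exc:  # timeout, connection error, bad JSON, malformed body
        record["remote_error"] = type(exc).__name__
        return record  # non-blocking: local score stands, the tool call proceeds
    record["remote_score"] = remote_score
    record["final_score"] = max(local_score, remote_score)  # remote never downgrades
    record["scoring_source"] = resp.get("scoring_source", "remote")
    for name in ENRICHMENT_FIELDS:
        if name in resp:
            record[name] = resp[name]
    return record


def audit_line(record: Dict[str, Any]) -> str:
    """One JSON line for the audit log."""
    return json.dumps(record, sort_keys=True)


# Constructed event and remote stubs (not from the page).
EVENT = {"event_id": "evt-constructed-1", "action": "mcp:github:list_repos.list",
         "metadata": {"local_score": 25, "local_level": "low"}}
SAMPLE_RESPONSE = {"event_id": "evt-constructed-1", "score": 72, "risk_level": "high",
                   "scoring_source": "graph+gnn+llm",
                   "compliance_refs": ["SOC2-CC6.1", "GDPR-Art.32"],
                   "behavioral_flags": ["escalation_pattern"],
                   "score_decomposition": {"intrinsic": 45, "gnn": 68, "policy": 72, "temporal": 55},
                   "gnn_score": 0.68, "confidence": 0.92}


def remote_ok(event, timeout_s):
    return SAMPLE_RESPONSE


def remote_low(event, timeout_s):
    return {"score": 10}  # lower than local: must not win


def remote_timeout(event, timeout_s):
    raise TimeoutError(f"no response within {timeout_s}s")


def remote_bad(event, timeout_s):
    return {"score": "high"}  # malformed body


if __name__ == "__main__":
    for stub in (remote_ok, remote_low, remote_timeout, remote_bad):
        print(audit_line(score_event(EVENT, 25, "low", stub)))
```

A real scorer in place of the stubs would POST the event payload to `risk_api.url` with `timeout_ms / 1000` as the socket timeout and return the parsed body; every failure path ends in the same fallback branch, so the tool call is never held up by the cloud.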

Depth & Burst Penalties

The local scoring engine applies additional penalties for nested agents and burst behavior:
Condition                             | Penalty              | Cap
------------------------------------- | -------------------- | ---
Agent depth > 0                       | depth * 5            | 25
Delegation burst (5+ actions in 10s)  | 10 + (count - 5) * 2 |
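The session tracker described above (last 20 actions per session, 30-minute sliding window, session key from the agent's subject ID or "default") together with the depth and burst penalties from this table, as an added example; this is not the proxy's own code. Burst count is taken as the actions recorded in the last 10 seconds including the current one, the action rate is the retained action count divided by the span of the window (floored at one second), and the burst penalty is left uncapped because the page states no cap; these three choices are assumptions of this example. Temporal correlation is not implemented because the page does not define its computation.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

MAX_ACTIONS = 20            # per session
WINDOW_SECONDS = 30 * 60    # 30-minute sliding window
BURST_COUNT = 5             # delegation burst: 5+ actions ...
BURST_SECONDS = 10          # ... within 10 seconds
DEPTH_PENALTY_PER_LEVEL = 5
DEPTH_PENALTY_CAP = 25


class SessionTracker:
    """Keeps the last MAX_ACTIONS actions per session that fall inside WINDOW_SECONDS."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    @staticmethod
    def key(subject_id: Optional[str]) -> str:
        return subject_id or "default"

    def _queue(self, subject_id: Optional[str], now: float) -> Deque[Tuple[float, str]]:
        q = self._sessions[self.key(subject_id)]
        while q and now - q[0][0] > WINDOW_SECONDS:  # drop actions outside the window
            q.popleft()
        while len(q) > MAX_ACTIONS:                  # keep only the most recent 20
            q.popleft()
        return q

    def record(self, subject_id: Optional[str], action: str, now: float) -> None:
        self._sessions[self.key(subject_id)].append((now, action))
        self._queue(subject_id, now)

    def preceding_actions(self, subject_id: Optional[str], now: float) -> List[str]:
        """Call before record() to get the preceding_actions list for the payload."""
        return [action for _, action in self._queue(subject_id, now)]

    def burst_count(self, subject_id: Optional[str], now: float) -> int:
        return sum(1 for ts, _ in self._queue(subject_id, now) if now - ts <= BURST_SECONDS)

    def action_rate(self, subject_id: Optional[str], now: float) -> float:
        q = self._queue(subject_id, now)
        if not q:
            return 0.0
        return len(q) / max(now - q[0][0], 1.0)


def depth_penalty(depth: int) -> int:
    if depth <= 0:
        return 0
    return min(depth * DEPTH_PENALTY_PER_LEVEL, DEPTH_PENALTY_CAP)


def burst_penalty(count: int) -> int:
    if count < BURST_COUNT:
        return 0
    return 10 + (count - BURST_COUNT) * 2  # no cap is stated on this page


def local_penalties(tracker: SessionTracker, subject_id: Optional[str],
                    depth: int, now: float) -> Dict[str, float]:
    count = tracker.burst_count(subject_id, now)
    return {
        "depth_penalty": depth_penalty(depth),
        "burst_penalty": burst_penalty(count),
        "burst_count": count,
        "action_rate": tracker.action_rate(subject_id, now),
    }


if __name__ == "__main__":
    # Constructed timeline: six calls one second apart from a nested agent (depth 2).
    t = SessionTracker()
    for i in range(6):
        t.record("agent-1", f"mcp:filesystem:read_file.read#{i}", 5000 + i)
    print(local_penalties(t, "agent-1", depth=2, now=5005))
```

`preceding_actions` is read before the current action is recorded so the payload lists only earlier calls; the window and count limits are applied lazily on every read, so an idle session decays to an empty list without a background sweeper.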