[2026.4.1-beta] β
Sixth Public Beta Release β
The AI Security Gateway is a unified security platform providing real-time monitoring, policy enforcement, and threat detection for Large Language Model (LLM) APIs and Model Context Protocol (MCP) servers. This release introduces Session Quarantine (kill switch), Accumulated Session Risk Scoring, Scope Change Auto-Pause, Cross-Chain Trace Correlation, Guardrail Confidence Thresholds, Skill Package Registry & Distribution, and Skill Version Diff Analysis, implementing key controls from the AWARE Framework for AI agent governance and expanding the Skill Security Hub into a curated skill distribution platform.
π Session Quarantine (Kill Switch) β
A surgical kill switch that blocks individual user sessions without stopping the entire proxy. Administrators can quarantine specific OAuth users, API keys, or IP addresses, and all further requests from that session are immediately rejected with HTTP 403.
- Per-session blocking across HTTP, WebSocket, and SSE transports for both MCP and LLM proxies
- Active session discovery: The quarantine modal shows all sessions that made requests in the last 24 hours, with API key name, masked key prefix, request count, and last seen time
- TTL support: Quarantine entries can auto-expire after a configurable duration, or persist permanently until manually released
- Bulk release: Release all quarantined sessions for a proxy in one action
- Audit logging: All quarantine and release actions are logged with full admin attribution
- Alert deduplication: Blocked request alerts are rate-limited to one per session per minute to prevent alert floods
π Accumulated Session Risk Scoring β
Tracks cumulative risk per user session across multiple requests. Each request's risk score is added to a running total that decays over time, with escalating responses as thresholds are exceeded.
- Time-decaying accumulation: Risk halves every 30 minutes, preventing normal activity from permanently accumulating
- Four escalation thresholds: Warn (100), Rate Limit (200), Escalate (300), Block (500)
- Auto-quarantine: Sessions exceeding the block threshold are automatically quarantined without manual intervention
- Risk visibility: The quarantine modal shows per-session risk levels with colour-coded badges (green/yellow/orange/red) and a "Reset Risk" action per session
- Severity-based alerts: Each new escalation generates an alert at the appropriate severity level
βΈοΈ Scope Change Auto-Pause β
When rug-pull detection identifies significant tool or agent card changes, the proxy can be automatically paused, requiring administrator re-approval before resuming.
- Severity-based decision logic: Critical/High severity changes trigger immediate pause; 3+ Medium severity changes trigger pause; Low severity generates alerts only
- Manual pause: Administrators can manually pause any proxy for security review with a reason
- Review modal: Shows the pause reason, timestamp, detected changes with severity badges, and an "Approve & Resume" button
- Opt-in per proxy: Controlled via the
scope_change_auto_pauseproxy setting (disabled by default)
π Cross-Chain Trace Correlation β
W3C trace context is now propagated through Agent-to-Agent (A2A) invocations, enabling multi-hop agent workflows to appear as a single distributed trace in Jaeger, Langfuse, or any OTLP-compatible backend.
- Automatic header injection: Outgoing A2A HTTP requests include
traceparentandtracestateheaders via OpenTelemetry-instrumented transport - Audit trail enrichment:
trace_idandspan_idare recorded in every agent invocation audit log for cross-reference - Zero configuration: Works automatically when tracing is enabled (
TRACING_ENABLED=true)
π― Guardrail Confidence Thresholds β
Guardrail providers can now be configured with a minimum confidence threshold. Violations reported below the threshold are downgraded from block to monitor, reducing false positives while still logging the finding for review.
- Per-provider threshold: Set
min_confidence_threshold(0.0β1.0) on any guardrail provider configuration - Backward compatible: Default threshold of 0 preserves existing behaviour (all violations processed at face value)
- Transparent downgrade logging: Downgraded violations are logged with provider name, reported confidence, and configured threshold
π¦ Skill Package Registry & Distribution β
The Skill Security Hub now includes a Package Registry: admins upload skill packages (ZIP files) that are scanned, stored, and made available for download by AI agents via MCP. This transforms the Hub from analysis-only into a curated skill distribution platform.
- Persistent package storage: Uploaded ZIP files are stored on disk in a content-hash-based directory structure, configurable via
SKILL_PACKAGE_STORAGE_PATH(defaults to./data/skill-packages) - Automatic package creation: ZIP uploads via the admin UI now persist the file and create a
SkillPackagerecord linked to the registry entry, no separate upload step needed - MCP
download_skilltool: AI agents can download approved skill packages directly via MCP. Only skills with statusapprovedand an uploaded package are downloadable. Returns base64-encoded ZIP content with filename, size, and content hash - MCP
search_skillstool: Rich search across the registry with filters for query text, category, risk level, author, and package availability (has_package). Returns download counts per skill, richer than the existinglist_approved_skills - Download audit trail: Every package download is recorded with agent name, IP address, and timestamp in a dedicated
skill_downloadstable for compliance tracking - Packages tab: New tab in the Skill Security Hub UI showing all uploaded packages with file name, size, download count, skill.json status, uploader, and date. Includes download and delete actions for admins
- skill.json manifest support: When a ZIP contains a
skill.jsonfile, the Gateway stores its contents for future manifest validation and capability declaration
π Skill Version Comparison & Diff Analysis β
When a skill is re-submitted with changed source code, reviewers can now instantly see what changed, no more reviewing all findings from scratch.
- Finding diff: Shows new findings (added risks), resolved findings (improvements), and unchanged count between two versions of the same skill
- Risk score delta: Displays the net risk score change with breakdown, so reviewers see at a glance whether an update improved or worsened security posture
- Automated recommendations: Generates human-readable review guidance (e.g., "This update resolved 2 High findings and added none. Recommend re-approval.")
- Compare Versions button: Appears in the Registry tab for skills with more than one submission. Opens a diff modal with colour-coded findings and the recommendation
- MCP
compare_skill_versionstool: AI agents can programmatically compare two versions of a skill, useful for automated CI/CD pipelines and agent-driven security reviews - REST endpoint:
GET /api/v1/security/skills/registry/{id}/diffwith optionalprevious_idparameter (auto-detected if omitted)