AgentX-Phase2: Zero-Trust Security for MCP Servers — Rust Middleware + JWT + Istio AuthorizationPolicy

VenkateshwarRao Nagala — Tue, 31 Mar 2026 21:56:11 +0000

AgentX-Phase2: Zero-Trust Security for MCP Servers

Rust Middleware + JWT RBAC + Istio AuthorizationPolicy

Author: Venkateshwar Rao Nagala | Founder & CEO

Company: For the Cloud By the Cloud | Hyderabad, India

Submission: Solo.io MCP_HACK//26 — Secure & Govern MCP

GitHub: https://github.com/tenalirama2005/AgentX-Phase2

Demo Video: https://youtu.be/F7xWzoQ3e3M
Full Demo (4:44): https://youtu.be/k4Xzbp-M2fc

The Security Problem in Multi-Agent Systems

When AI agents communicate with MCP servers, the default
assumption is trust. Agents call tools, tools return data,
and nothing enforces whether that agent should have access
in the first place. Prompt-based guardrails are not enough
— they can be bypassed by prompt injection, jailbreaking,
or simply a misconfigured agent.

AgentX-Phase2 solves this with three independent
programmatic security layers enforced at the code,
gateway, and network layers respectively. No single
layer failure can compromise the system.

What is AgentX-Phase2?

AgentX-Phase2 is a production-grade Kubernetes
multi-agent pipeline that automatically modernizes
legacy COBOL programs to memory-safe Rust using 49
AI models with Byzantine fault-tolerant FBA consensus.

The pipeline:

COBOL Source (AWS S3: interest_calc.cbl + loan_data.json)
  → AgentGateway (JWT + RBAC)
    → 4 MCP Servers (s3_mcp, cobol_mcp, rust_mcp, ai_mcp)
      → 49 AI Models (FBA Consensus)
        → Validated Memory-Safe Rust Output

The founder personally wrote and maintained
HomeComm/LifeComm — P&C and Life Insurance Policy
Administration (80% HLASM Assembler, 20% COBOL) at
major US insurance carriers, and core banking DDA
systems at a major North American bank. AgentX-Phase2
is built from the inside out.

The Three Security Layers

Layer 1 — Rust GatewayAuth Middleware

The first line of defense is a custom Rust middleware
component called GatewayAuth. Every request to any
MCP server must carry a valid X-AgentGateway-Token
header. Without it — immediate 401 rejection at
the code layer.

This is not a prompt instruction. It is not a
guideline. It is compiled Rust code running as
a middleware gate. No agent prompt can override it.

// GatewayAuth middleware — simplified
async fn auth_middleware(req: Request) -> Result<Response> {
    let token = req.headers()
        .get("X-AgentGateway-Token")
        .ok_or(Error::Unauthorized)?;

    validate_token(token)?;
    Ok(next(req).await)
}

Why Rust? The same reason Solo.io built AgentGateway
in Rust — performance, memory safety, and zero runtime
overhead. Security enforcement should never be the
bottleneck.

Layer 2 — JWT + Role-Based Access Control

AgentGateway enforces role-based routing between agents
and MCP servers:

Agent	Role	Access
Green agent (orchestrator)	orchestrator	All 4 MCP servers
Purple agent (FBA coordinator)	modernizer	Restricted

JWT tokens are issued per agent with embedded role
claims. The gateway validates the token, extracts the
role, and routes — or rejects — accordingly. Wrong
role for the requested resource = immediate block,
regardless of what the agent prompt says.

Layer 3 — Istio AuthorizationPolicy

The third layer operates at the network layer via
Istio service mesh. Even if the application layer
is compromised, unauthorized inter-service traffic
is blocked at the network level.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: agentx-zero-trust
  namespace: mainframe-modernization
spec:
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/mainframe-modernization/sa/green-agent"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/mcp/*"]

Every inter-agent communication is authenticated,
encrypted via mTLS, and logged. Kiali visualizes
the live traffic graph — every arrow is a real
authenticated call.

Security Test Results

AgentX-Phase2 runs 4 automated security tests on
every deployment via ./deploy.sh --test-security:

Test	Scenario	Result
TEST 1	Purple agent hits s3_mcp directly — no gateway token	BLOCKED ✅
TEST 2	JWT token issued for correct role	ISSUED ✅
TEST 3	Wrong role attempts gateway access	BLOCKED ✅
TEST 4	Correct role, correct path	ALLOWED ✅

All four pass in production. Every deployment.
Automated. No manual verification needed.

Production Infrastructure

./deploy.sh --status

Namespace: mainframe-modernization
Pods: 7/7 running
Istio sidecars: 2/2 on every pod
Service mesh: Active

7 pods, all running with Istio sidecars injected.
The 2/2 means both the application container and
the Istio proxy are running on every pod — full
mesh coverage.

Why This Matters for MCP Security

The Model Context Protocol gives agents powerful
tool access. That power requires governance.
AgentX-Phase2 demonstrates that enterprise-grade
MCP security is achievable with:

Rust middleware for code-layer enforcement
JWT RBAC for identity-based routing
Istio for network-layer zero-trust
Automated tests for continuous validation

Solo.io's AgentGateway addresses the same problem
at scale. AgentX-Phase2 implements these principles
in a production multi-agent system — proving the
pattern works end-to-end.

FBA Consensus — Security at the Output Layer

Security is not just about access control. It extends
to output quality. AgentX-Phase2 applies Byzantine
fault-tolerant FBA consensus (arxiv:2507.11768) to
LLM output validation:

49 models vote independently
Consensus threshold: 39 models (49-10)
Production results: 44/49 above 85% confidence
FBA confidence: 94%
Semantic similarity: 1.0 — perfect agreement

A single compromised or hallucinating model cannot
corrupt the output. The Byzantine threshold ensures
mathematical output quality guarantees.

Demo Video

1:59 minutes — AWS S3 source files → cluster status
→ 4 security tests → Kiali service mesh → GitHub

Production Results Summary

Metric	Result
Security tests	4/4 passing
AI models	49 (48 Nebius + 1 Claude Opus 4.6)
Models above 85% confidence	44/49
FBA confidence	94%
Semantic similarity	1.0
Kubernetes pods	7/7 running
Istio sidecars	2/2 on every pod

Founder Background

Venkateshwar Rao Nagala — 30+ years production
systems experience:

GATE 1994 AIR 444 (top 0.4%)
HLASM expert — HomeComm/LifeComm at major US insurance carriers
Core banking DDA — major North American bank
Manager Big Data Analytics — AIG Fortune 500
Chainlink FBA oracle — 2 LLM models (2026 Q1)
Solo.io Velocity Award 2026
Cilium / Isovalent Certified
AgentBeats Sprint 1 — March 22, 2026

DEV Community: VenkateshwarRao Nagala