fix: address 18 MEDIUM/LOW security findings from deep audit

Identity (V04, V05, V07):
- Block ':*' empty-prefix wildcard acting as hidden superuser
- Catch specific crypto exceptions instead of bare except
- Guard reactivation of security-suspended identities

Handshake (V06, V10):
- Use registry trust score over self-reported value
- Cap pending challenges at 1000 with expired-challenge cleanup

Transport (V19, V20, V21):
- Default use_tls=True for all transports
- Bound asyncio.Queue to 10k for gRPC and WebSocket

MCP (V18, V22, V25):
- SSRF guard: validate URL scheme, block loopback/internal hosts
- Evict expired entries from _verified_clients cache (cap 10k)
- UUID4 for call_id instead of timestamp

Governance (V23, V31, V32):
- Evict oldest rate limiter buckets at 100k cap
- ReDoS guard: reject complex regex patterns, catch re.error
- OPA URL injection: validate query path chars, URL-encode segments

Remaining (V08, V09, V24, V33):
- Reject unsigned plugins when verify=True
- Replace unsafe eval() in docstring example
- Generic 403 response (no trust score/threshold leak)
- Rate-limit InMemoryTrustStore updates (10/min per agent)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

packages/agent-mesh/src/agentmesh/governance/opa.py

@@ -140,10 +140,24 @@ def evaluate(self, query: str, input_data: dict) -> OPADecision:
     def _evaluate_remote(self, query: str, input_data: dict) -> OPADecision:
         """Query a remote OPA server via REST API."""
         import urllib.request
+        from urllib.parse import quote
+
+        # V32: Sanitise query path to prevent URL injection
+        # Only allow alphanumeric, dots, underscores, hyphens in query
+        import re as _re
+        if not _re.fullmatch(r"[a-zA-Z0-9._\-]+", query):
+            return OPADecision(
+                allowed=False,
+                query=query,
+                source="remote",
+                error=f"Invalid OPA query path: {query}",
+            )
 
         # Convert query path to URL: "data.agentmesh.allow" -> "/v1/data/agentmesh/allow"
         path_parts = query.replace("data.", "", 1).replace(".", "/") if query.startswith("data.") else query.replace(".", "/")
-        url = f"{self.opa_url}/v1/data/{path_parts}"
+        # URL-encode each segment as a safety net
+        safe_path = "/".join(quote(seg, safe="") for seg in path_parts.split("/"))
+        url = f"{self.opa_url}/v1/data/{safe_path}"
 
         payload = json.dumps({"input": input_data}).encode("utf-8")
         req = urllib.request.Request(

packages/agent-mesh/src/agentmesh/governance/trust_policy.py

@@ -92,7 +92,14 @@ def _apply_operator(actual: Any, operator: ConditionOperator, expected: Any) ->
         elif operator == ConditionOperator.not_in:
             return actual not in expected
         elif operator == ConditionOperator.matches:
-            return bool(re.search(str(expected), str(actual)))
+            pattern = str(expected)
+            # V31: Reject overly complex regex patterns to prevent ReDoS
+            if len(pattern) > 200 or any(c in pattern for c in ['{', '(+', '(.*)*', '(.+)+']):
+                return False
+            try:
+                return bool(re.search(pattern, str(actual), flags=re.DOTALL))
+            except re.error:
+                return False
         return False
 
 

packages/agent-mesh/src/agentmesh/identity/agent_id.py

@@ -210,8 +210,11 @@ def verify_signature(self, data: bytes, signature: str) -> bool:
             signature_bytes = base64.b64decode(signature)
             public_key.verify(signature_bytes, data)
             return True
-        except Exception:
-            logger.debug("Signature verification failed", exc_info=True)
+        except (ValueError, TypeError) as exc:
+            logger.debug("Malformed key or signature data: %s", exc)
+            return False
+        except Exception as exc:
+            logger.warning("Signature verification failed: %s", exc)
             return False
 
     # Maximum delegation depth to prevent Sybil attacks via infinite chains.
@@ -296,10 +299,25 @@ def suspend(self, reason: str) -> None:
         self.revocation_reason = reason
         self.updated_at = datetime.utcnow()
 
-    def reactivate(self) -> None:
-        """Reactivate a suspended identity."""
+    def reactivate(self, *, override_reason: bool = False) -> None:
+        """Reactivate a suspended identity.
+
+        Args:
+            override_reason: If True, bypass the security-suspension guard.
+                Must be explicitly set when reactivating an identity that was
+                suspended for security reasons.
+        """
         if self.status == "revoked":
             raise ValueError("Cannot reactivate a revoked identity")
+        if self.status != "suspended":
+            raise ValueError(f"Cannot reactivate identity in '{self.status}' state")
+        # Guard against blind reactivation of security suspensions
+        if self.revocation_reason and "security" in self.revocation_reason.lower():
+            if not override_reason:
+                raise ValueError(
+                    "Identity was suspended for security reasons — "
+                    "pass override_reason=True to force reactivation"
+                )
         self.status = "active"
         self.revocation_reason = None
         self.updated_at = datetime.utcnow()
@@ -314,14 +332,13 @@ def is_active(self) -> bool:
 
     def has_capability(self, capability: str) -> bool:
         """Check if this agent has a specific capability."""
-        # Support wildcard matching
         for cap in self.capabilities:
             if cap == "*":
                 return True
             if cap == capability:
                 return True
-            # Support prefix matching (e.g., "read:*" matches "read:data")
-            if cap.endswith(":*"):
+            # Prefix matching: "read:*" matches "read:data" but ":*" is rejected
+            if cap.endswith(":*") and len(cap) > 2:
                 prefix = cap[:-2]
                 if capability.startswith(prefix + ":"):
                     return True

packages/agent-mesh/src/agentmesh/integrations/crewai/agent.py

@@ -47,9 +47,13 @@ class InteractionRecord:
 class InMemoryTrustStore:
     """Simple in-memory trust store for testing and development."""
 
+    # V33: Rate-limit trust updates to prevent inflation via rapid success spam
+    MAX_UPDATES_PER_MINUTE = 10
+
     def __init__(self, default_score: int = 500) -> None:
         self._scores: Dict[str, int] = {}
         self._default_score = default_score
+        self._update_times: Dict[str, list] = {}
 
     def get_trust_score(self, agent_did: str) -> int:
         return self._scores.get(agent_did, self._default_score)
@@ -58,6 +62,16 @@ def set_trust_score(self, agent_did: str, score: int) -> None:
         self._scores[agent_did] = max(0, min(1000, score))
 
     def record_interaction(self, agent_did: str, *, success: bool) -> None:
+        from datetime import datetime as _dt
+        now = _dt.utcnow()
+        # V33: Enforce rate limit on score updates
+        times = self._update_times.setdefault(agent_did, [])
+        cutoff = now.timestamp() - 60
+        times[:] = [t for t in times if t > cutoff]
+        if len(times) >= self.MAX_UPDATES_PER_MINUTE:
+            return  # silently drop — rate limited
+        times.append(now.timestamp())
+
         current = self.get_trust_score(agent_did)
         delta = 5 if success else -10
         self.set_trust_score(agent_did, current + delta)

packages/agent-mesh/src/agentmesh/integrations/django_middleware/middleware.py

@@ -151,16 +151,7 @@ def __call__(self, request: HttpRequest) -> HttpResponse:
                 min_score,
             )
             return JsonResponse(
-                {
-                    "error": "Trust verification failed",
-                    "detail": (
-                        f"Agent trust score ({trust_score}) is below the "
-                        f"required threshold ({min_score})."
-                    ),
-                    "agent_did": agent_did,
-                    "trust_score": trust_score,
-                    "required_score": min_score,
-                },
+                {"error": "Trust verification failed"},
                 status=403,
             )
 

packages/agent-mesh/src/agentmesh/integrations/langchain/tools.py

@@ -122,7 +122,7 @@ class TrustVerifiedTool(BaseTool):  # type: ignore[misc]
             description="Performs arithmetic",
             agent_did="did:mesh:abc123",
             min_trust_score=500,
-            inner_fn=lambda q: eval(q),
+            inner_fn=lambda q: str(eval(q, {"__builtins__": {}}, {})),  # noqa: S307 — example only; use ast.literal_eval in production
         )
         result = tool.run("2 + 2")
     """

packages/agent-mesh/src/agentmesh/integrations/mcp/__init__.py

@@ -31,6 +31,7 @@
 from __future__ import annotations
 
 import logging
+import uuid
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
 from typing import Any, Callable, Dict, List, Optional, Awaitable
@@ -115,6 +116,7 @@ def __init__(
         self._call_history: List[MCPToolCall] = []
         self._verified_clients: Dict[str, datetime] = {}
         self._verification_ttl = timedelta(minutes=10)
+        self._max_verified_clients = 10_000
 
     def register_tool(
         self,
@@ -160,6 +162,12 @@ async def verify_client(
             cached_time = self._verified_clients[client_did]
             if datetime.utcnow() - cached_time < self._verification_ttl:
                 return True
+            # Expired — remove stale entry
+            del self._verified_clients[client_did]
+
+        # V22: Evict expired entries when cache grows too large
+        if len(self._verified_clients) >= self._max_verified_clients:
+            self._evict_expired_clients()
 
         # Use TrustBridge if available
         if self.trust_bridge:
@@ -182,6 +190,16 @@ async def verify_client(
         logger.warning(f"Client {client_did} failed trust verification")
         return False
 
+    def _evict_expired_clients(self) -> None:
+        """Remove expired entries from the verified clients cache."""
+        now = datetime.utcnow()
+        expired = [
+            did for did, ts in self._verified_clients.items()
+            if now - ts >= self._verification_ttl
+        ]
+        for did in expired:
+            del self._verified_clients[did]
+
     def _check_capability(
         self,
         client_capabilities: List[str],
@@ -224,7 +242,7 @@ async def invoke_tool(
         Returns:
             MCPToolCall with result or error
         """
-        call_id = f"{tool_name}-{datetime.utcnow().timestamp()}"
+        call_id = f"{tool_name}-{uuid.uuid4().hex}"
 
         call = MCPToolCall(
             call_id=call_id,
@@ -348,6 +366,21 @@ def __init__(
 
     async def connect(self, server_url: str) -> bool:
         """Connect to MCP server with trust verification."""
+        # V18: Validate server URL scheme
+        from urllib.parse import urlparse
+        parsed = urlparse(server_url)
+        if parsed.scheme not in ("http", "https", "ws", "wss"):
+            logger.warning("Rejected server URL with invalid scheme: %s", server_url)
+            return False
+        if not parsed.hostname:
+            logger.warning("Rejected server URL with missing host: %s", server_url)
+            return False
+        # Block common internal/loopback targets
+        _blocked_hosts = {"localhost", "127.0.0.1", "::1", "0.0.0.0", "169.254.169.254"}
+        if parsed.hostname.lower() in _blocked_hosts:
+            logger.warning("Rejected internal/loopback server URL: %s", server_url)
+            return False
+
         # Verify server identity if TrustBridge available
         if self.trust_bridge:
             # Extract server DID from URL or discovery

packages/agent-mesh/src/agentmesh/marketplace/installer.py

@@ -96,7 +96,17 @@ def install(
         manifest = self._registry.get_plugin(name, version)
 
         # Signature verification (first check)
-        if verify and manifest.signature and manifest.author in self._trusted_keys:
+        if verify:
+            if not manifest.signature:
+                raise MarketplaceError(
+                    f"Plugin {name}@{manifest.version} has no signature; "
+                    "install with verify=False to bypass (not recommended)"
+                )
+            if manifest.author not in self._trusted_keys:
+                raise MarketplaceError(
+                    f"Plugin {name}@{manifest.version} signed by untrusted "
+                    f"author '{manifest.author}'"
+                )
             public_key = self._trusted_keys[manifest.author]
             verify_signature(manifest, public_key)
             logger.info("Signature verified for %s@%s", name, manifest.version)
@@ -107,7 +117,7 @@ def install(
         self._resolve_dependencies(manifest, _seen=_seen)
 
         # V29: Re-verify signature after dependency resolution (TOCTOU guard)
-        if verify and manifest.signature and manifest.author in self._trusted_keys:
+        if verify:
             public_key = self._trusted_keys[manifest.author]
             verify_signature(manifest, public_key)
 

packages/agent-mesh/src/agentmesh/services/rate_limiter.py

@@ -108,6 +108,7 @@ def __init__(
         per_agent_rate: float = 10,
         per_agent_capacity: int = 20,
         backpressure_threshold: float = 0.8,
+        max_agent_buckets: int = 100_000,
     ) -> None:
         self._global_bucket = TokenBucket(rate=global_rate, capacity=global_capacity)
         self._per_agent_rate = per_agent_rate
@@ -117,11 +118,16 @@ def __init__(
         self._global_capacity = global_capacity
         self._per_agent_capacity_val = per_agent_capacity
         self._backpressure_threshold = backpressure_threshold
+        self._max_agent_buckets = max_agent_buckets
 
     def _get_agent_bucket(self, agent_did: str) -> TokenBucket:
         """Get or create a per-agent token bucket."""
         with self._lock:
             if agent_did not in self._agent_buckets:
+                # V23: Evict oldest buckets when limit reached
+                if len(self._agent_buckets) >= self._max_agent_buckets:
+                    oldest_key = next(iter(self._agent_buckets))
+                    del self._agent_buckets[oldest_key]
                 self._agent_buckets[agent_did] = TokenBucket(
                     rate=self._per_agent_rate,
                     capacity=self._per_agent_capacity,

packages/agent-mesh/src/agentmesh/transport/base.py

@@ -37,7 +37,7 @@ class TransportConfig:
 
     host: str = "localhost"
     port: int = 8080
-    use_tls: bool = False
+    use_tls: bool = True
     timeout_seconds: int = 30
     max_retries: int = 5
     retry_delay_seconds: float = 1.0