The pipeline ordering is smart — L8 identity running before anything touches the ingestion layer means a rogue agent gets rejected before it even gets to inject anything. I've seen a couple agent wrappers that run input scanning first and only check identity after, which is just asking for trouble.

One thing I noticed digging through the code though — L4 risk scoring categorizes actions purely by verb. _categorize_action parses the action string for keywords like "read" or "delete" but never looks at params. So read.file targeting /etc/shadow gets a risk score of 1, while delete.file on /tmp/cache.json scores 7. In real agent workloads the target matters as much as the verb — feels like the policy engine could bridge this gap with param-aware rules, since the condition evaluator already supports params.* field resolution.

Also noticed TrustScorer takes a decay_rate in __init__ but never actually applies time-based decay anywhere — trust only changes on interactions. So an agent that was trusted six months ago and went dormant still walks back in with the same score. Small thing but could matter in long-running multi-agent setups.

The MCP rug-pull detection is the standout feature for me. Cross-referencing tool names against their descriptions to catch things like "safe_search" that actually calls exec — haven't seen that anywhere else. With how fast MCP is getting adopted this could get real traction.

This looks fantastic, agent security is definitely under-addressed. Curious how you handle inter-agent trust scoring when multiple agents collaborate or share state, especially in edge cases like delegated actions or nested calls. Also, have you run it against more adversarial prompt injection attempts in production, beyond the red team suite?

Really thorough coverage of the attack surfaces—especially including identity as a core layer. Curious how you handle cross-agent permissions in dynamic workflows: do you rely solely on deterministic checks at each action, or is there a runtime trust evaluation that can adapt as agents interact?