Agent Fabric Security Rules
SquireX provides deep integration with MuleSoft Agent Fabric (Flex Gateway) to detect security gaps in multi-agent orchestration. These rules analyze broker configurations, LLM provider settings, and A2A protocol cards.
Rulesโ
AF-01: Broker PII Routing Without Guardโ
| Field | Value |
|---|---|
| ID | AGENTFORCE-AF-01 |
| Severity | Critical |
| Category | MuleSoft Agent Fabric |
Detects Agent Fabric brokers that route requests to agents processing PII-classified fields without PII output guards. When a broker routes PII data to agents that lack masking or filtering policies, sensitive data may leak through the routing layer.
Fix: Add a PII output policy to the target agent, or configure the broker to apply PII masking before routing.
AF-02: LLM Provider Without Rate Limitโ
| Field | Value |
|---|---|
| ID | AGENTFORCE-AF-02 |
| Severity | High (escalates to Critical when serving multiple brokers) |
| Category | MuleSoft Agent Fabric |
Detects LLM provider configurations in Agent Fabric that lack rate limiting controls. Without rate limits, a single compromised agent can exhaust the LLM quota, causing service degradation or denial-of-service across all agents in the fabric.
Fix: Configure rateLimit, concurrencyLimit, or maxTokens on the LLM provider.
AF-03: A2A Card Overpermissioned Scopeโ
| Field | Value |
|---|---|
| ID | AGENTFORCE-AF-03 |
| Severity | High (escalates to Critical with 3+ sensitive skills) |
| Category | MuleSoft Agent Fabric |
Detects A2A Agent Cards that advertise sensitive capabilities (database writes, deployments, payments) without requiring strong authentication (mTLS, OAuth2). Remote agents discovering this card at /.well-known/agent.json can invoke privileged operations without identity verification.
Sensitive skills detected:
database_write,database_delete,record_deletedeploy,deploy_metadata,execute_apexpayment_process,payment_refunduser_create,user_modify,user_deletepermission_grant
Fix: Require mTLS or OAuth2 authentication on A2A cards that expose write, deploy, or payment operations.
AF-04: Broker Privilege Escalation via Routingโ
| Field | Value |
|---|---|
| ID | AGENTFORCE-AF-04 |
| Severity | High |
| Category | MuleSoft Agent Fabric |
Detects Agent Fabric brokers with routing strategies (fallback, round-robin) that route across agents at different privilege levels. A low-privilege request may be routed to a high-privilege agent through fallback, enabling indirect privilege escalation.
Fix: Separate brokers by privilege tier, or use capability-based routing to prevent cross-tier escalation.
AF-05: Bidirectional Agent Communication Without Brokerโ
| Field | Value |
|---|---|
| ID | AGENTFORCE-AF-05 |
| Severity | Medium |
| Category | MuleSoft Agent Fabric |
Detects agents that can communicate bidirectionally (Agent A โ Agent B) without a mediating broker to control the conversation. This creates potential infinite loops and uncontrolled A2A communication that bypasses governance policies.
Fix: Route inter-agent communication through an Agent Fabric broker with loop detection and max-hop limits.
CLI Usageโ
# Scan with Agent Fabric rules (included by default)
squireinterp scan scan-request.json
# Filter to Agent Fabric rules only
squireinterp scan scan-request.json --rules AGENTFORCE-AF-01,AGENTFORCE-AF-02,AGENTFORCE-AF-03,AGENTFORCE-AF-04,AGENTFORCE-AF-05
Metadata Requirementsโ
Agent Fabric rules require the parser to extract YAML configurations from:
agent-network.yamlโ broker, LLM provider, and policy definitions*.a2aCard-meta.xmlโ A2A Agent Card declarations*.agentFabric-meta.xmlโ Flex Gateway configurations