New in Smartflow 1.7 — Trust-Fabric Egress Auditing: every hand-off to an external agent, MCP server, or LLM is now sealed at the boundary for audit. Jump to the overview →
  Audit & Governance

Trust-Fabric Egress Auditing

The moment a request leaves Smartflow for an external agent, MCP server, or LLM that runs its own workflows, our visibility ends. Trust-Fabric Egress Auditing seals a tamper-evident record at exactly that boundary — proving what left, when, to whom, and that everything downstream is explicitly opaque. A control, not a blind spot.

Boundary attestation Tamper-evident chain MCP + A2A + LLM Identity-bound Returned-payload scan

Smartflow is the trust boundary

Smartflow sees everything that flows through it — prompts, responses, tool calls, agent-to-agent traffic, compliance verdicts, cost, and identity. But the instant data is handed to something outside the perimeter, that visibility stops. Trust-Fabric Egress Auditing marks that line.

It attests at the boundary, not beyond it

Smartflow does not pretend to see inside a third party's agentic workflow. Instead, at the exact chokepoint where a call leaves the perimeter, it seals a record: this request left the Smartflow trust fabric at time T, to destination Y, under user X's identity, releasing tool/data Z — and downstream is opaque.

The record is tamper-evident

Each egress marker is written to the same HMAC-linked audit chain Smartflow uses for every governed request (sequence number + previous-entry hash + signed entry). It cannot be silently altered or deleted, and it surfaces alongside the original request in the VAS log and Traces views.

It scans what comes back

Data returning from an opaque source is still untrusted. Smartflow runs its compliance scan on the returned payload and notes on the egress record whether sensitive identifiers (PII / PHI / secrets) came back — so a hand-off that returns regulated data is flagged for review.

The one-line pitch: "We can prove, with a signed record, exactly where Smartflow's visibility ends — and that the boundary was crossed under a known identity with known data. That is the chain-of-custody hand-off auditors ask for."

The question every security team asks

"We can see our own agents and MCP calls. But the agent we call is outside our perimeter, and it may invoke other agents and tools before returning data. Can you track that?"

The honest answer is the strong answer. You cannot see inside someone else's agent — and claiming you can erodes trust. What you can do is treat the perimeter crossing as a recordable event, which is exactly how regulators already think about third-party data flows:

It is a recognized control

Not a gap

Third-party data-sharing logs, GDPR processor hand-off records, SR 11-7 third-party / vendor model risk, and DLP egress accounting all rest on the same principle: mark the hand-off, declare where you lose visibility.

"Opaque" is a finding, not a failure

Auditors want the line drawn

An audit trail that ends with "data left to external-public endpoint Y; downstream visibility: none" is far more defensible than silence. It tells the examiner precisely where the controlled zone stops.

Where this applies today. In Smartflow, the external destinations that perform their own work are MCP servers (external tools / agents) and the LLM / A2A endpoints calls are routed to. Both are now marked. If you later add direct proxying to external agent endpoints, the same machinery marks them with no extra work.

How a destination is classified

Smartflow classifies every egress using signals it already has — the destination URL, whether the operator declared a server internal-only, and the MCP Trust Registry status. Internal destinations stay inside the fabric and are not marked; everything else is a boundary crossing.

internal

Inside the perimeter

Private / RFC-1918 host, cluster-internal DNS, loopback, or a server the operator declared not reachable from public IPs. Stays inside the trust fabric — no egress record.

external_trusted

Public, but vetted

A public endpoint that is marked Trusted in the MCP Trust Registry. Still a boundary crossing — it is recorded — but at a lower severity because it has been vetted.

external_public

Public, not vetted

A public endpoint with no trust-registry vetting. Full downstream opacity. Recorded, and escalated when the returned payload carries sensitive data.

unknown

Unresolvable destination

No URL, or a host that cannot be parsed. Treated as outside the perimeter for safety — recorded rather than assumed safe.

Fail safe, not silent. When in doubt, Smartflow marks the egress. A destination is only treated as inside the perimeter when it is provably internal or explicitly declared so by an operator.

What gets recorded at the boundary

Every boundary crossing produces a sealed perimeter_egress audit event and stamps perimeter fields onto the request's VAS log row, so it shows up wherever you already review traffic.

// Sealed perimeter_egress audit event { "event_type": "perimeter_egress", "boundary": "smartflow_trust_fabric", "destination_kind": "mcp", // mcp | a2a | llm "destination_name": "context7", "destination_url": "https://mcp.example.com", "classification": "external_public", "downstream_visibility": "none", "tool_or_method": "resolve-library-docs", "actor": "[email protected]", "actor_groups": "Engineering", "request_id": "req_9f2c…", "compliance_scan_id": "scan_4b81…", "returned_data_had_findings": true, "returned_finding_summary": "email,credit_card", "note": "Request left the Smartflow trust fabric (external_public)." }

The same crossing also stamps these fields onto the request's VAS log row:

VAS fieldTypeMeaning
left_perimeter bool true when this request's data was released outside the trust fabric.
perimeter_classification string internal / external_trusted / external_public / unknown.
perimeter_destination string The endpoint (URL or provider id) data left the perimeter to.
Severity scales with risk. An unvetted public destination that returns sensitive data is recorded as HIGH; an unvetted public destination with a clean payload is MEDIUM; a vetted, trusted destination is LOW.

Where it is enforced

Egress marking runs at the gateway chokepoints data actually passes through — so it cannot be bypassed by an agent or client choosing a different path.

MCP Gateway

Every tool call proxied to an upstream MCP server is classified using the server's URL, its internal-only flag, and its Trust Registry status. Smartflow reuses the returned-payload compliance scan it already performs, then seals the egress record and stamps the VAS row.

A2A Gateway

Agent-to-agent tasks execute against a cloud LLM provider — a destination outside the perimeter. Each task now seals a perimeter_egress record and runs a quick sensitive-identifier sweep on the returned text, closing what was previously an unaudited path.

Observability export

The perimeter markers are also forwarded to downstream log / SIEM pipelines via the standard observability payload, so trust-boundary crossings land in your existing security tooling — not just the Smartflow dashboards.

Reading the records & configuration

The markers surface in the tools you already use, and a durable, dedicated egress audit stream is one config toggle away.

VAS Log & Traces

Filter or scan for left_perimeter = true to see every request that crossed the boundary, with its classification and destination inline. Each row links back to the original request and its compliance verdict.

Tamper-evident audit chain

For MCP egress the marker is carried on the request's sealed VAS log row, which is part of the HMAC-linked audit chain — durable and verifiable by default, with no extra configuration.

Optional: a dedicated, persistent egress stream

To keep a standalone, append-only audit file of only perimeter crossings (handy for shipping straight to a WORM store), set two environment variables on the proxy. Without them, the dedicated stream stays in-memory while the VAS chain remains the durable record.

# Durable, verifiable dedicated egress audit stream PERIMETER_AUDIT_LOG_FILE=/var/audit/perimeter-egress.log SF_AUDIT_SIGNING_KEY=<stable-hex-secret> # survives restarts; makes signatures verifiable
Bottom line. Smartflow proves a request passed through its governed gateway, applied policy and compliance, and — when it handed off to an opaque downstream agent — recorded that hand-off in a way an auditor can trust. You will never claim to see what you cannot; you will always be able to show where your visibility ended.