---
name: security
description: Security and compliance for MCPAtlas: threat model, RBAC, audit, supply chain, input validation, plugin sandbox. Use when implementing auth, hardening, or reviewing security-sensitive code.
---

# Security — MCPAtlas

Apply BluePrint §8 (Security & Compliance) and DEEP_PLAN §9.

## Threat model (BluePrint §8)

| Threat | Mitigation |
|--------|------------|
| Malicious MCP client / crafted queries | Input validation, query length limits (e.g. 1KB), regex-safe search |
| Plugin exfiltration via network | WASM sandbox, network allowlist per plugin manifest |
| GitHub token leak | Never log; never in responses; sealed secrets / external store in K8s |
| DoS via expensive queries | Per-client rate limit (token bucket), request timeout (e.g. 30s), semaphore |
| Supply chain (deps, image) | cargo-deny, cargo-audit, SBOM, cosign, pinned base images |
| WASM escape | Wasmtime sandbox, no WASI FS, CPU epoch limits |

## Authentication and RBAC

- **STDIO**: No auth (local trust).
- **HTTP**: Auth middleware. Roles: Anonymous (read), Reader (read), PluginAdmin (+ plugin install), Admin (all + /admin). API key in `Authorization: Bearer <key>`; validate against config or Redis. No auth = reject or Anonymous.
- Store key hashes (e.g. bcrypt), not raw keys. Optional scopes for tool-level access.

## Input validation

- Validate and bound all MCP params: string length, allowed enums, numeric ranges. Reject with clear JSON-RPC error.
- Sanitize search/graph inputs; use parameterized queries. No user-controlled format strings in SQL or index queries.
- Request body size limit (e.g. 1MB). Return 413 or equivalent when exceeded.

## Audit logging

- Log tool calls: timestamp, session_id, client_ip, method, tool_name, params_hash (SHA-256, not raw params), response_code, latency_ms. Structured JSON to stderr or OTLP.
- Never log: API keys, tokens, full request params, PII.

## Supply chain

- **Build**: Hermetic where possible; pinned base image. CI: no self-hosted runners for release.
- **Signing**: Cosign for binaries and container image. Attest SBOM (SPDX).
- **Dependencies**: cargo-deny (licenses, duplicates, tree); cargo-audit for advisories. Fix or document exceptions.
- **SLSA**: Use slsa-github-generator (or equivalent) for provenance in release workflow.

## Plugin sandbox

- Network: only hosts declared in plugin manifest; host validates URL before proxy.
- Memory: max_memory_mb via Wasmtime StoreLimits.
- CPU: max_cpu_ms per call via epoch interruption.
- No filesystem. Plugin signing (e.g. .wasm.sig) before load. Log every plugin tool call (name, tool, latency, outcome).

When adding auth, new endpoints, or plugin hooks: check threat model and audit surface.