dannystocker/mcp-multiagent-bridge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
mcp-multiagent-bridge/SECURITY.md
ggq-admin e5003e9653 docs: Add governance files for OSS release 
- Add MIT LICENSE
- Add SECURITY.md with responsible disclosure policy
  * Vulnerability reporting guidelines
  * YOLO mode security considerations
  * Agentic AI threat model
  * Anthropic & OpenAI policy compliance
  * Security roadmap
- Add CONTRIBUTING.md with guidelines
  * Bug reporting template
  * Feature request process
  * PR workflow and commit format
  * Development setup instructions
- Update README.md with policy compliance
  * Beta software warning
  * YOLO mode safety notice
  * Anthropic Acceptable Use Policy
  * Anthropic Responsible Scaling Policy
  * Updated security features list
- Pin dependencies to specific versions
  * mcp>=1.0.0,<2.0.0

Ready for public GitHub release.
2025-10-27 00:50:33 +01:00

200 lines
5.1 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Reporting a Vulnerability
**DO NOT** open a public GitHub issue for security vulnerabilities.
Instead, please report security issues responsibly:
- Create a private security advisory on GitHub
- Or email: [your-email]@[domain].com (replace with actual email)
- Subject: "SECURITY: Claude Code Bridge - [brief description]"
Please include:
1. Description of the vulnerability
2. Steps to reproduce
3. Potential impact
4. Suggested fix (if any)
You will receive a response within 48 hours.
---
## Security Considerations
### ⚠️ YOLO Mode
YOLO mode enables command execution. This is inherently dangerous and should only be used:
- In isolated development environments
- With explicit user confirmation
- With audit logging enabled
- By users who understand the risks
**Never enable YOLO mode:**
- On production systems
- With untrusted agents
- On shared machines
- Without proper backups
**Safety Features:**
1. Environment variable gate (`YOLO_MODE=1` required)
2. Double confirmation (typed phrase + one-time code)
3. Dry-run default (no actual execution without approval token)
4. Command validation (blocks dangerous patterns)
5. Audit logging (all actions logged with timestamps)
6. Timeout limits (commands killed after 30s by default)
7. Workspace restriction (commands run in specified directory)
### Token Security
Session tokens are cryptographically secure (64-char hex) but:
- Stored in plain text in SQLite
- Visible in MCP debug logs
- Not encrypted at rest
- Expire after 3 hours
For production use, consider:
- Encrypting database at rest
- Using environment-specific key management
- Shorter token lifetimes for sensitive operations
### Known Limitations
1. **No encryption in transit**: Messages stored as plain text in SQLite
2. **No user authentication**: Anyone with file access can read database
3. **Rate limiting**: Implemented but test in your environment
4. **Command execution risks**: YOLO mode can modify system
5. **Audit logs not tamper-proof**: SQLite database can be modified
---
## Threat Model
### In Scope:
- Local multi-agent coordination
- Development/testing environments
- Isolated workspaces
- Human-supervised operations
### Out of Scope:
- Production deployments without additional safeguards
- Multi-tenant systems
- Public-facing APIs
- Unattended automation
---
## Agentic AI Considerations
### Command Execution Risks
YOLO mode enables agentic behavior (AI taking actions in the real world).
This carries significant risks:
**Threat Model:**
- Malicious commands injected by adversarial prompts
- Unintended destructive operations from AI errors
- Privilege escalation attempts
- Data exfiltration
- Credential theft
**Mitigations:**
- Command validation (whitelist + blacklist)
- Execution timeout (30s default)
- Workspace restriction
- Audit logging
- Multi-step approval process
- Environment-specific gating
**Recommended Controls:**
- Run in Docker container with no network access
- Use read-only filesystem where possible
- Drop all unnecessary capabilities
- Monitor audit logs continuously
- Set up alerts for suspicious patterns
- Maintain offline backups
### Compliance with AI Provider Policies
**Anthropic Claude:**
- Comply with [Responsible Scaling Policy](https://www.anthropic.com/responsible-scaling-policy)
- Maintain human oversight
- Document intended use
- Implement operational safeguards
**OpenAI:**
- Comply with [Usage Policies](https://openai.com/policies/usage-policies)
- No unauthorized system access
- No malware development
- Human-in-the-loop for high-risk actions
**Your Responsibility:**
- Ensure compliance with provider terms
- Supervise all agent operations
- Report security issues responsibly
- Maintain appropriate logging
### Acceptable Use
**Allowed:**
- Development and testing workflows
- Automated code quality checks
- Safe file operations (within workspace)
- Git operations (with confirmation)
- Package management (npm/pip install)
**Not Allowed:**
- Production deployments without safeguards
- Unattended operation on critical systems
- Privilege escalation attempts
- Network attacks or exploitation
- Data theft or unauthorized access
- Malware development or deployment
---
## Security Roadmap
Future security enhancements:
- [ ] Message encryption at rest
- [ ] Rate limiting per session (implemented, needs hardening)
- [ ] Command execution sandboxing (Docker)
- [ ] Tamper-evident audit logs
- [ ] TLS for network transport
- [ ] OAuth/OIDC authentication
- [ ] Role-based access control
---
## Security Best Practices
When using this bridge:
1. **Isolate**: Run in dedicated VM or container
2. **Monitor**: Review audit logs regularly
3. **Limit**: Use restrictive YOLO modes
4. **Backup**: Maintain offline backups
5. **Update**: Keep dependencies current
6. **Test**: Validate before production use
7. **Document**: Record configuration decisions
---
## Contact
For security concerns:
- GitHub Security Advisories (preferred)
- Email: [Add your email here]
For general questions:
- GitHub Issues
- GitHub Discussions
---
**Last Updated:** 2025-10-27
Reference in a new issue View git blame Copy permalink