Security model
nene-mcp assumes a local-dev MCP bridge to a trusted base URL. The threat model focuses on misconfiguration and catalog mistakes, not on a hostile upstream API.
For commercial adoption boundaries (developer tool vs production gateway), see Commercial use & production scope.
Defaults
| Control | Behavior |
|---|---|
| Write tools | Fail closed without NENE_MCP_BEARER_TOKEN |
| HTTP redirects | Disabled (follow_location = 0) — prevents internal SSRF via redirects |
| Duplicate tool names | Rejected at catalog load (v0.1.3+) |
| Invalid safety value | Rejected at catalog load — must be read or write (v0.1.7+) |
| Secrets | Bearer only in env; never in catalog or nene_mcp_about |
| Stderr HTTP log | Opt-in (NENE_MCP_LOG=stderr); method/path/status/duration only — no Bearer or bodies |
| JSON-RPC errors | Safe messages; no stack traces on stdout |
SSRF considerations
- Catalog paths append to configured base URL
- Absolute URLs in catalog paths produce malformed requests against the base host — not arbitrary host fetch
- Redirect following disabled after FT3 finding
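The two SSRF points above (catalog paths are appended to the base URL, and redirects are never followed) can be shown in a few lines. This is an added example, not nene-mcp's own code; it assumes PHP (as the Packagist reference implies), uses the stream-context `follow_location` option named in the Defaults table, and the function names `buildToolUrl`, `assertSameHost` and `makeContext` are illustrative.

```php
<?php
// Added example (not nene-mcp's code). Shows why a catalog path, even one that
// looks like an absolute URL, always produces a request against the base host,
// and how outbound requests are configured so a 3xx cannot redirect the bridge.

declare(strict_types=1);

/**
 * Join a catalog path to the trusted base URL. The catalog value is treated as
 * a path fragment and appended; it is never parsed as a URL of its own.
 */
function buildToolUrl(string $baseUrl, string $catalogPath): string
{
    return rtrim($baseUrl, '/') . '/' . ltrim($catalogPath, '/');
}

/**
 * Defensive check before sending: the host of the final URL must equal the
 * host of the configured base URL. Throws instead of sending otherwise.
 */
function assertSameHost(string $baseUrl, string $url): void
{
    $expected = parse_url($baseUrl, PHP_URL_HOST);
    $actual   = parse_url($url, PHP_URL_HOST);
    if ($expected === null || $actual !== $expected) {
        throw new RuntimeException("Refusing request: host '$actual' is not base host '$expected'");
    }
}

/**
 * Stream context for outbound calls. follow_location = 0 is the hardening from
 * the Defaults table: a redirect from the API is returned as-is, not followed.
 */
function makeContext(?string $bearer, string $method = 'GET', ?string $body = null)
{
    $headers = ['Accept: application/json'];
    if ($bearer !== null && $bearer !== '') {
        $headers[] = 'Authorization: Bearer ' . $bearer; // token comes from env only
    }
    if ($body !== null) {
        $headers[] = 'Content-Type: application/json';
    }
    return stream_context_create([
        'http' => [
            'method'          => $method,
            'header'          => implode("\r\n", $headers),
            'content'         => $body ?? '',
            'follow_location' => 0,    // never follow 3xx
            'ignore_errors'   => true, // return 4xx/5xx bodies instead of raising warnings
            'timeout'         => 10,
        ],
    ]);
}

// Constructed sample values (not a real deployment)
$base = 'https://api.example.test/v1';

$url = buildToolUrl($base, '/users/me');
assertSameHost($base, $url);
echo $url, PHP_EOL; // https://api.example.test/v1/users/me

// A catalog entry that mistakenly holds an absolute URL is simply appended:
// the request goes to api.example.test with a nonsense path, not to the
// embedded host. The host check passes because the host is unchanged.
$odd = buildToolUrl($base, 'https://other.example.test/admin');
assertSameHost($base, $odd);
echo $odd, PHP_EOL; // https://api.example.test/v1/https://other.example.test/admin

$ctx = makeContext(getenv('NENE_MCP_BEARER_TOKEN') ?: null);
// file_get_contents($url, false, $ctx) would use this context; omitted here so
// the script runs offline.
```

The `assertSameHost` check is belt-and-braces: the join alone already guarantees the host, but an explicit comparison makes the property visible in tests and survives future changes to URL construction.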
Operator responsibilities
- Keep Bearer tokens out of git and catalog JSON
- Pin Packagist versions for production-like trials
- Review `safety: write` entries before sharing MCP config
- `nene_mcp_about` may include `catalogPath` (filesystem path to `tools.json`) for operator debugging — not a secret, but omit catalog from shared MCP configs if path disclosure matters
- Align `safety` with HTTP method + OpenAPI auth — do not label Bearer-protected POST as `read` (write-tools-bearer)
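The catalog checks from the Defaults table (duplicate names and invalid `safety` values rejected at load, write tools failing closed without `NENE_MCP_BEARER_TOKEN`) and the alignment rule in the last bullet above can be exercised by one small loader plus a lint pass. This is an added example, not nene-mcp's own code; it assumes PHP and a `tools.json` entry shape of `name`/`method`/`path`/`safety`/`auth`, and the rule that a mutating method or a Bearer-protected route must be labelled `write` is this example's reading of the bullet, not a documented project rule.

```php
<?php
// Added example (not nene-mcp's code). Catalog loader that rejects duplicate
// tool names and bad safety values, a lint that flags safety labels that
// disagree with method/auth, and a fail-closed gate for write tools.

declare(strict_types=1);

const SAFETY_VALUES   = ['read', 'write'];
const MUTATING_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

/** Parse tools.json content and throw on the first catalog mistake. */
function loadCatalog(string $json): array
{
    $tools = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $seen  = [];
    foreach ($tools as $i => $tool) {
        $name = $tool['name'] ?? throw new InvalidArgumentException("tool #$i has no name");
        if (isset($seen[$name])) {
            throw new InvalidArgumentException("duplicate tool name '$name'");
        }
        $seen[$name] = true;

        $safety = $tool['safety'] ?? null;
        if (!in_array($safety, SAFETY_VALUES, true)) {
            throw new InvalidArgumentException("tool '$name': safety must be read or write");
        }
    }
    return $tools;
}

/** Return human-readable findings for entries labelled read that should be write. */
function lintSafetyAlignment(array $tools): array
{
    $findings = [];
    foreach ($tools as $tool) {
        $method   = strtoupper($tool['method'] ?? 'GET');
        $mutating = in_array($method, MUTATING_METHODS, true);
        // 'auth' is assumed to be derived from the OpenAPI security scheme
        $bearer   = ($tool['auth'] ?? 'none') === 'bearer';
        if ($tool['safety'] === 'read' && ($mutating || $bearer)) {
            $why = $mutating ? "method $method mutates" : 'route requires Bearer';
            $findings[] = "{$tool['name']}: labelled read but $why";
        }
    }
    return $findings;
}

/** Fail closed: a write tool runs only when the bearer token is present in the environment. */
function canInvoke(array $tool, ?string $bearerFromEnv): bool
{
    if ($tool['safety'] === 'write') {
        return $bearerFromEnv !== null && $bearerFromEnv !== '';
    }
    return true;
}

// Constructed sample catalog; the second entry is the mislabel the page warns about.
$catalogJson = <<<'JSON'
[
  {"name": "get_user",    "method": "GET",  "path": "/users/{id}", "safety": "read",  "auth": "none"},
  {"name": "create_user", "method": "POST", "path": "/users",      "safety": "read",  "auth": "bearer"},
  {"name": "delete_user", "method": "DELETE", "path": "/users/{id}", "safety": "write", "auth": "bearer"}
]
JSON;

$tools = loadCatalog($catalogJson);

foreach (lintSafetyAlignment($tools) as $finding) {
    fwrite(STDERR, "lint: $finding\n"); // create_user: labelled read but method POST mutates
}

$token = getenv('NENE_MCP_BEARER_TOKEN') ?: null;
foreach ($tools as $tool) {
    printf("%-12s safety=%-5s invokable=%s\n",
        $tool['name'], $tool['safety'], canInvoke($tool, $token) ? 'yes' : 'no');
}
// With the token unset, delete_user reports invokable=no.
```

Running the lint in CI against `tools.json` catches the `safety: read` on a Bearer-protected POST before the catalog is shared, which is the review step the bullet asks for; the loader's exceptions mirror the load-time rejections listed under Defaults.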
Reporting
See repository SECURITY.md and security policy for implementers.
Field Trial security cadence: every FT where N % 3 == 0.