Security model
nene-mcp assumes a local-dev MCP bridge to a trusted base URL. The threat model focuses on misconfiguration and catalog mistakes.
Defaults
| Control | Behavior |
|---|---|
| Write tools | Fail closed without NENE_MCP_BEARER_TOKEN |
| HTTP redirects | Disabled (follow_location = 0) — prevents internal SSRF via redirects |
| Duplicate tool names | Rejected at catalog load (v0.1.3+) |
| Secrets | Bearer only in env; never in catalog or nene_mcp_about |
| JSON-RPC errors | Safe messages; no stack traces on stdout |
SSRF considerations
- Catalog paths append to configured base URL
- Absolute URLs in catalog paths produce malformed requests against the base host — not arbitrary host fetch
- Redirect following disabled after FT3 finding
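
The following is an added example, not nene-mcp's own code. It sketches why an absolute URL in a catalog path stays on the base host when paths are joined by plain concatenation, and builds a PHP stream context with follow_location = 0. The function names, the join logic, the base URL and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the join below is an assumed reading of "append to base URL".
function buildRequestUrl(string $baseUrl, string $catalogPath): string
{
    // Always insert exactly one '/' so the path can never extend the authority part.
    return rtrim($baseUrl, '/') . '/' . ltrim($catalogPath, '/');
}

// True when scheme, host and port of $url match the configured base URL.
function staysOnBaseHost(string $baseUrl, string $url): bool
{
    $b = parse_url($baseUrl);
    $u = parse_url($url);
    if ($b === false || $u === false) {
        return false;
    }
    return ($u['scheme'] ?? null) === ($b['scheme'] ?? null)
        && ($u['host'] ?? null) === ($b['host'] ?? null)
        && ($u['port'] ?? null) === ($b['port'] ?? null);
}

// Stream context options that hand a 3xx response back to the caller instead of chasing it.
function noRedirectOptions(?string $bearer): array
{
    $headers = ['Accept: application/json'];
    if ($bearer !== null && $bearer !== '') {
        $headers[] = 'Authorization: Bearer ' . $bearer; // token comes from env only
    }
    return ['http' => [
        'method'          => 'GET',
        'header'          => implode("\r\n", $headers),
        'follow_location' => 0,    // a Location header is never followed
        'ignore_errors'   => true, // still read the body of 3xx/4xx/5xx responses
        'timeout'         => 5,
    ]];
}

$base  = 'http://127.0.0.1:8080/api'; // constructed sample base URL
$paths = ['/users', 'items/42', 'https://other.example/x', '//other.example/x', '@other.example/x'];
foreach ($paths as $p) {
    $url = buildRequestUrl($base, $p);
    printf("%-26s -> %s [%s]\n", $p, $url, staysOnBaseHost($base, $url) ? 'base host' : 'OFF HOST');
}

$ctx = stream_context_create(noRedirectOptions(getenv('NENE_MCP_BEARER_TOKEN') ?: null));
var_dump(stream_context_get_options($ctx)['http']['follow_location']);
```

With redirects disabled, a 3xx from the base host surfaces as a response the caller can log or reject, so a redirect to an internal address is never fetched.
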
Operator responsibilities
- Keep Bearer tokens out of git and catalog JSON
- Pin Packagist versions for production-like trials
- Review safety: write entries before sharing MCP config
Reporting
See repository SECURITY.md and security policy for implementers.
Field Trial security cadence: every FT where N % 3 == 0.