# MCP Registry Template
# Copy to: .claude/mcp-registry.yaml in your shared config repo
#
# Purpose: Track approved MCP servers, their scope, and review status.
# This is the org-level source of truth for permitted MCP usage.
#
# Related: guide/security/enterprise-governance.md §3.2
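metadata:
  organization: "[Your Organization Name]"
  # Cadence for re-reviewing this registry.
  review_cycle: quarterly
  # Keep dates quoted: an unquoted ISO date (e.g. 2026-01-15) is loaded as a
  # date object by YAML 1.1 parsers, not as a string.
  last_reviewed: "YYYY-MM-DD"
  next_review: "YYYY-MM-DD"
  # A team alias rather than a single person keeps ownership stable.
  owner: "platform-team@company.com"
  # Governing policy this registry implements.
  policy_doc: "https://your-wiki/ai-usage-charter"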
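# ─────────────────────────────────────────────────────────────────
# APPROVED MCPs
# ─────────────────────────────────────────────────────────────────
# Each entry records who approved what, until when, and why.
# Field notes:
#   version      — exact version only; must match the @version suffix in config.args.
#   expires      — date the approval lapses; shorter for higher risk.
#   data_scope   — PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED
#   risk         — LOW | MEDIUM | HIGH
#   restrictions — optional list of conditions the approval depends on.
#   config.env   — non-secret settings only; secrets are injected at runtime.
approved:
  # Example: Read-only documentation lookup (LOW risk)
  - name: context7
    version: "1.2.3"  # Pin exact version — never "latest"
    source: "https://github.com/context7/mcp-server"
    npm_package: "@context7/mcp-server"
    approved_by: "john.doe@company.com"
    approved_date: "2026-01-15"
    expires: "2026-07-15"  # 6 months default
    data_scope: PUBLIC  # PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED
    risk: LOW  # LOW | MEDIUM | HIGH
    rationale: "Read-only documentation lookup. No data egress, no credentials."
    config:
      command: npx
      # npx -y installs without prompting; the @1.2.3 suffix keeps the fetched
      # package in step with `version` above.
      args: ["-y", "@context7/mcp-server@1.2.3"]
      env: {}

  # Example: Local reasoning (LOW risk)
  - name: sequential-thinking
    version: "0.6.2"
    source: "https://github.com/modelcontextprotocol/servers"
    npm_package: "@modelcontextprotocol/server-sequential-thinking"
    approved_by: "jane.smith@company.com"
    approved_date: "2026-01-15"
    expires: "2026-07-15"
    data_scope: INTERNAL
    risk: LOW
    rationale: "Local reasoning only. No network access, no file I/O beyond scratch."
    config:
      command: npx
      args: ["-y", "@modelcontextprotocol/server-sequential-thinking@0.6.2"]
      env: {}

  # Example: Read-only internal database (MEDIUM risk, shorter expiry)
  - name: internal-db-readonly
    version: "2.1.0"
    source: "internal"  # "internal" for company-built MCPs
    approved_by: "security@company.com"
    approved_date: "2026-02-01"
    expires: "2026-05-01"  # Shorter expiry for higher risk
    data_scope: CONFIDENTIAL
    risk: MEDIUM
    rationale: "Read-only replica. Allowlisted tables exclude PII, payments, audit."
    # Conditions the approval depends on; re-review if any of them changes.
    restrictions:
      - "Read-only database user only (no INSERT/UPDATE/DELETE)"
      - "No access to: users, payments, audit_log, sessions tables"
      - "Only connect to readonly replica, never primary"
    config:
      command: npx
      args: ["-y", "@company/db-mcp@2.1.0"]
      env:
        DB_HOST: "readonly-replica.internal"
        DB_USER: "claude_readonly"
        # DB_PASS: loaded from secrets manager at runtime — never commit it here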
# ─────────────────────────────────────────────────────────────────
# PENDING REVIEW
# ─────────────────────────────────────────────────────────────────
# Requests that have been filed but not yet approved or denied.
pending_review:
  - name: github-mcp
    requested_by: 'dev@company.com'
    requested_date: '2026-03-05'
    source: 'https://github.com/modelcontextprotocol/servers'
    use_case: 'Automated PR creation, issue management'
    proposed_data_scope: INTERNAL
    # Lifecycle of a request while it sits in this section.
    status: under_review  # under_review | sandbox_trial | awaiting_security
    reviewer: 'jane.smith@company.com'
    expected_decision: '2026-03-20'
    notes: 'Check GitHub token scope — should be limited to specific repos'
# ─────────────────────────────────────────────────────────────────
# DENIED
# ─────────────────────────────────────────────────────────────────
# Rejected requests, kept so the same ask is not re-litigated from scratch.
denied:
  - name: browser-automation-mcp
    denied_date: '2026-02-10'
    requested_by: 'dev2@company.com'
    # Folded scalar: line breaks become spaces, so this reads as one paragraph.
    reason: >
      Full browser automation with no scope restriction.
      Can navigate to arbitrary URLs, exfiltrate data via screenshots,
      and access internal sites via authenticated sessions.
      Risk too high without a sandboxed browser environment.
    alternative: 'Use Playwright MCP with restricted URL allowlist if browser access required.'

  - name: filesystem-mcp-unrestricted
    denied_date: '2026-01-20'
    requested_by: 'dev3@company.com'
    reason: >
      Unrestricted filesystem access.
      CVE-2025-53109/53110 not patched in requested version.
      Would allow sandbox escape via prefix bypass + symlinks.
    alternative: "Use Claude Code's built-in Read/Write/Edit tools with permissions.deny rules."
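# ─────────────────────────────────────────────────────────────────
# VERSION BUMP POLICY
# ─────────────────────────────────────────────────────────────────
# Review required before an approved MCP's pinned `version` may change.
# NOTE: `requires` and `approver` are plain strings. A value such as
# "full_security_review + sandbox_trial" is ONE string, not two tokens, so
# tooling that compares against an allowed set will not match it. If this
# file is machine-validated, use a list instead, e.g.
# `requires: [full_security_review, sandbox_trial]`.
version_bump_policy:
  patch:  # e.g., 1.2.3 → 1.2.4
    requires: check_release_notes  # Check for CVEs/breaking changes, then auto-approve
    approver: tech_lead
    turnaround: "48h"
  minor:  # e.g., 1.2.3 → 1.3.0
    requires: full_security_review
    approver: security_team
    turnaround: "1 week"
  major:  # e.g., 1.2.3 → 2.0.0
    requires: full_security_review + sandbox_trial
    approver: security_team + engineering_director
    turnaround: "2 weeks"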
# ─────────────────────────────────────────────────────────────────
# SECURITY INCIDENT CONTACTS
# ─────────────────────────────────────────────────────────────────
# Where to report a suspected compromise or misuse of an approved MCP.
incident_response:
  report_to: 'security@company.com'
  slack: '#security-incidents'  # Quoted: a bare leading # would start a comment
  response_time_sla: '4 hours business hours'
  escalation: 'engineering-director@company.com'