Security docs

crivetimihai · crivetimihai · commit 414bc7582435 · 2025-08-12T15:16:45.000+01:00
Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
diff --git a/docs/docs/architecture/security-features.md b/docs/docs/architecture/security-features.md
@@ -6,31 +6,35 @@
 
 ## Comprehensive Security Capabilities
 
+**Legend**: ✅ = Completed | 🚧 = In Progress | 📋 = Planned
+
 ### 🔐 Authentication & Identity Management
 
-* **JWT Token Management** - Configurable JWT tokens with expiration, per-user token catalogs, and revocation support ([#87](https://github.com/IBM/mcp-context-forge/issues/87), [#425](https://github.com/IBM/mcp-context-forge/issues/425))
+* **JWT Token Management** - Configurable JWT tokens with expiration, per-user token catalogs, and revocation support ([#87](https://github.com/IBM/mcp-context-forge/issues/87), ✅ [#425](https://github.com/IBM/mcp-context-forge/issues/425))
 
-* **Database-Backed User Authentication** - Argon2id password hashing replacing basic auth ([#544](https://github.com/IBM/mcp-context-forge/issues/544))
+* **Database-Backed User Authentication** - Argon2id password hashing replacing basic auth ([#544](https://github.com/IBM/mcp-context-forge/issues/544)) 🚧
 
 * **Enterprise SSO Integration** - Support for GitHub, Google, LDAP/Active Directory identity providers ([#220](https://github.com/IBM/mcp-context-forge/issues/220), [#277](https://github.com/IBM/mcp-context-forge/issues/277), [#278](https://github.com/IBM/mcp-context-forge/issues/278), [#284](https://github.com/IBM/mcp-context-forge/issues/284))
 
+* **OAuth Integration** - Support for OAuth 2.0 for delegated access to MCP servers ([#605](https://github.com/IBM/mcp-context-forge/issues/605)) 🚧
+
 * **Per-Virtual-Server API Keys** - Scoped access control for individual virtual servers ([#282](https://github.com/IBM/mcp-context-forge/issues/282))
 
-* **Enhanced Session Management** - Secure session handling for Admin UI ([#541](https://github.com/IBM/mcp-context-forge/issues/541))
+* **Enhanced Session Management** - Secure session handling for Admin UI ([#541](https://github.com/IBM/mcp-context-forge/issues/541)) 🚧
 
-* **CSRF Token Protection** - Cross-site request forgery prevention ([#543](https://github.com/IBM/mcp-context-forge/issues/543))
+* **CSRF Token Protection** - Cross-site request forgery prevention ([#543](https://github.com/IBM/mcp-context-forge/issues/543)) 🚧
 
 ### 🛡️ Authorization & Access Control
 
 * **Role-Based Access Control (RBAC)** - User/Team/Global scopes with private, team, and global catalog separation ([#283](https://github.com/IBM/mcp-context-forge/issues/283))
 
-* **Attribute-Based Access Control (ABAC)** - Dynamic authorization based on user attributes, resource properties, and environmental context (Planned)
+* **Attribute-Based Access Control (ABAC)** - Dynamic authorization based on user attributes, resource properties, and environmental context ([#706](https://github.com/IBM/mcp-context-forge/issues/706)) 🚧
 
 * **Policy-as-Code Engine** - Rego-based policy enforcement for fine-grained authorization ([#271](https://github.com/IBM/mcp-context-forge/issues/271))
 
-* **IP-Based Access Control** - Configurable IP allowlisting for network-level security ([#536](https://github.com/IBM/mcp-context-forge/issues/536))
+* **IP-Based Access Control** - Configurable IP allowlisting for network-level security ([#536](https://github.com/IBM/mcp-context-forge/issues/536)) 🚧
 
-* **Endpoint Feature Flags** - Selectively enable/disable tools, resources, prompts, servers, gateways ([#537](https://github.com/IBM/mcp-context-forge/issues/537))
+* **Endpoint Feature Flags** - Selectively enable/disable tools, resources, prompts, servers, gateways ([#537](https://github.com/IBM/mcp-context-forge/issues/537)) 🚧
 
 * **Resource-Level Access Control** - Virtual server composition with granular tool/resource visibility control
 
@@ -40,9 +44,9 @@
 
 * **Cryptographic Request Signing** - End-to-end request/response signing and verification ([#230](https://github.com/IBM/mcp-context-forge/issues/230))
 
-* **TLS/mTLS Support** - Certificate-based authentication with private CA support ([#568](https://github.com/IBM/mcp-context-forge/issues/568))
+* **TLS/mTLS Support** - Certificate-based authentication with private CA support ([#568](https://github.com/IBM/mcp-context-forge/issues/568)) 🚧
 
-* **Enterprise Secrets Management** - HashiCorp Vault integration for secure credential storage ([#542](https://github.com/IBM/mcp-context-forge/issues/542))
+* **Enterprise Secrets Management** - HashiCorp Vault integration for secure credential storage ([#542](https://github.com/IBM/mcp-context-forge/issues/542)) 🚧
 
 * **Transport Layer Security** - Multiple secure protocols (SSE, WebSocket, HTTPS) with configurable TLS termination
 
@@ -58,15 +62,15 @@
 
 * **AI Guardrails & PII Masking** - Input/output sanitization with sensitive data detection ([#229](https://github.com/IBM/mcp-context-forge/issues/229))
 
-* **Content Size & Type Limits** - Security limits for resources and prompts ([#538](https://github.com/IBM/mcp-context-forge/issues/538))
+* **Content Size & Type Limits** - Security limits for resources and prompts ([#538](https://github.com/IBM/mcp-context-forge/issues/538)) 🚧
 
-* **XSS Prevention** - DOMPurify integration and content sanitization ([#336](https://github.com/IBM/mcp-context-forge/issues/336), [#341](https://github.com/IBM/mcp-context-forge/issues/341), [#361](https://github.com/IBM/mcp-context-forge/issues/361))
+* **XSS Prevention** - DOMPurify integration and content sanitization (✅ [#336](https://github.com/IBM/mcp-context-forge/issues/336), [#341](https://github.com/IBM/mcp-context-forge/issues/341), ✅ [#361](https://github.com/IBM/mcp-context-forge/issues/361))
 
-* **SQL Injection Prevention** - Database-level security constraints ([#342](https://github.com/IBM/mcp-context-forge/issues/342))
+* **SQL Injection Prevention** - Database-level security constraints ([#342](https://github.com/IBM/mcp-context-forge/issues/342)) 🚧
 
 ### 🛠️ Plugin & Middleware Framework
 
-* **Pre/Post Request Hooks** - Extensible plugin system for custom security policies ([#319](https://github.com/IBM/mcp-context-forge/issues/319))
+* **Pre/Post Request Hooks** - Extensible plugin system for custom security policies (✅ [#319](https://github.com/IBM/mcp-context-forge/issues/319), ✅ [#682](https://github.com/IBM/mcp-context-forge/issues/682))
 
 * **AI Middleware Integration** - Framework for adding LLM-based security capabilities ([#313](https://github.com/IBM/mcp-context-forge/issues/313))
 
@@ -76,11 +80,11 @@
 
 ### 📊 Monitoring & Audit
 
-* **Comprehensive Audit Logging** - Database-backed audit trail for all operations ([#535](https://github.com/IBM/mcp-context-forge/issues/535))
+* **Comprehensive Audit Logging** - Database-backed audit trail for all operations ([#535](https://github.com/IBM/mcp-context-forge/issues/535)) 🚧
 
 * **Structured JSON Logging** - Correlation IDs for request tracing ([#300](https://github.com/IBM/mcp-context-forge/issues/300))
 
-* **Dual Logging Support** - Console and file outputs with rotation policies ([#364](https://github.com/IBM/mcp-context-forge/issues/364))
+* **Dual Logging Support** - Console and file outputs with rotation policies (✅ [#364](https://github.com/IBM/mcp-context-forge/issues/364))
 
 * **OpenTelemetry Integration** - OpenLLMetry for comprehensive observability ([#175](https://github.com/IBM/mcp-context-forge/issues/175))
 
@@ -96,35 +100,35 @@
 
 * **Gateway-Level Rate Limiting** - Configurable request throttling per client/endpoint ([#257](https://github.com/IBM/mcp-context-forge/issues/257))
 
-* **Tool Execution Limits** - Resource controls and execution boundaries ([#539](https://github.com/IBM/mcp-context-forge/issues/539))
+* **Tool Execution Limits** - Resource controls and execution boundaries ([#539](https://github.com/IBM/mcp-context-forge/issues/539)) 🚧
 
 * **Circuit Breakers** - Automatic failover for unstable backends ([#301](https://github.com/IBM/mcp-context-forge/issues/301))
 
-* **Smart Retry Mechanisms** - Exponential backoff with jitter ([#258](https://github.com/IBM/mcp-context-forge/issues/258), [#456](https://github.com/IBM/mcp-context-forge/issues/456))
+* **Smart Retry Mechanisms** - Exponential backoff with jitter ([#258](https://github.com/IBM/mcp-context-forge/issues/258), ✅ [#456](https://github.com/IBM/mcp-context-forge/issues/456))
 
 ### 🔍 Security Testing & Validation
 
 * **SAST/DAST Integration** - Semgrep and OWASP ZAP automated testing ([#259](https://github.com/IBM/mcp-context-forge/issues/259))
 
-* **Input Validation Test Suite** - Comprehensive security validation tests ([#552](https://github.com/IBM/mcp-context-forge/issues/552))
+* **Input Validation Test Suite** - Comprehensive security validation tests (✅ [#552](https://github.com/IBM/mcp-context-forge/issues/552))
 
 * **Fuzz Testing** - Hypothesis, atheris, schemathesis, RESTler ([#256](https://github.com/IBM/mcp-context-forge/issues/256))
 
 * **Mutation Testing** - Test quality validation with mutmut ([#280](https://github.com/IBM/mcp-context-forge/issues/280))
 
-* **Security Scanners** - Bandit, grype, nodejsscan integration ([#279](https://github.com/IBM/mcp-context-forge/issues/279), [#415](https://github.com/IBM/mcp-context-forge/issues/415), [#499](https://github.com/IBM/mcp-context-forge/issues/499))
+* **Security Scanners** - Bandit, grype, nodejsscan integration ([#279](https://github.com/IBM/mcp-context-forge/issues/279), ✅ [#415](https://github.com/IBM/mcp-context-forge/issues/415), ✅ [#499](https://github.com/IBM/mcp-context-forge/issues/499))
 
 ### 🏗️ Infrastructure Security
 
-* **Zero-Trust Architecture** - Peer gateway health checks with automatic failover ([#424](https://github.com/IBM/mcp-context-forge/issues/424))
+* **Zero-Trust Architecture** - Peer gateway health checks with automatic failover (✅ [#424](https://github.com/IBM/mcp-context-forge/issues/424))
 
-* **Configuration Validation** - Schema enforcement with startup security checks ([#285](https://github.com/IBM/mcp-context-forge/issues/285), [#534](https://github.com/IBM/mcp-context-forge/issues/534))
+* **Configuration Validation** - Schema enforcement with startup security checks ([#285](https://github.com/IBM/mcp-context-forge/issues/285), [#534](https://github.com/IBM/mcp-context-forge/issues/534)) 🚧
 
-* **Security Headers** - Configurable headers and CORS policies ([#344](https://github.com/IBM/mcp-context-forge/issues/344), [#533](https://github.com/IBM/mcp-context-forge/issues/533))
+* **Security Headers** - Configurable headers and CORS policies ([#344](https://github.com/IBM/mcp-context-forge/issues/344), [#533](https://github.com/IBM/mcp-context-forge/issues/533)) 🚧
 
-* **Well-Known URI Handler** - security.txt and robots.txt support ([#540](https://github.com/IBM/mcp-context-forge/issues/540))
+* **Well-Known URI Handler** - security.txt and robots.txt support ([#540](https://github.com/IBM/mcp-context-forge/issues/540)) 🚧
 
-* **Password Policy Engine** - Configurable password and secret policies ([#426](https://github.com/IBM/mcp-context-forge/issues/426))
+* **Password Policy Engine** - Configurable password and secret policies ([#426](https://github.com/IBM/mcp-context-forge/issues/426)) 🚧
 
 * **Graceful Shutdown** - SIGTERM-safe rollouts with connection draining ([#217](https://github.com/IBM/mcp-context-forge/issues/217))
 
@@ -138,7 +142,7 @@ These advanced security features are under consideration for future releases:
 
 * **Signature Verification** - Digital signature validation for MCP server responses and tool executions
 
-* **MCP Server Code Scanning** - Automated security analysis of MCP server source code using multiple linters and security scanners (Bandit, Semgrep, CodeQL) before deployment
+* **MCP Server Code Scanning** - Automated security analysis of MCP server source code using multiple linters and security scanners (Bandit, Semgrep, CodeQL) before deployment ([#654](https://github.com/IBM/mcp-context-forge/issues/654)) 🚧
 
 * **Binary Analysis** - Static and dynamic analysis of compiled MCP server binaries for vulnerabilities
 
@@ -204,13 +208,13 @@ MCP Gateway implements a comprehensive, multi-layered security approach with "de
 
 ### Comprehensive Security Pipeline
 
-**Pre-commit Security Gates**: 
+**Pre-commit Security Gates**:
 
 - Bandit, Semgrep, Dodgy for security scanning
 - Type checking and code quality enforcement
 - Run `make security-all` locally before pushing
 
-**Continuous Integration Security**: 
+**Continuous Integration Security**:
 
 - 30+ security scans on every PR
 - CodeQL semantic analysis
@@ -228,11 +232,11 @@ MCP Gateway implements a comprehensive, multi-layered security approach with "de
 
 ### 🏆 Currently Implemented (v0.5.0)
 
-* **Authentication**: JWT tokens with configurable secrets, Basic Auth support
-* **Input Validation**: Comprehensive validation across all API endpoints using Pydantic
-* **XSS Prevention**: Character restrictions, URL scheme validation, JSON depth limits
-* **Security Scanning**: 30+ security tools integrated, 100% Bandit pass rate
-* **Container Hardening**: 
+* **Authentication**: JWT tokens with configurable secrets, Basic Auth support (✅ [#663](https://github.com/IBM/mcp-context-forge/issues/663), ✅ [#705](https://github.com/IBM/mcp-context-forge/issues/705))
+* **Input Validation**: Comprehensive validation across all API endpoints using Pydantic (✅ [#339](https://github.com/IBM/mcp-context-forge/issues/339), ✅ [#340](https://github.com/IBM/mcp-context-forge/issues/340))
+* **XSS Prevention**: Character restrictions, URL scheme validation, JSON depth limits (✅ [#409](https://github.com/IBM/mcp-context-forge/issues/409))
+* **Security Scanning**: 30+ security tools integrated, 100% Bandit pass rate (✅ [#421](https://github.com/IBM/mcp-context-forge/issues/421), ✅ [#638](https://github.com/IBM/mcp-context-forge/issues/638), ✅ [#590](https://github.com/IBM/mcp-context-forge/issues/590))
+* **Container Hardening**:
   - **Ultra-minimal scratch-based runtime** - Final image contains only Python runtime and application
   - **Red Hat UBI9-based build** - Built from latest patched UBI9 (registry.access.redhat.com/ubi9/ubi:9.6)
   - **Fully patched on every build** - Automatic security updates via `dnf upgrade -y`
@@ -243,7 +247,9 @@ MCP Gateway implements a comprehensive, multi-layered security approach with "de
   - **Pre-compiled Python bytecode** - Optimized with -OO, stripping docstrings and assertions
   - **Minimal attack surface** - No shell, no development tools, no documentation
 * **Secure Defaults**: Admin UI disabled by default, localhost-only binding
-* **Secret Detection**: Gitleaks, Dodgy integration preventing credential leaks
+* **Secret Detection**: Gitleaks, Dodgy integration preventing credential leaks (✅ [#558](https://github.com/IBM/mcp-context-forge/issues/558))
+* **Security Headers**: HTTP header passthrough with authorization support (✅ [#685](https://github.com/IBM/mcp-context-forge/issues/685))
+* **Authentication Masking**: Auth values masked in API responses (✅ [#601](https://github.com/IBM/mcp-context-forge/issues/601), ✅ [#471](https://github.com/IBM/mcp-context-forge/issues/471), ✅ [#472](https://github.com/IBM/mcp-context-forge/issues/472))
 
 ### 🚀 Upcoming Security Enhancements
 
@@ -407,4 +413,4 @@ For security vulnerabilities, report privately via [GitHub's security reporting]
 2. Click "Report a vulnerability"
 3. Fill out the vulnerability details
 
-For more information, see our [Security Policy](https://github.com/IBM/mcp-context-forge/security/policy).
+For more information, see our [Security Policy](https://github.com/IBM/mcp-context-forge/security/policy).
diff --git a/mutmut_config.py b/mutmut_config.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 """Configuration for mutmut mutation testing framework."""
 
 
@@ -16,4 +17,4 @@ def pre_mutation(context):
 
 def post_mutation(context):
     """Any post-mutation processing."""
-    pass
+    pass
diff --git a/run_mutmut.py b/run_mutmut.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python3
+# -*- coding: utf-8 -*-
 """
 Workaround script for mutmut v3 stats collection failure.
 Generates mutants and then runs them despite stats failure.
@@ -19,69 +20,69 @@ def main():
     # Check for command line arguments
     sample_mode = "--sample" in sys.argv or len(sys.argv) == 1  # Default to sample mode
     sample_size = 20  # Default sample size
-    
+
     if "--full" in sys.argv:
         sample_mode = False
         print("🧬 Starting FULL mutation testing (this will take a long time)...")
     else:
         print("🧬 Starting mutation testing (sample mode)...")
         print("💡 Tip: Use 'python run_mutmut.py --full' for complete testing")
-    
+
     # Clean previous runs
     print("🧹 Cleaning previous mutants...")
     os.system("rm -rf mutants .mutmut-cache")
-    
+
     # Generate mutants (will fail at stats but mutants are created)
     print("📝 Generating mutants (this may take a minute)...")
     stdout, stderr, _ = run_command("mutmut run --max-children 2 2>&1 || true")
-    
+
     # Show some output to indicate progress
     if "done in" in stdout:
         import re
         match = re.search(r'done in (\d+)ms', stdout)
         if match:
             print(f"  Generated in {int(match.group(1))/1000:.1f} seconds")
-    
+
     # Check if mutants were generated
     if not Path("mutants").exists():
         print("❌ Failed to generate mutants")
         return 1
-    
+
     print("✅ Mutants generated successfully")
-    
+
     # Get list of mutants
     print("📊 Getting list of mutants...")
     stdout, stderr, _ = run_command("mutmut results 2>&1 | grep -E 'mutmut_[0-9]+:' | cut -d: -f1")
     all_mutants = [m.strip() for m in stdout.strip().split('\n') if m.strip()]
-    
+
     if not all_mutants:
         print("❌ No mutants found")
         return 1
-    
+
     # Sample mutants for quicker testing
     import random
-    
+
     print(f"🔍 Found {len(all_mutants)} total mutants")
-    
+
     if sample_mode:
         actual_sample_size = min(sample_size, len(all_mutants))
         mutants = random.sample(all_mutants, actual_sample_size)
         print(f"📈 Testing a sample of {len(mutants)} mutants for quick results")
     else:
         mutants = all_mutants
         print(f"🚀 Testing ALL {len(mutants)} mutants (this will take a while)...")
-    
+
     # Run each mutant
     results = {"killed": 0, "survived": 0, "timeout": 0, "error": 0}
     survived_mutants = []
-    
+
     for i, mutant in enumerate(mutants, 1):
         print(f"  [{i}/{len(mutants)}] Testing {mutant}...", end=" ", flush=True)
-        
+
         # Run the mutant with a shorter timeout and minimal tests
         cmd = f"timeout 10 bash -c 'cd mutants && MUTANT_UNDER_TEST={mutant} python -m pytest tests/unit/mcpgateway/utils/ -x --tb=no -q 2>&1'"
         stdout, stderr, returncode = run_command(cmd)
-        
+
         if returncode == 124:  # timeout
             print("⏰ TIMEOUT")
             results["timeout"] += 1
@@ -95,7 +96,7 @@ def main():
         else:
             print("❓ ERROR")
             results["error"] += 1
-    
+
     # Print summary
     print("\n" + "="*50)
     print("📊 MUTATION TESTING RESULTS:")
@@ -104,24 +105,24 @@ def main():
     print(f"🙁 Survived:  {results['survived']} mutants")
     print(f"⏰ Timeout:   {results['timeout']} mutants")
     print(f"❓ Error:     {results['error']} mutants")
-    
+
     total = sum(results.values())
     if total > 0:
         score = (results['killed'] / total) * 100
         print(f"\n📈 Mutation Score: {score:.1f}%")
-        
+
         if sample_mode and len(all_mutants) > len(mutants):
             estimated_total_score = score  # Rough estimate
             print(f"📊 Estimated overall score: ~{estimated_total_score:.1f}% (based on sample)")
-    
+
     # Show surviving mutants if any
     if survived_mutants and len(survived_mutants) <= 5:
         print("\n⚠️  Surviving mutants (need better tests):")
         for mutant in survived_mutants[:5]:
             print(f"  - {mutant}")
             print(f"    View with: mutmut show {mutant}")
-    
+
     return 0
 
 if __name__ == "__main__":
-    sys.exit(main())
+    sys.exit(main())
