TikiTribe · rocklambros · Feb 14, 2026 · Jan 23, 2026 · Feb 4, 2026 · Feb 4, 2026
@@ -1,2 +1,29 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+*.egg-info/
+dist/
+build/
+.pytest_cache/
+.coverage
+htmlcov/
+.venv/
+venv/
+ENV/
+
 # PDF documents (reference materials)
 *.pdf
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
@@ -8,6 +8,7 @@ This repository provides comprehensive security rules for Claude Code, covering
 
 **Coverage**:
 - OWASP Top 10 2025 (web application security)
+- OWASP MCP Top 10 2025 (Model Context Protocol security)
 - AI/ML security (NIST AI RMF, MITRE ATLAS, Google SAIF)
 - Agentic AI security (tool use, autonomy, sandboxing)
 - Language-specific rules (Python, JavaScript, TypeScript, Go, Rust, Java, C#, Ruby, R, C++, Julia, SQL)
@@ -22,6 +23,7 @@ claude-secure-coding-rules/
 ├── rules/
 │   ├── _core/                      # Foundation rules (apply to all projects)
 │   │   ├── owasp-2025.md          # OWASP Top 10 2025 security rules
+│   │   ├── mcp-security.md        # Model Context Protocol (MCP) security rules
 │   │   ├── ai-security.md         # AI/ML system security rules
 │   │   └── agent-security.md      # Agentic AI security rules
 │   │
@@ -82,12 +84,12 @@ claude-secure-coding-rules/
 
 | Category | Count | Description |
 |----------|-------|-------------|
-| Core Rules | 3 | OWASP 2025, AI Security, Agent Security |
+| Core Rules | 4 | OWASP 2025, MCP Security, AI Security, Agent Security |
 | Languages | 12 | Python, JavaScript, TypeScript, Go, Rust, Java, C#, Ruby, R, C++, Julia, SQL |
 | Backend Frameworks | 5 | FastAPI, Express, Django, Flask, NestJS |
 | AI/ML Frameworks | 11 | LangChain, CrewAI, AutoGen, Transformers, vLLM, Triton, TorchServe, Ray Serve, BentoML, MLflow, Modal |
 | Frontend Frameworks | 5 | React, Next.js, Vue, Angular, Svelte |
-| **Total Rule Sets** | **36** | Comprehensive security coverage |
+| **Total Rule Sets** | **37** | Comprehensive security coverage |
 
 ## Rule Format
 

@@ -12,6 +12,7 @@ This repository provides comprehensive security rules for Claude Code, covering
 ### Key Features
 
 - **OWASP Top 10 2025** - Complete coverage of modern web security risks
+- **OWASP MCP Top 10 2025** - Model Context Protocol security for AI assistants and tools
 - **AI/ML Security** - Rules for machine learning systems using NIST AI RMF, MITRE ATLAS, and Google SAIF
 - **Agentic AI Security** - Specialized rules for autonomous AI systems with tool use
 - **100+ Rule Sets** - Covering 12 languages, 5 backend frameworks, 11 AI/ML frameworks, 5 frontend frameworks, 51 RAG tools, IaC (Terraform/Pulumi), containers (Docker/K8s), and CI/CD (GitHub Actions/GitLab CI)
@@ -66,6 +67,7 @@ claude-secure-coding-rules/
 ├── rules/
 │   ├── _core/                    # Foundation rules (apply to all projects)
 │   │   ├── owasp-2025.md        # OWASP Top 10 2025 security rules
+│   │   ├── mcp-security.md      # Model Context Protocol (MCP) security rules
 │   │   ├── ai-security.md       # AI/ML system security rules
 │   │   ├── agent-security.md    # Agentic AI security rules
 │   │   └── rag-security.md      # RAG system security rules
@@ -322,6 +324,7 @@ cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")  # SQL Injection!
 | **NIST AI RMF** | Full | AI risk management framework |
 | **MITRE ATLAS** | Full | Adversarial ML attack taxonomy |
 | **OWASP LLM Top 10** | Full | LLM-specific security risks |
+| **OWASP MCP Top 10** | Full | Model Context Protocol security |
 | **Google SAIF** | Partial | Secure AI framework |
 | **ISO/IEC 23894** | Partial | AI risk management guidance |
 
@@ -391,6 +394,22 @@ cp rules/languages/go/CLAUDE.md myproject/
 # - Handle errors securely
 ```
 
+### MCP Server Development
+
+```bash
+# Setup for Model Context Protocol servers
+cp rules/_core/mcp-security.md myproject/
+cp rules/languages/typescript/CLAUDE.md myproject/  # or Python
+
+# Claude Code will now:
+# - Prevent hardcoded credentials in MCP configurations
+# - Enforce short-lived, scoped tokens
+# - Verify tool manifest integrity with signatures
+# - Sanitize tool arguments against command injection
+# - Isolate context between sessions
+# - Require mutual authentication (mTLS)
+```
+
 ### Rust Systems
 
 ```bash

@@ -11,8 +11,8 @@ Thank you for your interest in contributing! This guide explains how to add, mod
 
 ## Project Overview
 
-This project provides **25 security rule sets** covering:
-- **3 Core rule sets**: OWASP 2025, AI/ML Security, Agent Security
+This project provides **26 security rule sets** covering:
+- **4 Core rule sets**: OWASP 2025, MCP Security, AI/ML Security, Agent Security
 - **12 Language rules**: Python, JavaScript, TypeScript, Go, Rust, Java, C#, Ruby, R, C++, Julia, SQL
 - **5 Backend frameworks**: FastAPI, Express, Django, Flask, NestJS
 - **5 Frontend frameworks**: React, Next.js, Vue, Angular, Svelte
@@ -60,6 +60,7 @@ claude-secure-coding-rules/
 ├── rules/
 │   ├── _core/                       # Foundation rules (apply to all projects)
 │   │   ├── owasp-2025.md           # OWASP Top 10 2025 web security
+│   │   ├── mcp-security.md         # Model Context Protocol (MCP) security
 │   │   ├── ai-security.md          # AI/ML security (NIST AI RMF, MITRE ATLAS)
 │   │   └── agent-security.md       # Agentic AI security (tool use, sandboxing)
 │   │

@@ -1172,6 +1172,27 @@ audit.log_security_event(
 )
 ```
 
+**Don't**:
+```python
+# VULNERABLE: No audit logging
+def find_entity(entity_id: str):
+    return neo4j_client.find_entity(entity_id)  # No visibility into who accessed what
+
+# VULNERABLE: Logging sensitive data
+def find_user_data(user_id: str):
+    result = neo4j_client.query(f"MATCH (u:User {{id: '{user_id}'}}) RETURN u")
+    logger.info(f"Query result: {result}")  # May contain PII or secrets
+
+# VULNERABLE: Insufficient detail
+def execute_query(query):
+    logger.info("Query executed")  # No user, query type, or timing information
+    return session.run(query)
+```
+
+**Why**: Graph databases in RAG systems contain sensitive knowledge relationships that require auditability for compliance (GDPR, SOC2), security incident response, and performance monitoring. Without audit logs, unauthorized access and data exfiltration go undetected.
+
+**Refs**: OWASP A09:2025 (Security Logging and Monitoring Failures), CWE-778 (Insufficient Logging), NIST 800-53 AU-2, GDPR Article 30
+
 ---
 
 ## Quick Reference