Skip to content

docs(rust): add MCP security documentation, OWASP mapping, and examples#830

Open
jackbatzner wants to merge 10 commits intomicrosoft:mainfrom
jackbatzner:jb/rust-mcp-docs
Open

docs(rust): add MCP security documentation, OWASP mapping, and examples#830
jackbatzner wants to merge 10 commits intomicrosoft:mainfrom
jackbatzner:jb/rust-mcp-docs

Conversation

@jackbatzner
Copy link
Copy Markdown
Contributor

@jackbatzner jackbatzner commented Apr 6, 2026

Description

Adds comprehensive documentation for the Rust MCP security primitives that landed in #796, including API reference, OWASP MCP Cheat Sheet compliance mapping, tool usage guide, i18n updates, and example integration pointers.

Key additions:

  • docs/api-reference.md — Full API reference for agentmesh-mcp crate
  • docs/mcp-tools.md — Tool usage and integration guide
  • docs/owasp-mcp-mapping.md — OWASP MCP Security Cheat Sheet §1–§12 compliance mapping
  • CHANGELOG.md — Entry for Rust MCP governance surface
  • Updated agentmesh/README.md and agentmesh-mcp/README.md with doc links
  • Updated docs/i18n/README.zh-CN.md with Rust install + doc links

Follow-up to #796 (Rust MCP core, already merged).

Type of Change

  • Documentation update

Package(s) Affected

  • agent-mesh

Checklist

  • My code follows the project style guidelines
  • I have updated documentation as needed
  • I have signed the Microsoft CLA

Related Issues

Follow-up documentation for #796 (Rust MCP parity, merged).

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

@github-actions github-actions bot added documentation Improvements or additions to documentation agent-mesh agent-mesh package size/XL Extra large PR (500+ lines) labels Apr 6, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026
edited
Loading

🤖 AI Agent: security-scanner — **1. Prompt Injection Defense Bypass**

After reviewing the provided pull request, here are the findings based on the security scan criteria:

1. Prompt Injection Defense Bypass

Rating: 🔵 LOW

  • Analysis: The documentation update does not introduce any new code that directly handles user input or prompt processing. However, it does reference the .NET MCP Protocol Support and its McpGateway component, which includes a 5-stage pipeline for governance. The documentation mentions "deny-list → allow-list → sanitization → rate-limiting → human approval" but does not provide specific details on how the sanitization step is implemented. Without further details, it is unclear if the sanitization process is robust against prompt injection attacks.
  • Recommendation: Ensure that the sanitization step in the McpGateway is thoroughly tested against known prompt injection techniques. Consider adding examples of how the sanitization process works in the documentation.

2. Policy Engine Circumvention

Rating: 🔵 LOW

  • Analysis: The documentation mentions that the .NET MCP Protocol Support includes a GovernanceKernel for deterministic policy evaluation and a McpGateway for policy enforcement. However, the documentation does not provide details on how the policies are defined, enforced, or tested for bypass scenarios.
  • Recommendation: Include detailed documentation on how policies are defined and enforced in the GovernanceKernel. Additionally, provide examples of how to test for policy circumvention to ensure that users can validate their configurations.

3. Trust Chain Weaknesses

Rating: 🟡 MEDIUM

  • Analysis: The .NET MCP Protocol Support includes a McpSessionAuthenticator with cryptographic session binding and TOCTOU-safe concurrency. It also mentions the use of HMAC-SHA256 for message integrity and ML-DSA-65 post-quantum signing on .NET 10+. However, the documentation does not specify how SPIFFE/SVID validation or certificate pinning is handled, which are critical for ensuring a secure trust chain.
  • Recommendation: Clarify in the documentation how SPIFFE/SVID validation and certificate pinning are implemented. If these are not currently supported, consider adding them to the roadmap to strengthen the trust chain.

4. Credential Exposure

Rating: 🔵 LOW

  • Analysis: The documentation mentions a CredentialRedactor for redacting 10 credential patterns, including API keys, tokens, PEM files, and connection strings. There is no indication that the documentation changes introduce any new risks of credential exposure.
  • Recommendation: Ensure that the CredentialRedactor is thoroughly tested for all supported credential patterns and that it is integrated into all relevant logging and error-handling pathways.

5. Sandbox Escape

Rating: 🟠 HIGH

  • Analysis: The MCP Server Hardening Guide provides detailed recommendations for sandboxing MCP servers, including the use of gVisor or Kata Containers for untrusted servers. However, the guide does not specify how to handle cases where these sandboxing mechanisms are not available or fail. Additionally, the guide does not address potential escape scenarios in detail.
  • Recommendation: Expand the hardening guide to include fallback mechanisms for environments where gVisor or Kata Containers are not available. Include a section on detecting and mitigating potential sandbox escape attempts.

6. Deserialization Attacks

Rating: 🟡 MEDIUM

  • Analysis: The .NET MCP Protocol Support uses System.Text.Json for JSON handling, which is generally safer than alternatives like Newtonsoft.Json. However, the documentation does not specify whether additional safeguards are in place to prevent deserialization attacks, such as input validation or type checking.
  • Recommendation: Document the safeguards in place to prevent deserialization attacks. If not already implemented, consider adding input validation and type checking to the JSON deserialization process.

7. Race Conditions

Rating: 🔵 LOW

  • Analysis: The documentation mentions that the McpSessionAuthenticator includes TOCTOU-safe concurrency checks. This indicates that race conditions in session handling have been considered and mitigated.
  • Recommendation: No immediate action required. Ensure that the TOCTOU-safe concurrency checks are thoroughly tested and documented.

8. Supply Chain

Rating: 🟡 MEDIUM

  • Analysis: The documentation does not address supply chain risks, such as dependency confusion or typosquatting in NuGet packages. The .NET MCP Protocol Support relies on cryptographic libraries and other dependencies that could be targeted in a supply chain attack.
  • Recommendation: Add a section to the documentation on verifying the integrity of dependencies, such as using SHA-256 hashes for NuGet packages. Consider implementing automated dependency scanning in the CI/CD pipeline.

Summary of Findings

  1. Prompt Injection Defense Bypass: 🔵 LOW
  2. Policy Engine Circumvention: 🔵 LOW
  3. Trust Chain Weaknesses: 🟡 MEDIUM
  4. Credential Exposure: 🔵 LOW
  5. Sandbox Escape: 🟠 HIGH
  6. Deserialization Attacks: 🟡 MEDIUM
  7. Race Conditions: 🔵 LOW
  8. Supply Chain: 🟡 MEDIUM

Actionable Recommendations

  1. Prompt Injection: Provide examples of the sanitization process in the McpGateway.
  2. Policy Engine: Document how policies are defined, enforced, and tested.
  3. Trust Chain: Clarify SPIFFE/SVID validation and certificate pinning mechanisms.
  4. Sandbox Escape: Expand the hardening guide to include fallback mechanisms and escape detection.
  5. Deserialization: Document safeguards against deserialization attacks.
  6. Supply Chain: Add dependency verification steps and implement automated scanning.

This PR primarily updates documentation, but the areas mentioned above should be addressed to ensure the robustness of the .NET MCP Protocol Support and its security features.

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces comprehensive documentation for the Rust MCP security primitives, including API references, OWASP compliance mapping, and integration guides. While the documentation is well-structured and provides actionable examples, there are several areas that require attention to ensure correctness, security, and backward compatibility.

🔴 CRITICAL: Security Issues

  1. Replay Protection in McpMessageSigner and McpSessionAuthenticator:

    • The documentation mentions InMemoryNonceStore for replay detection but does not clarify how nonce expiration is handled. If nonces are not expired or garbage collected, this could lead to memory exhaustion and potential bypass of replay protection.
    • Action: Ensure that InMemoryNonceStore implements a mechanism for expiring old nonces after a configurable TTL. Update the documentation to highlight this behavior.

  2. Fail-Closed Behavior in McpGateway:

    • While the documentation states that the gateway pipeline is "fail-closed," there is no explicit mention of how failures in individual components (e.g., rate limiter or response scanner) are handled. If a component fails, the gateway must default to denying the request.
    • Action: Audit the implementation of McpGateway to ensure that failures in subcomponents result in a fail-closed decision. Update the documentation to explicitly state this behavior.

  3. Credential Redaction in McpResponseScanner:

    • The CredentialRedactor is used to sanitize payloads and responses, but the documentation does not specify whether it supports nested structures or edge cases like base64-encoded secrets.
    • Action: Verify that CredentialRedactor handles nested structures and encoded secrets effectively. Update the documentation with examples of edge cases.

  4. Rate Limiting in McpSlidingRateLimiter:

    • The documentation does not clarify whether rate limits are enforced globally or per agent. If rate limits are global, a single misbehaving agent could exhaust the quota for all agents.
    • Action: Ensure that rate limits are enforced per agent and update the documentation to reflect this.

🟡 WARNING: Potential Breaking Changes

  1. API Surface Changes:

    • The addition of new types and methods in the Rust MCP API (e.g., McpGateway, McpResponseScanner, McpSessionAuthenticator) expands the public API surface. While this is not inherently breaking, future changes to these types could impact backward compatibility.
    • Action: Ensure that all new types and methods are thoroughly tested and documented as stable. Consider marking them as experimental if they are subject to change.

  2. Tool Metadata Scanning:

    • The McpSecurityScanner introduces new functionality for scanning tool metadata. If users rely on this for critical security checks, any changes to its behavior or API could break integrations.
    • Action: Document the stability guarantees for McpSecurityScanner and its associated types.

💡 Suggestions for Improvement

  1. OWASP MCP Mapping Completeness:

    • The documentation mentions compliance with 11 out of 12 sections of the OWASP MCP Security Cheat Sheet. It would be helpful to explicitly list the missing section and provide guidance on mitigating risks in that area.
    • Action: Add a note in owasp-mcp-mapping.md explaining the missing section and any planned roadmap for addressing it.

  2. Concurrency and Thread Safety:

    • The documentation does not explicitly address thread safety for shared components like McpMetricsCollector, InMemoryAuditSink, and InMemoryRateLimitStore.
    • Action: Add a section in the documentation to clarify the thread-safety guarantees of these components and provide examples of safe usage in multi-threaded environments.

  3. Examples for Advanced Use Cases:

    • While the documentation provides basic examples, it would be beneficial to include advanced use cases, such as integrating MCP primitives into distributed systems or handling large-scale deployments.
    • Action: Add a section in mcp-tools.md with advanced examples, including distributed persistence strategies for McpSessionStore and McpRateLimitStore.

  4. Internationalization (i18n):

    • The Chinese documentation (README.zh-CN.md) has been updated, but other languages are not mentioned.
    • Action: Consider adding translations for other widely-used languages (e.g., Spanish, French) to improve accessibility.

  5. Testing Coverage:

    • The documentation does not mention testing strategies for the Rust MCP primitives.
    • Action: Add a section in mcp-tools.md recommending testing strategies, such as unit tests for individual components and integration tests for the full pipeline.

Final Recommendations

  • Address the critical security issues related to replay protection, fail-closed behavior, credential redaction, and rate limiting.
  • Ensure backward compatibility for the expanded API surface and document stability guarantees.
  • Incorporate the suggested improvements to enhance the usability and robustness of the documentation.

Once these issues are addressed, this pull request will significantly improve the discoverability and usability of the Rust MCP security primitives.

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Pull Request Review: docs(rust): add MCP security documentation, OWASP mapping, and examples

Summary

This pull request introduces comprehensive documentation for the Rust MCP security primitives, including API references, OWASP compliance mappings, usage guides, and integration examples. It also updates the changelog and README files to reflect these additions.

🔴 CRITICAL: Security Issues

  1. OWASP MCP Security Cheat Sheet Mapping (11/12 Compliance):

    • The documentation mentions compliance with 11 out of 12 sections of the OWASP MCP Security Cheat Sheet. However, the missing section is not explicitly identified or explained. This could lead to a false sense of security for users relying on the toolkit for full compliance.
    • Action: Clearly document the missing section and provide mitigation strategies or a roadmap for achieving full compliance.

  2. MCP Gateway and Session Authentication:

    • The documentation highlights McpSessionAuthenticator and McpMessageSigner but does not specify how cryptographic operations are safeguarded against common vulnerabilities like key leakage, replay attacks, or insufficient entropy in nonce generation.
    • Action: Include explicit details in the documentation about cryptographic safeguards (e.g., secure key storage, nonce generation algorithms, and replay protection mechanisms).

🟡 WARNING: Potential Breaking Changes

  1. Rust MCP API Reference:

    • The addition of agentmesh-mcp as a standalone crate and its integration into the broader SDK introduces new public APIs. While this is documented, any changes to these APIs in future releases could break backward compatibility.
    • Action: Ensure that all new APIs are versioned and clearly marked as stable or experimental. Add backward compatibility guarantees to the documentation.

  2. Changelog Entry for Rust MCP Governance Surface:

    • The changelog entry mentions new persistence seams (McpSessionStore, McpNonceStore, etc.) and injected components (Clock, NonceGenerator). These could impact existing integrations if users are unaware of the new requirements.
    • Action: Highlight these changes prominently in the documentation and provide migration guides for existing users.

💡 Suggestions for Improvement

  1. Documentation Discoverability:

    • While the documentation is comprehensive, the addition of Rust-specific links in the main README and i18n files is helpful but could be further improved with a dedicated "What's New" section for Rust MCP features.
    • Action: Add a "What's New" section to the main README to highlight Rust MCP documentation updates.

  2. Example Code:

    • The Rust example code for policy enforcement (agentmesh::AgentMeshClient) is minimal and does not demonstrate advanced features like session authentication or rate limiting.
    • Action: Expand the example code to include usage of McpSessionAuthenticator, McpSlidingRateLimiter, and other advanced features.

  3. OWASP Mapping Details:

    • The OWASP MCP mapping documentation should include specific examples or test cases demonstrating how each section is addressed. This would make the compliance claims more transparent and actionable.
    • Action: Add code snippets or test case references for each OWASP MCP section in the mapping documentation.

  4. Concurrency and Thread Safety:

    • The documentation does not address thread safety concerns for concurrent agent execution, particularly in the context of McpSessionStore and McpRateLimitStore.
    • Action: Add a section to the documentation discussing thread safety and best practices for concurrent usage.

  5. Sandbox Escape Vectors:

    • While the documentation mentions sandboxing features, it does not provide details on how the sandbox prevents escape vectors such as privilege escalation or unauthorized resource access.
    • Action: Include a dedicated section in the documentation explaining the sandbox architecture and its security guarantees.

Final Recommendations

  • Merge Readiness: The documentation updates are well-structured and provide valuable information for users of the Rust MCP features. However, the identified critical security issues and potential breaking changes should be addressed before merging.
  • Follow-Up Actions: Create additional pull requests to address the critical and warning issues, and consider the suggestions for improving the documentation and examples.

Let me know if you need further assistance!

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Pull Request Review: docs(rust): add MCP security documentation, OWASP mapping, and examples

🔴 CRITICAL

1. Potential Sandbox Escape Vectors

  • The documentation mentions "Rust MCP governance surfaces" and "atomic nonce/session enforcement" but does not clarify how sandboxing is enforced at the Rust level. If the Rust MCP primitives are used in environments where sandboxing is critical (e.g., untrusted agent execution), the lack of explicit sandboxing mechanisms could lead to security bypasses. Ensure that sandboxing is explicitly addressed in the Rust MCP documentation, especially for environments where untrusted code or agents are executed.

2. Cryptographic Operations

  • The documentation highlights Ed25519-based credentials and SPIFFE/SVID support but does not provide details on how cryptographic keys are managed, stored, or rotated. Improper key management can lead to identity spoofing or compromise. Ensure that the Rust MCP documentation includes best practices for secure key storage, rotation, and revocation.

🟡 WARNING

1. Backward Compatibility

  • The addition of Rust MCP documentation and examples introduces new API surfaces (agentmesh-mcp). If these APIs are not backward-compatible with existing Rust SDKs (agentmesh), it could lead to breaking changes for users upgrading their dependencies. Ensure that the Rust MCP APIs are clearly marked as additive and do not conflict with existing functionality.

2. OWASP MCP Mapping

  • The OWASP MCP Security Cheat Sheet mapping claims compliance across 11 of 12 sections but does not specify which section is not covered. This could lead to user confusion or misinterpretation of security guarantees. Clarify the missing section and provide guidance on how users can mitigate risks in that area.

💡 SUGGESTIONS

1. Thread Safety in Concurrent Agent Execution

  • The documentation mentions "atomic nonce/session enforcement" but does not elaborate on thread safety guarantees for concurrent agent execution. Consider adding examples or documentation on how the Rust MCP primitives handle concurrency, especially in multi-threaded environments.

2. Type Safety and Validation

  • While the Python packages rely on Pydantic for model validation, the Rust MCP documentation does not mention equivalent type safety mechanisms. Consider highlighting how type safety is enforced in Rust (e.g., through strong typing or validation libraries).

3. Performance Benchmarks

  • The documentation mentions governance overhead (<0.1 ms per operation) but does not provide benchmarks for the Rust MCP primitives. Adding performance benchmarks for Rust MCP operations would help users evaluate its suitability for high-throughput environments.

4. Security Tooling Integration

  • The documentation mentions integration with tools like CodeQL, Gitleaks, and Dependabot but does not specify whether these tools are configured to scan Rust code. Ensure that Rust-specific security tooling (e.g., cargo-audit, rustsec) is integrated and documented.

5. Internationalization

  • The i18n updates include Rust installation and documentation links but do not provide localized examples for Rust MCP usage. Consider adding localized Rust examples to improve accessibility for non-English-speaking users.

Summary

This pull request adds valuable documentation for the Rust MCP primitives, including OWASP mapping, usage guides, and examples. However, it raises critical concerns regarding sandboxing, cryptographic operations, and thread safety. Addressing these issues will ensure the robustness and security of the Rust MCP integration. Additionally, clarifying backward compatibility and enhancing documentation with localized examples and performance benchmarks will improve user adoption and trust.

Recommended Actions

  1. Address sandboxing and cryptographic key management concerns in the Rust MCP documentation.
  2. Clarify OWASP MCP mapping and missing section coverage.
  3. Ensure backward compatibility with existing Rust SDKs.
  4. Add thread safety, type safety, and performance benchmarks for Rust MCP primitives.
  5. Integrate Rust-specific security tooling and provide localized examples.

Let me know if further assistance is required!

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Feedback for PR: docs(rust): add MCP security documentation, OWASP mapping, and examples

🔴 CRITICAL: Security Concerns

  1. Incomplete OWASP MCP Security Cheat Sheet Coverage:

    • The documentation mentions coverage across 11 of 12 sections of the OWASP MCP Security Cheat Sheet. However, the missing section is not explicitly identified or explained. This omission could lead to a false sense of security for users relying on the toolkit for comprehensive compliance. Ensure that the missing section is explicitly documented, along with the rationale for its exclusion or plans for future implementation.

  2. Potential Sandbox Escape Vectors:

    • The documentation mentions "execution sandbox" with "4 layers of permission rings, saga orchestration, termination control, and kill switch." However, it does not provide details on how these mechanisms prevent sandbox escape. Consider adding a detailed explanation of the sandboxing mechanism, including how it handles potential escape vectors such as syscall manipulation, memory corruption, or privilege escalation.

  3. Cryptographic Operations:

    • The documentation mentions Ed25519-based credentials and SPIFFE/SVID for zero-trust identity. Ensure that the cryptographic operations (e.g., key generation, signing, verification) are implemented securely, following best practices such as constant-time operations to prevent timing attacks. If not already done, add tests to verify the robustness of cryptographic operations against common attacks.

🟡 WARNING: Potential Breaking Changes

  1. Rust MCP Documentation and API Reference:

    • The addition of Rust MCP documentation and API reference introduces new concepts and terminology that may not align with existing Python-based or other SDKs. Ensure that the Rust MCP API is consistent with the design principles and naming conventions of the other SDKs to avoid confusion for users working across multiple languages.

  2. Backward Compatibility:

    • The documentation update introduces new Rust MCP governance surfaces (agentmesh::mcp and agentmesh-mcp) and enterprise MCP enforcement patterns. If these changes alter existing APIs or behavior, ensure that backward compatibility is maintained or clearly document breaking changes in the changelog.

💡 Suggestions for Improvement

  1. Enhanced Documentation for Rust MCP:

    • The documentation for Rust MCP governance surfaces and enterprise enforcement patterns is comprehensive but could benefit from additional examples. For instance, provide a detailed walkthrough of a real-world use case, such as integrating MCP with a specific agent framework (e.g., LangChain or OpenAI Agents).

  2. OWASP Mapping Details:

    • While the OWASP MCP mapping is a valuable addition, consider including specific examples or code snippets that demonstrate how the toolkit addresses each OWASP MCP Security Cheat Sheet section. This will make the documentation more actionable for users.

  3. Thread Safety in Concurrent Agent Execution:

    • The documentation does not address thread safety explicitly, which is a critical aspect of concurrent agent execution. Add a section detailing how the toolkit ensures thread safety, especially for shared resources like McpSessionStore, McpNonceStore, and McpRateLimitStore.

  4. Type Safety and Validation:

    • Ensure that all Rust APIs use strong type definitions and validation mechanisms to prevent type-related errors. Consider adding examples of how the Rust MCP SDK enforces type safety and validates inputs.

  5. Internationalization (i18n):

    • The i18n updates for the Rust documentation are a good addition. However, ensure that the translated content is reviewed by native speakers for accuracy and cultural relevance.

  6. Performance Benchmarks for Rust MCP:

    • The performance section provides benchmarks for Python but does not include metrics for the Rust MCP SDK. Adding these benchmarks will help users evaluate the performance of the Rust implementation.

  7. Security Tools Integration:

    • The documentation mentions several security tools like CodeQL, Gitleaks, and ClusterFuzzLite. Consider adding a section on how these tools are integrated into the CI/CD pipeline and how users can customize them for their specific needs.

Summary

This PR significantly enhances the documentation for the Rust MCP security primitives, providing valuable resources for users. However, there are critical security concerns and potential breaking changes that need to be addressed. Additionally, there are opportunities to improve the documentation and ensure consistency across SDKs.

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Feedback for Pull Request: docs(rust): add MCP security documentation, OWASP mapping, and examples

🔴 CRITICAL: Security Concerns

  1. OWASP MCP Mapping Completeness:

    • While the documentation claims compliance with OWASP MCP Cheat Sheet §1–§12, there is no evidence of automated validation or test coverage for all sections. Ensure that the Rust MCP primitives are rigorously tested against OWASP MCP guidelines, particularly for edge cases like nonce replay attacks, fail-open scenarios, and cryptographic key misuse.

  2. SPIFFE/SVID Credential Handling:

    • The documentation mentions SPIFFE/SVID but does not clarify how credentials are securely stored, rotated, or revoked. This could lead to identity spoofing or unauthorized access. Add explicit details about credential lifecycle management and integration with secure storage mechanisms.

  3. Sandbox Escape Vectors:

    • The documentation does not address how the Rust MCP primitives interact with sandboxing mechanisms. Ensure that sandbox escape vectors (e.g., syscall injection, privilege escalation) are mitigated, especially in environments where MCP tools execute untrusted code.

🟡 WARNING: Potential Breaking Changes

  1. Rust MCP API Surface:

    • The addition of new Rust MCP governance surfaces (agentmesh::mcp and agentmesh-mcp) introduces new public APIs. Ensure backward compatibility by documenting deprecated APIs and providing migration guides for existing users.

  2. Documentation Structure:

    • The inclusion of Rust-specific documentation in multiple locations (docs/api-reference.md, docs/mcp-tools.md, etc.) may confuse users who are accustomed to Python-first documentation. Consider consolidating Rust documentation under a single directory (e.g., docs/rust/) for clarity.

💡 Suggestions for Improvement

  1. Automated OWASP Compliance Validation:

    • Integrate OWASP MCP compliance checks into the CI pipeline. Use tools like CodeQL or custom scripts to validate adherence to OWASP MCP Cheat Sheet guidelines.

  2. Cryptographic Operations Documentation:

    • Expand the documentation to include examples of cryptographic operations (e.g., Ed25519 signing, HMAC validation) and their security implications. This will help users understand how to securely use MCP primitives.

  3. Concurrency and Thread Safety:

    • Document how the Rust MCP primitives handle concurrent agent execution. Include examples of thread-safe usage patterns and potential pitfalls (e.g., race conditions in nonce generation).

  4. Type Safety and Validation:

    • Ensure that all Rust MCP APIs use strong type definitions and validation mechanisms (e.g., Result types, enums for actions). This will reduce runtime errors and improve developer experience.

  5. Internationalization (i18n):

    • The updates to docs/i18n/README.zh-CN.md are a good start, but consider adding localized examples for Rust MCP usage to make the documentation more accessible to non-English speakers.

Summary

This PR significantly improves the documentation for Rust MCP primitives, but there are critical security concerns and potential breaking changes that need to be addressed. Focus on enhancing OWASP compliance validation, sandbox security, and credential handling. Additionally, streamline the documentation structure and ensure backward compatibility for existing users.

Action Items

  1. Address the critical security concerns outlined above.
  2. Provide migration guides for new Rust MCP APIs.
  3. Integrate automated OWASP compliance checks into CI.
  4. Expand documentation on cryptographic operations and thread safety.

Let me know if you need further clarification or assistance!

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Feedback on Pull Request: docs(rust): add MCP security documentation, OWASP mapping, and examples

🔴 CRITICAL: Security Concerns

  1. Incomplete OWASP MCP Mapping:

    • The OWASP MCP Security Cheat Sheet compliance mapping claims coverage across 11 of 12 sections. However, the documentation does not specify which section is not covered or why. This omission could lead to a false sense of security for users relying on this toolkit for compliance. Please explicitly document the missing section and provide guidance on how users can mitigate risks related to that section.

  2. SPIFFE/SVID Credential Handling:

    • The documentation mentions SPIFFE/SVID-based zero-trust identity but does not provide details on how credentials are securely stored, rotated, or revoked. This is a critical aspect of identity management. Please include detailed documentation on the lifecycle management of SPIFFE/SVID credentials, including best practices for secure storage and rotation.

  3. Sandbox Escape Vectors:

    • The documentation highlights "4-layer permission rings" and "sandbox isolation," but it does not provide specifics on how sandboxing prevents escape vectors such as syscall injection or memory corruption. Ensure that the Rust MCP documentation includes a detailed explanation of sandboxing mechanisms and their limitations.

🟡 WARNING: Potential Breaking Changes

  1. Rust MCP API Surface:
    • The addition of Rust MCP governance surfaces (agentmesh::mcp and agentmesh-mcp) introduces new APIs (McpGateway, McpSecurityScanner, etc.). While this is a documentation update, users upgrading to this version may encounter compatibility issues if they rely on older SDKs or undocumented behaviors. Ensure backward compatibility by clearly documenting deprecated APIs and migration paths.

💡 Suggestions for Improvement

  1. Type Safety and Validation:

    • The documentation does not specify whether the Rust MCP APIs enforce type safety or validate inputs (e.g., for McpSessionAuthenticator or McpMessageSigner). Consider adding examples of type-safe usage and validation mechanisms to prevent misuse.

  2. Concurrency and Thread Safety:

    • The Rust MCP documentation should explicitly address thread safety in concurrent agent execution. For example, are McpSessionStore and McpNonceStore designed to handle concurrent access safely? If not, provide guidance on how users can implement thread-safe patterns.

  3. OWASP Agentic Top 10 Compliance:

    • While the documentation claims full coverage of OWASP Agentic Top 10 risks, it would be beneficial to include specific examples or test cases demonstrating how each risk is mitigated. This will help users understand the practical application of the toolkit.

  4. Performance Benchmarks:

    • The documentation mentions governance overhead of < 0.1 ms per operation. Consider including detailed benchmarks for the Rust MCP components, especially for high-throughput scenarios involving concurrent agents.

  5. Localization and Accessibility:

    • The i18n updates are a great addition. However, ensure that the translated documentation is kept up-to-date with the English version to avoid discrepancies. Consider adding a process for regular synchronization.

Summary

This pull request significantly improves the documentation for the Rust MCP security primitives and their compliance with OWASP standards. However, there are critical gaps in security documentation, potential breaking changes, and areas for improvement in type safety, thread safety, and performance benchmarking. Addressing these issues will enhance the reliability and usability of the toolkit for developers and security practitioners.

@jackbatzner
Copy link
Copy Markdown
Contributor Author

jackbatzner commented Apr 6, 2026

CI Status Summary — All findings addressed

All CI checks pass except:

Fixes this round:

  • Added axum/tokio to REGISTERED_CARGO_PACKAGES for dependency-scan
  • Added Rust docs clarifications (OWASP Section 3 coverage, key rotation guidance, sandbox expectations)
  • Normalized line endings

@imran-siddique
Copy link
Copy Markdown
Member

imran-siddique commented Apr 6, 2026

Reviewed docs - content looks good. This PR is blocked on its dependency feature PR being merged first. Will merge this once the base PR lands.

@imran-siddique imran-siddique mentioned this pull request Apr 6, 2026
Merged
8 tasks
github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Pull Request Review: docs(rust): add MCP security documentation, OWASP mapping, and examples

Summary

This PR introduces comprehensive documentation for the Rust MCP security primitives, including API references, OWASP compliance mapping, usage guides, and examples. The documentation is well-structured and aligns with the project's goals of providing security-focused governance for AI agents.

🔴 CRITICAL Issues

  1. Missing Security Validation for Rust MCP Examples

    • The Rust MCP examples provided in the documentation do not explicitly demonstrate how to handle security-critical operations such as nonce validation, fail-closed decisions, or cryptographic integrity checks.
    • Impact: Users may inadvertently integrate insecure patterns into their applications.
    • Action: Update the examples to include explicit security validation steps, such as verifying nonce integrity, fail-closed behavior, and cryptographic signatures.

  2. OWASP MCP Mapping Incomplete

    • The OWASP MCP mapping documentation claims compliance with 11 out of 12 sections but does not provide details on why the 12th section is not covered.
    • Impact: This could lead to a false sense of security for users relying on the toolkit for complete OWASP compliance.
    • Action: Clearly document the missing section and provide guidance on how users can address this gap in their implementations.

🟡 WARNING: Potential Breaking Changes

  1. Introduction of agentmesh-mcp Crate
    • Adding a new crate (agentmesh-mcp) introduces a new dependency surface for Rust users. This could potentially lead to compatibility issues or require updates to existing integrations.
    • Action: Ensure backward compatibility by providing migration guides for users upgrading from previous versions of the Rust SDK.

💡 Suggestions for Improvement

  1. Thread Safety Documentation

    • The documentation does not address thread safety for concurrent agent execution in the Rust MCP primitives.
    • Action: Add a section to the documentation explicitly discussing thread safety guarantees or limitations, especially for components like McpSessionAuthenticator and McpSlidingRateLimiter.

  2. Expand OWASP MCP Mapping

    • While the OWASP MCP mapping is a great addition, consider adding specific examples or code snippets that demonstrate compliance with each section. This will make the documentation more actionable for users.

  3. Highlight Cryptographic Operations

    • The documentation mentions Ed25519-based credentials but does not elaborate on how cryptographic operations are implemented or validated.
    • Action: Include details on cryptographic primitives used, key management best practices, and examples of secure usage.

  4. Sandbox Escape Prevention

    • The documentation should explicitly address how the Rust MCP primitives interact with the sandboxing mechanisms provided by the toolkit. This is critical for preventing sandbox escapes.
    • Action: Add a dedicated section on sandboxing in the Rust MCP documentation.

  5. Type Safety and Validation

    • The documentation does not specify whether the Rust MCP primitives enforce type safety or validate inputs (e.g., session tokens, nonce values).
    • Action: Include examples demonstrating input validation and type safety features.

  6. Backward Compatibility

    • While this PR primarily adds documentation, the introduction of new features like agentmesh-mcp should be accompanied by clear backward compatibility guarantees.
    • Action: Add a changelog entry explicitly stating whether existing Rust SDK users need to make changes to their code.

Final Notes

This PR significantly enhances the documentation for Rust MCP security primitives, making it easier for users to integrate and understand the toolkit's capabilities. However, critical security aspects like validation, thread safety, and sandboxing need to be addressed to ensure robust and secure usage.

Recommended Actions Before Merge:

  • Address the 🔴 CRITICAL issues.
  • Provide migration guides for 🟡 WARNING items.
  • Incorporate 💡 SUGGESTIONS to improve usability and security.

@jackbatzner jackbatzner mentioned this pull request Apr 6, 2026
Merged
8 tasks
@github-actions github-actions bot added tests and removed agent-mesh agent-mesh package labels Apr 6, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026
edited
Loading

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

This pull request primarily involves documentation updates and the addition of new features for the .NET MCP Protocol Support. It does not introduce any changes to the Python packages published to PyPI, nor does it modify any existing Python APIs. Therefore, no breaking changes were identified.

Findings

Severity Package Change Impact
🔵 agent-mesh Added .NET MCP Protocol Support documentation and examples Not breaking, but should be documented

Migration Guide

✅ No breaking changes were found in this pull request. No migration is required for downstream users of the Python packages published to PyPI.

github-actions[bot]
github-actions bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Summary

This pull request primarily adds documentation for the Rust MCP security primitives introduced in #796. The documentation includes API references, OWASP MCP compliance mapping, tool usage guides, and deployment hardening strategies. While the changes are primarily documentation-focused, they touch on critical security aspects of the MCP protocol and its integration into the broader Agent Governance Toolkit.

🔴 CRITICAL Issues

  1. Missing Explicit Cryptographic Key Rotation Guidance
    The documentation does not provide explicit guidance on cryptographic key rotation for HMAC-SHA256 or ML-DSA keys used in the MCP governance layer. Key rotation is essential for mitigating risks associated with compromised keys.
    Action: Add a section in the hardening guide or API reference detailing how to rotate cryptographic keys securely, including TTLs, revocation mechanisms, and backward compatibility strategies.

  2. Potential Sandbox Escape via Misconfigured File System Mounts
    The Kubernetes deployment example allows writable mounts (readOnly: false) for /workspace. This could enable sandbox escape if the MCP tool or server is compromised and writes malicious files to the host filesystem.
    Action: Enforce stricter file system isolation by default. For writable mounts, specify exact paths and validate inputs to prevent path traversal attacks.

  3. Lack of Explicit ReDoS Mitigation in Regex Usage
    While the coding conventions mention using matchTimeout for regex safety, the documentation does not explicitly enforce this in the examples or provide a clear implementation guide. Regular expression denial-of-service (ReDoS) attacks are a common vector for resource exhaustion.
    Action: Include explicit examples of safe regex usage with matchTimeout in the documentation, especially for .NET SDK McpGateway sanitization patterns.

🟡 WARNING: Potential Breaking Changes

  1. Post-Quantum Cryptography Dependency on .NET 10+
    The documentation introduces ML-DSA post-quantum cryptography for .NET 10+. This creates a potential compatibility issue for users on .NET 8.0 or earlier.
    Action: Clearly document fallback mechanisms for environments that do not support ML-DSA, such as continuing with HMAC-SHA256.

  2. Expanded .cspell.json Dictionary
    The .cspell.json file has been significantly expanded, which might introduce unexpected behavior for contributors unfamiliar with the new terms.
    Action: Provide contributors with a changelog or documentation explaining the rationale for the additions and how they align with the project's goals.

💡 Suggestions for Improvement

  1. OWASP MCP Compliance Mapping
    The OWASP MCP compliance mapping is comprehensive but could benefit from a summary table that highlights which sections are fully covered, partially covered, or out of scope. This would improve readability and help users quickly assess compliance.

  2. Telemetry Metrics Documentation
    The .NET MCP Protocol Support section mentions OpenTelemetry counters but does not provide detailed examples of how to configure or query these metrics.
    Action: Add a subsection with sample code for configuring and querying OpenTelemetry metrics.

  3. Internationalization (i18n) Updates
    The i18n documentation update for Chinese (README.zh-CN.md) is mentioned but not included in the diff. Ensure that all i18n updates are included in the PR to avoid incomplete documentation.

  4. Testing Coverage for MCP Governance Layer
    While the documentation mentions xUnit tests for the .NET SDK, it does not specify whether the MCP governance layer is covered by tests.
    Action: Add a section in the documentation detailing the test coverage for MCP-related components, including threat detection and policy enforcement.

  5. Agent Identity Examples
    The .NET MCP Protocol Support section mentions DID-based agent identity but does not provide examples for integrating SPIFFE/SVID.
    Action: Include SPIFFE/SVID integration examples to align with OWASP Agentic Top 10 compliance.

Final Recommendation

  • Address the 🔴 CRITICAL issues immediately to ensure secure deployment and usage of the MCP governance layer.
  • Resolve the 🟡 WARNING items to maintain backward compatibility and avoid breaking changes for existing users.
  • Implement the 💡 Suggestions to improve documentation clarity, usability, and compliance.

Once these changes are made, the PR will be ready for approval.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026
edited
Loading

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

  • ✅ All public APIs in the .NET MCP Protocol Support additions appear to have adequate documentation in the form of guides, examples, and references.
  • ✅ The README.md files for both the project and the affected package (agent-governance-dotnet) have been updated to reflect the new .NET MCP Protocol Support features.
  • ✅ The CHANGELOG.md includes a detailed entry for the new .NET MCP Protocol Support additions, covering the features and their scope.
  • ✅ Example code and usage instructions for the new .NET MCP Protocol Support APIs are included in the README.md and additional documentation files.
  • ✅ Type hints are not applicable for this .NET-focused addition, as the language itself enforces type safety.

Suggestions

  • 💡 Ensure that the new .NET MCP Protocol Support features are also covered in any relevant project-level documentation in the docs/ directory, if applicable.
  • 💡 Consider adding more detailed examples or tutorials in the examples/ directory to demonstrate the integration of .NET MCP Protocol Support with other components of the toolkit.

Final Assessment

✅ Documentation is in sync.

jackbatzner and others added 7 commits April 8, 2026 08:30
@jackbatzner
feat(dotnet): add MCP protocol support with OWASP coverage, multi-tar…
5603eff 
…get .NET 8/10, ML-DSA post-quantum signing

Add comprehensive MCP (Model Context Protocol) security governance to the .NET SDK
with 11/12 OWASP MCP Security Cheat Sheet sections covered. Multi-targets .NET 8.0
(LTS) and .NET 10.0 with post-quantum ML-DSA-65 (NIST FIPS 204) signing on .NET 10+.

Core components:
- McpGateway: 5-stage pipeline (deny→allow→sanitize→rate-limit→approve)
- McpSecurityScanner: 6-threat detection with SHA-256 fingerprinting
- McpMessageHandler: JSON-RPC routing with tool-to-ActionType classification
- McpResponseScanner: Output validation (injection, credentials, exfiltration)
- McpSessionAuthenticator: Crypto session binding with TOCTOU-safe concurrency
- McpMessageSigner: HMAC-SHA256 (.NET 8) + ML-DSA-65 post-quantum (.NET 10+)
- CredentialRedactor: 10 credential pattern redaction for audit logs
- McpSlidingRateLimiter: Per-agent sliding window rate limiting

Integration:
- ASP.NET Core: AddMcpGovernance(), UseMcpGovernance(), MapMcpGovernance()
- IConfiguration binding, ILogger<T>, IHealthCheck, gRPC interceptor
- McpToolRegistry with [McpTool] attribute auto-discovery
- AgentGovernance.ModelContextProtocol adapter sub-package (official SDK)
- OTel metrics: mcp_decisions, mcp_threats_detected, mcp_rate_limit_hits, mcp_scans

Tests: 973 passing (0 failures)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: harden dotnet mcp seams
2461136 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: remove .github/ workflow changes per maintainer review
c0f9412 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: address dotnet mcp review feedback
53fddcd 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: clean support branch docs checks
83581ed 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: add technical terms to cspell allowlist for dotnet MCP docs
53e46e9 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
ci: retrigger checks
a4df498 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jackbatzner and others added 3 commits April 8, 2026 08:30
@jackbatzner
fix: add 'bursty' to cspell allowlist for rate-limiting docs
09a4f2d 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: add technical terms to cspell allowlist and fix dependency issues
b8becb3 
Add smolagents, quickstarts, sandboxing, helpdesk to cspell dictionary.
Add openai-agents and smolagents to dependency confusion allowlist.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jackbatzner
fix: add technical terms to cspell allowlist
4f6450d 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions[bot]
github-actions bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 AI Agent: code-reviewer

Review Feedback for Pull Request: docs(rust): add MCP security documentation, OWASP mapping, and examples

🔴 CRITICAL: Security Concerns

  1. Sandbox Escape Vectors in Kubernetes Deployment Guide:

    • The mcp-server-hardening.md guide suggests using emptyDir volumes for temporary storage. While this is acceptable for ephemeral data, it does not explicitly recommend mounting the volume with readOnly: true for tools that do not require write access. This omission could lead to potential privilege escalation or data tampering by malicious MCP tools.
    • Action: Add explicit recommendations for readOnly: true wherever possible, especially for sensitive paths.

  2. Cloud Metadata Service Exposure:

    • The mcp-server-hardening.md guide mentions blocking cloud metadata IPs (e.g., 169.254.169.254) but relies on default NetworkPolicy behavior. This could lead to accidental exposure if the default behavior changes or if additional egress rules are added later.
    • Action: Explicitly add rules to block metadata service IPs for all major cloud providers (AWS, Azure, GCP) to ensure SSRF protection.

  3. Cryptographic Operations:

    • The .NET MCP Protocol Support documentation mentions using HMAC-SHA256 for cryptographic signing but does not provide details on key management practices. Improper key management can lead to vulnerabilities.
    • Action: Include documentation on secure key storage and rotation practices, such as using Azure Key Vault or AWS KMS.

🟡 WARNING: Potential Breaking Changes

  1. Public API Changes:
    • The addition of .NET MCP Protocol Support introduces new public APIs, such as McpGateway, McpSecurityScanner, and McpSessionAuthenticator. While these are new features, any changes to these APIs in the future could break backward compatibility.
    • Action: Ensure these APIs are well-documented and follow semantic versioning principles. Add tests to validate backward compatibility for future releases.

💡 Suggestions for Improvement

  1. OWASP MCP Security Cheat Sheet Mapping:

    • The owasp-mcp-mapping.md documentation provides a good overview of compliance with OWASP MCP Security Cheat Sheet sections. However, it does not include a summary table or visual representation of compliance levels for each section.
    • Action: Add a summary table or visual chart to provide a quick overview of compliance status for each section.

  2. Thread Safety Documentation:

    • The .NET MCP Protocol Support documentation mentions TOCTOU-safe concurrency for McpSessionAuthenticator. However, it does not provide details on how thread safety is achieved across the governance pipeline.
    • Action: Add a section explaining thread safety mechanisms, such as locks or atomic operations, used in the governance pipeline.

  3. Type Safety and Validation:

    • The .NET MCP Protocol Support documentation mentions the use of SortedDictionary for deterministic schema hashing. While this is a good practice, it would be beneficial to include examples of how schema validation is performed and how errors are handled.
    • Action: Add examples of schema validation and error handling in the documentation.

  4. Backward Compatibility Testing:

    • The .NET MCP Protocol Support introduces new features that may impact backward compatibility. While this is noted in the review, there is no mention of automated tests to ensure backward compatibility.
    • Action: Add automated tests to verify backward compatibility for the new .NET MCP governance APIs.

  5. Internationalization (i18n) Updates:

    • The README.zh-CN.md file includes Rust installation and documentation links but does not provide translated content for the new .NET MCP Protocol Support section.
    • Action: Update the i18n documentation to include translated content for .NET MCP Protocol Support.

  6. Documentation Consistency:

    • The README.md file mentions .NET MCP Protocol Support but does not provide a direct link to the new mcp-server-hardening.md guide.
    • Action: Add a direct link to the mcp-server-hardening.md guide in the .NET MCP Protocol Support section of the README.md.

Summary

This pull request introduces valuable documentation updates for the Rust MCP security primitives and the new .NET MCP Protocol Support. However, there are critical security concerns related to sandbox escape vectors and cloud metadata service exposure that must be addressed. Additionally, potential breaking changes in the new APIs should be carefully managed with robust documentation and backward compatibility tests. Several improvements to documentation clarity and completeness are also suggested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation size/XL Extra large PR (500+ lines) tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jackbatzner @imran-siddique