Skip to main content

mcplint_rules/
lib.rs

1//! Security rules for mcplint.
2//!
3//! Each rule implements the [`mcplint_core::Rule`] trait and detects a specific class of
4//! security issue in MCP tool configurations:
5//!
6//! | Rule  | Module | What it detects |
7//! |-------|--------|-----------------|
8//! | MG001 | [`mg001_unbounded_string`] | Unbounded string parameters flowing to dangerous sinks |
9//! | MG002 | [`mg002_over_permissioning`] | Tool descriptions that understate actual capabilities |
10//! | MG003 | [`mg003_escalation_chains`] | Cross-tool/cross-server escalation chains |
11//! | MG004 | [`mg004_filesystem_scope`] | Filesystem access without path confinement |
12//! | MG005 | [`mg005_weak_auth`] | Missing or weak authentication |
13//! | MG006 | [`mg006_metadata_leakage`] | Internal metadata leakage in descriptions |
14//! | MG007 | [`mg007_broad_scope`] | Overly broad tool parameter scopes |
15//! | MG008 | [`mg008_transport_security`] | Insecure transport (HTTP/WS without TLS) |
16//! | MG009 | [`mg009_env_leakage`] | Sensitive environment variables passed to servers |
17//!
18//! Use [`default_registry()`] to get a [`mcplint_core::RuleRegistry`] with all rules registered.
19
20pub mod mg001_unbounded_string;
21pub mod mg002_over_permissioning;
22pub mod mg003_escalation_chains;
23pub mod mg004_filesystem_scope;
24pub mod mg005_weak_auth;
25pub mod mg006_metadata_leakage;
26pub mod mg007_broad_scope;
27pub mod mg008_transport_security;
28pub mod mg009_env_leakage;
29
30use mcplint_core::RuleRegistry;
31
32/// Create a registry populated with all rules.
33pub fn default_registry() -> RuleRegistry {
34    let mut registry = RuleRegistry::new();
35    registry.register(Box::new(mg001_unbounded_string::Mg001UnboundedString));
36    registry.register(Box::new(mg002_over_permissioning::Mg002OverPermissioning));
37    registry.register(Box::new(mg003_escalation_chains::Mg003EscalationChains));
38    registry.register(Box::new(mg004_filesystem_scope::Mg004FilesystemScope));
39    registry.register(Box::new(mg005_weak_auth::Mg005WeakAuth));
40    registry.register(Box::new(mg006_metadata_leakage::Mg006MetadataLeakage));
41    registry.register(Box::new(mg007_broad_scope::Mg007BroadScope));
42    registry.register(Box::new(mg008_transport_security::Mg008TransportSecurity));
43    registry.register(Box::new(mg009_env_leakage::Mg009EnvLeakage));
44    registry
45}