pmcp-code-mode 0.5.0

Code Mode validation and execution framework for MCP servers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

name: pmcp-code-mode
version: 0.1.0
description: Code Mode validation and execution framework for MCP servers
contracts:
  - name: hmac_token_roundtrip
    type: property
    description: "Tokens generated by HmacTokenGenerator verify successfully against the same code"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- hmac_roundtrip"

  - name: hmac_modification_detection
    type: property
    description: "Modified code fails token verification"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- hmac_detects"

  - name: hmac_bitflip_rejection
    type: property
    description: "Bit-flipped tokens fail verification (negative token fuzzing)"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- bitflip"

  - name: hmac_wrong_secret_rejection
    type: property
    description: "Tokens generated with one secret cannot be verified with a different secret"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- wrong_secret"

  - name: hash_code_determinism
    type: property
    description: "hash_code produces identical output for identical input"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- hash_code_deterministic"

  - name: canonicalize_idempotency
    type: property
    description: "canonicalize_code(canonicalize_code(x)) == canonicalize_code(x)"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- canonicalize_idempotent"

  - name: graphql_validation_determinism
    type: property
    description: "Same GraphQL query produces identical validation results across invocations"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- graphql_validation_deterministic"

  - name: token_secret_zeroize
    type: invariant
    description: "TokenSecret zeroes memory on drop via secrecy::SecretBox"
    verification: "grep -q SecretBox crates/pmcp-code-mode/src/token.rs"

  - name: token_secret_no_serialize
    type: invariant
    description: "TokenSecret does not implement Serialize, Deserialize, Debug, Display, or Clone"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- token_secret_trait"

  - name: default_deny_policy
    type: invariant
    description: "Without NoopPolicyEvaluator, operations are denied by default (DenyAllEvaluator rejects valid queries)"
    verification: "cargo test -p pmcp-code-mode --test property_tests -- default_deny"

  - name: parser_no_panic
    type: robustness
    description: "GraphQL and JavaScript parsers never panic on arbitrary input"
    verification: "Fuzz targets: fuzz/fuzz_targets/fuzz_graphql_code_mode.rs and fuzz/fuzz_targets/fuzz_javascript_code_mode.rs (requires nightly: cargo +nightly fuzz run fuzz_graphql_code_mode)"

  - name: token_verification_no_panic
    type: robustness
    description: "Token decode and verify never panic on arbitrary input"
    verification: "Fuzz target: fuzz/fuzz_targets/fuzz_token_code_mode.rs (requires nightly: cargo +nightly fuzz run fuzz_token_code_mode)"