

// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
// SPDX-License-Identifier: MIT OR Apache-2.0

//! Pure-data security types for MCP tool metadata.
//!
//! These types are config-level data shapes — they carry no runtime logic and have no
//! dependency on `zeph-mcp` or any other feature crate. `zeph-mcp` re-exports them so
//! existing paths (`zeph_mcp::tool::ToolSecurityMeta`) continue to resolve.

10use serde::{Deserialize, Serialize};
11
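/// Sensitivity level of the data a tool accesses or produces.
///
/// Used by the data-flow policy to enforce that high-sensitivity tools can only be
/// registered on trusted servers. The ordering `None < Low < Medium < High` allows
/// `max()` comparisons when computing the worst-case sensitivity of a tool set.
///
/// Invariants a maintainer must keep:
/// - The derived [`Ord`] follows declaration order, so a variant added later must be
///   placed at its correct rank; otherwise every policy comparison that uses `<`/`max()`
///   silently changes meaning.
/// - [`Default`] is `None`, the *least* restrictive level. Because
///   [`ToolSecurityMeta::data_sensitivity`] is `#[serde(default)]`, a config entry that
///   omits the field is treated as "no sensitive data"; registration-time heuristics
///   are expected to fill in a more accurate value.
/// - Config/wire names are the lowercase variant names: `none`, `low`, `medium`, `high`.
///
/// `Hash` is derived so the level can key a `HashMap`/`HashSet`, matching
/// [`CapabilityClass`].
#[derive(
    Debug, Clone, Copy, Default, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize,
)]
#[serde(rename_all = "lowercase")]
#[non_exhaustive]
pub enum DataSensitivity {
    /// No sensitive data. The default, and the lowest rank in the ordering.
    #[default]
    None,
    /// Low-sensitivity data (e.g. public reads).
    Low,
    /// Medium-sensitivity data (e.g. internal reads, database queries).
    Medium,
    /// High-sensitivity data (e.g. writes, shell execution, credentials).
    High,
}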
31
/// Coarse capability class for an MCP tool.
///
/// Assigned by operator config or inferred via heuristics at registration time.
/// Stored inside [`ToolSecurityMeta::capabilities`] and used by the data-flow policy.
///
/// Config/wire names are the `snake_case` form of the variant name (`filesystem_read`,
/// `database_write`, ...). `Hash` and `Eq` are derived so classes can be collected into
/// a `HashSet` for membership checks; no ordering is derived, so declaration order
/// carries no meaning. The enum is `#[non_exhaustive]`, so downstream `match`es need a
/// wildcard arm. NOTE(review): a policy that allow-lists classes should treat a class it
/// does not recognise as the more restrictive case rather than letting it through.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
#[non_exhaustive]
pub enum CapabilityClass {
    /// Reads from the local filesystem.
    FilesystemRead,
    /// Writes to the local filesystem.
    FilesystemWrite,
    /// Makes outbound network calls.
    Network,
    /// Executes shell commands (listed as a high-sensitivity example on
    /// [`DataSensitivity::High`]).
    Shell,
    /// Reads from a database.
    DatabaseRead,
    /// Writes to a database.
    DatabaseWrite,
    /// Writes to agent memory.
    MemoryWrite,
    /// Calls an external API.
    ExternalApi,
}
57
/// A parameter path and the injection pattern that matched it.
///
/// One record is produced per value inside a tool's `input_schema` that matched an
/// injection pattern. `path` is a JSON pointer into that schema, in the form
/// `/properties/key/description`; `pattern_name` names the pattern that matched so the
/// finding can be traced back to the pattern definition.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct FlaggedParameter {
    /// JSON pointer into `input_schema` identifying the flagged value.
    pub path: String,
    /// Name of the injection pattern that matched.
    pub pattern_name: String,
}
68
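/// Per-tool security metadata.
///
/// Assigned by operator config or inferred from tool name heuristics at registration time.
/// Stored alongside `McpTool` in the tool registry.
///
/// Every field is `#[serde(default)]`, so a config entry that omits a field receives the
/// least restrictive value: [`DataSensitivity::None`], no capabilities, and no flagged
/// parameters. A consequence is that a misspelled key (e.g. `data_sensitivty`) is
/// silently dropped and the default applies, unless the enclosing config type rejects
/// unknown fields. NOTE(review): confirm the surrounding config loader does so, or add
/// `#[serde(deny_unknown_fields)]` here if no caller relies on passing extra keys.
///
/// `PartialEq`/`Eq` are derived — every field type is `Eq` — so registry entries can be
/// compared directly in policy checks and tests, consistent with [`FlaggedParameter`].
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct ToolSecurityMeta {
    /// Data sensitivity of this tool's outputs. Absent in config → [`DataSensitivity::None`].
    #[serde(default)]
    pub data_sensitivity: DataSensitivity,
    /// Capability classes this tool exercises. Not deduplicated by this type; a class
    /// listed twice in config appears twice here.
    #[serde(default)]
    pub capabilities: Vec<CapabilityClass>,
    /// Parameters whose `input_schema` values matched an injection pattern. An empty list
    /// means nothing was flagged *or* no scan populated it — the two are not
    /// distinguishable from this struct alone.
    #[serde(default)]
    pub flagged_parameters: Vec<FlaggedParameter>,
}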
84}