// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
// SPDX-License-Identifier: MIT OR Apache-2.0

//! Pure-data security types for MCP tool metadata.
//!
//! These types are config-level data shapes — they carry no runtime logic and have no
//! dependency on `zeph-mcp` or any other feature crate. `zeph-mcp` re-exports them so
//! existing paths (`zeph_mcp::tool::ToolSecurityMeta`) continue to resolve.

10use serde::{Deserialize, Serialize};
11
/// How sensitive the data a tool reads or produces is.
///
/// The data-flow policy consults this level to restrict where high-sensitivity tools may
/// be registered (trusted servers only). Variants are declared in ascending order,
/// `None < Low < Medium < High`, so the derived `Ord` lets `max()` compute the worst-case
/// level across a set of tools.
///
/// `None` is the `Default`, i.e. the *least* restrictive level. A config entry that omits
/// the level therefore asserts nothing about the tool on its own; the registration-time
/// inference is presumably what fills it in — confirm in the registration path.
/// Serialized form is lowercase (`none`, `low`, `medium`, `high`).
#[derive(Clone, Copy, Debug, Default, Eq, PartialEq, Ord, PartialOrd, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
#[non_exhaustive]
pub enum DataSensitivity {
    /// Nothing sensitive is read or produced.
    #[default]
    None,
    /// Low-sensitivity data (e.g. public reads).
    Low,
    /// Medium-sensitivity data (e.g. internal reads, database queries).
    Medium,
    /// High-sensitivity data (e.g. writes, shell execution, credentials).
    High,
}
31
/// Coarse capability class for an MCP tool.
///
/// Set by operator config or inferred heuristically when the tool is registered; lives in
/// [`ToolSecurityMeta::capabilities`] and is consulted by the data-flow policy. Variants
/// serialize as `snake_case` (`filesystem_read`, `external_api`, ...).
///
/// The enum is `#[non_exhaustive]`, so downstream crates must keep a wildcard arm when
/// matching on it; new classes can then be added without a breaking change.
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
#[non_exhaustive]
pub enum CapabilityClass {
    /// Reads from the local filesystem.
    FilesystemRead,
    /// Writes to the local filesystem.
    FilesystemWrite,
    /// Makes outbound network calls.
    Network,
    /// Executes shell commands.
    Shell,
    /// Reads from a database.
    DatabaseRead,
    /// Writes to a database.
    DatabaseWrite,
    /// Writes to agent memory.
    MemoryWrite,
    /// Calls an external API.
    ExternalApi,
}
57
/// A schema location that matched an injection-detection pattern, and which pattern.
///
/// `path` is a JSON pointer into the tool's `input_schema`, in the form
/// `/properties/key/description`.
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub struct FlaggedParameter {
    /// JSON pointer into `input_schema` identifying the flagged value.
    pub path: String,
    /// Name of the injection pattern that matched.
    pub pattern_name: String,
}
68
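/// Per-tool security metadata.
///
/// Assigned by operator config or inferred from tool name heuristics at registration time.
/// Stored alongside `McpTool` in the tool registry.
///
/// Every field carries `#[serde(default)]`, so a config entry may omit any of them. The
/// defaults are the *permissive* ones — `DataSensitivity::None`, no capabilities, nothing
/// flagged — so an entry that omits them asserts nothing about the tool; the
/// registration-time inference is presumably what fills them in (confirm in `zeph-mcp`).
///
/// Derives `PartialEq`/`Eq` like [`FlaggedParameter`] does, so configured and inferred
/// metadata for the same tool can be compared directly.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct ToolSecurityMeta {
    /// Data sensitivity of this tool's outputs.
    #[serde(default)]
    pub data_sensitivity: DataSensitivity,
    /// Capability classes this tool exercises.
    ///
    /// Plain `Vec`, so duplicates are representable; callers needing set semantics can
    /// collect into a `HashSet<CapabilityClass>` (the enum derives `Hash`).
    #[serde(default)]
    pub capabilities: Vec<CapabilityClass>,
    /// Parameters whose `input_schema` values matched an injection pattern.
    #[serde(default)]
    pub flagged_parameters: Vec<FlaggedParameter>,
}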
84}