// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
// SPDX-License-Identifier: MIT OR Apache-2.0

//! Pure-data security types for MCP tool metadata.
//!
//! These types are config-level data shapes: they carry no runtime logic and depend
//! neither on `zeph-mcp` nor on any other feature crate. `zeph-mcp` re-exports them so
//! existing paths (`zeph_mcp::tool::ToolSecurityMeta`) continue to resolve.

10use serde::{Deserialize, Serialize};
/// How sensitive the data a tool reads or produces is.
///
/// The data-flow policy uses this level to confine high-sensitivity tools to trusted
/// servers. Variants are declared in ascending order, so the derived `Ord` yields
/// `None < Low < Medium < High` and `max()` over a tool set gives its worst case.
///
/// `Default` is [`DataSensitivity::None`]: a tool whose sensitivity is neither
/// configured nor inferred is classified as handling no sensitive data, i.e. the
/// least restrictive level. Treat an all-default value as "unclassified" rather
/// than "reviewed".
#[derive(Debug, Clone, Copy, Default)]
#[derive(PartialEq, Eq, PartialOrd, Ord)]
#[derive(Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum DataSensitivity {
    /// Nothing sensitive; serialised as `"none"`.
    #[default]
    None,
    /// Low sensitivity, such as public reads.
    Low,
    /// Medium sensitivity, such as internal reads or database queries.
    Medium,
    /// High sensitivity, such as writes, shell execution or credentials.
    High,
}
/// Broad class of capability an MCP tool exercises.
///
/// Either set explicitly in operator config or inferred by heuristics when the tool
/// is registered. Collected in [`ToolSecurityMeta::capabilities`] and consumed by the
/// data-flow policy. Serialised in `snake_case` (`filesystem_read`, `external_api`, ...).
///
/// NOTE(review): an inferred class is derived from the tool's name rather than from
/// operator config — presumably that name originates with the serving MCP server, so
/// confirm that explicit config takes precedence over inference before relying on it
/// as a policy input.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[derive(Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum CapabilityClass {
    /// Reads the local filesystem.
    FilesystemRead,
    /// Writes the local filesystem.
    FilesystemWrite,
    /// Performs outbound network calls.
    Network,
    /// Runs shell commands.
    Shell,
    /// Reads a database.
    DatabaseRead,
    /// Writes a database.
    DatabaseWrite,
    /// Writes agent memory.
    MemoryWrite,
    /// Invokes an external API.
    ExternalApi,
}
/// Location of a schema value that matched an injection pattern.
///
/// `path` is a JSON pointer into the tool's `input_schema`, for example
/// `/properties/key/description`; `pattern_name` names the pattern that fired there.
#[derive(Debug, Clone, PartialEq, Eq)]
#[derive(Serialize, Deserialize)]
pub struct FlaggedParameter {
    /// JSON pointer into `input_schema` pointing at the flagged value.
    pub path: String,
    /// Identifier of the injection pattern that matched at `path`.
    pub pattern_name: String,
}
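/// Security metadata attached to a single tool.
///
/// Set by operator config or inferred from tool-name heuristics at registration
/// time, and stored next to `McpTool` in the tool registry.
///
/// Every field is `#[serde(default)]`, and the derived `Default` produces
/// [`DataSensitivity::None`] with empty `capabilities` and `flagged_parameters`.
/// Metadata that is absent or only partially specified therefore deserialises to the
/// least-sensitive, capability-less shape; callers should read an all-default value
/// as "unclassified" rather than "reviewed and safe".
///
/// Derives `PartialEq`/`Eq` like the other types in this module so two metadata
/// records (e.g. configured vs. inferred) can be compared directly.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct ToolSecurityMeta {
    /// Sensitivity of the data this tool's outputs carry.
    #[serde(default)]
    pub data_sensitivity: DataSensitivity,
    /// Capability classes this tool exercises.
    #[serde(default)]
    pub capabilities: Vec<CapabilityClass>,
    /// Parameters whose `input_schema` values matched an injection pattern.
    #[serde(default)]
    pub flagged_parameters: Vec<FlaggedParameter>,
}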
78    pub capabilities: Vec<CapabilityClass>,
79    /// Parameters whose `input_schema` values matched an injection pattern.
80    #[serde(default)]
81    pub flagged_parameters: Vec<FlaggedParameter>,
82}