Skip to content

Security

The adapter already has a real security posture - it is not just "auth on or off." This section explains the threat model, the controls that exist today, and the deeper pages for auth and session handling, metadata controls, and tool-definition pinning.

The default stance is deliberately conservative, but not maximal:

  • visible tool metadata is sanitized before it is forwarded
  • tool-definition drift is surfaced as a warning by default

That gives a new deployment some real protection without forcing every installation into a strict block-only posture on day one.

Read this section in order

This section is split deliberately.

What this section covers

Today, the relevant controls include:

  • adapter auth and signed URL flows
  • session-scoped uploads and artifacts
  • session binding on the authenticated path
  • tool-surface reduction and per-server hiding
  • optional description minimization or stripping for upstream tools
  • metadata sanitization for model-visible tool text
  • storage-path and artifact-locator boundaries
  • quota and lifecycle controls
  • fail-closed persistence choices
  • tool-definition pinning and session invalidation on drift

This section explains those controls as a system instead of leaving them scattered across config snippets.

Where the details live

Use the docs in this order:

  • read this section for the trust boundaries, risks, and protections
  • use the Configuration guide when you need the exact fields and defaults
  • use the scenario pages linked from Configuration when you want a complete deployment shape

That way you can start with the security model, then move into the config and deployment pattern that fits your environment.

If you want the maintainer-facing snapshot of what is implemented right now in the repo, see the root SECURITY.md on GitHub.

Where to start

Use the path that matches your question:

Next steps