This document describes the security architecture of mcp-trove-crunchtools.
Assets in scope:

| Asset | Sensitivity | Impact if Compromised |
|---|---|---|
| SQLite Database | Medium | Index metadata and embeddings exposed |
| Indexed File Content | High | Text chunks from local files exposed |
| Local File Paths | Medium | Directory structure revealed |

Threat actors considered:

| Actor | Capability | Motivation |
|---|---|---|
| Malicious AI Agent | Can craft arbitrary tool inputs | Data exfiltration, path traversal |
| Local Attacker | Access to the filesystem | Database tampering, content theft |

Attack vectors and their mitigations:

| Vector | Description | Mitigation |
|---|---|---|
| Path Traversal | Manipulated file paths in index/search inputs (`..` segments, symlinks) | Input validation; paths canonicalized and required to exist before use |
| SQL Injection | Crafted tool inputs reaching SQLite | Parameterized queries only; no string-built SQL |
| Denial of Service | Indexing extremely large files or batches | File size limits, batch size limits, asyncio.Semaphore |
| Content Injection | Crafted file names or content | Stored verbatim as data, never interpreted or executed; read and written only through parameterized queries |
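The SQL Injection row above says "parameterized queries only". The following is an added example, not code from mcp-trove-crunchtools, showing the string-built query beside the bound-parameter form against a constructed in-memory table shaped like a chunk index (the project's real schema is not shown here; `chunks`, `SAMPLE_CHUNKS` and the two `search_*` functions are assumptions for illustration):

```python
"""Added example, not code from mcp-trove-crunchtools: why "parameterized
queries only" is the mitigation for SQL injection in a SQLite chunk index.
The table layout and the sample rows are constructed for this example; the
project's real schema is not shown on the page."""
import sqlite3

# Constructed sample rows standing in for indexed text chunks.
SAMPLE_CHUNKS = [
    ("docs/notes.txt", "quarterly budget figures"),
    ("src/config.py", "API_KEY = 'not-for-the-agent'"),
]


def build_index() -> sqlite3.Connection:
    """In-memory stand-in for the on-disk index, populated with parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chunks ("
        "id INTEGER PRIMARY KEY, path TEXT NOT NULL, content TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO chunks (path, content) VALUES (?, ?)", SAMPLE_CHUNKS)
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    """VULNERABLE: the tool input is spliced into the SQL text.

    A term such as "' OR 1=1 --" turns the WHERE clause into a tautology and
    returns every chunk, and a bare "_" or "%" acts as a wildcard.
    """
    sql = f"SELECT path FROM chunks WHERE content LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def like_pattern(term: str) -> str:
    """Escape LIKE metacharacters so the caller's text is matched literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened: the term travels as a bound parameter, never as SQL text."""
    sql = "SELECT path FROM chunks WHERE content LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (like_pattern(term),))]


if __name__ == "__main__":
    db = build_index()
    for probe in ("budget", "' OR 1=1 --", "_"):
        print(repr(probe), "unsafe:", search_unsafe(db, probe), "safe:", search_safe(db, probe))
```

Binding the value is what prevents injection; the `like_pattern` escaping is a separate, smaller point: `%` and `_` inside a bound `LIKE` argument are still wildcards, so an agent sending `_` would otherwise match every row.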
```text
+----------------------------------------------------------+
| Layer 1: Credential Protection                           |
| - N/A: local files only, no external API credentials     |
| - SecretStr pattern available if credentials added later |
+----------------------------------------------------------+
| Layer 2: Input Validation                                |
| - Pydantic models for all tool inputs                    |
| - Reject unexpected fields (extra="forbid")              |
| - Field length limits, path validation                   |
+----------------------------------------------------------+
| Layer 3: File System Hardening                           |
| - Read-only file access (no writes to indexed files)     |
| - Path canonicalization to prevent traversal             |
| - File size limits to prevent memory exhaustion          |
| - Exclude patterns for binary/large files                |
+----------------------------------------------------------+
| Layer 4: Runtime Protection                              |
| - No shell execution (subprocess)                        |
| - No dynamic code evaluation (eval/exec)                 |
| - asyncio.Semaphore for resource limiting                |
| - Batch size limits on indexing operations               |
+----------------------------------------------------------+
| Layer 5: Supply Chain Security                           |
| - Automated CVE scanning via GitHub Actions              |
| - Container built on Hummingbird for minimal CVEs        |
| - Weekly dependency audits                               |
+----------------------------------------------------------+
```
This server has no API tokens or credentials. It reads local files and stores embeddings in a local SQLite database. The primary security concerns are input validation and file access control.
All inputs are validated:
- File paths: Canonicalized (symlinks and `..` segments resolved) and required to exist on the filesystem before any read
- Search queries: Length-limited strings
- Limits/offsets: Bounded integers
- Extra Fields: Rejected (Pydantic extra="forbid")
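The four checks listed above, as an added example that is not the project's own code. It uses only the standard library so it runs without Pydantic; the field names, the numeric bounds and the "allowed root" directory are assumptions. The page describes canonicalization and an existence check but does not name a root; the example adds the root comparison because canonicalization alone does not stop traversal (a resolved path still has to be compared against the directory the server is allowed to read):

```python
"""Added example (not the project's code): the tool-input checks listed above,
written with the standard library so it runs without Pydantic. Field names,
limits and the 'allowed root' directory are assumptions; the page describes
canonicalization and an existence check but does not name a root."""
import tempfile
from dataclasses import dataclass
from pathlib import Path

MAX_QUERY_LEN = 1_000   # assumed length limit for search queries
MAX_LIMIT = 100         # assumed upper bound for page size
MAX_OFFSET = 100_000    # assumed upper bound for offset


class InputValidationError(ValueError):
    """Raised with a message safe to return to the caller (no internal paths)."""


def resolve_under_root(user_path: str, root: Path) -> Path:
    """Canonicalize user_path and require that it exists and lies under root.

    Canonicalization on its own does not stop traversal; the resolved path
    must also be compared against the allowed root (assumed policy here).
    """
    root = root.resolve(strict=True)
    try:
        # strict=True: the file must exist; symlinks and '..' are resolved.
        candidate = (root / user_path).resolve(strict=True)
    except (OSError, RuntimeError) as exc:
        raise InputValidationError("path does not exist") from exc
    if candidate != root and root not in candidate.parents:
        # The message deliberately does not echo the resolved path.
        raise InputValidationError("path is outside the indexed directory")
    return candidate


@dataclass(frozen=True)
class SearchInput:
    query: str
    limit: int = 10
    offset: int = 0


SEARCH_FIELDS = {"query", "limit", "offset"}


def parse_search_input(raw: dict) -> SearchInput:
    """The same checks a Pydantic model with extra='forbid' would apply."""
    unknown = set(raw) - SEARCH_FIELDS
    if unknown:
        raise InputValidationError(f"unexpected fields: {sorted(unknown)}")
    query = raw.get("query")
    if not isinstance(query, str) or not query.strip():
        raise InputValidationError("query must be a non-empty string")
    if len(query) > MAX_QUERY_LEN:
        raise InputValidationError("query too long")
    limit = raw.get("limit", 10)
    offset = raw.get("offset", 0)
    for name, value, lo, hi in (("limit", limit, 1, MAX_LIMIT), ("offset", offset, 0, MAX_OFFSET)):
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            raise InputValidationError(f"{name} must be an integer between {lo} and {hi}")
    return SearchInput(query=query, limit=limit, offset=offset)


def demo() -> dict:
    """Constructed scenario: a temp root with one real file, plus a symlink
    and two path spellings that all point outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("hello")
    outside = Path(tempfile.mkdtemp()) / "secret.txt"
    outside.write_text("private")
    (root / "link.txt").symlink_to(outside)
    probes = {
        "inside": "notes.txt",
        "dotdot": "../" + outside.parent.name + "/secret.txt",
        "symlink_out": "link.txt",
        "absolute_out": str(outside),
        "missing": "missing.txt",
    }
    results = {}
    for label, user_path in probes.items():
        try:
            resolve_under_root(user_path, root)
            results[label] = "accepted"
        except InputValidationError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
    print(parse_search_input({"query": "budget", "limit": 5}))
```

`demo()` exercises the three ways a path can escape the root (a `..` segment, a symlink, and an absolute path); all three resolve to existing files, so an existence check alone would accept them.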
This project uses GitHub Actions to automatically scan for CVEs:
- Weekly Scheduled Scans: Every Monday at 9 AM UTC
- PR Checks: Every pull request is scanned before merge
- Dependabot: Enabled for automatic security updates
The container image is built on Hummingbird Python from Project Hummingbird:
| Advantage | Description |
|---|---|
| Minimal CVE Count | Dramatically reduced attack surface |
| Rapid Security Updates | Security patches applied promptly |
| Python Optimized | Pre-configured with uv package manager |
| Non-Root Default | Runs as non-root user |
| Production Ready | Proper signal handling, minimal footprint |
Before each release, the maintainers confirm that:
- All inputs validated through Pydantic models
- File paths canonicalized before access
- No shell execution
- No eval/exec
- Error messages don't leak internals
- Dependencies scanned for CVEs
- Container rebuilt with latest Hummingbird base
Report security vulnerabilities using GitHub's private security advisory. This creates a private channel visible only to maintainers.
Do NOT open public issues for security vulnerabilities.