adityamparikh opened a new pull request, #119: URL: https://github.com/apache/solr-mcp/pull/119
## Summary

- Adds `docs/security/stdio.md` documenting the security posture of the Solr MCP server when run in STDIO mode (the default).
- Captures *why* STDIO has no in-process auth layer — and that this is intentional and spec-aligned — with citations to the MCP specification (Authorization, Transports, Security Best Practices), Spring AI MCP Security reference, `spring-ai-community/mcp-security`, and Spring Security/Boot Javadoc.
- Pure docs change. No code, config, or behavior changes.

The TL;DR for reviewers: the MCP Authorization spec explicitly says STDIO implementations *SHOULD NOT* follow OAuth and should retrieve credentials from the environment instead. The doc records that fact and the operational guardrails (don't run elevated, treat `SOLR_URL` as deployer config, never write to stdout) for future contributors. A follow-up doc for HTTP-mode security is referenced as planned but not included here.

## Test plan

- [x] `docs/security/stdio.md` renders correctly on GitHub (table, blockquotes, links).
- [x] All external links resolve (MCP spec pages, Spring AI / Spring blog, Spring Security/Boot Javadoc).
- [x] No code paths touched; existing CI (unit + integration) is unaffected.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
