potiuk opened a new pull request, #160:
URL: https://github.com/apache/solr-mcp/pull/160

   **This is a proposal for the Solr PMC to review — please correct, reject, or 
discuss as needed.** The maintainers are the decision-makers; nothing here is a 
requirement.
   
   This adds a **v0 draft threat model** (`THREAT_MODEL.md`) for the Solr MCP 
Server plus the conventional discoverability wiring — a `## Security` section 
in the existing `AGENTS.md` pointing at a new `SECURITY.md`, which points at 
`THREAT_MODEL.md` — so an automated agentic security scanner can mechanically 
find the model.
   
   **Context.** The ASF Security team is preparing Apache Solr's repositories 
for an automated agentic security scan. Discoverability (the scanner following 
`AGENTS.md → SECURITY.md → model`) is the one hard gate — without it a scan 
can't run. The Solr *search server* (`apache/solr`) already has its model 
merged; this PR is the equivalent for the **MCP server**, whose surface is 
different again (a Spring AI Model Context Protocol bridge exposing Solr 
operations as tools to AI clients). The model cross-references `apache/solr`'s 
`THREAT_MODEL.md` for the backend-Solr side.
   
   **This is a v0 draft — mostly `*(inferred)*`.** The Security team drafted it 
from the repo's public artefacts (the `docs/security/` STDIO + HTTP pages, the 
tool/service classes, `SolrConfig`, the security config classes, 
`XmlDocumentCreator`) using the 
[`threat-model-producer`](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)
 rubric. Every claim carries a provenance tag; every `*(inferred)*` tag routes 
to a matching question in **§14 Open questions**. Easiest review is to 
**react** to §14 (one-line confirm / correct / strike per question); we fold 
your answers in and the tags become `*(maintainer)*`.
   
   The draft leans on your existing `docs/security/*.md` work — it credits the 
secured-by-default HTTP posture (OAuth2 + JWT audience binding + restrictive 
CORS), the STDIO OS-user trust model, the XXE-hardened XML indexing, and the 
read+additive-only tool set as **provided** properties, and centers the 
genuinely MCP-specific risks (prompt injection / tool-poisoning via returned 
Solr content; single shared backend credential with no per-caller authz; the 
`SOLR_URL`-is-deployer-config-not-tool-input invariant) as the disclaimed 
properties and open questions.
   
   **Scope note:** solr-mcp was one of the repos flagged for scope confirmation 
in the scan enrollment. If the PMC would rather **not** include it this cycle, 
close the PR and we'll drop it. If you'd rather own the model yourselves, close 
it and we'll wait.
   
   Questions / pushback welcome — happy to adjust anything to match project 
conventions.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to