potiuk opened a new pull request, #160: URL: https://github.com/apache/solr-mcp/pull/160
**This is a proposal for the Solr PMC to review — please correct, reject, or discuss as needed.** The maintainers are the decision-makers; nothing here is a requirement. This adds a **v0 draft threat model** (`THREAT_MODEL.md`) for the Solr MCP Server plus the conventional discoverability wiring — a `## Security` section in the existing `AGENTS.md` pointing at a new `SECURITY.md`, which points at `THREAT_MODEL.md` — so an automated agentic security scanner can mechanically find the model. **Context.** The ASF Security team is preparing Apache Solr's repositories for an automated agentic security scan. Discoverability (the scanner following `AGENTS.md → SECURITY.md → model`) is the one hard gate — without it a scan can't run. The Solr *search server* (`apache/solr`) already has its model merged; this PR is the equivalent for the **MCP server**, whose surface is different again (a Spring AI Model Context Protocol bridge exposing Solr operations as tools to AI clients). The model cross-references `apache/solr`'s `THREAT_MODEL.md` for the backend-Solr side. **This is a v0 draft — mostly `*(inferred)*`.** The Security team drafted it from the repo's public artefacts (the `docs/security/` STDIO + HTTP pages, the tool/service classes, `SolrConfig`, the security config classes, `XmlDocumentCreator`) using the [`threat-model-producer`](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573) rubric. Every claim carries a provenance tag; every `*(inferred)*` tag routes to a matching question in **§14 Open questions**. Easiest review is to **react** to §14 (one-line confirm / correct / strike per question); we fold your answers in and the tags become `*(maintainer)*`. The draft leans on your existing `docs/security/*.md` work — it credits the secured-by-default HTTP posture (OAuth2 + JWT audience binding + restrictive CORS), the STDIO OS-user trust model, the XXE-hardened XML indexing, and the read+additive-only tool set as **provided** properties, and centers the genuinely MCP-specific risks (prompt injection / tool-poisoning via returned Solr content; single shared backend credential with no per-caller authz; the `SOLR_URL`-is-deployer-config-not-tool-input invariant) as the disclaimed properties and open questions. **Scope note:** solr-mcp was one of the repos flagged for scope confirmation in the scan enrollment. If the PMC would rather **not** include it this cycle, close the PR and we'll drop it. If you'd rather own the model yourselves, close it and we'll wait. Questions / pushback welcome — happy to adjust anything to match project conventions. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
