mcp-dev-journal

The MCP server internally uses parameterized SQL queries via 'better-sqlite3', which prevents SQL injection vulnerabilities. API keys for AI providers, Linear, and the inter-service MCP_API_KEY are configured via environment variables, reducing the risk of hardcoded credentials. It is CRITICAL to set strong, non-default values for all API keys and secrets in production environments. File system access for database operations and backups is confined to specified paths or the project's designated 'data' directory. The 'eval' usage observed in the 'web' app's AI tool generation API route does not directly impact the MCP server's operations, but is a general caution within the broader workspace context. MCP server-to-web app communication relies on the 'MCP_API_KEY' for authentication; if this is not configured, API calls from the MCP server to Tartarus's repository endpoints will be unauthenticated, potentially exposing data if the Tartarus web app is not otherwise secured.