lerian-mcp-server

The server operates in a 'documentation-only' mode, meaning it explicitly does NOT connect to Lerian backend APIs, significantly reducing its attack surface. It features comprehensive input validation and output sanitization (against XSS, SQL injection, path traversal, dangerous protocols) adapted to various MCP clients. Sensitive data is redacted in logs, and secrets (like `CURSOR_SECRET` and `CACHE_ENCRYPTION_KEY`) are automatically generated and persisted securely with `0o600` file permissions if not provided via environment variables. Rate limiting is implemented, and global error handlers are in place. Configuration loading includes security checks, enforcing localhost backend URLs even if external ones are configured (though backend API access is disabled). The project includes dedicated security audit scripts (`npm audit`, `security:audit`).