1mcp

The server leverages WASM sandboxing (QuickJS/Pyodide) for strong code isolation, preventing direct access to Node.js APIs or the host filesystem. Code capsules are JWS-signed with Ed25519 keys and verified prior to execution to prevent tampering. Network and filesystem policies (e.g., allowed domains, max body bytes, read-only/writable paths, path traversal protection) are implemented and double-enforced on both the server and browser execution environments. However, the project's own `SECURITY.md` still labels it 'DEVELOPMENT - NOT PRODUCTION READY'. Notable remaining risks include: (1) Upstream MCP servers are fully trusted without authentication, posing a risk if a configured MCP is malicious. (2) Comprehensive rate limiting beyond queue depth is not implemented, creating a potential for resource exhaustion. (3) DNS resolution to private IPs is not blocked in v1, which could lead to network bypasses. (4) The default `127.0.0.1` bind address for local runs offers basic protection, but exposing the server via `--bind 0.0.0.0` in production without additional authentication is insecure.