enterprise_mcp_server

Verified Safe

by georgiedekker

Overview

Provides a comprehensive Model Context Protocol (MCP) solution, featuring an API Gateway for routing and management, an Enterprise MCP Server for core services like authentication, tool definition management, and audit logging, and dedicated Tool Servers for executing operational tools.

Installation

Run Command
uvicorn src.asgi:app --host 0.0.0.0 --port 8033

Environment Variables

  • SERVICE_NAME
  • VERSION
  • ENVIRONMENT
  • LOG_LEVEL
  • LOG_FORMAT
  • INTERNAL_SERVICES_IP
  • HOST
  • PORT
  • TEMP_DIR
  • POSTGRES_HOST
  • POSTGRES_PORT
  • POSTGRES_DB
  • POSTGRES_USER
  • POSTGRES_PASSWORD
  • POSTGRES_SSLMODE
  • POSTGRES_POOL_MIN_SIZE
  • POSTGRES_POOL_MAX_SIZE
  • DATABASE_URL
  • SERVICE_CLIENT_ID
  • SERVICE_CLIENT_SECRET
  • KEYCLOAK_URL
  • KEYCLOAK_REALM
  • KEYCLOAK_CLIENT_ID
  • KEYCLOAK_CLIENT_SECRET
  • AUTH_ENABLED
  • KEYCLOAK_SSL_VERIFY
  • SECRETS_URL
  • REDIS_URL
  • JWT_SECRET_KEY
  • JWT_ALGORITHM
  • JWT_ACCESS_TOKEN_EXPIRE_MINUTES
  • ADMIN_USERNAME
  • ADMIN_PASSWORD
  • DEFAULT_ADMIN_PASSWORD_HASH
  • ANTHROPIC_API_KEY
  • CORS_ALLOWED_ORIGINS
  • CORS_ORIGINS
  • ENTERPRISE_MCP_SERVER_URL
  • GATEWAY_PORT
  • DEFAULT_RATE_LIMIT
  • PYTHONUNBUFFERED
  • MCP_TRANSPORT
  • MCP_SERVER_NAME
  • SKIP_SANDBOX
  • AUDIT_RETENTION_DAYS
  • AUDIT_CLEANUP_INTERVAL_HOURS
  • CLAUDE_CONFIG_PATH
  • CLAUDE_AUTH_METHOD
  • CLAUDE_CLI_TIMEOUT

Security Notes

The system employs token-based authentication (JWT and OAuth2 with PKCE support) and role-based access control, backed by PostgreSQL. Audit logging is comprehensive, and SQL injection is mitigated through parameterized queries. Password hashing uses PBKDF2_HMAC, with a recommendation for `passlib` in production. However, several critical areas warrant attention:

1. **Arbitrary Code Execution via Claude CLI**: The `claude_code` tool in `src/tools/claude.py` uses `subprocess.run` to interact with the external `@anthropic-ai/claude-code` CLI. While the `claude-code-sdk` provides some structure, the default `allowed_tools` for `ClaudeCodeOptions` (e.g., `['Read', 'Write', 'Bash']`) are highly permissive. A malicious or poorly constrained prompt could potentially lead to arbitrary command execution within the container's environment if `permission_mode` is set to `bypassPermissions`, or if `acceptEdits` is not carefully supervised, posing a significant risk.
2. **API Gateway Trust**: The `api_gateway.py` proxies all requests to the Enterprise MCP Server. While it adds rate limiting and analytics, it does not perform its own authentication, relying entirely on the backend server for this. If the backend server's authentication fails or is bypassed, the gateway offers no protection.
3. **CORS Configuration**: The default `CORS_ALLOWED_ORIGINS` includes broad wildcard origins (`http://localhost:*`, `http://127.0.0.1:*`) for local development, which should be restricted in a production environment.
4. **Keycloak vs. Internal Auth**: The presence of `KeycloakAuthMiddleware` alongside internal JWT authentication (`auth.py`) suggests a potential for dual or ambiguous authentication paths, which could lead to misconfigurations if not explicitly understood and managed.
5. **SKIP_SANDBOX**: The `SKIP_SANDBOX` environment variable allows disabling sandboxing for dynamic tool execution, which is explicitly dangerous and should never be enabled in production.

Stats

  • Interest Score: 32
  • Security Score: 7
  • Cost Class: Medium
  • Avg Tokens: 1000
  • Stars: 2
  • Forks: 0
  • Last Update: 2025-11-26

Tags

API Gateway, FastAPI, FastMCP, Tool Management, Authentication, Audit Logging