poly-secret-mcp

The server executes external CLI tools (Vault, SOPS) via `Deno.Command.run`. While Deno's `Command` typically treats array arguments as literal strings (preventing basic shell injection), the code directly concatenates user-provided inputs into single string arguments before passing them to the CLI (e.g., `--field=` + field, `["` + key + `"] "` + value + `"`). This pattern could potentially lead to application-level injection vulnerabilities if the underlying CLI tools (Vault or SOPS) misinterpret or improperly process crafted strings that exploit internal parsing flaws. However, the project's `SECURITY.md` demonstrates a strong commitment to security, including CI-enforced checks, non-root container usage, no hardcoded secrets, and clear vulnerability reporting policies. Future integration with a formally verified `proven` library for access control and audit logging is planned, which would significantly enhance security.