zonerMCP

The server demonstrates strong security hardening, explicitly noted in its `replit.md` and implemented in the code. Key measures include: an explicit layer registry and field policy (allowlist approach, blocked fields, summary/full profiles), structured query modes to prevent freeform SQL injection, comprehensive input validation (e.g., coordinate ranges, bounding box size limits, object ID counts, string lengths), record count caps on query results, bearer token authentication (configurable), robust rate limiting with IP-based and authenticated token buckets, a response cache, optional session enforcement (though stateless mode is default, it's configurable), validation for geometry inclusion, payload size limits, and configurable CORS origins. External API calls (ArcGIS) are made with a timeout to prevent long-running requests. The `ARCGIS_BASE_URL` is correctly configured as a required secret and checked at startup. No 'eval' or other obviously dangerous patterns were found.