mcpproxy-go

The project demonstrates a strong focus on security, implementing multiple layers of defense: default localhost-only binding, API key authentication for REST endpoints (skipped for secure IPC), an active security quarantine system for new servers, Docker isolation for untrusted stdio servers, and robust OAuth 2.1 support with PKCE. IPC between the tray and core uses platform-specific sockets/pipes with 8 layers of OS-level security validation. However, internal documentation (docs/security-skipped-auth-tests.md) highlights a critical past vulnerability where API key security tests were skipped, leading to a TCP authentication bypass. While the project is proactive in identifying and addressing such issues, its prior existence impacts the immediate 'safest' rating. The JavaScript code execution feature is heavily sandboxed to prevent filesystem, network, and module access.