mcp-gatekeeper
Verified Safe
by takeshy
Overview
MCP server enabling AI assistants to securely execute shell commands with granular access control and sandboxing.
Installation
./mcp-gatekeeper-server --root-dir=/home/user/projects --mode=http --addr=:8080 --db=gatekeeper.db
Environment Variables
- MCP_GATEKEEPER_API_KEY
Security Notes
The server's primary function is shell command execution, which is inherently high-risk. mcp-gatekeeper mitigates that risk with several layered controls:

- **Mandatory directory sandboxing (`--root-dir`)**: all operations are restricted to the configured root directory, and paths are resolved through symlinks before the check so that a link inside the root cannot be used to reach outside it.
- **Glob-based argument restrictions**: each command's arguments must match configured glob patterns, which limits what an assistant can pass (unexpected flags, paths or options) and so reduces the scope for argument injection.
- **Multiple sandbox modes (bubblewrap, WASM, none)**:
  - `bubblewrap` runs native binaries under namespace isolation and is the recommended mode for them.
  - `wasm` runs commands in the wazero runtime, which gives executed code no host system calls and no network access.
  - `none` performs only path validation and is acknowledged as the least secure option.
- **API key-based access control**: API keys are generated with strong randomness, stored as bcrypt hashes, and displayed only once, at creation.
- **Environment variable filtering**: the environment variables passed to executed commands are configured per API key, limiting leakage of secrets from the server's environment.
- **Network access restriction**: both the `bubblewrap` and `wasm` sandboxes block network access for executed commands.
- **Audit logging**: every command request and its execution result is logged, whether the policy allowed or denied it.
- **Rate limiting**: configurable rate limiting on the HTTP API limits abuse of the endpoint.

No use of `eval` or other malicious patterns was identified in the reviewed source. Command execution uses the standard Go `os/exec` package and key hashing uses `bcrypt`.
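The two controls above that need the most care to get right are the root-directory check with symlink resolution and the glob-based argument allow-list. The following Go program is an added illustration of those two checks, written for this page; it is not mcp-gatekeeper's own code, and the `Policy` type, the `AllowedArgs` field and the `Authorize`/`ResolveInsideRoot` functions are hypothetical names chosen for the example. It uses only the standard library and shows why the root itself must be resolved, why a not-yet-existing output file is checked through its parent, and why `filepath.Match` makes `*.txt` refuse `../secret.txt`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Policy is a hypothetical, simplified policy shape for this example only;
// it is not mcp-gatekeeper's configuration format.
type Policy struct {
	RootDir     string              // sandbox root, like --root-dir
	AllowedArgs map[string][]string // command name -> glob patterns its arguments may match
}

var (
	ErrCommandNotAllowed = errors.New("command not in allow-list")
	ErrArgNotAllowed     = errors.New("argument matches no allowed pattern")
	ErrOutsideRoot       = errors.New("path resolves outside root directory")
)

// ResolveInsideRoot joins p onto root (unless p is absolute), follows symlinks
// on both sides, and rejects the result if it does not stay under root.
// Resolving the root itself matters: on systems where the root lives under a
// symlinked directory, comparing an unresolved root against a resolved target
// would reject every path.
func ResolveInsideRoot(root, p string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if rootReal, err = filepath.Abs(rootReal); err != nil {
		return "", err
	}
	target := p
	if !filepath.IsAbs(target) {
		target = filepath.Join(rootReal, target) // Join also cleans ".." segments
	}
	resolved, err := filepath.EvalSymlinks(target)
	if errors.Is(err, os.ErrNotExist) {
		// Target does not exist yet (an output file, say): resolve its parent
		// directory instead, so a symlinked parent cannot redirect the write.
		parent, perr := filepath.EvalSymlinks(filepath.Dir(target))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(target))
	} else if err != nil {
		return "", err
	}
	if resolved, err = filepath.Abs(resolved); err != nil {
		return "", err
	}
	rel, err := filepath.Rel(rootReal, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideRoot, p)
	}
	return resolved, nil
}

// Authorize accepts a command only if it is listed and every argument matches
// at least one of its glob patterns. Non-flag arguments are additionally
// resolved against the root, so a symlink named to satisfy the glob (e.g.
// link.txt -> /somewhere/else) is still rejected.
func (p Policy) Authorize(cmd string, args []string) error {
	patterns, ok := p.AllowedArgs[cmd]
	if !ok {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, cmd)
	}
	for _, a := range args {
		if !matchAny(patterns, a) {
			return fmt.Errorf("%w: %q", ErrArgNotAllowed, a)
		}
		if !strings.HasPrefix(a, "-") { // anything that is not a flag is treated as a path
			if _, err := ResolveInsideRoot(p.RootDir, a); err != nil {
				return err
			}
		}
	}
	return nil
}

// matchAny uses filepath.Match, whose '*' never crosses a path separator, so a
// pattern such as "*.txt" is not satisfied by "../secret.txt" or "/etc/passwd".
// A malformed pattern (ErrBadPattern) is treated as a non-match.
func matchAny(patterns []string, arg string) bool {
	for _, pat := range patterns {
		if ok, err := filepath.Match(pat, arg); err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	root, err := os.MkdirTemp("", "gatekeeper-demo") // constructed demo root
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "notes.txt"), []byte("hello\n"), 0o600)
	pol := Policy{RootDir: root, AllowedArgs: map[string][]string{"cat": {"-n", "*.txt"}}}
	for _, args := range [][]string{{"-n", "notes.txt"}, {"../notes.txt"}, {"/etc/passwd"}} {
		fmt.Printf("cat %v -> %v\n", args, pol.Authorize("cat", args))
	}
}
```

The `none` sandbox mode described above would rely on exactly this kind of path validation and nothing else, which is why the page flags it as the least secure option: a check like `ResolveInsideRoot` constrains which paths a command is handed, but not what the binary itself does once running.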
Similar Servers
wcgw
Empowering chat applications to code, build, and run on your local machine by providing tightly integrated shell and code editing tools.
mcp-server-code-execution-mode
This server enables LLM agents to execute Python code in a highly secure, isolated container environment, facilitating complex multi-tool orchestration and data analysis with minimal LLM context token usage.
ssh-mcp-server
Bridging AI assistants to remote SSH server operations for command execution, file transfer, and server status retrieval via the Model Context Protocol (MCP).
toolhive-studio
ToolHive is a desktop application (Electron UI) for discovering, deploying, and managing Model Context Protocol (MCP) servers in isolated containers, and connecting them to AI agents and clients.