inboxfewer

The project exhibits an exceptionally strong security posture. It adheres to Kubernetes Pod Security Standards (Restricted profile) by running as a non-root user, dropping all capabilities, and enforcing a read-only root filesystem. NetworkPolicy support is included for defense-in-depth. Crucially, it provides critical warnings against common secret management anti-patterns (e.g., `--set` for secrets, committing to Git) and recommends robust solutions like Kubernetes Secrets, External Secrets Operator, and Sealed Secrets. Its OAuth 2.1 implementation features an OAuth Proxy architecture, ensuring LLMs never handle sensitive tokens directly. This includes dynamic client registration (RFC 7591), PKCE, mandatory state parameters, refresh token rotation, per-IP client limits, and optional token encryption at rest (`MCP_OAUTH_ENCRYPTION_KEY`). All HTTP responses include security headers, and HTTPS is enforced for non-loopback addresses. Image scanning with Trivy is integrated into CI/CD. The development team clearly prioritizes security-by-design.