
mcp_docker

Verified Safe

by williajm

Overview

Manages Docker containers, images, networks, and volumes for AI assistants via the Model Context Protocol (MCP).

Installation

Run Command
uv run python -m mcp_docker

Environment Variables

  • DOCKER_BASE_URL
  • SAFETY_ALLOW_DESTRUCTIVE_OPERATIONS
  • SECURITY_OAUTH_ENABLED
  • SECURITY_OAUTH_ISSUER (required if SECURITY_OAUTH_ENABLED=true)
  • SECURITY_OAUTH_JWKS_URL (required if SECURITY_OAUTH_ENABLED=true)

Security Notes

The server implements a multi-layered security approach: comprehensive input validation, blocking of dangerous shell commands (e.g., `rm -rf /`, fork bombs, `curl | bash`), environment variable injection protection, sensitive mount path blocking, and error message sanitization to prevent information disclosure. It supports OAuth/OIDC authentication with JWKS caching and token introspection, IP filtering (with X-Forwarded-For support), and both pre- and post-authentication rate limiting.

Audit logging is structured and includes automatic redaction of sensitive fields in both tool arguments and results. The `generate_compose` prompt explicitly redacts environment variable values to prevent credential leakage to LLMs. Strict safety tiers (SAFE, MODERATE, DESTRUCTIVE) with configurable overrides and fine-grained tool/resource filtering are implemented. Continuous fuzzing is integrated to proactively identify vulnerabilities. Explicit warnings are logged for insecure configurations (e.g., HTTP transport on non-localhost, exposed Docker sockets).

The primary remaining risk noted in `SECURITY.md` is Retrieval Agent Deception (RADE): malicious container logs, returned verbatim to the model, could potentially manipulate AI agents. `SECURITY.md` recommends user-side filtering of that output.

Stats

Interest Score: 32
Security Score: 9
Cost Class: Low
Avg Tokens: 1000
Stars: 2
Forks: 0
Last Update: 2026-01-13

Tags

Docker, AI, MCP, Container Management, API