dotfiles

MCP Policy

MCP is treated as a controlled execution boundary.

Default posture

The tracked default is strict-local.

Properties:

• local-first
• least privilege
• no broad filesystem roots
• no wildcard or unsafe flags
• no network-facing MCP servers enabled by default
• machine-readable validation output

Policy artifact

The source of truth lives in mcp-policy.json. Approved package pins live in mcp-lock.json. Tracked server registry entries live in mcp-registry.json.

Current defaults:

• Allowed launchers: npx, node, uvx
• Trusted transports: stdio, http
• Blocked filesystem roots: /, /home, /Users
• Blocked argument patterns: ^--allow-.*, ^--unsafe$, ^\\*$
• Network-facing servers disabled by default: github, brave-search, fetch, puppeteer, filesystem
• Approved packages must resolve through the tracked MCP lock manifest
• Every active server must match the tracked MCP registry
• HTTP transports must use https:// and registry-declared OAuth2

Validation

Run:

dot mcp --strict
dot mcp -s -j
dot mcp registry

The JSON form is the audit artifact for CI, release validation, and workstation attestation.

Change control

Any change to MCP policy requires:

1. A signed commit
2. A matching test update
3. A release note if the effective trust boundary changes
4. A policy bundle review when enterprise defaults change

Supply-chain controls

Phase 2 adds explicit package locking for default MCP servers.

Current approved refs:

• [email protected]
• @modelcontextprotocol/[email protected]
• [email protected]

dot mcp --strict and dot mcp -s now verify that:

• package refs are version-pinned
• the pinned refs match the tracked lock manifest
• non-approved package refs are rejected in strict mode
• active servers match the tracked registry entries
• remote HTTP transports are HTTPS and OAuth-backed

Policy bundle baselines live in policy-bundles.json.

This site is open source. Improve this page.