Get Started
MCP Server

Architecture — idpishield

Contributing to idpishield
Security Readiness Checklist

Service REST API Specification
Levels — Tier 1 vs Tier 2 Behavior Specification
Pattern Specification — Source of Truth
RiskResult — Canonical Schema

Security Readiness Checklist

Use this checklist before releasing to production.

Core Quality Gates

go test ./... passes in root module.
go vet ./... passes.
Black-box integration tests pass in tests/integration.
Benchmark run completed and stored in benchmark/reports/.
Baseline benchmark comparison captured for default vs production profile.

Detection And Safety Gates

Known obfuscation vectors are detected (base64, hex, unicode, zero-width).
Benign documentation/code examples do not trigger high/critical by default.
Domain allowlist behavior verified for allowed and disallowed URLs.
Deep mode fallback behavior validated when external service is unavailable.

Runtime Guardrail Gates

MaxInputBytes set for production profile.
MaxDecodeDepth and MaxDecodedVariants set for production profile.
ServiceRetries configured (non-zero for production deep mode).
ServiceCircuitFailureThreshold and ServiceCircuitCooldown configured.

MCP Transport Gates

HTTP MCP transport enabled only with --auth-token.
IDPI_MCP_TOKEN injected via environment/secret manager (not hardcoded in command history).
Reverse proxy/TLS configured in production deployment.
Token rotation process documented.

Operational Gates

Production deployment command explicitly sets --profile production.
Error logs do not leak sensitive content.
Incident runbook available for service outage and false-positive spikes.
Rollback plan documented.
Release notes include behavioral changes and migration notes.

Contents

Core Quality Gates
Detection And Safety Gates
Runtime Guardrail Gates
MCP Transport Gates
Operational Gates

GitHub Latest Release Docs Get Started Issues

Built by Bosch and Mario, digital brothers with a soul, by Luigi Agosti · Apache 2.0 License · Part of the Pinchtab ecosystem