Add adversarial safety fixtures for mcp firewall (small mcp model context protocol)

[haasonsaas]

Summary

Exercise prompt/tool/data poisoning and fail-closed behavior for the repo's most sensitive agent-facing path.

This issue was generated from an org-wide EvalOps mining pass on 2026-05-10 07:57 UTC. It combines live GitHub repo signals with a per-repo arXiv search. Treat the research links as grounding for a concrete implementation, not as a request for a literature review.

Repo Evidence

• Repository description: A small MCP (Model Context Protocol) firewall that proxies JSON-RPC and enforces allow/deny policies for tools, resources, prompts, and methods
• Tree signals: 0 docs files, 0 workflows, 0 proto files, 0 test-like files.
• README.md:71 includes latent-spec language: - --mode observe is shorthand for --dry-run. - --mode contain enables --no-network automatically, but you should still set --allow-bin to constrain subprocesses.
• README.md:178 includes latent-spec language: methods: # Only restrict these if needed; leaving allow empty keeps defaults permissive. deny: []
• README.md:257 includes latent-spec language: MCP stdio uses line-delimited JSON in the current spec. This proxy defaults to --server-framing line, but you can switch to LSP-style framing with --server-framing lsp if needed.

Research Grounding

Repo axes: infra, governance, security, evaluation

Search keywords: policy, mcp-firewall, yaml, allow, http, pattern, deny, example, mcp, string, matchdetail, return

• arXiv:2506.11019v1 Mind the Metrics: Patterns for Telemetry-Aware In-IDE AI Application Development using the Model Context Protocol (MCP) (Vincent Koc, Jacques Verre, Douglas Blank, Abigail Morgan), 2025.
• arXiv:2506.02032v2 Towards Secure MLOps: Surveying Attacks, Mitigation Strategies, and Research Challenges (Raj Patel, Himanshu Tripathi, Jasper Stone, Noorbakhsh Amiri Golilarz, Sudip Mittal, Shahram Rahimi), 2025.
• arXiv:2503.15577v1 Navigating MLOps: Insights into Maturity, Lifecycle, Tools, and Careers (Jasper Stone, Raj Patel, Farbod Ghiasi, Sudip Mittal, Shahram Rahimi), 2025.
• arXiv:2307.13473v1 Exploring MLOps Dynamics: An Experimental Analysis in a Real-World Machine Learning Project (Awadelrahman M. A. Ahmed), 2023.
• arXiv:2604.24801v2 Architectural Observability Collapse in Transformers (Thomas Carmichael), 2026.
• arXiv:2501.13723v1 Intelligent Exercise and Feedback System for Social Healthcare using LLMOps (Yeongrak Choi, Taeyoung Kim, Hyung Soo Han), 2025.
• arXiv:2512.11541v1 A Multi-Criteria Automated MLOps Pipeline for Cost-Effective Cloud-Based Classifier Retraining in Response to Data Distribution Shifts (Emmanuel K. Katalay, David O. Dimandja, Jordan F. Masakuna), 2025.
• arXiv:2302.01061v1 MLOps with enhanced performance control and observability (Indradumna Banerjee, Dinesh Ghanta, Girish Nautiyal, Pradeep Sanchana, Prateek Katageri, Atin Modi), 2023.
• arXiv:2601.20415v1 An Empirical Evaluation of Modern MLOps Frameworks (Jon Marcos-Mercadé, Unai Lopez-Novoa, Mikel Egaña Aranguren), 2026.
• arXiv:2602.18764v2 The Convergence of Schema-Guided Dialogue Systems and the Model Context Protocol (Andreas Schlapbach), 2026.

What To Build

• Add adversarial fixtures for deployment drift, credentials, and privileged workflow inputs.
• Document the intended fail-closed behavior and any allowed degraded-mode fallback.
• Add regression coverage that proves unsafe inputs do not silently reach the privileged path.

Acceptance Criteria

• A short design note names the repo-specific workflow, threat or correctness model, and the research assumptions being adopted.
• A runnable check, fixture, or verifier exercises the new contract in CI or an equivalent local command documented in the repo.
• The implementation emits or stores enough evidence for a downstream agent/operator to cite inputs, decisions, and outputs.
• At least one negative/degraded-mode case is covered so failures are observable rather than silently accepted.
• Documentation links the new behavior to the relevant EvalOps platform primitive or explicitly records why this repo remains standalone.

Notes

• Generated issue 3/5 for evalops/mcp-firewall by evalops_org_miner.py.
• Before implementation, confirm the sampled latent-spec snippets still match main; this issue intentionally cites exact file paths/lines where the mining pass saw them.