Stu Mason

Activity

Pull Request Opened

PR #197 opened: docs: add dedicated security model page (concepts/security.md)

Tech-writer review flagged security as a launch-blocker. The current how-it-works.md has security as a 5-bullet section at the bottom — not enough for an MCP server that brokers infrastructure credentials.

New /concepts/security page covers:

  • What the server does vs does not do (credentials, network, state, process lifetime)
  • Where the token lives, with a flow diagram
  • What gets logged (and what doesn't)
  • env_vars masking behaviour + the reveal opt-in
  • What custom HTTP headers filter (Authorization, Content-Type) vs pass through
  • Threat model: client capabilities, LLM capabilities, compromised client mitigation
  • What to do if a token leaks (revoke + rotate + audit + purge)
  • How to report a vulnerability (private security advisory)

Sidebar updated to include the new page. Existing security section in how-it-works.md keeps its summary bullets and links to the deeper page for the full story.

+103 additions, -0 deletions, 3 files changed